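/**
 * \test DetectFlowintTestPacket03Real
 * \brief Check the behaviour of isset/notset
 *
 * Loads three rules into a quiet detection engine, runs three packets
 * over one TCP flow and checks which rules alert:
 *  - "GET": sid 101 must fire (myvar is not set yet; the rule then sets
 *    myvar=0 and other=10)
 *  - "Unauthorized": sid 102 must fire (myvar and other are now set),
 *    sid 103 must not (lala is never set)
 *  - "1": neither 102 nor 103 may fire (no content match)
 *
 * \retval 1 when every check passed (PASS)
 * \retval 0 on the first failed check (FAIL_IF); the engine, flow and
 *         packet allocated up to that point are not released here
 */
int DetectFlowintTestPacket03Real(void)
{
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;

    /* Rule text is in string literals: never write through these pointers. */
    char *sigs[3] = {
        "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)",
        "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)",
        "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)",
    };
    FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0);

    /* Order and build the signatures, then create the per-thread context. */
    SCSigRegisterSignatureOrderingFuncs(de_ctx);
    SCSigOrderSignatures(de_ctx);
    SCSigSignatureOrderingModuleCleanup(de_ctx);
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* All packets share this flow so the flowints persist between them. */
    Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
    FAIL_IF(f == NULL);
    f->proto = IPPROTO_TCP;

    /* Packet 1: "GET" -> sid 101 sets myvar and other. */
    Packet *p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 101));
    UTHFreePacket(p);

    /* Packet 2: "Unauthorized" -> 102 sees both vars set, 103 does not match. */
    p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 102));
    FAIL_IF(PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    /* Packet 3: "1" -> no content match, so nothing may alert. */
    p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(PacketAlertCheck(p, 102));
    FAIL_IF(PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    UTHFreeFlow(f);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);
    PASS;
}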
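/**
 * \test UTHMatchPackets Match a packet or an array of packets against the sigs
 * of a de_ctx. The return value does not mean that anything matched: check
 * the alerts afterwards with PacketAlertCheck().
 *
 * The signatures are ordered and built here, every packet is run through
 * SigMatchSignatures() in array order, and SigGroupCleanup() is called on
 * de_ctx before returning.
 *
 * \param de_ctx pointer with the signatures loaded
 * \param p pointer to the array of packets; every entry is handed to
 *        SigMatchSignatures() unchecked, so none may be NULL
 * \param num_packets number of packets in the array; <= 0 matches nothing
 *
 * \retval 1 if all goes well
 * \retval 0 if de_ctx or p is NULL
 */
int UTHMatchPackets(DetectEngineCtx *de_ctx, Packet **p, int num_packets)
{
    if (de_ctx == NULL || p == NULL) {
        SCLogError(SC_ERR_INVALID_ARGUMENT, "packet or de_ctx was null");
        /* A non-NULL de_ctx is still cleaned up on this path, as before. */
        if (de_ctx != NULL)
            SigGroupCleanup(de_ctx);
        return 0;
    }

    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    memset(&th_v, 0, sizeof(th_v));

    SCSigRegisterSignatureOrderingFuncs(de_ctx);
    SCSigOrderSignatures(de_ctx);
    SCSigSignatureOrderingModuleCleanup(de_ctx);
    SigGroupBuild(de_ctx);

    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* No per-packet match check here: the de_ctx can hold several
     * signatures, some matching and some not. The caller inspects alerts. */
    for (int i = 0; i < num_packets; i++)
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]);

    if (det_ctx != NULL)
        DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

    SigGroupCleanup(de_ctx);
    return 1;
}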
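/**
 * \test DetectFlowintTestPacket02Real
 * \brief like DetectFlowintTestPacket01Real but using isset/notset keywords
 *
 * Loads five rules into a quiet detection engine and drives packets over
 * one TCP flow:
 *  - "GET": sid 101 must fire and initialise myvar=1, maxvar=6
 *  - "Unauthorized": sid 102 must fire (myvar += 2) and sid 103 must fire
 *    (myvar == 3, creates cntpackets=0)
 *  - "1", matched four times: sid 104 counts packets without alerting
 *  - "X": sid 105 must fire; the rule arithmetic is expected to leave
 *    cntpackets equal to maxvar (6) at this point
 *
 * \retval 1 when every check passed (PASS)
 * \retval 0 on the first failed check (FAIL_IF); the engine, flow and
 *         packet allocated up to that point are not released here
 */
static int DetectFlowintTestPacket02Real(void)
{
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    memset(&th_v, 0, sizeof(th_v));

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF(de_ctx == NULL);
    de_ctx->flags |= DE_QUIET;

    /* Rule text is in string literals: never write through these pointers. */
    char *sigs[5] = {
        "alert tcp any any -> any any (msg:\"Setting a flowint counter\"; content:\"GET\"; flowint: myvar, notset; flowint:maxvar,notset; flowint: myvar,=,1; flowint: maxvar,=,6; sid:101;)",
        "alert tcp any any -> any any (msg:\"Adding to flowint counter\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: myvar,+,2; sid:102;)",
        "alert tcp any any -> any any (msg:\"if the flowint counter is 3 create a new counter\"; content:\"Unauthorized\"; flowint: myvar, isset; flowint: myvar,==,3; flowint:cntpackets,notset; flowint: cntpackets, =, 0; sid:103;)",
        "alert tcp any any -> any any (msg:\"and count the rest of the packets received without generating alerts!!!\"; flowint: cntpackets,isset; flowint: cntpackets, +, 1; noalert;sid:104;)",
        "alert tcp any any -> any any (msg:\" and fire this when it reach 6\"; flowint: cntpackets, isset; flowint: maxvar,isset; flowint: cntpackets, ==, maxvar; sid:105;)",
    };
    FAIL_IF(UTHAppendSigs(de_ctx, sigs, 5) == 0);

    /* Order and build the signatures, then create the per-thread context. */
    SCSigRegisterSignatureOrderingFuncs(de_ctx);
    SCSigOrderSignatures(de_ctx);
    SCSigSignatureOrderingModuleCleanup(de_ctx);
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    /* All packets share this flow so the flowints persist between them. */
    Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
    FAIL_IF(f == NULL);
    f->proto = IPPROTO_TCP;

    /* Packet 1: "GET" -> sid 101 initialises myvar and maxvar. */
    Packet *p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 101));
    UTHFreePacket(p);

    /* Packet 2: "Unauthorized" -> 102 bumps myvar, 103 creates cntpackets. */
    p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 102));
    FAIL_IF(!PacketAlertCheck(p, 103));
    UTHFreePacket(p);

    /* Packet 3: "1", run through the engine four times so sid 104 counts;
     * no alert is checked here because 104 carries noalert. */
    p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    for (int round = 0; round < 4; round++)
        SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    UTHFreePacket(p);

    /* Packet 4: "X" -> sid 105 must fire once cntpackets reaches maxvar. */
    p = UTHBuildPacket((uint8_t *)"X", 1, IPPROTO_TCP);
    FAIL_IF(p == NULL);
    p->flow = f;
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 105));
    UTHFreePacket(p);

    UTHFreeFlow(f);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);
    PASS;
}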