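/**
 * \test Load an invalid classification.config (dummy file FD03) and verify
 *       that nothing from it reached the classtype hash table: the table
 *       must be empty and lookups of names taken from that file, in several
 *       case variations, must all miss.
 *
 * The engine context is released on every path, including the "no hash
 * table" exit that previously returned without freeing it.
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest05(void)
{
    static const char *must_be_absent[] = {
        "unknown", "unKnoWn", "bamboo", "bad-unknown", "BAD-UNKnOWN",
        "bed-unknown",
    };
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    int result = 0;
    size_t i;

    if (de_ctx == NULL)
        return 0;

    SCClassConfGenerateInValidDummyClassConfigFD03();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* nothing to inspect without a table; still free the context */
    if (de_ctx->class_conf_ht == NULL)
        goto end;

    result = (de_ctx->class_conf_ht->count == 0);

    for (i = 0; i < sizeof(must_be_absent) / sizeof(must_be_absent[0]); i++)
        result &= (SCClassConfGetClasstype(must_be_absent[i], de_ctx) == NULL);

end:
    DetectEngineCtxFree(de_ctx);
    return result;
}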
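/**
 * \test Load a classification.config that mixes valid and invalid entries
 *       (dummy file FD02) and verify that exactly three classtypes were
 *       loaded: SCClassConfGetClasstype() must find the valid names
 *       regardless of letter case and must miss the invalid ones.
 *
 * The engine context is released on every path, including the "no hash
 * table" exit that previously returned without freeing it.
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest06(void)
{
    static const struct {
        const char *name;
        int present;
    } checks[] = {
        { "unknown",        0 },
        { "not-suspicious", 1 },
        { "bamboola1",      1 },
        /* NOTE(review): exact repeat of the previous entry, kept from the
         * original test; probably meant another spelling - confirm against
         * the FD02 dummy file. */
        { "bamboola1",      1 },
        { "BAMBOolA1",      1 },
        { "unkNOwn",        0 },
    };
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    int result = 0;
    size_t i;

    if (de_ctx == NULL)
        return 0;

    SCClassConfGenerateInValidDummyClassConfigFD02();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* nothing to inspect without a table; still free the context */
    if (de_ctx->class_conf_ht == NULL)
        goto end;

    result = (de_ctx->class_conf_ht->count == 3);

    for (i = 0; i < sizeof(checks) / sizeof(checks[0]); i++) {
        int found = (SCClassConfGetClasstype(checks[i].name, de_ctx) != NULL);
        result &= (found == checks[i].present);
    }

end:
    DetectEngineCtxFree(de_ctx);
    return result;
}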
/**
 * \test Parse a signature whose msg keyword holds a plain string and check
 *       that Signature::msg carries exactly that string, without the quotes.
 *
 * \retval 1 on success, 0 on failure.
 */
static int DetectMsgParseTest01(void)
{
    const char *expected = "flow stateless to_server";
    Signature *sig = NULL;
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    /* the rule below uses classtype:bad-unknown, so a classification config
     * that defines it is loaded before SigInit() */
    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"flow stateless to_server\"; flow:stateless,to_server; content:\"flowstatelesscheck\"; classtype:bad-unknown; sid: 40000002; rev: 1;)");
    if (sig == NULL)
        goto end;

    if (strcmp(sig->msg, expected) == 0) {
        result = 1;
    } else {
        printf("got \"%s\", expected: \"%s\": ", sig->msg, expected);
    }

end:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}
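/**
 * \test A rule with "Classtype:unknown" must, once it alerts on a packet,
 *       carry the class message from the dummy classification config that
 *       was loaded ("Unknown are we") rather than the stock "Unknown
 *       Traffic" text.
 *
 * Compared with the previous version: the packet is NULL-checked before it
 * is dereferenced, the packet is no longer leaked when the engine context
 * cannot be created, and the individual checks accumulate into result
 * instead of overwriting each other (the sig-parse and "Unknown Traffic"
 * checks previously had no effect on the return value).
 *
 * \retval 1 on success, 0 on failure.
 */
int AlertFastLogTest02(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
        "Host: one.example.org\r\n";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
            "(msg:\"FastLog test\"; content:\"GET\"; "
            "Classtype:unknown; sid:1;)");
    result = (de_ctx->sig_list != NULL);
    if (result == 0)
        printf("sig parse failed: ");

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (p->alerts.cnt == 1) {
        const char *class_msg = p->alerts.alerts[0].s->class_msg;

        /* must not be the stock description */
        if (strcmp(class_msg, "Unknown Traffic") == 0) {
            printf("p->alerts.alerts[0].class_msg %s: ", class_msg);
            result = 0;
        }
        /* ...and must be the description from the dummy FD01 config */
        if (strcmp(class_msg, "Unknown are we") != 0) {
            printf("p->alerts.alerts[0].class_msg %s: ", class_msg);
            result = 0;
        }
    } else {
        result = 0;
    }

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

end:
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    UTHFreePackets(&p, 1);
    return result;
}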
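/**
 * \test A rule with "Classtype:unknown" must, once it alerts on a packet,
 *       carry the class message from the dummy classification config that
 *       was loaded ("Unknown are we").
 *
 * Compared with the previous version: the packet is NULL-checked before it
 * is dereferenced, the packet is no longer leaked when the engine context
 * cannot be created, and a failed signature parse is no longer masked by
 * the later alert check overwriting result.
 *
 * \retval 1 on success, 0 on failure.
 */
int AlertFastLogTest01(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
                   "Host: one.example.org\r\n";

    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));
    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"FastLog test\"; content:\"GET\"; "
                               "Classtype:unknown; sid:1;)");
    result = (de_ctx->sig_list != NULL);
    if (result == 0)
        printf("sig parse failed: ");

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (p->alerts.cnt == 1)
        result &= (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
    else
        result = 0;

#ifdef __SC_CUDA_SUPPORT__
    B2gCudaKillDispatcherThreadRC();
    if (SCCudaHlPushCudaContextFromModule("SC_RULES_CONTENT_B2G_CUDA") == -1) {
        /* NOTE(review): returns without the cleanup below, as the original
         * did; whether the engine teardown is safe after a failed context
         * push is not known from here - confirm before routing this to end. */
        printf("Call to SCCudaHlPushCudaContextForModule() failed\n");
        return 0;
    }
#endif

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);

end:
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    UTHFreePackets(&p, 1);
    return result;
}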
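/**
 * \test Load a classification.config that mixes valid and invalid entries
 *       (dummy file FD02) and verify through direct hash-table lookups that
 *       exactly three classtypes were loaded: the valid names must be found
 *       regardless of letter case and the invalid ones must be missing.
 *
 * Compared with the previous version: the engine context is released on
 * the "no hash table" exit instead of being leaked, and a failed key
 * allocation is counted as a test failure instead of being passed to
 * HashTableLookup().
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest06(void)
{
    static const struct {
        const char *name;
        int present;
    } checks[] = {
        { "unknown",        0 },
        { "not-suspicious", 1 },
        { "bamboola1",      1 },
        /* NOTE(review): exact repeat of the previous entry, kept from the
         * original test; probably meant another spelling - confirm against
         * the FD02 dummy file. */
        { "bamboola1",      1 },
        { "BAMBOolA1",      1 },
        { "unkNOwn",        0 },
    };
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    int result = 0;
    size_t i;

    if (de_ctx == NULL)
        return 0;

    SCClassConfGenerateInValidDummyClassConfigFD02();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* nothing to inspect without a table; still free the context */
    if (de_ctx->class_conf_ht == NULL)
        goto end;

    result = (de_ctx->class_conf_ht->count == 3);

    for (i = 0; i < sizeof(checks) / sizeof(checks[0]); i++) {
        /* a throwaway classtype serves as the lookup key */
        SCClassConfClasstype *ct =
            SCClassConfAllocClasstype(0, checks[i].name, NULL, 0);
        int found;

        if (ct == NULL) {
            result = 0;
            continue;
        }
        found = (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
        result &= (found == checks[i].present);
        SCClassConfDeAllocClasstype(ct);
    }

end:
    DetectEngineCtxFree(de_ctx);
    return result;
}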
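/**
 * \test Load an invalid classification.config (dummy file FD03) and verify
 *       through direct hash-table lookups that nothing from it was loaded:
 *       the table must be empty and every name taken from that file, in
 *       several case variations, must be missing.
 *
 * Compared with the previous version: the engine context is released on
 * the "no hash table" exit instead of being leaked, and a failed key
 * allocation is counted as a test failure instead of being passed to
 * HashTableLookup().
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest05(void)
{
    static const char *must_be_absent[] = {
        "unknown", "unKnoWn", "bamboo", "bad-unknown", "BAD-UNKnOWN",
        "bed-unknown",
    };
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    int result = 0;
    size_t i;

    if (de_ctx == NULL)
        return 0;

    SCClassConfGenerateInValidDummyClassConfigFD03();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* nothing to inspect without a table; still free the context */
    if (de_ctx->class_conf_ht == NULL)
        goto end;

    result = (de_ctx->class_conf_ht->count == 0);

    for (i = 0; i < sizeof(must_be_absent) / sizeof(must_be_absent[0]); i++) {
        /* a throwaway classtype serves as the lookup key */
        SCClassConfClasstype *ct =
            SCClassConfAllocClasstype(0, must_be_absent[i], NULL, 0);

        if (ct == NULL) {
            result = 0;
            continue;
        }
        result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) == NULL);
        SCClassConfDeAllocClasstype(ct);
    }

end:
    DetectEngineCtxFree(de_ctx);
    return result;
}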
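/**
 * \test Check that only valid classtypes are loaded into the hash table from
 *       the classification.config file: dummy file FD02 mixes valid and
 *       invalid entries and exactly three must survive.
 *
 * The engine context is released on every path, including the "no hash
 * table" exit that previously returned without freeing it.
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest03(void)
{
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    int result = 0;

    if (de_ctx == NULL)
        return result;

    SCClassConfGenerateInValidDummyClassConfigFD02();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* a missing table is a failure, but still release the context */
    if (de_ctx->class_conf_ht != NULL)
        result = (de_ctx->class_conf_ht->count == 3);

    DetectEngineCtxFree(de_ctx);

    return result;
}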
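/**
 * \brief test if the action is alert then packet shouldn't be logged
 *
 * Runs the engine in IPS mode, matches an "alert" rule against a UDP packet
 * and hands the packet to LogDropLog(); the drop counter must stay at zero
 * because the rule's action is alert, not drop.
 *
 * Compared with the previous version: the engine mode is restored on exit
 * so later unittests do not inherit IPS mode, the packet is NULL-checked
 * before use, and the packet is no longer leaked when the engine context
 * cannot be created.
 *
 * \retval 1 on success, 0 on failure.
 */
int LogDropLogTest02(void)
{
    int result = 0;
    extern uint8_t engine_mode;
    uint8_t saved_engine_mode = engine_mode;

    uint8_t *buf = (uint8_t *) "GET";
    uint16_t buflen = strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    LogDropLogThread dlt;
    LogFileCtx *logfile_ctx = LogFileNewCtx();
    if (logfile_ctx == NULL) {
        printf("Could not create new LogFileCtx\n");
        return 0;
    }
    /* NOTE(review): logfile_ctx is never released, as in the original;
     * LogFileNewCtx() presumably has a matching free routine - confirm and
     * call it on every exit path. */

    /* the test needs IPS mode; the previous mode is put back at "end" */
    SET_ENGINE_MODE_IPS(engine_mode);

    memset(&dlt, 0, sizeof(LogDropLogThread));
    dlt.file_ctx = logfile_ctx;
    dlt.file_ctx->fp = stdout;

    memset(&th_v, 0, sizeof(th_v));
    p = UTHBuildPacket(buf, buflen, IPPROTO_UDP);
    if (p == NULL) {
        printf("UTHBuildPacket failed\n");
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "alert udp any any -> any any "
            "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");

    result = (de_ctx->sig_list != NULL);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);

    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
    if (p->alerts.cnt == 1 && p->alerts.alerts[0].action != ACTION_DROP)
        result &= (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
    else
        result = 0;

    LogDropLog(NULL, p, &dlt, NULL, NULL);

    /* an alert action must not be counted by the drop log */
    if (dlt.drop_cnt != 0) {
        printf("Packet shouldn't be logged but it is\n");
        result = 0;
    }

    SigGroupCleanup(de_ctx);
    SigCleanSignatures(de_ctx);
    DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
    DetectEngineCtxFree(de_ctx);

end:
    if (p != NULL)
        UTHFreePackets(&p, 1);
    engine_mode = saved_engine_mode;
    return result;
}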