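/**
 * \test Check if the classtype info from the classification.config file have
 *       been loaded into the hash table.
 *
 * Loads the dummy classification file into a fresh DetectEngineCtx, then
 * checks the entry count and that SCClassConfGetClasstype() finds the
 * configured names regardless of letter case while rejecting names that
 * merely resemble them.
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest04(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        return 0;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* a missing table is a failure, but de_ctx still has to be released */
    if (de_ctx->class_conf_ht == NULL)
        goto end;

    /* the dummy file is expected to define exactly three classtypes */
    result = (de_ctx->class_conf_ht->count == 3);

    /* configured names must be found in any letter case ... */
    result &= (SCClassConfGetClasstype("unknown", de_ctx) != NULL);
    result &= (SCClassConfGetClasstype("unKnoWn", de_ctx) != NULL);
    result &= (SCClassConfGetClasstype("bad-unknown", de_ctx) != NULL);
    result &= (SCClassConfGetClasstype("BAD-UNKnOWN", de_ctx) != NULL);
    /* ... while near misses and unknown names must not */
    result &= (SCClassConfGetClasstype("bamboo", de_ctx) == NULL);
    result &= (SCClassConfGetClasstype("bed-unknown", de_ctx) == NULL);

end:
    DetectEngineCtxFree(de_ctx);
    return result;
}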
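/**
 * \test Check that the msg keyword of a parsed signature ends up in
 *       sig->msg exactly as written in the rule.
 *
 * \retval 1 on success, 0 on failure.
 */
static int DetectMsgParseTest01(void)
{
    int result = 0;
    Signature *sig = NULL;
    /* points at a string literal, so the pointer must be const-qualified */
    const char *teststringparsed = "flow stateless to_server";

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;

    /* the rule uses classtype:bad-unknown, which has to be loadable */
    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    sig = SigInit(de_ctx, "alert tcp any any -> any any "
                  "(msg:\"flow stateless to_server\"; flow:stateless,to_server; "
                  "content:\"flowstatelesscheck\"; classtype:bad-unknown; "
                  "sid: 40000002; rev: 1;)");
    if (sig == NULL)
        goto end;

    if (strcmp(sig->msg, teststringparsed) != 0) {
        printf("got \"%s\", expected: \"%s\": ", sig->msg, teststringparsed);
        goto end;
    }

    result = 1;

end:
    if (sig != NULL)
        SigFree(sig);
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}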
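/**
 * \test Check that a signature with "Classtype:unknown" picks up the class
 *       message from the dummy classification file ("Unknown are we") and
 *       that the message is attached to the alert raised on a matching packet.
 *
 * \retval 1 on success, 0 on failure.
 */
int AlertFastLogTest02(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.1\r\n"
                              "Host: one.example.org\r\n";
    uint16_t buflen = (uint16_t)strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    /* the original returned here and leaked the packet */
    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"FastLog test\"; content:\"GET\"; "
                               "Classtype:unknown; sid:1;)");
    if (de_ctx->sig_list == NULL)
        printf("sig parse failed: ");

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    if (p->alerts.cnt != 1) {
        printf("expected exactly one alert: ");
        goto end;
    }

    /* The dummy file maps "unknown" to "Unknown are we"; matching that
     * string also rules out the "Unknown Traffic" text the original
     * checked first and then discarded by overwriting result. */
    result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
    if (result == 0)
        printf("p->alerts.alerts[0].class_msg %s: ",
               p->alerts.alerts[0].s->class_msg);

end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    UTHFreePackets(&p, 1);
    return result;
}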
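/**
 * \test Check that an alert raised by a "Classtype:unknown" signature carries
 *       the class message loaded from the dummy classification file.
 *
 * \retval 1 on success, 0 on failure.
 */
int AlertFastLogTest01(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.1\r\n"
                              "Host: one.example.org\r\n";
    uint16_t buflen = (uint16_t)strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed: ");
        return 0;
    }

    /* the original returned here and leaked the packet */
    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
                               "(msg:\"FastLog test\"; content:\"GET\"; "
                               "Classtype:unknown; sid:1;)");
    if (de_ctx->sig_list == NULL)
        printf("sig parse failed: ");

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* exactly one alert, carrying the class message from the dummy file */
    if (p->alerts.cnt == 1)
        result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
    else
        result = 0;

#ifdef __SC_CUDA_SUPPORT__
    B2gCudaKillDispatcherThreadRC();
    if (SCCudaHlPushCudaContextFromModule("SC_RULES_CONTENT_B2G_CUDA") == -1) {
        /* NOTE(review): returns without the cleanup below, as the original
         * did; whether cleanup is safe with no CUDA context pushed is not
         * visible here — confirm before routing this through `end`. */
        printf("Call to SCCudaHlPushCudaContextFromModule() failed\n");
        return 0;
    }
#endif

end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    UTHFreePackets(&p, 1);
    return result;
}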
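/**
 * \brief Look a classtype name up in de_ctx's classification hash table.
 *
 * Builds a throw-away key with SCClassConfAllocClasstype(), performs the
 * lookup and releases the key again, so callers do not repeat the
 * alloc / lookup / free sequence per name.
 *
 * \param de_ctx Detection engine context whose class_conf_ht is queried.
 * \param name   Classtype name to look up.
 *
 * \retval 1 if an entry was found, 0 if not found or the key could not be
 *         allocated.
 */
static int SCClassConfTest04HasClasstype(DetectEngineCtx *de_ctx, const char *name)
{
    SCClassConfClasstype *ct = SCClassConfAllocClasstype(0, name, NULL, 0);
    if (ct == NULL)
        return 0;

    int found = (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
    SCClassConfDeAllocClasstype(ct);
    return found;
}

/**
 * \test Check if the classtype info from the classification.config file have
 *       been loaded into the hash table.
 *
 * Loads the dummy classification file into a fresh DetectEngineCtx, then
 * checks the entry count and that hash lookups find the configured names
 * regardless of letter case while rejecting names that merely resemble them.
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest04(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        return 0;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* a missing table is a failure, but de_ctx still has to be released */
    if (de_ctx->class_conf_ht == NULL)
        goto end;

    /* the dummy file is expected to define exactly three classtypes */
    result = (de_ctx->class_conf_ht->count == 3);

    /* configured names must be found in any letter case ... */
    result &= SCClassConfTest04HasClasstype(de_ctx, "unknown");
    result &= SCClassConfTest04HasClasstype(de_ctx, "unKnoWn");
    result &= SCClassConfTest04HasClasstype(de_ctx, "bad-unknown");
    result &= SCClassConfTest04HasClasstype(de_ctx, "BAD-UNKnOWN");
    /* ... while near misses and unknown names must not */
    result &= !SCClassConfTest04HasClasstype(de_ctx, "bamboo");
    result &= !SCClassConfTest04HasClasstype(de_ctx, "bed-unknown");

end:
    DetectEngineCtxFree(de_ctx);
    return result;
}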
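/**
 * \test Check that the classification file is loaded and the detection engine
 *       context class_conf_hash_table loaded with the classtype data.
 *
 * The dummy classification file is expected to yield exactly three entries.
 *
 * \retval 1 on success, 0 on failure.
 */
int SCClassConfTest01(void)
{
    int result = 0;

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        return result;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    /* the original returned here and leaked de_ctx */
    if (de_ctx->class_conf_ht == NULL) {
        printf("de_ctx->class_conf_ht is NULL: ");
        goto end;
    }

    result = (de_ctx->class_conf_ht->count == 3);
    if (result == 0)
        printf("de_ctx->class_conf_ht->count %u: ", de_ctx->class_conf_ht->count);

end:
    DetectEngineCtxFree(de_ctx);
    return result;
}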
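/** \brief test if the action is alert then packet shouldn't be logged
 *
 * Switches the engine to IPS mode, matches an "alert" rule against a UDP
 * packet and checks that the drop logger leaves dlt.drop_cnt at zero.
 * All resources are released and the engine is put back into IDS mode on
 * every exit path, so a failing step cannot leak into later tests.
 *
 * \retval 1 on success, 0 on failure.
 */
int LogDropLogTest02(void)
{
    int result = 0;
    uint8_t *buf = (uint8_t *)"GET";
    uint16_t buflen = (uint16_t)strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    LogDropLogThread dlt;
    LogFileCtx *logfile_ctx = NULL;

    EngineModeSetIPS();

    logfile_ctx = LogFileNewCtx();
    if (logfile_ctx == NULL) {
        printf("Could not create new LogFileCtx\n");
        goto end;
    }

    memset(&dlt, 0, sizeof(LogDropLogThread));
    dlt.file_ctx = logfile_ctx;
    /* log to stdout; the stream is detached again before the ctx is freed */
    dlt.file_ctx->fp = stdout;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(buf, buflen, IPPROTO_UDP);
    if (p == NULL) {
        printf("UTHBuildPacket failed\n");
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    /* NOTE(review): this variant hands the dummy config stream to the
     * loader and never closes it here; whether the loader closes it is not
     * visible in this file — confirm, otherwise the FILE leaks. */
    FILE *fd = SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx, fd);

    de_ctx->sig_list = SigInit(de_ctx, "alert udp any any -> any any "
                               "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
    if (de_ctx->sig_list == NULL)
        printf("sig parse failed: ");

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* one alert, and its action must not have been turned into a drop */
    if (p->alerts.cnt == 1 && p->alerts.alerts[0].action != ACTION_DROP)
        result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);

    if (LogDropCondition(NULL, p) == TRUE)
        LogDropLogger(NULL, &dlt, p);

    if (dlt.drop_cnt != 0) {
        printf("Packet shouldn't be logged but it is\n");
        result = 0;
    }

end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL)
        UTHFreePackets(&p, 1);
    if (logfile_ctx != NULL) {
        /* fp aliases stdout: detach it so releasing the ctx cannot close
         * the process's stdout (assumes LogFileFreeCtx tolerates fp == NULL) */
        logfile_ctx->fp = NULL;
        LogFileFreeCtx(logfile_ctx);
    }
    /* restore the mode other unit tests expect */
    EngineModeSetIDS();
    return result;
}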
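/** \brief test if the action is drop then packet should be logged
 *
 * Switches the engine to IPS mode, matches a "drop" rule against a TCP
 * packet and checks that the drop logger counts the packet. The previous
 * engine mode is restored and all resources are released on every exit
 * path so a failing step cannot leak into later tests.
 *
 * \retval 1 on success, 0 on failure.
 */
int LogDropLogTest01(void)
{
    int result = 0;
    extern uint8_t engine_mode;
    /* remember the caller's mode; the original never switched back */
    uint8_t saved_engine_mode = engine_mode;
    uint8_t *buf = (uint8_t *)"GET /one/ HTTP/1.1\r\n"
                              "Host: one.example.org\r\n";
    uint16_t buflen = (uint16_t)strlen((char *)buf);
    Packet *p = NULL;
    ThreadVars th_v;
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    LogDropLogThread dlt;
    LogFileCtx *logfile_ctx = NULL;

    SET_ENGINE_MODE_IPS(engine_mode);

    logfile_ctx = LogFileNewCtx();
    if (logfile_ctx == NULL) {
        printf("Could not create new LogFileCtx\n");
        goto end;
    }

    memset(&dlt, 0, sizeof(LogDropLogThread));
    dlt.file_ctx = logfile_ctx;
    /* log to stdout; the stream is detached again before the ctx is freed */
    dlt.file_ctx->fp = stdout;

    memset(&th_v, 0, sizeof(th_v));

    p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
    if (p == NULL) {
        printf("UTHBuildPacket failed\n");
        goto end;
    }

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassficationConfigFile(de_ctx);
    SCClassConfDeleteDummyClassificationConfigFD();

    de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any "
                               "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
    if (de_ctx->sig_list == NULL)
        printf("sig parse failed: ");

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
    SigMatchSignatures(&th_v, de_ctx, det_ctx, p);

    /* one alert, and the drop action must have been applied to the packet */
    if (p->alerts.cnt == 1 && (PACKET_TEST_ACTION(p, ACTION_DROP)))
        result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
    else
        result = 0;

    LogDropLog(NULL, p, &dlt, NULL, NULL);
    if (dlt.drop_cnt == 0) {
        printf("Packet should be logged but its not\n");
        result = 0;
    }

end:
    if (de_ctx != NULL) {
        SigGroupCleanup(de_ctx);
        SigCleanSignatures(de_ctx);
        if (det_ctx != NULL)
            DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
        DetectEngineCtxFree(de_ctx);
    }
    if (p != NULL)
        UTHFreePackets(&p, 1);
    if (logfile_ctx != NULL) {
        /* fp aliases stdout: detach it so releasing the ctx cannot close
         * the process's stdout (assumes LogFileFreeCtx tolerates fp == NULL) */
        logfile_ctx->fp = NULL;
        LogFileFreeCtx(logfile_ctx);
    }
    engine_mode = saved_engine_mode;
    return result;
}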