aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix negated variables, add tests.

Browse Source
remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent dce2c12915
commit 0250642cc0
4 changed files with 122 additions and 5 deletions
Show Stats Download Patch File Download Diff File

2
src/detect-engine-port.c
Unescape Escape View File

@ -1064,6 +1064,8 @@ DetectPortLookupGroup(DetectPort *dp, u_int16_t port) {
for ( ; p != NULL; p = p->next) {
if (DetectPortMatch(p,port) == 1) {
//printf("DetectPortLookupGroup: match, port %u, dp ", port);
//DetectPortPrint(p); printf("\n");
return p;
}
}

17
src/detect-parse.c
Unescape Escape View File

@ -300,17 +300,26 @@ int SigParseProto(Signature *s, const char *protostr) {
int SigParsePort(Signature *s, const char *portstr, char flag) {
int r = 0;
char *port;
char negate = 0;
/* XXX VJ exclude handling this for none UDP/TCP proto's */
if (portstr[0] == '!') {
portstr++;
negate = 1;
}
if (strcmp(portstr,"$HTTP_PORTS") == 0) {
port = "80:81,88";
if (negate) port = "![80:81,88]";
else port = "80:81,88";
} else if (strcmp(portstr,"$SHELLCODE_PORTS") == 0) {
port = "!80";
} else if (strcmp(portstr,"$ORACLE_PORTS") == 0) {
port = "1521";
if (negate) port = "!1521";
else port = "1521";
} else if (strcmp(portstr,"$SSH_PORTS") == 0) {
port = "22";
if (negate) port = "!22";
else port = "22";
} else {
port = (char *)portstr;
}
@ -325,6 +334,8 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
s->flags |= SIG_FLAG_DP_ANY;
r = DetectPortParse(&s->dp,(char *)port);
//DetectPortPrint(s->dp);
}
if (r < 0) {
printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr);

106
src/detect.c
Unescape Escape View File

@ -421,6 +421,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
DetectPort *dport = DetectPortLookupGroup(s->dp,p->dp);
if (dport == NULL)
continue;
}
if (!(s->flags & SIG_FLAG_SP_ANY)) {
DetectPort *sport = DetectPortLookupGroup(s->sp,p->sp);
@ -440,6 +441,7 @@ int SigMatchSignatures(ThreadVars *th_v, PatternMatcherThread *pmt, Packet *p)
if (daddr == NULL)
continue;
}
/* reset pkt ptr and offset */
pmt->pkt_ptr = NULL;
pmt->pkt_off = 0;
@ -2002,7 +2004,7 @@ void DbgPrintSigs2(SigGroupHead *sgh) {
/* shortcut for debugging. If enabled Stage5 will
* print sigid's for all groups */
//#define PRINTSIGS
#define PRINTSIGS
/* just printing */
int SigAddressPrepareStage5(void) {
@ -3130,6 +3132,106 @@ end:
return result;
}
int SigTest15 (void) {
u_int8_t *buf = (u_int8_t *)
"CONNECT 213.92.8.7:31204 HTTP/1.1";
u_int16_t buflen = strlen((char *)buf);
Packet p;
ThreadVars th_v;
PatternMatcherThread *pmt;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&p, 0, sizeof(p));
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.tcp_payload = buf;
p.tcp_payload_len = buflen;
p.proto = IPPROTO_TCP;
p.dp = 80;
g_de_ctx = DetectEngineCtxInit();
if (g_de_ctx == NULL) {
goto end;
}
g_de_ctx->flags |= DE_QUIET;
g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
if (g_de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
SigGroupBuild(g_de_ctx);
PatternMatchPrepare(mpm_ctx);
PatternMatcherThreadInit(&th_v, (void *)&pmt);
SigMatchSignatures(&th_v, pmt, &p);
if (PacketAlertCheck(&p, 2008284))
result = 0;
else
result = 1;
SigGroupCleanup();
SigCleanSignatures();
PatternMatcherThreadDeinit(&th_v, (void *)pmt);
PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(g_de_ctx);
end:
return result;
}
int SigTest16 (void) {
u_int8_t *buf = (u_int8_t *)
"CONNECT 213.92.8.7:31204 HTTP/1.1";
u_int16_t buflen = strlen((char *)buf);
Packet p;
ThreadVars th_v;
PatternMatcherThread *pmt;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&p, 0, sizeof(p));
p.src.family = AF_INET;
p.dst.family = AF_INET;
p.tcp_payload = buf;
p.tcp_payload_len = buflen;
p.proto = IPPROTO_TCP;
p.dp = 1234;
g_de_ctx = DetectEngineCtxInit();
if (g_de_ctx == NULL) {
goto end;
}
g_de_ctx->flags |= DE_QUIET;
g_de_ctx->sig_list = SigInit("alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
if (g_de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
SigGroupBuild(g_de_ctx);
PatternMatchPrepare(mpm_ctx);
PatternMatcherThreadInit(&th_v, (void *)&pmt);
SigMatchSignatures(&th_v, pmt, &p);
if (PacketAlertCheck(&p, 2008284))
result = 1;
else
result = 0;
SigGroupCleanup();
SigCleanSignatures();
PatternMatcherThreadDeinit(&th_v, (void *)pmt);
PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(g_de_ctx);
end:
return result;
}
void SigRegisterTests(void) {
SigParseRegisterTests();
UtRegisterTest("SigTest01 -- HTTP URI cap", SigTest01, 1);
@ -3146,5 +3248,7 @@ void SigRegisterTests(void) {
UtRegisterTest("SigTest12 -- content order matching, normal", SigTest12, 1);
UtRegisterTest("SigTest13 -- content order matching, diff order", SigTest13, 1);
UtRegisterTest("SigTest14 -- content order matching, distance 0", SigTest14, 1);
UtRegisterTest("SigTest15 -- port negation sig (no match)", SigTest15, 1);
UtRegisterTest("SigTest16 -- port negation sig (match)", SigTest16, 1);
}

2
src/vips.c
Unescape Escape View File

@ -198,10 +198,10 @@ int main(int argc, char **argv)
TmModuleRegisterTests();
MpmRegisterTests();
SigTableRegisterTests();
SigRegisterTests();
HashTableRegisterTests();
BloomFilterRegisterTests();
BloomFilterCountingRegisterTests();
SigRegisterTests();
UtRunTests();
UtCleanup();
//exit(1);

Write Preview
Loading…
Cancel
Save