tests/bsize: Test cases with preceding content

This commit adds test cases that validate behavior when "content"
immediately precedes "bsize".
pull/8165/head
Jeff Lucovsky 5 years ago committed by Victor Julien
parent c91b987732
commit 25c0a6ea7c

@ -1,4 +1,4 @@
/* Copyright (C) 2017 Open Information Security Foundation
/* Copyright (C) 2017-2020 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
@ -96,32 +96,65 @@ static int DetectBsizeTest04(void)
#undef TEST_OK
#undef TEST_FAIL
#define TEST_OK(rule) \
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
FAIL_IF_NULL(s); \
DetectEngineCtxFree(de_ctx); \
}
#define TEST_OK(rule) \
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
SCLogNotice("rule: %s", rule); \
Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
FAIL_IF_NULL(s); \
DetectEngineCtxFree(de_ctx); \
}
#define TEST_FAIL(rule) \
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
FAIL_IF_NOT_NULL(s); \
DetectEngineCtxFree(de_ctx); \
}
#define TEST_FAIL(rule) \
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
SCLogNotice("rule: %s", rule); \
Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
FAIL_IF_NOT_NULL(s); \
DetectEngineCtxFree(de_ctx); \
}
static int DetectBsizeSigTest01(void)
{
#if 0
TEST_OK("alert http any any -> any any (http_request_line; bsize:10; sid:1;)");
TEST_OK("alert http any any -> any any (file_data; bsize:>1000; sid:2;)");
TEST_FAIL("alert tcp any any -> any any (content:\"abc\"; bsize:10; sid:3;)");
TEST_FAIL("alert http any any -> any any (content:\"GET\"; http_method; bsize:10; sid:4;)");
TEST_FAIL("alert http any any -> any any (http_request_line; content:\"GET\"; bsize:<10>; sid:5;)");
/* bsize validation with buffer */
TEST_OK("alert http any any -> any any (http.uri; content:\"/index.php\"; bsize:>1024; "
"sid:6;)");
TEST_OK("alert http any any -> any any (http.uri; content:\"abdcef\"; content: \"g\"; bsize:1; "
"sid:7;)");
TEST_OK("alert http any any -> any any (http.uri; content:\"abdcef\"; content: \"g\"; bsize:4; "
"sid:8;)");
TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<20; "
" sid:9;)");
TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:15<>25; "
"sid:10;)");
TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:2; "
"sid:11;)");
TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<13; "
"sid:12;)");
TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:10<>15; "
"sid:13;)");
TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefghi123456\"; offset:12; "
"bsize:3; sid:14;)");
TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:3; depth:3; "
"bsize:3; sid:15;)");
TEST_FAIL("alert http any any -> any any (http.uri; content:\"abdcef\"; content: \"gh\"; "
"bsize:1; sid:16;)");
TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:3; bsize:3; "
"sid:17;)");
#endif
TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:65535; bsize:3; "
"sid:18;)");
PASS;
}
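Review bot: The `#if 0` / `#endif` pair inside `DetectBsizeSigTest01` compiles out every rule from sid:1 through sid:17, so as shown only the sid:18 case (`offset:65535`) is parsed and the test still reaches `PASS`. The +/- markers are lost on this page, so the guard is assumed to be on the new side; if it is, the content-before-bsize validation cases described in the commit message are never run, and a regression in that rule validation would go unnoticed. Drop the guard before merging, or move any cases that are known to fail into a separate test with a comment saying why they are disabled. Separately, `SCLogNotice("rule: %s", rule);` in both macros prints every rule at notice level and uses the macro argument unparenthesized, unlike the `(rule)` on the next line; `SCLogDebug("rule: %s", (rule));` would keep unit-test output quiet and consistent.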
