tests: fix drop test; cleanup

SigTestDropFlow04 was incorrectly expecting an alert in the packet following a "drop" packet. The first drop is applied to the flow, so it should lead to the 2nd packet being dropped before inspection is run. Clean up the test as well.
4 years ago · 3874d08015
parent e36b9b89a1
commit 3874d08015
1 changed files with 24 additions and 96 deletions
--- a/src/tests/detect.c
+++ b/src/tests/detect.c
@ -4808,7 +4808,6 @@ end:
 *        as usual (instead of on IPS mode) */
 static int SigTestDropFlow04(void)
 {
-    int result = 0;
    Flow f;
    HtpState *http_state = NULL;
    uint8_t http_buf1[] = "POST /one HTTP/1.0\r\n"
@ -4855,127 +4854,56 @@ static int SigTestDropFlow04(void)
    StreamTcpInitConfig(true);

    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
-    if (de_ctx == NULL) {
-        goto end;
-    }
+    FAIL_IF_NULL(de_ctx);
    de_ctx->flags |= DE_QUIET;

-    s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any 80 "
-                                   "(msg:\"Test proto match\"; uricontent:\"one\";"
-                                   "sid:1;)");
-    if (s == NULL) {
-        goto end;
-    }
+    s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 "
+                                      "(msg:\"Test proto match\"; uricontent:\"one\";"
+                                      "sid:1;)");
+    FAIL_IF_NULL(s);

    /* the no inspection flag should be set after the first sig gets triggered,
     * so the second packet should not match the next sig (because of no inspection) */
-    s = de_ctx->sig_list->next = SigInit(de_ctx, "alert tcp any any -> any 80 "
-                                   "(msg:\"Test proto match\"; uricontent:\"two\";"
-                                   "sid:2;)");
-    if (s == NULL) {
-        goto end;
-    }
+    s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any 80 "
+                                      "(msg:\"Test proto match\"; uricontent:\"two\";"
+                                      "sid:2;)");
+    FAIL_IF_NULL(s);

    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);

-    FLOWLOCK_WRLOCK(&f);
    int r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf1, http_buf1_len);
-    if (r != 0) {
-        printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
-        FLOWLOCK_UNLOCK(&f);
-        goto end;
-    }
-    FLOWLOCK_UNLOCK(&f);
+    FAIL_IF_NOT(r == 0);

    http_state = f.alstate;
-    if (http_state == NULL) {
-        printf("no http state: ");
-        goto end;
-    }
+    FAIL_IF_NULL(http_state);

    /* do detect */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p1);

-    if (!PacketAlertCheck(p1, 1)) {
-        printf("sig 1 didn't alert on p1, but it should: ");
-        goto end;
-    }
-
-    if (PacketAlertCheck(p1, 2)) {
-        printf("sig 2 alerted on p1, but it should not: ");
-        goto end;
-    }
-
-    if ( !(p1->flow->flags & FLOW_ACTION_DROP)) {
-        printf("sig 1 alerted but flow was not flagged correctly: ");
-        goto end;
-    }
-
-    if (!(PacketTestAction(p1, ACTION_DROP))) {
-        printf("A \"drop\" action was set from the flow to the packet "
-               "which is right, but setting the flag shouldn't disable "
-               "inspection on the packet in IDS mode");
-        goto end;
-    }
+    FAIL_IF_NOT(PacketAlertCheck(p1, 1));
+    FAIL_IF(PacketAlertCheck(p1, 2));

-    /* Second part.. Let's feed with another packet */
-    if (StreamTcpCheckFlowDrops(p2) == 1) {
-        FlowSetNoPacketInspectionFlag(p2->flow);
-        DecodeSetNoPacketInspectionFlag(p2);
-        StreamTcpDisableAppLayer(p2->flow);
-        p2->action |= ACTION_DROP;
-        /* return the segments to the pool */
-        StreamTcpSessionPktFree(p2);
-    }
+    FAIL_IF_NOT(p1->flow->flags & FLOW_ACTION_DROP);
+    FAIL_IF_NOT(PacketTestAction(p1, ACTION_DROP));

-    if ( (p2->flags & PKT_NOPACKET_INSPECTION)) {
-        printf("The packet was flagged with no-inspection but we are not on IPS mode: ");
-        goto end;
-    }
+    FAIL_IF(p2->flags & PKT_NOPACKET_INSPECTION);

-    FLOWLOCK_WRLOCK(&f);
    r = AppLayerParserParse(
            NULL, alp_tctx, &f, ALPROTO_HTTP1, STREAM_TOSERVER, http_buf2, http_buf2_len);
-    if (r != 0) {
-        printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
-        FLOWLOCK_UNLOCK(&f);
-        goto end;
-    }
-    FLOWLOCK_UNLOCK(&f);
+    FAIL_IF_NOT(r == 0);

    /* do detect */
    SigMatchSignatures(&tv, de_ctx, det_ctx, p2);

-    if (PacketAlertCheck(p2, 1)) {
-        printf("sig 1 alerted, but it should not: ");
-        goto end;
-    }
+    FAIL_IF(PacketAlertCheck(p2, 1));
+    FAIL_IF(PacketAlertCheck(p2, 2));
+    FAIL_IF_NOT(PacketTestAction(p2, ACTION_DROP));

-    if (!PacketAlertCheck(p2, 2)) {
-        printf("sig 2 didn't alert, but it should, since we are not on IPS mode: ");
-        goto end;
-    }
-
-    if (!(PacketTestAction(p2, ACTION_DROP))) {
-        printf("A \"drop\" action was set from the flow to the packet "
-               "which is right, but setting the flag shouldn't disable "
-               "inspection on the packet in IDS mode");
-        goto end;
-    }
-
-    result = 1;
-
-end:
-    if (alp_tctx != NULL)
-        AppLayerParserThreadCtxFree(alp_tctx);
-    if (det_ctx != NULL)
-        DetectEngineThreadCtxDeinit(&tv, det_ctx);
-    if (de_ctx != NULL)
-        SigGroupCleanup(de_ctx);
-    if (de_ctx != NULL)
-        DetectEngineCtxFree(de_ctx);
+    AppLayerParserThreadCtxFree(alp_tctx);
+    DetectEngineThreadCtxDeinit(&tv, det_ctx);
+    DetectEngineCtxFree(de_ctx);

    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
@ -4983,7 +4911,7 @@ end:
    UTHFreePackets(&p1, 1);
    UTHFreePackets(&p2, 1);

-    return result;
+    PASS;
 }

 /** \test ICMP packet shouldn't be matching port based sig