Improve the handling of addresses and ports. Properly detect !any, other full negation. Fix [80:!80] syntax errors being undetected.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent ea1fe0cf61
commit 4cc24fe463

@ -614,6 +614,44 @@ error:
return -1;
}
/** \brief check if the address group list covers the complete
* IPv4 IP space.
* \retval 0 no
* \retval 1 yes
*/
int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *ag) {
uint32_t next_ip = 0;
if (ag == NULL || ag->ad == NULL)
return 0;
/* if we don't start with 0.0.0.0 we know we're good */
if (ntohl(ag->ad->ip[0]) != 0x00000000)
return 0;
/* if we're ending with 255.255.255.255 while we know
we started with 0.0.0.0 it's the complete space */
if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF)
return 1;
next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1);
ag = ag->next;
for ( ; ag != NULL; ag = ag->next) {
if (ag == NULL || ag->ad == NULL)
return 0;
if (ag->ad->ip[0] != next_ip)
return 0;
if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF)
return 1;
next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1);
}
return 0;
}
/* a = 1.2.3.4
* must result in: a == 0.0.0.0-1.2.3.3, b == 1.2.3.5-255.255.255.255
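Review bot: DetectAddressGroupIsCompleteIPSpaceIPv4 reports full coverage only when each group starts exactly at the previous group's `ip2 + 1`, so it depends on the list being sorted and free of overlaps. An overlapping pair that together spans 0.0.0.0-255.255.255.255 returns 0, and the negation guard built on this function would then not fire. Whether the insert path guarantees that ordering is not visible in this hunk, so the precondition belongs in the doc comment, e.g. `\param ag head of the IPv4 group list, sorted ascending and non-overlapping`. The `ag == NULL` half of the test inside the `for` loop is already excluded by the loop condition and could be dropped.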

@ -12,6 +12,7 @@ int DetectAddressCutNotIPv4(DetectAddressData *, DetectAddressData **);
int DetectAddressGroupCutIPv4(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **);
int DetectAddressGroupJoinIPv4(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source);
int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *);
#endif /* __DETECT_ENGINE_ADDRESS_IPV4_H__ */

@ -22,13 +22,15 @@
#include "detect-engine-address-ipv6.h"
#include "detect-engine-port.h"
//#define DEBUG
int DetectAddressSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr);
void DetectAddressTests (void);
void DetectAddressRegister (void) {
sigmatch_table[DETECT_ADDRESS].name = "__address__";
sigmatch_table[DETECT_ADDRESS].Match = NULL;
sigmatch_table[DETECT_ADDRESS].Setup = DetectAddressSetup;
sigmatch_table[DETECT_ADDRESS].Setup = NULL;
sigmatch_table[DETECT_ADDRESS].Free = NULL;
sigmatch_table[DETECT_ADDRESS].RegisterTests = DetectAddressTests;
}
@ -76,6 +78,7 @@ void DetectAddressGroupFree(DetectAddressGroup *ag) {
if (ag->ad != NULL) {
DetectAddressDataFree(ag->ad);
}
ag->ad = NULL;
/* only free the head if we have the original */
if (ag->sh != NULL && !(ag->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY)) {
@ -591,6 +594,10 @@ int DetectAddressGroupSetup(DetectAddressGroupsHead *gh, char *s) {
DetectAddressData *ad = NULL;
int r = 0;
#ifdef DEBUG
printf("DetectAddressGroupSetup: gh %p, s %s\n", gh, s);
#endif
/* parse the address */
ad = DetectAddressParse(s);
if (ad == NULL) {
@ -630,9 +637,9 @@ int DetectAddressGroupSetup(DetectAddressGroupsHead *gh, char *s) {
if (DetectAddressInsert(gh, ad) < 0)
goto error;
ad = DetectAddressParse("::/0");
if (ad == NULL)
goto error;
ad = DetectAddressParse("::/0");
if (ad == NULL)
goto error;
if (DetectAddressInsert(gh, ad) < 0)
goto error;
@ -707,12 +714,38 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh
// return -1;
}
/** \brief See if the addresses and ranges in a group head cover the entire
* ip space.
* \param gh group head to check
* \retval 0 no
* \retval 1 yes
* \todo do the same for IPv6
* \internal
*/
static int DetectAddressGroupIsCompleteIPSpace(DetectAddressGroupsHead *gh) {
int r = DetectAddressGroupIsCompleteIPSpaceIPv4(gh->ipv4_head);
if (r == 1) {
return 1;
}
return 0;
}
/** \brief Merge the + and the - list (+ positive match, - 'not' match) */
int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *ghn) {
DetectAddressData *ad;
DetectAddressGroup *ag, *ag2;
int r = 0;
/* check if the negated list covers the entire ip space. If so
the user screwed up the rules/vars. */
if (DetectAddressGroupIsCompleteIPSpace(ghn) == 1) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: complete IP space negated\n");
#endif
goto error;
}
/* step 0: if the gh list is empty, but the ghn list isn't
* we have a pure not thingy. In that case we add a 0.0.0.0/0
* first. */
@ -738,6 +771,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
if (ad == NULL) {
goto error;
}
r = DetectAddressInsert(gh,ad);
if (r < 0) {
goto error;
@ -751,6 +785,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
if (ad == NULL) {
goto error;
}
r = DetectAddressInsert(gh,ad);
if (r < 0) {
goto error;
@ -759,7 +794,13 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
/* step 2: pull the address blocks that match our 'not' blocks */
for (ag = ghn->ipv4_head; ag != NULL; ag = ag->next) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: ag %p ", ag); DetectAddressDataPrint(ag->ad); printf("\n");
#endif
for (ag2 = gh->ipv4_head; ag2 != NULL; ) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: ag2 %p ", ag2); DetectAddressDataPrint(ag2->ad); printf("\n");
#endif
r = DetectAddressCmp(ag->ad,ag2->ad);
if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */
if (ag2->prev == NULL) {
@ -771,6 +812,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
if (ag2->next != NULL) {
ag2->next->prev = ag2->prev;
}
/* store the next ptr and remove the group */
DetectAddressGroup *next_ag2 = ag2->next;
DetectAddressGroupFree(ag2);
@ -782,11 +824,11 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
}
/* ... and the same for ipv6 */
for (ag = ghn->ipv6_head; ag != NULL; ag = ag->next) {
for (ag2 = gh->ipv6_head; ag2 != NULL; ag2 = ag2->next) {
for (ag2 = gh->ipv6_head; ag2 != NULL; ) {
r = DetectAddressCmp(ag->ad,ag2->ad);
if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */
if (ag2->prev == NULL) {
gh->ipv4_head = ag2->next;
gh->ipv6_head = ag2->next;
} else {
ag2->prev->next = ag2->next;
}
@ -795,11 +837,24 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
ag2->next->prev = ag2->prev;
}
/* store the next ptr and remove the group */
DetectAddressGroup *next_ag2 = ag2->next;
DetectAddressGroupFree(ag2);
ag2 = next_ag2;
} else {
ag2 = ag2->next;
}
}
}
/* if the result is that we have no addresses we return error */
if (gh->ipv4_head == NULL && gh->ipv6_head == NULL) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: no addresses left after merge\n");
#endif
goto error;
}
return 0;
error:
return -1;
@ -809,6 +864,10 @@ error:
int DetectAddressGroupParse(DetectAddressGroupsHead *gh, char *str) {
int r;
#ifdef DEBUG
printf("DetectAddressGroupParse: gh %p, str %s\n", gh, str);
#endif
DetectAddressGroupsHead *ghn = DetectAddressGroupsHeadInit();
if (ghn == NULL) {
goto error;
@ -936,7 +995,7 @@ void DetectAddressParseIPv6CIDR(int cidr, struct in6_addr *in6) {
}
}
int AddressParse(DetectAddressData *dd, char *str) {
static int AddressParse(DetectAddressData *dd, char *str) {
char *ipdup = strdup(str);
char *ip2 = NULL;
char *mask = NULL;
@ -1155,23 +1214,6 @@ error:
return NULL;
}
int DetectAddressSetup (DetectEngineCtx * de_ctx, Signature *s, SigMatch *m, char *addressstr)
{
char *str = addressstr;
char dubbed = 0;
/* strip "'s */
if (addressstr[0] == '\"' && addressstr[strlen(addressstr)-1] == '\"') {
str = strdup(addressstr+1);
str[strlen(addressstr)-2] = '\0';
dubbed = 1;
}
if (dubbed) free(str);
return 0;
}
void DetectAddressDataFree(DetectAddressData *dd) {
if (dd != NULL) {
free(dd);
@ -1240,7 +1282,7 @@ void DetectAddressDataPrint(DetectAddressData *ad) {
}
}
/* find the group matching address in a group head */
/** \brief find the group matching address in a group head */
DetectAddressGroup *
DetectAddressLookupGroup(DetectAddressGroupsHead *gh, Address *a) {
DetectAddressGroup *g;
@ -1718,6 +1760,7 @@ int AddressTestParse30 (void) {
return 0;
}
/** \test make sure !any is rejected */
int AddressTestParse31 (void) {
DetectAddressData *dd = NULL;
dd = DetectAddressParse("!any");
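Review bot: DetectAddressGroupIsCompleteIPSpace consults only `gh->ipv4_head`, so the new guard at the top of DetectAddressGroupMergeNot rejects a negated list that spans all of IPv4 but not one that spans all of IPv6. The `\todo` records this, yet the call site reads as if both families were covered. The closing check needs both `gh->ipv4_head` and `gh->ipv6_head` to be NULL, so a rule that loses one family entirely still loads and presumably matches only the other. I would say so at the call site, e.g. `/* IPv4 only for now: a fully negated IPv6 space is not detected here (see \todo) */`. DetectAddressGroupMergeNot's body is only partly visible across these hunks.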

@ -20,6 +20,8 @@
#include "detect-engine-siggroup.h"
#include "detect-engine-port.h"
//#define DEBUG
int DetectPortSetupTmp (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr);
void DetectPortTests (void);
@ -849,6 +851,10 @@ static int DetectPortParseInsertString(DetectPort **head, char *s) {
DetectPort *ad = NULL;
int r = 0;
#ifdef DEBUG
printf("DetectPortParseInsertString: head %p, *head %p, s %s\n", head, *head, s);
#endif
/* parse the address */
ad = PortParse(s);
if (ad == NULL) {
@ -901,15 +907,27 @@ error:
static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int negate) {
int i, x;
int o_set = 0, n_set = 0;
int range = 0;
int depth = 0;
size_t size = strlen(s);
char address[1024] = "";
#ifdef DEBUG
printf("DetectPortParseDo: head %p, *head %p\n", head, *head);
#endif
for (i = 0, x = 0; i < size && x < sizeof(address); i++) {
address[x] = s[i];
x++;
if (!o_set && s[i] == '!') {
if (s[i] == ':') {
range = 1;
} else if (range == 1 && s[i] == '!') {
#ifdef DEBUG
printf("Can't have a negated value in a range.\n");
#endif
return -1;
} else if (!o_set && s[i] == '!') {
n_set = 1;
x--;
} else if (s[i] == '[') {
@ -919,7 +937,8 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
}
depth++;
} else if (s[i] == ']') {
if (depth == 1) {
range = 0;
if (depth == 1) {
address[x-1] = '\0';
x = 0;
@ -928,11 +947,11 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
}
depth--;
} else if (depth == 0 && s[i] == ',') {
range = 0;
if (o_set == 1) {
o_set = 0;
} else {
address[x-1] = '\0';
if (negate == 0 && n_set == 0) {
DetectPortParseInsertString(head,address);
} else {
@ -942,6 +961,7 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
}
x = 0;
} else if (depth == 0 && i == size-1) {
range = 0;
address[x] = '\0';
x = 0;
@ -959,16 +979,62 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
// return -1;
}
/** \brief check if the port group list covers the complete
* port space.
* \retval 0 no
* \retval 1 yes
*/
int DetectPortIsCompletePortSpace(DetectPort *p) {
uint16_t next_port = 0;
if (p == NULL)
return 0;
if (p->port != 0x0000)
return 0;
/* if we're ending with 0xFFFF while we know
we started with 0x0000 it's the complete space */
if (p->port2 == 0xFFFF)
return 1;
next_port = p->port2 + 1;
p = p->next;
for ( ; p != NULL; p = p->next) {
if (p == NULL)
return 0;
if (p->port != next_port)
return 0;
if (p->port2 == 0xFFFF)
return 1;
next_port = p->port2 + 1;
}
return 0;
}
/* part of the parsing routine */
int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
DetectPort *ad;
DetectPort *ag, *ag2;
int r = 0;
/* check if the full port space is negated */
if (DetectPortIsCompletePortSpace(*nhead) == 1) {
goto error;
}
/* step 0: if the head list is empty, but the nhead list isn't
* we have a pure not thingy. In that case we add a 0:65535
* first. */
if (*head == NULL && *nhead != NULL) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: inserting 0:65535 into head\n");
#endif
r = DetectPortParseInsertString(head,"0:65535");
if (r < 0) {
goto error;
@ -991,7 +1057,13 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
/* step 2: pull the address blocks that match our 'not' blocks */
for (ag = *nhead; ag != NULL; ag = ag->next) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: ag %p ", ag); DetectPortPrint(ag); printf("\n");
#endif
for (ag2 = *head; ag2 != NULL; ) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: ag2 %p ", ag2); DetectPortPrint(ag2); printf("\n");
#endif
r = DetectPortCmp(ag,ag2);
if (r == PORT_EQ || r == PORT_EB) { /* XXX more ??? */
if (ag2->prev == NULL) {
@ -1013,6 +1085,19 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
}
}
for (ag2 = *head; ag2 != NULL; ag2 = ag2->next) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: ag2 %p ", ag2); DetectPortPrint(ag2); printf("\n");
#endif
}
if (*head == NULL) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: no ports left after merge\n");
#endif
goto error;
}
return 0;
error:
return -1;
@ -1021,6 +1106,10 @@ error:
int DetectPortParse(DetectPort **head, char *str) {
int r;
#ifdef DEBUG
printf("DetectPortParse: str %s\n", str);
#endif
/* negate port list */
DetectPort *nhead = NULL;
@ -1029,6 +1118,10 @@ int DetectPortParse(DetectPort **head, char *str) {
goto error;
}
#ifdef DEBUG
printf("DetectPortParse: head %p %p, nhead %p\n", head, *head, nhead);
#endif
/* merge the 'not' address groups */
if (DetectPortParseMergeNotPorts(head,&nhead) < 0) {
goto error;
@ -1339,6 +1432,20 @@ end:
return result;
}
int PortTestParse08 (void) {
DetectPort *dd = NULL;
int result = 0;
int r = DetectPortParse(&dd,"[80:!80]");
if (r == 0)
goto end;
DetectPortCleanupList(dd);
result = 1;
end:
return result;
}
void DetectPortTests(void) {
UtRegisterTest("PortTestParse01", PortTestParse01, 1);
@ -1348,5 +1455,6 @@ void DetectPortTests(void) {
UtRegisterTest("PortTestParse05", PortTestParse05, 1);
UtRegisterTest("PortTestParse06", PortTestParse06, 1);
UtRegisterTest("PortTestParse07", PortTestParse07, 1);
UtRegisterTest("PortTestParse08", PortTestParse08, 1);
}
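Review bot: In DetectPortParseDo the terminator write `address[x] = '\0';` in the `depth == 0 && i == size-1` branch can land one byte past `char address[1024]`, because the loop condition admits `x` up to 1023 and `x++` runs before that branch. The write sits in unchanged context rather than in the lines this commit adds, but the new `range` handling runs through the same loop, so it is worth fixing here. Bounding the copy one short keeps room for the NUL: `for (i = 0, x = 0; i < size && x < sizeof(address) - 1; i++) {`. An element too long for the buffer is then truncated silently, so returning -1 for it would be the stricter choice. The function body is only partly visible across these hunks.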

@ -258,7 +258,7 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) {
addr = "any";
} else {
addr = (char *)addrstr;
//printf("addr \"%s\"\n", addrstr);
//printf("SigParseAddress: addr \"%s\"\n", addrstr);
}
/* pass on to the address(list) parser */
@ -342,7 +342,6 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
//DetectPortPrint(s->dp);
}
if (r < 0) {
printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr);
return -1;
}
@ -408,7 +407,7 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
/* Parse Address & Ports */
if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0)
goto error;
goto error;
/* For "ip" we parse the ports as well, even though they will
be just "any". We do this for later sgh building for the
@ -438,8 +437,10 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) {
char **basics;
int ret = SigParseBasics(s, sigstr, &basics);
if (ret < 0)
if (ret < 0) {
//printf("SigParseBasics failed\n");
return -1;
}
#ifdef DEBUG
DEBUGPRINT("SigParse: %p", basics);
@ -570,8 +571,196 @@ end:
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation01 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation02 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation03 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation04 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation05 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation06 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation07 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
//printf("%s\n", result?"ok":"fail");
//exit(1);
return result;
}
void SigParseRegisterTests(void) {
UtRegisterTest("SigParseTest01", SigParseTest01, 1);
UtRegisterTest("SigParseTest02", SigParseTest02, 1);
UtRegisterTest("SigParseTestNegation01", SigParseTestNegation01, 1);
UtRegisterTest("SigParseTestNegation02", SigParseTestNegation02, 1);
UtRegisterTest("SigParseTestNegation03", SigParseTestNegation03, 1);
UtRegisterTest("SigParseTestNegation04", SigParseTestNegation04, 1);
UtRegisterTest("SigParseTestNegation05", SigParseTestNegation05, 1);
UtRegisterTest("SigParseTestNegation06", SigParseTestNegation06, 1);
UtRegisterTest("SigParseTestNegation07", SigParseTestNegation07, 1);
}
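Review bot: Each SigParseTestNegation case asserts only that SigInit returns NULL, so a rule rejected for an unrelated reason still passes the test. SigParseTestNegation06 (`[100:1000,!1:20000]`) is the clearest case. As far as the visible branches of DetectPortParseDo show, `range` is cleared on a comma only at depth 0, so the `!` after the comma inside the brackets would hit the new "negated value in a range" return before the merge logic this test is meant to cover runs. A companion test that expects a bracketed range followed by a negated single port to load successfully would separate the two outcomes. SigParseTestNegation04 also carries the msg text and sid of Negation03 (`SigTest41-03 dst port [80:!80]`, `sid:410003`) for the `[80,!80]` rule, which makes a failure report ambiguous.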

@ -6349,68 +6349,6 @@ end:
return result;
}
/**
* \test SigTest41Negation01 is a test to check that we don't allow invalid negation options
*/
static int SigTest41Negation01 (void) {
int result = 1;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)");
if (s != NULL) {
printf("We set src ip to !any and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
if (s != NULL) {
printf("We set src port to !any and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
if (s != NULL) {
printf("We set dst port to [80:!80] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
if (s != NULL) {
printf("We set dst ip to [192.168.0.2,!192.168.0.2] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
if (s != NULL) {
printf("We set dst port to [100:1000,!1:20000] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)");
if (s != NULL) {
printf("We set dst ip to [192.168.0.2,!192.168.0.0/24] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
#endif /* UNITTESTS */
void SigRegisterTests(void) {
@ -6561,9 +6499,6 @@ void SigRegisterTests(void) {
UtRegisterTest("SigTest40SignatureIsIPOnly01", SigTest40IPOnly01, 1);
UtRegisterTest("SigTest40SignatureIsIPOnly02", SigTest40IPOnly02, 1);
UtRegisterTest("SigTest40SignatureIsIPOnly03", SigTest40IPOnly03, 1);
UtRegisterTest("SigTestSignature41Negation01", SigTest41Negation01, 1);
#endif /* UNITTESTS */
}
