diff --git a/src/detect-engine-address-ipv4.c b/src/detect-engine-address-ipv4.c index 975165e42b..94a3d61fc7 100644 --- a/src/detect-engine-address-ipv4.c +++ b/src/detect-engine-address-ipv4.c @@ -614,6 +614,44 @@ error: return -1; } +/** \brief check if the address group list covers the complete + * IPv4 IP space. + * \retval 0 no + * \retval 1 yes + */ +int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *ag) { + uint32_t next_ip = 0; + + if (ag == NULL || ag->ad == NULL) + return 0; + + /* if we don't start with 0.0.0.0 we know we're good */ + if (ntohl(ag->ad->ip[0]) != 0x00000000) + return 0; + + /* if we're ending with 255.255.255.255 while we know + we started with 0.0.0.0 it's the complete space */ + if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF) + return 1; + + next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1); + ag = ag->next; + + for ( ; ag != NULL; ag = ag->next) { + if (ag == NULL || ag->ad == NULL) + return 0; + + if (ag->ad->ip[0] != next_ip) + return 0; + + if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF) + return 1; + + next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1); + } + + return 0; +} /* a = 1.2.3.4 * must result in: a == 0.0.0.0-1.2.3.3, b == 1.2.3.5-255.255.255.255 diff --git a/src/detect-engine-address-ipv4.h b/src/detect-engine-address-ipv4.h index 674e2c1938..4e43b919ab 100644 --- a/src/detect-engine-address-ipv4.h +++ b/src/detect-engine-address-ipv4.h @@ -12,6 +12,7 @@ int DetectAddressCutNotIPv4(DetectAddressData *, DetectAddressData **); int DetectAddressGroupCutIPv4(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); int DetectAddressGroupJoinIPv4(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source); +int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *); #endif /* __DETECT_ENGINE_ADDRESS_IPV4_H__ */ diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c index fbd4624f76..3c95878ef1 100644 --- a/src/detect-engine-address.c +++ b/src/detect-engine-address.c 
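Review bot: DetectAddressGroupIsCompleteIPSpaceIPv4 reports full coverage only when the list is sorted ascending and each range starts exactly one address after the previous one ends (`ag->ad->ip[0] != next_ip` returns 0 otherwise), but the doc comment states no such precondition. If a caller can ever pass overlapping or unsorted ranges (the insert routine that builds the list is not visible in this hunk), a fully negated IPv4 space would go undetected and the rule would be accepted. I would add `\param ag head of a sorted, non-overlapping IPv4 group list` and state the adjacency requirement in the brief. The `ag == NULL` test inside the `for` is dead because the loop condition already excludes it, and keeping `next_ip` in host order (`ntohl(ag->ad->ip[0]) != next_ip`) would avoid the htonl/ntohl round trip.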
@@ -22,13 +22,15 @@ #include "detect-engine-address-ipv6.h" #include "detect-engine-port.h" +//#define DEBUG + int DetectAddressSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); void DetectAddressTests (void); void DetectAddressRegister (void) { sigmatch_table[DETECT_ADDRESS].name = "__address__"; sigmatch_table[DETECT_ADDRESS].Match = NULL; - sigmatch_table[DETECT_ADDRESS].Setup = DetectAddressSetup; + sigmatch_table[DETECT_ADDRESS].Setup = NULL; sigmatch_table[DETECT_ADDRESS].Free = NULL; sigmatch_table[DETECT_ADDRESS].RegisterTests = DetectAddressTests; } @@ -76,6 +78,7 @@ void DetectAddressGroupFree(DetectAddressGroup *ag) { if (ag->ad != NULL) { DetectAddressDataFree(ag->ad); } + ag->ad = NULL; /* only free the head if we have the original */ if (ag->sh != NULL && !(ag->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY)) { @@ -591,6 +594,10 @@ int DetectAddressGroupSetup(DetectAddressGroupsHead *gh, char *s) { DetectAddressData *ad = NULL; int r = 0; +#ifdef DEBUG + printf("DetectAddressGroupSetup: gh %p, s %s\n", gh, s); +#endif + /* parse the address */ ad = DetectAddressParse(s); if (ad == NULL) { @@ -630,9 +637,9 @@ int DetectAddressGroupSetup(DetectAddressGroupsHead *gh, char *s) { if (DetectAddressInsert(gh, ad) < 0) goto error; - ad = DetectAddressParse("::/0"); - if (ad == NULL) - goto error; + ad = DetectAddressParse("::/0"); + if (ad == NULL) + goto error; if (DetectAddressInsert(gh, ad) < 0) goto error; 
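Review bot: The forward declaration `int DetectAddressSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr);` stays in place as context at the top of this hunk while the definition is deleted further down in the same file (hunk at -1155), so the prototype now refers to nothing and should be removed with it. With `.Setup = NULL`, any code that walks `sigmatch_table` and calls `Setup` without a NULL test would dereference a null function pointer; no such caller is visible here, so this is worth confirming. The `//#define DEBUG` line is commented-out code; a build flag would be cleaner than editing the source to toggle it, and the same applies to the identical line added in detect-engine-port.c.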
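Review bot: The debug print added to DetectAddressGroupSetup passes `gh` to `%p` without a cast; `%p` expects `void *`, so it should read `printf("DetectAddressGroupSetup: gh %p, s %s\n", (void *)gh, s);`. The same applies to every other `%p` debug print added in this commit (DetectAddressGroupMergeNot, DetectPortParseInsertString, DetectPortParseDo, DetectPortParseMergeNotPorts, DetectPortParse). Because these lines compile only when DEBUG is defined, the mismatch will not show up in a normal warning-enabled build.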
@@ -707,12 +714,38 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh // return -1; } +/** \brief See if the addresses and ranges in a group head cover the entire + * ip space. + * \param gh group head to check + * \retval 0 no + * \retval 1 yes + * \todo do the same for IPv6 + * \internal + */ +static int DetectAddressGroupIsCompleteIPSpace(DetectAddressGroupsHead *gh) { + int r = DetectAddressGroupIsCompleteIPSpaceIPv4(gh->ipv4_head); + if (r == 1) { + return 1; + } + + return 0; +} + /** \brief Merge the + and the - list (+ positive match, - 'not' match) */ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *ghn) { DetectAddressData *ad; DetectAddressGroup *ag, *ag2; int r = 0; + /* check if the negated list covers the entire ip space. If so + the user screwed up the rules/vars. */ + if (DetectAddressGroupIsCompleteIPSpace(ghn) == 1) { +#ifdef DEBUG + printf("DetectAddressGroupMergeNot: complete IP space negated\n"); +#endif + goto error; + } + /* step 0: if the gh list is empty, but the ghn list isn't * we have a pure not thingy. In that case we add a 0.0.0.0/0 * first. */ @@ -738,6 +771,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH if (ad == NULL) { goto error; } + r = DetectAddressInsert(gh,ad); if (r < 0) { goto error; @@ -751,6 +785,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH if (ad == NULL) { goto error; } + r = DetectAddressInsert(gh,ad); if (r < 0) { goto error; 
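Review bot: The rejection added at the top of DetectAddressGroupMergeNot is explained only by a `printf` under `#ifdef DEBUG`, so in a normal build a rule that negates the whole IPv4 space is dropped with no reason given at this level. For a detection engine an unexplained rule rejection is easy to miss and leaves a coverage gap; unless a caller outside this diff reports it, I would emit the message unconditionally through the engine's normal logging. DetectAddressGroupIsCompleteIPSpace also dereferences `gh` without a NULL check and could be reduced to `return DetectAddressGroupIsCompleteIPSpaceIPv4(gh->ipv4_head) == 1;`. Until the `\todo` is done this check does not look at `ipv6_head` at all, which is worth stating in the comment above the call.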
@@ -759,7 +794,13 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH /* step 2: pull the address blocks that match our 'not' blocks */ for (ag = ghn->ipv4_head; ag != NULL; ag = ag->next) { +#ifdef DEBUG + printf("DetectAddressGroupMergeNot: ag %p ", ag); DetectAddressDataPrint(ag->ad); printf("\n"); +#endif for (ag2 = gh->ipv4_head; ag2 != NULL; ) { +#ifdef DEBUG + printf("DetectAddressGroupMergeNot: ag2 %p ", ag2); DetectAddressDataPrint(ag2->ad); printf("\n"); +#endif r = DetectAddressCmp(ag->ad,ag2->ad); if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */ if (ag2->prev == NULL) { @@ -771,6 +812,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH if (ag2->next != NULL) { ag2->next->prev = ag2->prev; } + /* store the next ptr and remove the group */ DetectAddressGroup *next_ag2 = ag2->next; DetectAddressGroupFree(ag2); @@ -782,11 +824,11 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH } /* ... and the same for ipv6 */ for (ag = ghn->ipv6_head; ag != NULL; ag = ag->next) { - for (ag2 = gh->ipv6_head; ag2 != NULL; ag2 = ag2->next) { + for (ag2 = gh->ipv6_head; ag2 != NULL; ) { r = DetectAddressCmp(ag->ad,ag2->ad); if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */ if (ag2->prev == NULL) { - gh->ipv4_head = ag2->next; + gh->ipv6_head = ag2->next; } else { ag2->prev->next = ag2->next; } 
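Review bot: The IPv6 removal loop is now a line-for-line copy of the IPv4 one, and the two defects fixed here (`gh->ipv4_head` assigned in the IPv6 branch, `ag2` advanced after `DetectAddressGroupFree(ag2)`) are exactly what a copied loop produces. I would move the unlink-and-free walk into one static helper that takes the list head by pointer and call it for `&gh->ipv4_head` and `&gh->ipv6_head`, so the two families cannot drift apart again. The IPv6 loop body continues in the next hunk (-795) and DetectAddressGroupMergeNot itself starts outside these hunks; the helper name below is only a suggestion.

```c
/** \brief unlink and free every group in *head for which
 *         DetectAddressCmp(not_ag->ad, group->ad) is ADDRESS_EQ or ADDRESS_EB */
static void DetectAddressGroupRemoveMatching(DetectAddressGroup **head, DetectAddressGroup *not_ag) {
    DetectAddressGroup *ag2 = *head;

    while (ag2 != NULL) {
        /* store the next ptr before the group can be freed */
        DetectAddressGroup *next_ag2 = ag2->next;
        int r = DetectAddressCmp(not_ag->ad, ag2->ad);

        if (r == ADDRESS_EQ || r == ADDRESS_EB) {
            if (ag2->prev == NULL) {
                *head = ag2->next;
            } else {
                ag2->prev->next = ag2->next;
            }
            if (ag2->next != NULL) {
                ag2->next->prev = ag2->prev;
            }
            DetectAddressGroupFree(ag2);
        }
        ag2 = next_ag2;
    }
}

    /* step 2: pull the address blocks that match our 'not' blocks */
    for (ag = ghn->ipv4_head; ag != NULL; ag = ag->next)
        DetectAddressGroupRemoveMatching(&gh->ipv4_head, ag);
    /* ... and the same for ipv6 */
    for (ag = ghn->ipv6_head; ag != NULL; ag = ag->next)
        DetectAddressGroupRemoveMatching(&gh->ipv6_head, ag);
    /* … unchanged: DEBUG prints, empty-result check … */
```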
@@ -795,11 +837,24 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH ag2->next->prev = ag2->prev; } + /* store the next ptr and remove the group */ + DetectAddressGroup *next_ag2 = ag2->next; DetectAddressGroupFree(ag2); + ag2 = next_ag2; + } else { + ag2 = ag2->next; } } } + /* if the result is that we have no addresses we return error */ + if (gh->ipv4_head == NULL && gh->ipv6_head == NULL) { +#ifdef DEBUG + printf("DetectAddressGroupMergeNot: no addresses left after merge\n"); +#endif + goto error; + } + return 0; error: return -1; @@ -809,6 +864,10 @@ error: int DetectAddressGroupParse(DetectAddressGroupsHead *gh, char *str) { int r; +#ifdef DEBUG + printf("DetectAddressGroupParse: gh %p, str %s\n", gh, str); +#endif + DetectAddressGroupsHead *ghn = DetectAddressGroupsHeadInit(); if (ghn == NULL) { goto error; @@ -936,7 +995,7 @@ void DetectAddressParseIPv6CIDR(int cidr, struct in6_addr *in6) { } } -int AddressParse(DetectAddressData *dd, char *str) { +static int AddressParse(DetectAddressData *dd, char *str) { char *ipdup = strdup(str); char *ip2 = NULL; char *mask = NULL; @@ -1155,23 +1214,6 @@ error: return NULL; } -int DetectAddressSetup (DetectEngineCtx * de_ctx, Signature *s, SigMatch *m, char *addressstr) -{ - char *str = addressstr; - char dubbed = 0; - - /* strip "'s */ - if (addressstr[0] == '\"' && addressstr[strlen(addressstr)-1] == '\"') { - str = strdup(addressstr+1); - str[strlen(addressstr)-2] = '\0'; - dubbed = 1; - } - - - if (dubbed) free(str); - return 0; -} - void DetectAddressDataFree(DetectAddressData *dd) { if (dd != NULL) { free(dd); @@ -1240,7 +1282,7 @@ void DetectAddressDataPrint(DetectAddressData *ad) { } } -/* find the group matching address in a group head */ +/** \brief find the group matching address in a group head */ DetectAddressGroup * DetectAddressLookupGroup(DetectAddressGroupsHead *gh, Address *a) { DetectAddressGroup *g; 
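Review bot: The final check `if (gh->ipv4_head == NULL && gh->ipv6_head == NULL)` fails the merge only when both families end up empty. A list that mixes families and has just one of them cancelled by its negations would still return 0, with that family silently contributing nothing; whether that should be rejected like the single-family case is a policy decision, but the comment should say which is intended, e.g. `/* error only if nothing is left in either family */`. The body of DetectAddressGroupMergeNot starts outside this hunk.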
@@ -1718,6 +1760,7 @@ int AddressTestParse30 (void) { return 0; } +/** \test make sure !any is rejected */ int AddressTestParse31 (void) { DetectAddressData *dd = NULL; dd = DetectAddressParse("!any"); diff --git a/src/detect-engine-port.c b/src/detect-engine-port.c index 6188224fc5..c15c8e7fcb 100644 --- a/src/detect-engine-port.c +++ b/src/detect-engine-port.c @@ -20,6 +20,8 @@ #include "detect-engine-siggroup.h" #include "detect-engine-port.h" +//#define DEBUG + int DetectPortSetupTmp (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); void DetectPortTests (void); @@ -849,6 +851,10 @@ static int DetectPortParseInsertString(DetectPort **head, char *s) { DetectPort *ad = NULL; int r = 0; +#ifdef DEBUG + printf("DetectPortParseInsertString: head %p, *head %p, s %s\n", head, *head, s); +#endif + /* parse the address */ ad = PortParse(s); if (ad == NULL) { @@ -901,15 +907,27 @@ error: static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int negate) { int i, x; int o_set = 0, n_set = 0; + int range = 0; int depth = 0; size_t size = strlen(s); char address[1024] = ""; +#ifdef DEBUG + printf("DetectPortParseDo: head %p, *head %p\n", head, *head); +#endif + for (i = 0, x = 0; i < size && x < sizeof(address); i++) { address[x] = s[i]; x++; - if (!o_set && s[i] == '!') { + if (s[i] == ':') { + range = 1; + } else if (range == 1 && s[i] == '!') { +#ifdef DEBUG + printf("Can't have a negated value in a range.\n"); +#endif + return -1; + } else if (!o_set && s[i] == '!') { n_set = 1; x--; } else if (s[i] == '[') { @@ -919,7 +937,8 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int } depth++; } else if (s[i] == ']') { - if (depth == 1) { + range = 0; + if (depth == 1) { address[x-1] = '\0'; x = 0; 
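Review bot: The loop in DetectPortParseDo can write one byte past `address`: the condition allows `x == sizeof(address) - 1` on entry, `address[x] = s[i]; x++;` then leaves `x == sizeof(address)`, and the end-of-string branch in a later hunk (-942) does `address[x] = '\0'`. The new `range` handling leaves that bound untouched. Bounding the loop with `x < sizeof(address) - 1` and returning -1 when it exits with `i < size` would close the overflow and stop an over-long element from being silently truncated. `i` is an `int` compared against the `size_t` `size`, which is worth tidying at the same time. The function body runs past the end of this hunk.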
@@ -928,11 +947,11 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int } depth--; } else if (depth == 0 && s[i] == ',') { + range = 0; if (o_set == 1) { o_set = 0; } else { address[x-1] = '\0'; - if (negate == 0 && n_set == 0) { DetectPortParseInsertString(head,address); } else { @@ -942,6 +961,7 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int } x = 0; } else if (depth == 0 && i == size-1) { + range = 0; address[x] = '\0'; x = 0; @@ -959,16 +979,62 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int // return -1; } +/** \brief check if the port group list covers the complete + * port space. + * \retval 0 no + * \retval 1 yes + */ +int DetectPortIsCompletePortSpace(DetectPort *p) { + uint16_t next_port = 0; + + if (p == NULL) + return 0; + + if (p->port != 0x0000) + return 0; + + /* if we're ending with 0xFFFF while we know + we started with 0x0000 it's the complete space */ + if (p->port2 == 0xFFFF) + return 1; + + next_port = p->port2 + 1; + p = p->next; + + for ( ; p != NULL; p = p->next) { + if (p == NULL) + return 0; + + if (p->port != next_port) + return 0; + + if (p->port2 == 0xFFFF) + return 1; + + next_port = p->port2 + 1; + } + + return 0; +} + /* part of the parsing routine */ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) { DetectPort *ad; DetectPort *ag, *ag2; int r = 0; + /* check if the full port space is negated */ + if (DetectPortIsCompletePortSpace(*nhead) == 1) { + goto error; + } + /* step 0: if the head list is empty, but the nhead list isn't * we have a pure not thingy. In that case we add a 0:65535 * first. */ if (*head == NULL && *nhead != NULL) { +#ifdef DEBUG + printf("DetectPortParseMergeNotPorts: inserting 0:65535 into head\n"); +#endif r = DetectPortParseInsertString(head,"0:65535"); if (r < 0) { goto error; 
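Review bot: In the `','` branch the result of `DetectPortParseInsertString(head,address);` is discarded, so an element that fails to parse is dropped while the rest of the list is still accepted. Since this commit is about rejecting malformed negations, I would propagate the failure with `if (DetectPortParseInsertString(head,address) < 0) return -1;`, and do the same in the `else` arm, whose body is outside the visible lines. DetectPortParseMergeNotPorts already checks the same function's return value with `if (r < 0) goto error;`.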
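Review bot: DetectPortIsCompletePortSpace is added with external linkage, yet no prototype is added to a header in this diff and its only visible caller is DetectPortParseMergeNotPorts in the same file; declare it `static int DetectPortIsCompletePortSpace(DetectPort *p)` as was done for DetectAddressGroupIsCompleteIPSpace. Like the IPv4 variant it reports full coverage only for a sorted list whose ranges are exactly adjacent (`p->port != next_port` returns 0), so the doc comment should add `\param p head of a sorted, non-overlapping port list`. The `p == NULL` test inside the `for` can never be true.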
@@ -991,7 +1057,13 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) { /* step 2: pull the address blocks that match our 'not' blocks */ for (ag = *nhead; ag != NULL; ag = ag->next) { +#ifdef DEBUG + printf("DetectPortParseMergeNotPorts: ag %p ", ag); DetectPortPrint(ag); printf("\n"); +#endif for (ag2 = *head; ag2 != NULL; ) { +#ifdef DEBUG + printf("DetectPortParseMergeNotPorts: ag2 %p ", ag2); DetectPortPrint(ag2); printf("\n"); +#endif r = DetectPortCmp(ag,ag2); if (r == PORT_EQ || r == PORT_EB) { /* XXX more ??? */ if (ag2->prev == NULL) { @@ -1013,6 +1085,19 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) { } } + for (ag2 = *head; ag2 != NULL; ag2 = ag2->next) { +#ifdef DEBUG + printf("DetectPortParseMergeNotPorts: ag2 %p ", ag2); DetectPortPrint(ag2); printf("\n"); +#endif + } + + if (*head == NULL) { +#ifdef DEBUG + printf("DetectPortParseMergeNotPorts: no ports left after merge\n"); +#endif + goto error; + } + return 0; error: return -1; @@ -1021,6 +1106,10 @@ error: int DetectPortParse(DetectPort **head, char *str) { int r; +#ifdef DEBUG + printf("DetectPortParse: str %s\n", str); +#endif + /* negate port list */ DetectPort *nhead = NULL; @@ -1029,6 +1118,10 @@ int DetectPortParse(DetectPort **head, char *str) { goto error; } +#ifdef DEBUG + printf("DetectPortParse: head %p %p, nhead %p\n", head, *head, nhead); +#endif + /* merge the 'not' address groups */ if (DetectPortParseMergeNotPorts(head,&nhead) < 0) { goto error; @@ -1339,6 +1432,20 @@ end: return result; } +int PortTestParse08 (void) { + DetectPort *dd = NULL; + int result = 0; + + int r = DetectPortParse(&dd,"[80:!80]"); + if (r == 0) + goto end; + + DetectPortCleanupList(dd); + result = 1; +end: + return result; +} + void DetectPortTests(void) { UtRegisterTest("PortTestParse01", PortTestParse01, 1); 
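Review bot: The added `for (ag2 = *head; ag2 != NULL; ag2 = ag2->next)` loop in DetectPortParseMergeNotPorts has a body only when DEBUG is defined, so a normal build walks the whole list and does nothing. Move the `#ifdef DEBUG` / `#endif` pair outside the loop so the traversal disappears together with the print. The `if (*head == NULL)` error that follows gives no reason in non-DEBUG builds, for the same reason.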
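Review bot: PortTestParse08 has no `\test` comment, unlike the other tests touched in this commit; `/** \test make sure a negated value inside a range is rejected */` would match them. When DetectPortParse unexpectedly returns 0 the test jumps to `end` without calling DetectPortCleanupList(dd), so the failing path leaks the list. Moving the cleanup call under `end:` covers both paths, assuming DetectPortCleanupList accepts a NULL or partial list, which is not visible here.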
@@ -1348,5 +1455,6 @@ void DetectPortTests(void) { UtRegisterTest("PortTestParse05", PortTestParse05, 1); UtRegisterTest("PortTestParse06", PortTestParse06, 1); UtRegisterTest("PortTestParse07", PortTestParse07, 1); + UtRegisterTest("PortTestParse08", PortTestParse08, 1); } diff --git a/src/detect-parse.c b/src/detect-parse.c index 2cc9272be0..57b27b10e0 100644 --- a/src/detect-parse.c +++ b/src/detect-parse.c @@ -258,7 +258,7 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) { addr = "any"; } else { addr = (char *)addrstr; - //printf("addr \"%s\"\n", addrstr); + //printf("SigParseAddress: addr \"%s\"\n", addrstr); } /* pass on to the address(list) parser */ @@ -342,7 +342,6 @@ int SigParsePort(Signature *s, const char *portstr, char flag) { //DetectPortPrint(s->dp); } if (r < 0) { - printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr); return -1; } @@ -408,7 +407,7 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) { /* Parse Address & Ports */ if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0) - goto error; + goto error; /* For "ip" we parse the ports as well, even though they will be just "any". We do this for later sgh building for the @@ -438,8 +437,10 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) { char **basics; int ret = SigParseBasics(s, sigstr, &basics); - if (ret < 0) + if (ret < 0) { + //printf("SigParseBasics failed\n"); return -1; +} #ifdef DEBUG DEBUGPRINT("SigParse: %p", basics); 
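Review bot: The braces added around `return -1;` in SigParse exist only to hold `//printf("SigParseBasics failed\n");`, which is commented-out code, and the closing `}` appears to sit at column 0 rather than under the `if`. Either drop the comment and the braces or make the message real. The SigParsePort hunk above also removes the `SigParsePort: DetectPortParse ... failed` print, so after this commit a rejected port or address expression produces no output from the lines visible in this file.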
@@ -570,8 +571,196 @@ end: return result; } +/** + * \test check that we don't allow invalid negation options + */ +static int SigParseTestNegation01 (void) { + int result = 0; + DetectEngineCtx *de_ctx; + Signature *s=NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + s = SigInit(de_ctx,"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)"); + if (s != NULL) { + SigFree(s); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + return result; +} + +/** + * \test check that we don't allow invalid negation options + */ +static int SigParseTestNegation02 (void) { + int result = 0; + DetectEngineCtx *de_ctx; + Signature *s=NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + s = SigInit(de_ctx,"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)"); + if (s != NULL) { + SigFree(s); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + return result; +} +/** + * \test check that we don't allow invalid negation options + */ +static int SigParseTestNegation03 (void) { + int result = 0; + DetectEngineCtx *de_ctx; + Signature *s=NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + s = SigInit(de_ctx,"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)"); + if (s != NULL) { + SigFree(s); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + return result; +} +/** + * \test check that we don't allow invalid negation options + */ +static int SigParseTestNegation04 (void) { + int result = 0; + DetectEngineCtx *de_ctx; + Signature *s=NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto 
end; + de_ctx->flags |= DE_QUIET; + + s = SigInit(de_ctx,"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)"); + if (s != NULL) { + SigFree(s); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + return result; +} +/** + * \test check that we don't allow invalid negation options + */ +static int SigParseTestNegation05 (void) { + int result = 0; + DetectEngineCtx *de_ctx; + Signature *s=NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)"); + if (s != NULL) { + SigFree(s); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + return result; +} +/** + * \test check that we don't allow invalid negation options + */ +static int SigParseTestNegation06 (void) { + int result = 0; + DetectEngineCtx *de_ctx; + Signature *s=NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + s = SigInit(de_ctx,"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)"); + if (s != NULL) { + SigFree(s); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + return result; +} +/** + * \test check that we don't allow invalid negation options + */ +static int SigParseTestNegation07 (void) { + int result = 0; + DetectEngineCtx *de_ctx; + Signature *s=NULL; + + de_ctx = DetectEngineCtxInit(); + if (de_ctx == NULL) + goto end; + de_ctx->flags |= DE_QUIET; + + s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)"); + if 
(s != NULL) { + SigFree(s); + goto end; + } + + result = 1; +end: + if (de_ctx != NULL) + DetectEngineCtxFree(de_ctx); + +//printf("%s\n", result?"ok":"fail"); +//exit(1); + return result; +} + + void SigParseRegisterTests(void) { UtRegisterTest("SigParseTest01", SigParseTest01, 1); UtRegisterTest("SigParseTest02", SigParseTest02, 1); + UtRegisterTest("SigParseTestNegation01", SigParseTestNegation01, 1); + UtRegisterTest("SigParseTestNegation02", SigParseTestNegation02, 1); + UtRegisterTest("SigParseTestNegation03", SigParseTestNegation03, 1); + UtRegisterTest("SigParseTestNegation04", SigParseTestNegation04, 1); + UtRegisterTest("SigParseTestNegation05", SigParseTestNegation05, 1); + UtRegisterTest("SigParseTestNegation06", SigParseTestNegation06, 1); + UtRegisterTest("SigParseTestNegation07", SigParseTestNegation07, 1); } diff --git a/src/detect.c b/src/detect.c index 60495d82ef..7170fc026e 100644 --- a/src/detect.c +++ b/src/detect.c 
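Review bot: SigParseTestNegation04 tests `[80,!80]` but its rule text still carries the message and sid of the previous case (`SigTest41-03 dst port [80:!80]`, `sid:410003`), and SigParseTestNegation02 negates the source port while its message says `src ip is !any`; the strings should describe what each test checks. The seven functions differ only in the rule string, so a shared helper would shrink each to one line and make the next case cheap to add. Each test passes on any SigInit failure, so it cannot tell a negation rejection from an unrelated parse error; that limit deserves a line in the `\test` comments. The commented-out `//printf` and `//exit(1);` in SigParseTestNegation07 should be removed.

```c
/** \brief return 1 if SigInit rejects sigstr, 0 if it is accepted or the
 *         detection engine context cannot be created */
static int SigParseTestRejected(char *sigstr) {
    int result = 0;
    Signature *s = NULL;
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();

    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    s = SigInit(de_ctx, sigstr);
    if (s != NULL) {
        SigFree(s);
        goto end;
    }

    result = 1;
end:
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}

/** \test a negated "any" source address is rejected */
static int SigParseTestNegation01 (void) {
    return SigParseTestRejected("alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)");
}
/* … unchanged: SigParseTestNegation02-07 reduce the same way, test registration … */
```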
@@ -6349,68 +6349,6 @@ end: return result; } -/** - * \test SigTest41Negation01 is a test to check that we don't allow invalid negation options - */ - -static int SigTest41Negation01 (void) { - int result = 1; - DetectEngineCtx *de_ctx; - Signature *s=NULL; - - de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto end; - de_ctx->flags |= DE_QUIET; - - s = SigInit(de_ctx,"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)"); - if (s != NULL) { - printf("We set src ip to !any and the sig was parsed successfully: "); - SigFree(s); - result = 0; - } - - s = SigInit(de_ctx,"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)"); - if (s != NULL) { - printf("We set src port to !any and the sig was parsed successfully: "); - SigFree(s); - result = 0; - } - - s = SigInit(de_ctx,"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)"); - if (s != NULL) { - printf("We set dst port to [80:!80] and the sig was parsed successfully: "); - SigFree(s); - result = 0; - } - - s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)"); - if (s != NULL) { - printf("We set dst ip to [192.168.0.2,!192.168.0.2] and the sig was parsed successfully: "); - SigFree(s); - result = 0; - } - - s = SigInit(de_ctx,"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)"); - if (s != NULL) { - printf("We set dst port to [100:1000,!1:20000] and the sig was parsed successfully: "); - SigFree(s); - result = 0; - } - - s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)"); 
- if (s != NULL) { - printf("We set dst ip to [192.168.0.2,!192.168.0.0/24] and the sig was parsed successfully: "); - SigFree(s); - result = 0; - } - -end: - if (de_ctx != NULL) - DetectEngineCtxFree(de_ctx); - return result; -} - #endif /* UNITTESTS */ void SigRegisterTests(void) { @@ -6561,9 +6499,6 @@ void SigRegisterTests(void) { UtRegisterTest("SigTest40SignatureIsIPOnly01", SigTest40IPOnly01, 1); UtRegisterTest("SigTest40SignatureIsIPOnly02", SigTest40IPOnly02, 1); UtRegisterTest("SigTest40SignatureIsIPOnly03", SigTest40IPOnly03, 1); - - UtRegisterTest("SigTestSignature41Negation01", SigTest41Negation01, 1); - #endif /* UNITTESTS */ }