Improve the handling of addresses and ports. Properly detect !any, other full negation. Fix [80:!80] syntax errors being undetected.

remotes/origin/master-1.0.x
Victor Julien 16 years ago
parent ea1fe0cf61
commit 4cc24fe463

@ -614,6 +614,44 @@ error:
return -1; return -1;
} }
/** \brief check if the address group list covers the complete
* IPv4 IP space.
* \retval 0 no
* \retval 1 yes
*/
int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *ag) {
uint32_t next_ip = 0;
if (ag == NULL || ag->ad == NULL)
return 0;
/* if we don't start with 0.0.0.0 we know we're good */
if (ntohl(ag->ad->ip[0]) != 0x00000000)
return 0;
/* if we're ending with 255.255.255.255 while we know
we started with 0.0.0.0 it's the complete space */
if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF)
return 1;
next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1);
ag = ag->next;
for ( ; ag != NULL; ag = ag->next) {
if (ag == NULL || ag->ad == NULL)
return 0;
if (ag->ad->ip[0] != next_ip)
return 0;
if (ntohl(ag->ad->ip2[0]) == 0xFFFFFFFF)
return 1;
next_ip = htonl(ntohl(ag->ad->ip2[0]) + 1);
}
return 0;
}
/* a = 1.2.3.4 /* a = 1.2.3.4
* must result in: a == 0.0.0.0-1.2.3.3, b == 1.2.3.5-255.255.255.255 * must result in: a == 0.0.0.0-1.2.3.3, b == 1.2.3.5-255.255.255.255
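Review bot: DetectAddressGroupIsCompleteIPSpaceIPv4 reports full coverage only when each group starts exactly at the previous group's `ip2 + 1`, so it depends on the list being sorted ascending with no overlapping ranges, and the doc comment does not say so. If a caller can pass an unsorted or overlapping list, a negation that covers all of IPv4 would go undetected. I would add `\pre list is sorted ascending and ranges do not overlap` to the Doxygen block, or confirm that the insert path guarantees it. Inside the loop, the `ag == NULL` half of `if (ag == NULL || ag->ad == NULL)` can never be true because the `for` condition already tests it, so `if (ag->ad == NULL)` is enough.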

@ -12,6 +12,7 @@ int DetectAddressCutNotIPv4(DetectAddressData *, DetectAddressData **);
int DetectAddressGroupCutIPv4(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **); int DetectAddressGroupCutIPv4(DetectEngineCtx *, DetectAddressGroup *, DetectAddressGroup *, DetectAddressGroup **);
int DetectAddressGroupJoinIPv4(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source); int DetectAddressGroupJoinIPv4(DetectEngineCtx *, DetectAddressGroup *target, DetectAddressGroup *source);
int DetectAddressGroupIsCompleteIPSpaceIPv4(DetectAddressGroup *);
#endif /* __DETECT_ENGINE_ADDRESS_IPV4_H__ */ #endif /* __DETECT_ENGINE_ADDRESS_IPV4_H__ */

@ -22,13 +22,15 @@
#include "detect-engine-address-ipv6.h" #include "detect-engine-address-ipv6.h"
#include "detect-engine-port.h" #include "detect-engine-port.h"
//#define DEBUG
int DetectAddressSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); int DetectAddressSetup (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr);
void DetectAddressTests (void); void DetectAddressTests (void);
void DetectAddressRegister (void) { void DetectAddressRegister (void) {
sigmatch_table[DETECT_ADDRESS].name = "__address__"; sigmatch_table[DETECT_ADDRESS].name = "__address__";
sigmatch_table[DETECT_ADDRESS].Match = NULL; sigmatch_table[DETECT_ADDRESS].Match = NULL;
sigmatch_table[DETECT_ADDRESS].Setup = DetectAddressSetup; sigmatch_table[DETECT_ADDRESS].Setup = NULL;
sigmatch_table[DETECT_ADDRESS].Free = NULL; sigmatch_table[DETECT_ADDRESS].Free = NULL;
sigmatch_table[DETECT_ADDRESS].RegisterTests = DetectAddressTests; sigmatch_table[DETECT_ADDRESS].RegisterTests = DetectAddressTests;
} }
@ -76,6 +78,7 @@ void DetectAddressGroupFree(DetectAddressGroup *ag) {
if (ag->ad != NULL) { if (ag->ad != NULL) {
DetectAddressDataFree(ag->ad); DetectAddressDataFree(ag->ad);
} }
ag->ad = NULL;
/* only free the head if we have the original */ /* only free the head if we have the original */
if (ag->sh != NULL && !(ag->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY)) { if (ag->sh != NULL && !(ag->flags & ADDRESS_GROUP_SIGGROUPHEAD_COPY)) {
@ -591,6 +594,10 @@ int DetectAddressGroupSetup(DetectAddressGroupsHead *gh, char *s) {
DetectAddressData *ad = NULL; DetectAddressData *ad = NULL;
int r = 0; int r = 0;
#ifdef DEBUG
printf("DetectAddressGroupSetup: gh %p, s %s\n", gh, s);
#endif
/* parse the address */ /* parse the address */
ad = DetectAddressParse(s); ad = DetectAddressParse(s);
if (ad == NULL) { if (ad == NULL) {
@ -630,9 +637,9 @@ int DetectAddressGroupSetup(DetectAddressGroupsHead *gh, char *s) {
if (DetectAddressInsert(gh, ad) < 0) if (DetectAddressInsert(gh, ad) < 0)
goto error; goto error;
ad = DetectAddressParse("::/0"); ad = DetectAddressParse("::/0");
if (ad == NULL) if (ad == NULL)
goto error; goto error;
if (DetectAddressInsert(gh, ad) < 0) if (DetectAddressInsert(gh, ad) < 0)
goto error; goto error;
@ -707,12 +714,38 @@ int DetectAddressParse2(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *gh
// return -1; // return -1;
} }
/** \brief See if the addresses and ranges in a group head cover the entire
* ip space.
* \param gh group head to check
* \retval 0 no
* \retval 1 yes
* \todo do the same for IPv6
* \internal
*/
static int DetectAddressGroupIsCompleteIPSpace(DetectAddressGroupsHead *gh) {
int r = DetectAddressGroupIsCompleteIPSpaceIPv4(gh->ipv4_head);
if (r == 1) {
return 1;
}
return 0;
}
/** \brief Merge the + and the - list (+ positive match, - 'not' match) */ /** \brief Merge the + and the - list (+ positive match, - 'not' match) */
int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *ghn) { int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsHead *ghn) {
DetectAddressData *ad; DetectAddressData *ad;
DetectAddressGroup *ag, *ag2; DetectAddressGroup *ag, *ag2;
int r = 0; int r = 0;
/* check if the negated list covers the entire ip space. If so
the user screwed up the rules/vars. */
if (DetectAddressGroupIsCompleteIPSpace(ghn) == 1) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: complete IP space negated\n");
#endif
goto error;
}
/* step 0: if the gh list is empty, but the ghn list isn't /* step 0: if the gh list is empty, but the ghn list isn't
* we have a pure not thingy. In that case we add a 0.0.0.0/0 * we have a pure not thingy. In that case we add a 0.0.0.0/0
* first. */ * first. */
@ -738,6 +771,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
if (ad == NULL) { if (ad == NULL) {
goto error; goto error;
} }
r = DetectAddressInsert(gh,ad); r = DetectAddressInsert(gh,ad);
if (r < 0) { if (r < 0) {
goto error; goto error;
@ -751,6 +785,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
if (ad == NULL) { if (ad == NULL) {
goto error; goto error;
} }
r = DetectAddressInsert(gh,ad); r = DetectAddressInsert(gh,ad);
if (r < 0) { if (r < 0) {
goto error; goto error;
@ -759,7 +794,13 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
/* step 2: pull the address blocks that match our 'not' blocks */ /* step 2: pull the address blocks that match our 'not' blocks */
for (ag = ghn->ipv4_head; ag != NULL; ag = ag->next) { for (ag = ghn->ipv4_head; ag != NULL; ag = ag->next) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: ag %p ", ag); DetectAddressDataPrint(ag->ad); printf("\n");
#endif
for (ag2 = gh->ipv4_head; ag2 != NULL; ) { for (ag2 = gh->ipv4_head; ag2 != NULL; ) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: ag2 %p ", ag2); DetectAddressDataPrint(ag2->ad); printf("\n");
#endif
r = DetectAddressCmp(ag->ad,ag2->ad); r = DetectAddressCmp(ag->ad,ag2->ad);
if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */ if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */
if (ag2->prev == NULL) { if (ag2->prev == NULL) {
@ -771,6 +812,7 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
if (ag2->next != NULL) { if (ag2->next != NULL) {
ag2->next->prev = ag2->prev; ag2->next->prev = ag2->prev;
} }
/* store the next ptr and remove the group */ /* store the next ptr and remove the group */
DetectAddressGroup *next_ag2 = ag2->next; DetectAddressGroup *next_ag2 = ag2->next;
DetectAddressGroupFree(ag2); DetectAddressGroupFree(ag2);
@ -782,11 +824,11 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
} }
/* ... and the same for ipv6 */ /* ... and the same for ipv6 */
for (ag = ghn->ipv6_head; ag != NULL; ag = ag->next) { for (ag = ghn->ipv6_head; ag != NULL; ag = ag->next) {
for (ag2 = gh->ipv6_head; ag2 != NULL; ag2 = ag2->next) { for (ag2 = gh->ipv6_head; ag2 != NULL; ) {
r = DetectAddressCmp(ag->ad,ag2->ad); r = DetectAddressCmp(ag->ad,ag2->ad);
if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */ if (r == ADDRESS_EQ || r == ADDRESS_EB) { /* XXX more ??? */
if (ag2->prev == NULL) { if (ag2->prev == NULL) {
gh->ipv4_head = ag2->next; gh->ipv6_head = ag2->next;
} else { } else {
ag2->prev->next = ag2->next; ag2->prev->next = ag2->next;
} }
@ -795,11 +837,24 @@ int DetectAddressGroupMergeNot(DetectAddressGroupsHead *gh, DetectAddressGroupsH
ag2->next->prev = ag2->prev; ag2->next->prev = ag2->prev;
} }
/* store the next ptr and remove the group */
DetectAddressGroup *next_ag2 = ag2->next;
DetectAddressGroupFree(ag2); DetectAddressGroupFree(ag2);
ag2 = next_ag2;
} else {
ag2 = ag2->next;
} }
} }
} }
/* if the result is that we have no addresses we return error */
if (gh->ipv4_head == NULL && gh->ipv6_head == NULL) {
#ifdef DEBUG
printf("DetectAddressGroupMergeNot: no addresses left after merge\n");
#endif
goto error;
}
return 0; return 0;
error: error:
return -1; return -1;
@ -809,6 +864,10 @@ error:
int DetectAddressGroupParse(DetectAddressGroupsHead *gh, char *str) { int DetectAddressGroupParse(DetectAddressGroupsHead *gh, char *str) {
int r; int r;
#ifdef DEBUG
printf("DetectAddressGroupParse: gh %p, str %s\n", gh, str);
#endif
DetectAddressGroupsHead *ghn = DetectAddressGroupsHeadInit(); DetectAddressGroupsHead *ghn = DetectAddressGroupsHeadInit();
if (ghn == NULL) { if (ghn == NULL) {
goto error; goto error;
@ -936,7 +995,7 @@ void DetectAddressParseIPv6CIDR(int cidr, struct in6_addr *in6) {
} }
} }
int AddressParse(DetectAddressData *dd, char *str) { static int AddressParse(DetectAddressData *dd, char *str) {
char *ipdup = strdup(str); char *ipdup = strdup(str);
char *ip2 = NULL; char *ip2 = NULL;
char *mask = NULL; char *mask = NULL;
@ -1155,23 +1214,6 @@ error:
return NULL; return NULL;
} }
int DetectAddressSetup (DetectEngineCtx * de_ctx, Signature *s, SigMatch *m, char *addressstr)
{
char *str = addressstr;
char dubbed = 0;
/* strip "'s */
if (addressstr[0] == '\"' && addressstr[strlen(addressstr)-1] == '\"') {
str = strdup(addressstr+1);
str[strlen(addressstr)-2] = '\0';
dubbed = 1;
}
if (dubbed) free(str);
return 0;
}
void DetectAddressDataFree(DetectAddressData *dd) { void DetectAddressDataFree(DetectAddressData *dd) {
if (dd != NULL) { if (dd != NULL) {
free(dd); free(dd);
@ -1240,7 +1282,7 @@ void DetectAddressDataPrint(DetectAddressData *ad) {
} }
} }
/* find the group matching address in a group head */ /** \brief find the group matching address in a group head */
DetectAddressGroup * DetectAddressGroup *
DetectAddressLookupGroup(DetectAddressGroupsHead *gh, Address *a) { DetectAddressLookupGroup(DetectAddressGroupsHead *gh, Address *a) {
DetectAddressGroup *g; DetectAddressGroup *g;
@ -1718,6 +1760,7 @@ int AddressTestParse30 (void) {
return 0; return 0;
} }
/** \test make sure !any is rejected */
int AddressTestParse31 (void) { int AddressTestParse31 (void) {
DetectAddressData *dd = NULL; DetectAddressData *dd = NULL;
dd = DetectAddressParse("!any"); dd = DetectAddressParse("!any");
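Review bot: The early rejection in DetectAddressGroupMergeNot calls DetectAddressGroupIsCompleteIPSpace, which looks only at `gh->ipv4_head`, so the call-site comment `check if the negated list covers the entire ip space` overstates what is tested. As written, a negated list covering all of IPv4 is rejected outright, while one covering all of IPv6 passes this check and would be caught only by the final `gh->ipv4_head == NULL && gh->ipv6_head == NULL` test, which needs the IPv4 list to be empty as well. Until the `\todo` is done I would reword the call-site comment to `/* check if the negated list covers the entire IPv4 space (IPv6 is not checked yet) */` and add an address test for the IPv6 case so the gap stays visible. The `DetectAddressSetup` prototype near the top of the file also appears to be left behind now that the function is removed and `.Setup` is NULL.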

@ -20,6 +20,8 @@
#include "detect-engine-siggroup.h" #include "detect-engine-siggroup.h"
#include "detect-engine-port.h" #include "detect-engine-port.h"
//#define DEBUG
int DetectPortSetupTmp (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr); int DetectPortSetupTmp (DetectEngineCtx *, Signature *s, SigMatch *m, char *sidstr);
void DetectPortTests (void); void DetectPortTests (void);
@ -849,6 +851,10 @@ static int DetectPortParseInsertString(DetectPort **head, char *s) {
DetectPort *ad = NULL; DetectPort *ad = NULL;
int r = 0; int r = 0;
#ifdef DEBUG
printf("DetectPortParseInsertString: head %p, *head %p, s %s\n", head, *head, s);
#endif
/* parse the address */ /* parse the address */
ad = PortParse(s); ad = PortParse(s);
if (ad == NULL) { if (ad == NULL) {
@ -901,15 +907,27 @@ error:
static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int negate) { static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int negate) {
int i, x; int i, x;
int o_set = 0, n_set = 0; int o_set = 0, n_set = 0;
int range = 0;
int depth = 0; int depth = 0;
size_t size = strlen(s); size_t size = strlen(s);
char address[1024] = ""; char address[1024] = "";
#ifdef DEBUG
printf("DetectPortParseDo: head %p, *head %p\n", head, *head);
#endif
for (i = 0, x = 0; i < size && x < sizeof(address); i++) { for (i = 0, x = 0; i < size && x < sizeof(address); i++) {
address[x] = s[i]; address[x] = s[i];
x++; x++;
if (!o_set && s[i] == '!') { if (s[i] == ':') {
range = 1;
} else if (range == 1 && s[i] == '!') {
#ifdef DEBUG
printf("Can't have a negated value in a range.\n");
#endif
return -1;
} else if (!o_set && s[i] == '!') {
n_set = 1; n_set = 1;
x--; x--;
} else if (s[i] == '[') { } else if (s[i] == '[') {
@ -919,7 +937,8 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
} }
depth++; depth++;
} else if (s[i] == ']') { } else if (s[i] == ']') {
if (depth == 1) { range = 0;
if (depth == 1) {
address[x-1] = '\0'; address[x-1] = '\0';
x = 0; x = 0;
@ -928,11 +947,11 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
} }
depth--; depth--;
} else if (depth == 0 && s[i] == ',') { } else if (depth == 0 && s[i] == ',') {
range = 0;
if (o_set == 1) { if (o_set == 1) {
o_set = 0; o_set = 0;
} else { } else {
address[x-1] = '\0'; address[x-1] = '\0';
if (negate == 0 && n_set == 0) { if (negate == 0 && n_set == 0) {
DetectPortParseInsertString(head,address); DetectPortParseInsertString(head,address);
} else { } else {
@ -942,6 +961,7 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
} }
x = 0; x = 0;
} else if (depth == 0 && i == size-1) { } else if (depth == 0 && i == size-1) {
range = 0;
address[x] = '\0'; address[x] = '\0';
x = 0; x = 0;
@ -959,16 +979,62 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,int
// return -1; // return -1;
} }
/** \brief check if the port group list covers the complete
* port space.
* \retval 0 no
* \retval 1 yes
*/
int DetectPortIsCompletePortSpace(DetectPort *p) {
uint16_t next_port = 0;
if (p == NULL)
return 0;
if (p->port != 0x0000)
return 0;
/* if we're ending with 0xFFFF while we know
we started with 0x0000 it's the complete space */
if (p->port2 == 0xFFFF)
return 1;
next_port = p->port2 + 1;
p = p->next;
for ( ; p != NULL; p = p->next) {
if (p == NULL)
return 0;
if (p->port != next_port)
return 0;
if (p->port2 == 0xFFFF)
return 1;
next_port = p->port2 + 1;
}
return 0;
}
/* part of the parsing routine */ /* part of the parsing routine */
int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) { int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
DetectPort *ad; DetectPort *ad;
DetectPort *ag, *ag2; DetectPort *ag, *ag2;
int r = 0; int r = 0;
/* check if the full port space is negated */
if (DetectPortIsCompletePortSpace(*nhead) == 1) {
goto error;
}
/* step 0: if the head list is empty, but the nhead list isn't /* step 0: if the head list is empty, but the nhead list isn't
* we have a pure not thingy. In that case we add a 0:65535 * we have a pure not thingy. In that case we add a 0:65535
* first. */ * first. */
if (*head == NULL && *nhead != NULL) { if (*head == NULL && *nhead != NULL) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: inserting 0:65535 into head\n");
#endif
r = DetectPortParseInsertString(head,"0:65535"); r = DetectPortParseInsertString(head,"0:65535");
if (r < 0) { if (r < 0) {
goto error; goto error;
@ -991,7 +1057,13 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
/* step 2: pull the address blocks that match our 'not' blocks */ /* step 2: pull the address blocks that match our 'not' blocks */
for (ag = *nhead; ag != NULL; ag = ag->next) { for (ag = *nhead; ag != NULL; ag = ag->next) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: ag %p ", ag); DetectPortPrint(ag); printf("\n");
#endif
for (ag2 = *head; ag2 != NULL; ) { for (ag2 = *head; ag2 != NULL; ) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: ag2 %p ", ag2); DetectPortPrint(ag2); printf("\n");
#endif
r = DetectPortCmp(ag,ag2); r = DetectPortCmp(ag,ag2);
if (r == PORT_EQ || r == PORT_EB) { /* XXX more ??? */ if (r == PORT_EQ || r == PORT_EB) { /* XXX more ??? */
if (ag2->prev == NULL) { if (ag2->prev == NULL) {
@ -1013,6 +1085,19 @@ int DetectPortParseMergeNotPorts(DetectPort **head, DetectPort **nhead) {
} }
} }
for (ag2 = *head; ag2 != NULL; ag2 = ag2->next) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: ag2 %p ", ag2); DetectPortPrint(ag2); printf("\n");
#endif
}
if (*head == NULL) {
#ifdef DEBUG
printf("DetectPortParseMergeNotPorts: no ports left after merge\n");
#endif
goto error;
}
return 0; return 0;
error: error:
return -1; return -1;
@ -1021,6 +1106,10 @@ error:
int DetectPortParse(DetectPort **head, char *str) { int DetectPortParse(DetectPort **head, char *str) {
int r; int r;
#ifdef DEBUG
printf("DetectPortParse: str %s\n", str);
#endif
/* negate port list */ /* negate port list */
DetectPort *nhead = NULL; DetectPort *nhead = NULL;
@ -1029,6 +1118,10 @@ int DetectPortParse(DetectPort **head, char *str) {
goto error; goto error;
} }
#ifdef DEBUG
printf("DetectPortParse: head %p %p, nhead %p\n", head, *head, nhead);
#endif
/* merge the 'not' address groups */ /* merge the 'not' address groups */
if (DetectPortParseMergeNotPorts(head,&nhead) < 0) { if (DetectPortParseMergeNotPorts(head,&nhead) < 0) {
goto error; goto error;
@ -1339,6 +1432,20 @@ end:
return result; return result;
} }
int PortTestParse08 (void) {
DetectPort *dd = NULL;
int result = 0;
int r = DetectPortParse(&dd,"[80:!80]");
if (r == 0)
goto end;
DetectPortCleanupList(dd);
result = 1;
end:
return result;
}
void DetectPortTests(void) { void DetectPortTests(void) {
UtRegisterTest("PortTestParse01", PortTestParse01, 1); UtRegisterTest("PortTestParse01", PortTestParse01, 1);
@ -1348,5 +1455,6 @@ void DetectPortTests(void) {
UtRegisterTest("PortTestParse05", PortTestParse05, 1); UtRegisterTest("PortTestParse05", PortTestParse05, 1);
UtRegisterTest("PortTestParse06", PortTestParse06, 1); UtRegisterTest("PortTestParse06", PortTestParse06, 1);
UtRegisterTest("PortTestParse07", PortTestParse07, 1); UtRegisterTest("PortTestParse07", PortTestParse07, 1);
UtRegisterTest("PortTestParse08", PortTestParse08, 1);
} }
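Review bot: In DetectPortParseDo the new `range` flag is set on ':' but cleared only on ']', on ',' at depth 0, and at the end of the string, so a ',' inside a bracketed list does not clear it. From the visible lines, an input such as `[80:90,!85]` would hit `range == 1 && s[i] == '!'` on the outer pass and be rejected as a negated range value, and `[100:1000,!1:20000]` in the new tests may be failing for this reason rather than because the merge left no ports. Clearing the flag on every comma, e.g. `if (s[i] == ',') range = 0;` ahead of the `if`/`else if` chain, would limit the check to a real `a:!b` range. Separately, the loop lets `x` reach `sizeof(address)` after `x++`, so the `address[x] = '\0'` in the last-character branch can write one byte past the buffer; bounding the loop with `x < sizeof(address) - 1` avoids that. Parts of the function lie outside the hunks, so both points should be checked against the full body.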

@ -258,7 +258,7 @@ int SigParseAddress(Signature *s, const char *addrstr, char flag) {
addr = "any"; addr = "any";
} else { } else {
addr = (char *)addrstr; addr = (char *)addrstr;
//printf("addr \"%s\"\n", addrstr); //printf("SigParseAddress: addr \"%s\"\n", addrstr);
} }
/* pass on to the address(list) parser */ /* pass on to the address(list) parser */
@ -342,7 +342,6 @@ int SigParsePort(Signature *s, const char *portstr, char flag) {
//DetectPortPrint(s->dp); //DetectPortPrint(s->dp);
} }
if (r < 0) { if (r < 0) {
printf("SigParsePort: DetectPortParse \"%s\" failed\n", portstr);
return -1; return -1;
} }
@ -408,7 +407,7 @@ int SigParseBasics(Signature *s, char *sigstr, char ***result) {
/* Parse Address & Ports */ /* Parse Address & Ports */
if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0) if (SigParseAddress(s, arr[CONFIG_SRC], 0) < 0)
goto error; goto error;
/* For "ip" we parse the ports as well, even though they will /* For "ip" we parse the ports as well, even though they will
be just "any". We do this for later sgh building for the be just "any". We do this for later sgh building for the
@ -438,8 +437,10 @@ int SigParse(DetectEngineCtx *de_ctx, Signature *s, char *sigstr) {
char **basics; char **basics;
int ret = SigParseBasics(s, sigstr, &basics); int ret = SigParseBasics(s, sigstr, &basics);
if (ret < 0) if (ret < 0) {
//printf("SigParseBasics failed\n");
return -1; return -1;
}
#ifdef DEBUG #ifdef DEBUG
DEBUGPRINT("SigParse: %p", basics); DEBUGPRINT("SigParse: %p", basics);
@ -570,8 +571,196 @@ end:
return result; return result;
} }
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation01 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation02 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation03 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation04 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> any [80,!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation05 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation06 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test check that we don't allow invalid negation options
*/
static int SigParseTestNegation07 (void) {
int result = 0;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
//printf("%s\n", result?"ok":"fail");
//exit(1);
return result;
}
void SigParseRegisterTests(void) { void SigParseRegisterTests(void) {
UtRegisterTest("SigParseTest01", SigParseTest01, 1); UtRegisterTest("SigParseTest01", SigParseTest01, 1);
UtRegisterTest("SigParseTest02", SigParseTest02, 1); UtRegisterTest("SigParseTest02", SigParseTest02, 1);
UtRegisterTest("SigParseTestNegation01", SigParseTestNegation01, 1);
UtRegisterTest("SigParseTestNegation02", SigParseTestNegation02, 1);
UtRegisterTest("SigParseTestNegation03", SigParseTestNegation03, 1);
UtRegisterTest("SigParseTestNegation04", SigParseTestNegation04, 1);
UtRegisterTest("SigParseTestNegation05", SigParseTestNegation05, 1);
UtRegisterTest("SigParseTestNegation06", SigParseTestNegation06, 1);
UtRegisterTest("SigParseTestNegation07", SigParseTestNegation07, 1);
} }
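Review bot: Each SigParseTestNegation test passes whenever SigInit returns NULL, so a rule that fails for an unrelated reason (for example `classtype` or another keyword not parsing in the test context) would still count as a correct rejection. A positive control that differs from the rejected rules only in using a valid negation would show that the failures come from the negation itself; a sketch follows, with a constructed sid and message. SigParseTestNegation04 also reuses the `SigTest41-03 dst port [80:!80]` message and `sid:410003` for the `[80,!80]` rule, which makes a failure report ambiguous. With the printf in SigParsePort removed, it is worth confirming that a rejected rule is still reported somewhere outside DEBUG builds, since a silently dropped signature is a detection gap.

```c
/**
 * \test positive control: a valid port negation must still be accepted
 */
static int SigParseTestNegation08 (void) {
    int result = 0;
    DetectEngineCtx *de_ctx;
    Signature *s=NULL;

    de_ctx = DetectEngineCtxInit();
    if (de_ctx == NULL)
        goto end;
    de_ctx->flags |= DE_QUIET;

    /* constructed rule: same shape as the rejected ones, but a valid negation */
    s = SigInit(de_ctx,"alert tcp any any -> any !80 (msg:\"SigParseTestNegation08 dst port !80 \"; classtype:misc-activity; sid:410008; rev:1;)");
    if (s == NULL)
        goto end;

    SigFree(s);
    result = 1;
end:
    if (de_ctx != NULL)
        DetectEngineCtxFree(de_ctx);
    return result;
}
/* … unchanged: existing registrations in SigParseRegisterTests … */
    UtRegisterTest("SigParseTestNegation08", SigParseTestNegation08, 1);
```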

@ -6349,68 +6349,6 @@ end:
return result; return result;
} }
/**
* \test SigTest41Negation01 is a test to check that we don't allow invalid negation options
*/
static int SigTest41Negation01 (void) {
int result = 1;
DetectEngineCtx *de_ctx;
Signature *s=NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tcp !any any -> any any (msg:\"SigTest41-01 src address is !any \"; classtype:misc-activity; sid:410001; rev:1;)");
if (s != NULL) {
printf("We set src ip to !any and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any !any -> any any (msg:\"SigTest41-02 src ip is !any \"; classtype:misc-activity; sid:410002; rev:1;)");
if (s != NULL) {
printf("We set src port to !any and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> any [80:!80] (msg:\"SigTest41-03 dst port [80:!80] \"; classtype:misc-activity; sid:410003; rev:1;)");
if (s != NULL) {
printf("We set dst port to [80:!80] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.2] any (msg:\"SigTest41-04 dst ip [192.168.0.2,!192.168.0.2] \"; classtype:misc-activity; sid:410004; rev:1;)");
if (s != NULL) {
printf("We set dst ip to [192.168.0.2,!192.168.0.2] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> any [100:1000,!1:20000] (msg:\"SigTest41-05 dst port [100:1000,!1:20000] \"; classtype:misc-activity; sid:410005; rev:1;)");
if (s != NULL) {
printf("We set dst port to [100:1000,!1:20000] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
s = SigInit(de_ctx,"alert tcp any any -> [192.168.0.2,!192.168.0.0/24] any (msg:\"SigTest41-06 dst ip [192.168.0.2,!192.168.0.0/24] \"; classtype:misc-activity; sid:410006; rev:1;)");
if (s != NULL) {
printf("We set dst ip to [192.168.0.2,!192.168.0.0/24] and the sig was parsed successfully: ");
SigFree(s);
result = 0;
}
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
#endif /* UNITTESTS */ #endif /* UNITTESTS */
void SigRegisterTests(void) { void SigRegisterTests(void) {
@ -6561,9 +6499,6 @@ void SigRegisterTests(void) {
UtRegisterTest("SigTest40SignatureIsIPOnly01", SigTest40IPOnly01, 1); UtRegisterTest("SigTest40SignatureIsIPOnly01", SigTest40IPOnly01, 1);
UtRegisterTest("SigTest40SignatureIsIPOnly02", SigTest40IPOnly02, 1); UtRegisterTest("SigTest40SignatureIsIPOnly02", SigTest40IPOnly02, 1);
UtRegisterTest("SigTest40SignatureIsIPOnly03", SigTest40IPOnly03, 1); UtRegisterTest("SigTest40SignatureIsIPOnly03", SigTest40IPOnly03, 1);
UtRegisterTest("SigTestSignature41Negation01", SigTest41Negation01, 1);
#endif /* UNITTESTS */ #endif /* UNITTESTS */
} }
