|
|
|
|
@ -1,4 +1,4 @@
|
|
|
|
|
/* Copyright (C) 2007-2020 Open Information Security Foundation
|
|
|
|
|
/* Copyright (C) 2007-2022 Open Information Security Foundation
|
|
|
|
|
*
|
|
|
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
|
|
|
* the GNU General Public License version 2 as published by the Free
|
|
|
|
|
@ -1423,260 +1423,6 @@ static int DetectBytetestTestParse24(void)
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test DetectByteTestTestPacket01 is a test to check matches of
|
|
|
|
|
* byte_test and byte_test relative works if the previous keyword is pcre
|
|
|
|
|
* (bug 142)
|
|
|
|
|
*/
|
|
|
|
|
static int DetectByteTestTestPacket01 (void)
|
|
|
|
|
{
|
|
|
|
|
int result = 0;
|
|
|
|
|
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
|
|
|
|
|
"User-Agent: Wget/1.11.4"
|
|
|
|
|
"Accept: */*"
|
|
|
|
|
"Host: www.google.com"
|
|
|
|
|
"Connection: Keep-Alive"
|
|
|
|
|
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
|
|
|
|
|
uint16_t buflen = strlen((char *)buf);
|
|
|
|
|
Packet *p;
|
|
|
|
|
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
if (p == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
char sig[] = "alert tcp any any -> any any (msg:\"pcre + byte_test + "
|
|
|
|
|
"relative\"; pcre:\"/AllWorkAndNoPlayMakesWillADullBoy/\"; byte_test:1,=,1"
|
|
|
|
|
",6,relative,string,dec; sid:126; rev:1;)";
|
|
|
|
|
|
|
|
|
|
result = UTHPacketMatchSig(p, sig);
|
|
|
|
|
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
end:
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \test DetectByteTestTestPacket02 is a test to check matches of
|
|
|
|
|
* byte_test and byte_test relative works if the previous keyword is byte_jump
|
|
|
|
|
* (bug 158)
|
|
|
|
|
*/
|
|
|
|
|
static int DetectByteTestTestPacket02 (void)
|
|
|
|
|
{
|
|
|
|
|
int result = 0;
|
|
|
|
|
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
|
|
|
|
|
"User-Agent: Wget/1.11.4"
|
|
|
|
|
"Accept: */*"
|
|
|
|
|
"Host: www.google.com"
|
|
|
|
|
"Connection: Keep-Alive"
|
|
|
|
|
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
|
|
|
|
|
uint16_t buflen = strlen((char *)buf);
|
|
|
|
|
Packet *p;
|
|
|
|
|
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
if (p == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test + "
|
|
|
|
|
"relative\"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,"
|
|
|
|
|
"dec; sid:777; rev:1;)";
|
|
|
|
|
|
|
|
|
|
result = UTHPacketMatchSig(p, sig);
|
|
|
|
|
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
end:
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int DetectByteTestTestPacket03(void)
|
|
|
|
|
{
|
|
|
|
|
int result = 0;
|
|
|
|
|
uint8_t *buf = NULL;
|
|
|
|
|
uint16_t buflen = 0;
|
|
|
|
|
buf = SCMalloc(4);
|
|
|
|
|
if (unlikely(buf == NULL)) {
|
|
|
|
|
printf("malloc failed\n");
|
|
|
|
|
exit(EXIT_FAILURE);
|
|
|
|
|
}
|
|
|
|
|
memcpy(buf, "boom", 4);
|
|
|
|
|
buflen = 4;
|
|
|
|
|
|
|
|
|
|
Packet *p;
|
|
|
|
|
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
if (p == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test\"; "
|
|
|
|
|
"byte_test:1,=,65,214748364; sid:1; rev:1;)";
|
|
|
|
|
|
|
|
|
|
result = !UTHPacketMatchSig(p, sig);
|
|
|
|
|
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
SCFree(buf);
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \test Test the byte_test signature matching with operator <= */
|
|
|
|
|
static int DetectByteTestTestPacket04(void)
|
|
|
|
|
{
|
|
|
|
|
int result = 0;
|
|
|
|
|
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
|
|
|
|
|
"User-Agent: Wget/1.11.4"
|
|
|
|
|
"Accept: */*"
|
|
|
|
|
"Host: www.google.com"
|
|
|
|
|
"Connection: Keep-Alive"
|
|
|
|
|
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
|
|
|
|
|
uint16_t buflen = strlen((char *)buf);
|
|
|
|
|
|
|
|
|
|
Packet *p;
|
|
|
|
|
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
if (p == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
|
|
|
|
|
"relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
|
|
|
|
|
"byte_test:1,<=,0,0,relative,string,dec; sid:124; rev:1;)";
|
|
|
|
|
|
|
|
|
|
result = UTHPacketMatchSig(p, sig);
|
|
|
|
|
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** \test Test the byte_test signature matching with operator >= */
|
|
|
|
|
static int DetectByteTestTestPacket05(void)
|
|
|
|
|
{
|
|
|
|
|
int result = 0;
|
|
|
|
|
uint8_t *buf = (uint8_t *)"GET /AllWorkAndNoPlayMakesWillADullBoy HTTP/1.0"
|
|
|
|
|
"User-Agent: Wget/1.11.4"
|
|
|
|
|
"Accept: */*"
|
|
|
|
|
"Host: www.google.com"
|
|
|
|
|
"Connection: Keep-Alive"
|
|
|
|
|
"Date: Mon, 04 Jan 2010 17:29:39 GMT";
|
|
|
|
|
uint16_t buflen = strlen((char *)buf);
|
|
|
|
|
|
|
|
|
|
Packet *p;
|
|
|
|
|
p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP);
|
|
|
|
|
|
|
|
|
|
if (p == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
|
|
char sig[] = "alert tcp any any -> any any (msg:\"content + byte_test +"
|
|
|
|
|
"relative\"; content:\"GET \"; depth:4; content:\"HTTP/1.\"; "
|
|
|
|
|
"byte_test:1,>=,0,0,relative,string,dec; sid:125; rev:1;)";
|
|
|
|
|
|
|
|
|
|
result = UTHPacketMatchSig(p, sig);
|
|
|
|
|
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
/** \test simple dns match on first byte */
|
|
|
|
|
static int DetectByteTestTestPacket06(void)
|
|
|
|
|
{
|
|
|
|
|
uint8_t buf[] = { 0x38, 0x35, 0x01, 0x00, 0x00, 0x01,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x001, 0x00, 0x01, 0x00,};
|
|
|
|
|
Flow f;
|
|
|
|
|
Packet *p = NULL;
|
|
|
|
|
Signature *s = NULL;
|
|
|
|
|
ThreadVars tv;
|
|
|
|
|
DetectEngineThreadCtx *det_ctx = NULL;
|
|
|
|
|
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
|
|
|
|
|
|
|
|
|
|
FAIL_IF_NULL(alp_tctx);
|
|
|
|
|
|
|
|
|
|
memset(&tv, 0, sizeof(ThreadVars));
|
|
|
|
|
memset(&f, 0, sizeof(Flow));
|
|
|
|
|
|
|
|
|
|
p = UTHBuildPacketReal(buf, sizeof(buf), IPPROTO_UDP,
|
|
|
|
|
"192.168.1.5", "192.168.1.1",
|
|
|
|
|
41424, 53);
|
|
|
|
|
|
|
|
|
|
FLOW_INITIALIZE(&f);
|
|
|
|
|
f.flags |= FLOW_IPV4;
|
|
|
|
|
f.proto = IPPROTO_UDP;
|
|
|
|
|
f.protomap = FlowGetProtoMapping(f.proto);
|
|
|
|
|
|
|
|
|
|
p->flow = &f;
|
|
|
|
|
p->flags |= PKT_HAS_FLOW;
|
|
|
|
|
p->flowflags |= FLOW_PKT_TOSERVER;
|
|
|
|
|
f.alproto = ALPROTO_DNS;
|
|
|
|
|
|
|
|
|
|
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
|
|
|
|
|
FAIL_IF_NULL(de_ctx);
|
|
|
|
|
|
|
|
|
|
de_ctx->mpm_matcher = mpm_default_matcher;
|
|
|
|
|
de_ctx->flags |= DE_QUIET;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check first byte
|
|
|
|
|
* (0x38 & 0xF8) --> 0x38
|
|
|
|
|
* 0x38 >> 3 --> 0x7
|
|
|
|
|
* 0x7 = 0x07
|
|
|
|
|
*/
|
|
|
|
|
/* this rule should alert */
|
|
|
|
|
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
|
|
|
|
|
"(msg:\"Byte test against first byte\"; "
|
|
|
|
|
"byte_test:1,=,0x07,0,bitmask 0xF8;"
|
|
|
|
|
"sid:1;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
|
|
|
|
|
/* this rule should not alert */
|
|
|
|
|
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
|
|
|
|
|
"(msg:\"Test dns_query option\"; "
|
|
|
|
|
"byte_test:1,=,0x07,0,bitmask 0xFF;"
|
|
|
|
|
"sid:2;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check 3rd byte
|
|
|
|
|
* (0x01 & 0xFF) --> 0x01
|
|
|
|
|
* 0x01 >> 0 --> 0x1
|
|
|
|
|
* 0x1 = 0x01
|
|
|
|
|
*/
|
|
|
|
|
/* this rule should alert */
|
|
|
|
|
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
|
|
|
|
|
"(msg:\"Test dns_query option\"; "
|
|
|
|
|
"byte_test:3,=,0x01,0,bitmask 0xFF;"
|
|
|
|
|
"sid:3;)");
|
|
|
|
|
FAIL_IF_NULL(s);
|
|
|
|
|
|
|
|
|
|
SigGroupBuild(de_ctx);
|
|
|
|
|
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
|
|
|
|
|
FAIL_IF_NULL(det_ctx);
|
|
|
|
|
|
|
|
|
|
FAIL_IF_NOT(0 == AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
|
|
|
|
|
STREAM_TOSERVER, buf, sizeof(buf)));
|
|
|
|
|
|
|
|
|
|
FAIL_IF_NULL(f.alstate);
|
|
|
|
|
|
|
|
|
|
/* do detect */
|
|
|
|
|
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
|
|
|
|
|
|
|
|
|
|
FAIL_IF_NOT(PacketAlertCheck(p, 1));
|
|
|
|
|
|
|
|
|
|
FAIL_IF(PacketAlertCheck(p, 2));
|
|
|
|
|
|
|
|
|
|
FAIL_IF_NOT(PacketAlertCheck(p, 3));
|
|
|
|
|
|
|
|
|
|
AppLayerParserThreadCtxFree(alp_tctx);
|
|
|
|
|
DetectEngineThreadCtxDeinit(&tv, det_ctx);
|
|
|
|
|
SigGroupCleanup(de_ctx);
|
|
|
|
|
DetectEngineCtxFree(de_ctx);
|
|
|
|
|
|
|
|
|
|
FLOW_DESTROY(&f);
|
|
|
|
|
UTHFreePacket(p);
|
|
|
|
|
PASS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* \brief this function registers unit tests for DetectBytetest
|
|
|
|
|
*/
|
|
|
|
|
@ -1709,12 +1455,5 @@ static void DetectBytetestRegisterTests(void)
|
|
|
|
|
UtRegisterTest("DetectBytetestTestParse22", DetectBytetestTestParse22);
|
|
|
|
|
UtRegisterTest("DetectBytetestTestParse23", DetectBytetestTestParse23);
|
|
|
|
|
UtRegisterTest("DetectBytetestTestParse24", DetectBytetestTestParse24);
|
|
|
|
|
|
|
|
|
|
UtRegisterTest("DetectByteTestTestPacket01", DetectByteTestTestPacket01);
|
|
|
|
|
UtRegisterTest("DetectByteTestTestPacket02", DetectByteTestTestPacket02);
|
|
|
|
|
UtRegisterTest("DetectByteTestTestPacket03", DetectByteTestTestPacket03);
|
|
|
|
|
UtRegisterTest("DetectByteTestTestPacket04", DetectByteTestTestPacket04);
|
|
|
|
|
UtRegisterTest("DetectByteTestTestPacket05", DetectByteTestTestPacket05);
|
|
|
|
|
UtRegisterTest("DetectByteTestTestPacket06", DetectByteTestTestPacket06);
|
|
|
|
|
}
|
|
|
|
|
#endif /* UNITTESTS */
|
|
|
|
|
|
Modupe Falodun
3 years ago
committed by
Victor Julien