diff --git a/src/detect.c b/src/detect.c
index d313b94996..4ed9072cec 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -7583,6 +7583,224 @@ static int SigTestContent04Wm (void) {
 return SigTestContent04Real(MPM_WUMANBER);
 }
+static int SigTestWithinReal01 (int mpm_type) {
+ DecodeThreadVars dtv;
+ ThreadVars th_v;
+ int result = 0;
+ int alertcnt = 0;
+
+ uint8_t rawpkt1[] = {
+ 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
+ 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
+ 0x00,0x8c,0x95,0x50,0x00,0x00,0x40,0x06,
+ 0x2d,0x45,0xc0,0xa8,0x02,0x03,0xd0,0x45,
+ 0x24,0xe6,0x06,0xcc,0x03,0x09,0x18,0x72,
+ 0xd0,0xe3,0x1a,0xab,0x7c,0x98,0x50,0x00,
+ 0x02,0x00,0x46,0xa0,0x00,0x00,0x48,0x69,
+ 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
+ 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
+ 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
+ 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
+ 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
+ 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00 }; /* end rawpkt1 */
+
+ uint8_t rawpkt2[] = {
+ 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
+ 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
+ 0x00,0x8c,0x30,0x87,0x00,0x00,0x40,0x06,
+ 0x92,0x0e,0xc0,0xa8,0x02,0x03,0xd0,0x45,
+ 0x24,0xe6,0x06,0xcd,0x03,0x09,0x73,0xec,
+ 0xd5,0x35,0x14,0x7d,0x7c,0x12,0x50,0x00,
+ 0x02,0x00,0xed,0x86,0x00,0x00,0x48,0x69,
+ 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
+ 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
+ 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
+ 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
+ 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
+ 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00 }; /* end rawpkt2 */
+
+ uint8_t rawpkt3[] = {
+ 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
+ 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
+ 0x00,0x8c,0x57,0xd8,0x00,0x00,0x40,0x06,
+ 0x6a,0xbd,0xc0,0xa8,0x02,0x03,0xd0,0x45,
+ 0x24,0xe6,0x06,0xce,0x03,0x09,0x06,0x3d,
+ 0x02,0x22,0x2f,0x9b,0x6f,0x8f,0x50,0x00,
+ 0x02,0x00,0x1f,0xae,0x00,0x00,0x48,0x69,
+ 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
+ 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
+ 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
+ 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
+ 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
+ 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00 }; /* end rawpkt3 */
+
+ uint8_t rawpkt4[] = {
+ 0x00,0x04,0x76,0xd3,0xd8,0x6a,0x00,0x24,
+ 0xe8,0x29,0xfa,0x4f,0x08,0x00,0x45,0x00,
+ 0x00,0x8c,0xa7,0x2e,0x00,0x00,0x40,0x06,
+ 0x1b,0x67,0xc0,0xa8,0x02,0x03,0xd0,0x45,
+ 0x24,0xe6,0x06,0xcf,0x03,0x09,0x00,0x0e,
+ 0xdf,0x72,0x3d,0xc2,0x21,0xce,0x50,0x00,
+ 0x02,0x00,0x88,0x25,0x00,0x00,0x48,0x69,
+ 0x2c,0x20,0x74,0x68,0x69,0x73,0x20,0x69,
+ 0x73,0x20,0x61,0x20,0x62,0x69,0x67,0x20,
+ 0x74,0x65,0x73,0x74,0x20,0x74,0x6f,0x20,
+ 0x63,0x68,0x65,0x63,0x6b,0x20,0x63,0x6f,
+ 0x6e,0x74,0x65,0x6e,0x74,0x20,0x6d,0x61,
+ 0x74,0x63,0x68,0x65,0x73,0x0a,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00 }; /* end rawpkt4 */
+
+ memset(&dtv, 0, sizeof(DecodeThreadVars));
+ memset(&th_v, 0, sizeof(th_v));
+
+ DetectEngineThreadCtx *det_ctx = NULL;
+
+ FlowInitConfig(FLOW_QUIET);
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->mpm_matcher = mpm_type;
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"within test\"; content:\"Hi, this is a big test to check \"; content:\"content matches\"; distance:0; within:15; sid:556;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ /* packet 1 */
+ Packet p1;
+ memset(&p1, 0, sizeof(Packet));
+ DecodeEthernet(&th_v, &dtv, &p1, rawpkt1, sizeof(rawpkt1), NULL);
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p1);
+ if (PacketAlertCheck(&p1, 556)) {
+ //printf("match of sid on packet 1\n");
+ alertcnt++;
+ }else{
+ SCLogInfo("failed to match on packet 1");
+ }
+
+ /* packet 2 */
+ Packet p2;
+ memset(&p2, 0, sizeof(Packet));
+ DecodeEthernet(&th_v, &dtv, &p2, rawpkt2, sizeof(rawpkt2), NULL);
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p2);
+ if (PacketAlertCheck(&p2, 556)) {
+ //printf("match of sid on packet 2\n");
+ alertcnt++;
+ }else{
+ SCLogInfo("failed to match on packet 2");
+ }
+
+ /* packet 3 */
+ Packet p3;
+ memset(&p3, 0, sizeof(Packet));
+ DecodeEthernet(&th_v, &dtv, &p3, rawpkt3, sizeof(rawpkt3), NULL);
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p3);
+ if (PacketAlertCheck(&p3, 556)){
+ //printf("match of sid on packet 3\n");
+ alertcnt++;
+ }else{
+ SCLogInfo("failed to match on packet 3");
+ }
+
+ /* packet 4 */
+ Packet p4;
+ memset(&p4, 0, sizeof(Packet));
+ DecodeEthernet(&th_v, &dtv, &p4, rawpkt4, sizeof(rawpkt4), NULL);
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p4);
+ if (PacketAlertCheck(&p4, 556)){
+ //printf("match of sid on packet 4\n");
+ alertcnt++;
+ }else{
+ SCLogInfo("failed to match on packet 4");
+ }
+
+ /* packet 5 */
+ uint8_t *p5buf = (uint8_t *)"Hi, this is a big test to check content matches";
+ uint16_t p5buflen = strlen((char *)p5buf);
+ Packet p5;
+ memset(&p5, 0, sizeof(p5));
+ p5.src.family = AF_INET;
+ p5.dst.family = AF_INET;
+ p5.payload = p5buf;
+ p5.payload_len = p5buflen;
+ p5.proto = IPPROTO_TCP;
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p5);
+ if (PacketAlertCheck(&p5, 556)){
+ //printf("match of sid on packet 5\n");
+ alertcnt++;
+ }else{
+ SCLogInfo("failed to match on packet 5");
+ }
+
+ /* do all five packets alert ? */
+ if(alertcnt == 5){
+ result = 1;
+ }else{
+ SCLogInfo("expected 5 alerts got %i",alertcnt);
+ }
+
+end:
+ if(de_ctx)
+ {
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ }
+
+ if(det_ctx)
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+
+ if(de_ctx)
+ DetectEngineCtxFree(de_ctx);
+
+ FlowShutdown();
+
+ return result;
+}
+
+static int SigTestWithinReal01B2g (void) {
+ return SigTestWithinReal01(MPM_B2G);
+}
+static int SigTestWithinReal01B3g (void) {
+ return SigTestWithinReal01(MPM_B3G);
+}
+static int SigTestWithinReal01Wm (void) {
+ return SigTestWithinReal01(MPM_WUMANBER);
+}
 
 #endif /* UNITTESTS */
 
 void SigRegisterTests(void) {
@@ -7766,6 +7984,10 @@ void SigRegisterTests(void) {
 UtRegisterTest("SigTestContent04B2g -- 32 byte pattern, x2 + distance/within", SigTestContent04B2g, 1);
 UtRegisterTest("SigTestContent04B3g -- 32 byte pattern, x2 + distance/within", SigTestContent04B3g, 1);
 UtRegisterTest("SigTestContent04Wm -- 32 byte pattern, x2 + distance/within", SigTestContent04Wm, 1);
+
+ UtRegisterTest("SigTestWithinReal01B2g", SigTestWithinReal01B2g, 1);
+ UtRegisterTest("SigTestWithinReal01B3g", SigTestWithinReal01B3g, 1);
+ UtRegisterTest("SigTestWithinReal01Wm", SigTestWithinReal01Wm, 1);
 
 #endif /* UNITTESTS */
 }
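Review bot: The four DecodeEthernet blocks for packets 1–4 in SigTestWithinReal01 are copies that differ only in the raw buffer, so a loop over an array of the buffers would keep the decode/match/count logic in one place and make adding another packet a one-line change; a sketch is below. While there, `uint16_t p5buflen = strlen((char *)p5buf);` narrows a size_t silently and should read `uint16_t p5buflen = (uint16_t)strlen((char *)p5buf);`, and the `result = 0;` before the `goto end` on the NULL sig_list path is redundant because result already starts at 0. If the decoded Packets acquire any per-packet state (flow references or allocated data), nothing releases it for p1–p4 before `end:`; worth confirming against how the neighbouring tests in this file clean up.
```c
    /* packets 1-4 differ only in the raw buffer: decode, match and count them in one place */
    uint8_t *raw[] = { rawpkt1, rawpkt2, rawpkt3, rawpkt4 };
    size_t rawlen[] = { sizeof(rawpkt1), sizeof(rawpkt2), sizeof(rawpkt3), sizeof(rawpkt4) };
    for (int i = 0; i < 4; i++) {
        Packet p;
        memset(&p, 0, sizeof(Packet));
        DecodeEthernet(&th_v, &dtv, &p, raw[i], rawlen[i], NULL);
        SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
        if (PacketAlertCheck(&p, 556)) {
            alertcnt++;
        } else {
            SCLogInfo("failed to match on packet %i", i + 1);
        }
    }
    /* … unchanged: packet 5, the alert-count check and the end: cleanup … */
```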