detect-dns-query: use unit test macros

Jason Ish 8 years ago committed by Victor Julien
parent a636d96b15
commit 922a27ed97

@ -133,7 +133,6 @@ static int DetectDnsQueryTest01(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, }; 0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f; Flow f;
DNSState *dns_state = NULL; DNSState *dns_state = NULL;
Packet *p = NULL; Packet *p = NULL;
@ -160,18 +159,14 @@ static int DetectDnsQueryTest01(void)
f.alproto = ALPROTO_DNS; f.alproto = ALPROTO_DNS;
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)"); "dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -182,27 +177,21 @@ static int DetectDnsQueryTest01(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate; dns_state = f.alstate;
if (dns_state == NULL) { FAIL_IF_NULL(dns_state);
printf("no dns state: ");
goto end;
}
/* do detect */ /* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p); SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) { if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: "); printf("sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) if (det_ctx != NULL)
@ -214,7 +203,7 @@ end:
FLOW_DESTROY(&f); FLOW_DESTROY(&f);
UTHFreePacket(p); UTHFreePacket(p);
return result; PASS;
} }
/** \test multi tx google.(com|net) query matching */ /** \test multi tx google.(com|net) query matching */
@ -249,7 +238,6 @@ static int DetectDnsQueryTest02(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00, 0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, }; 0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f; Flow f;
DNSState *dns_state = NULL; DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL; Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
@ -293,24 +281,18 @@ static int DetectDnsQueryTest02(void)
p3->pcap_cnt = 3; p3->pcap_cnt = 3;
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)"); "dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)"); "dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -321,26 +303,23 @@ static int DetectDnsQueryTest02(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate; dns_state = f.alstate;
if (dns_state == NULL) { FAIL_IF_NULL(dns_state);
printf("no dns state: ");
goto end;
}
/* do detect */ /* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1); SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (!(PacketAlertCheck(p1, 1))) { if (!(PacketAlertCheck(p1, 1))) {
printf("(p1) sig 1 didn't alert, but it should have: "); printf("(p1) sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
if (PacketAlertCheck(p1, 2)) { if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: "); printf("(p1) sig 2 did alert, but it should not have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
@ -349,7 +328,7 @@ static int DetectDnsQueryTest02(void)
if (r != 0) { if (r != 0) {
printf("toserver client 1 returned %" PRId32 ", expected 0: ", r); printf("toserver client 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -358,11 +337,11 @@ static int DetectDnsQueryTest02(void)
if (PacketAlertCheck(p2, 1)) { if (PacketAlertCheck(p2, 1)) {
printf("(p2) sig 1 alerted, but it should not have: "); printf("(p2) sig 1 alerted, but it should not have: ");
goto end; FAIL;
} }
if (PacketAlertCheck(p2, 2)) { if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 alerted, but it should not have: "); printf("(p2) sig 2 alerted, but it should not have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
@ -371,7 +350,7 @@ static int DetectDnsQueryTest02(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -380,16 +359,13 @@ static int DetectDnsQueryTest02(void)
if (PacketAlertCheck(p3, 1)) { if (PacketAlertCheck(p3, 1)) {
printf("(p3) sig 1 alerted, but it should not have: "); printf("(p3) sig 1 alerted, but it should not have: ");
goto end; FAIL;
} }
if (!(PacketAlertCheck(p3, 2))) { if (!(PacketAlertCheck(p3, 2))) {
printf("(p3) sig 2 didn't alert, but it should have: "); printf("(p3) sig 2 didn't alert, but it should have: ");
goto end; FAIL;
} }
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) if (det_ctx != NULL)
@ -403,7 +379,7 @@ end:
UTHFreePacket(p1); UTHFreePacket(p1);
UTHFreePacket(p2); UTHFreePacket(p2);
UTHFreePacket(p3); UTHFreePacket(p3);
return result; PASS;
} }
/** \test simple google.com query matching (TCP) */ /** \test simple google.com query matching (TCP) */
@ -416,7 +392,6 @@ static int DetectDnsQueryTest03(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, }; 0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f; Flow f;
DNSState *dns_state = NULL; DNSState *dns_state = NULL;
Packet *p = NULL; Packet *p = NULL;
@ -448,18 +423,14 @@ static int DetectDnsQueryTest03(void)
StreamTcpInitConfig(TRUE); StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)"); "content:\"google\"; nocase; dns_query; sid:1;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -470,27 +441,21 @@ static int DetectDnsQueryTest03(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate; dns_state = f.alstate;
if (dns_state == NULL) { FAIL_IF_NULL(dns_state);
printf("no dns state: ");
goto end;
}
/* do detect */ /* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p); SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) { if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: "); printf("sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) if (det_ctx != NULL)
@ -503,7 +468,7 @@ end:
StreamTcpFreeConfig(TRUE); StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f); FLOW_DESTROY(&f);
UTHFreePacket(p); UTHFreePacket(p);
return result; PASS;
} }
/** \test simple google.com query matching (TCP splicing) */ /** \test simple google.com query matching (TCP splicing) */
@ -516,7 +481,6 @@ static int DetectDnsQueryTest04(void)
uint8_t buf2[] = { 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, uint8_t buf2[] = { 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, }; 0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f; Flow f;
DNSState *dns_state = NULL; DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL; Packet *p1 = NULL, *p2 = NULL;
@ -555,18 +519,14 @@ static int DetectDnsQueryTest04(void)
StreamTcpInitConfig(TRUE); StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)"); "dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -577,31 +537,28 @@ static int DetectDnsQueryTest04(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate; dns_state = f.alstate;
if (dns_state == NULL) { FAIL_IF_NULL(dns_state);
printf("no dns state: ");
goto end;
}
/* do detect */ /* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1); SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) { if (PacketAlertCheck(p1, 1)) {
printf("sig 1 alerted, but it should not have: "); printf("sig 1 alerted, but it should not have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER, r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
buf2, sizeof(buf2)); buf2, sizeof(buf2));
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0\n", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -610,12 +567,9 @@ static int DetectDnsQueryTest04(void)
if (!(PacketAlertCheck(p2, 1))) { if (!(PacketAlertCheck(p2, 1))) {
printf("sig 1 didn't alert, but it should have: "); printf("sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) if (det_ctx != NULL)
@ -629,7 +583,7 @@ end:
FLOW_DESTROY(&f); FLOW_DESTROY(&f);
UTHFreePacket(p1); UTHFreePacket(p1);
UTHFreePacket(p2); UTHFreePacket(p2);
return result; PASS;
} }
/** \test simple google.com query matching (TCP splicing) */ /** \test simple google.com query matching (TCP splicing) */
@ -668,7 +622,6 @@ static int DetectDnsQueryTest05(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00, 0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, }; 0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f; Flow f;
DNSState *dns_state = NULL; DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL, *p4 = NULL; Packet *p1 = NULL, *p2 = NULL, *p3 = NULL, *p4 = NULL;
@ -721,24 +674,18 @@ static int DetectDnsQueryTest05(void)
StreamTcpInitConfig(TRUE); StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)"); "dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)"); "dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -749,26 +696,23 @@ static int DetectDnsQueryTest05(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate; dns_state = f.alstate;
if (dns_state == NULL) { FAIL_IF_NULL(dns_state);
printf("no dns state: ");
goto end;
}
/* do detect */ /* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1); SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) { if (PacketAlertCheck(p1, 1)) {
printf("(p1) sig 1 alerted, but it should not have: "); printf("(p1) sig 1 alerted, but it should not have: ");
goto end; FAIL;
} }
if (PacketAlertCheck(p1, 2)) { if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: "); printf("(p1) sig 2 did alert, but it should not have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
@ -777,7 +721,7 @@ static int DetectDnsQueryTest05(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -786,11 +730,11 @@ static int DetectDnsQueryTest05(void)
if (!(PacketAlertCheck(p2, 1))) { if (!(PacketAlertCheck(p2, 1))) {
printf("sig 1 didn't alert, but it should have: "); printf("sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
if (PacketAlertCheck(p2, 2)) { if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 did alert, but it should not have: "); printf("(p2) sig 2 did alert, but it should not have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
@ -799,7 +743,7 @@ static int DetectDnsQueryTest05(void)
if (r != 0) { if (r != 0) {
printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -808,11 +752,11 @@ static int DetectDnsQueryTest05(void)
if (PacketAlertCheck(p3, 1)) { if (PacketAlertCheck(p3, 1)) {
printf("sig 1 did alert, but it should not have: "); printf("sig 1 did alert, but it should not have: ");
goto end; FAIL;
} }
if (PacketAlertCheck(p3, 2)) { if (PacketAlertCheck(p3, 2)) {
printf("(p3) sig 2 did alert, but it should not have: "); printf("(p3) sig 2 did alert, but it should not have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
@ -821,7 +765,7 @@ static int DetectDnsQueryTest05(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -830,16 +774,13 @@ static int DetectDnsQueryTest05(void)
if (PacketAlertCheck(p4, 1)) { if (PacketAlertCheck(p4, 1)) {
printf("(p4) sig 1 did alert, but it should not have: "); printf("(p4) sig 1 did alert, but it should not have: ");
goto end; FAIL;
} }
if (!(PacketAlertCheck(p4, 2))) { if (!(PacketAlertCheck(p4, 2))) {
printf("sig 1 didn't alert, but it should have: "); printf("sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) if (det_ctx != NULL)
@ -855,7 +796,7 @@ end:
UTHFreePacket(p2); UTHFreePacket(p2);
UTHFreePacket(p3); UTHFreePacket(p3);
UTHFreePacket(p4); UTHFreePacket(p4);
return result; PASS;
} }
/** \test simple google.com query matching, pcre */ /** \test simple google.com query matching, pcre */
@ -867,7 +808,6 @@ static int DetectDnsQueryTest06(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00, 0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, }; 0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f; Flow f;
DNSState *dns_state = NULL; DNSState *dns_state = NULL;
Packet *p = NULL; Packet *p = NULL;
@ -894,9 +834,7 @@ static int DetectDnsQueryTest06(void)
f.alproto = ALPROTO_DNS; f.alproto = ALPROTO_DNS;
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
@ -904,17 +842,12 @@ static int DetectDnsQueryTest06(void)
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; " "dns_query; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)"); "pcre:\"/google\\.com$/i\"; sid:1;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; " "dns_query; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)"); "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -925,31 +858,25 @@ static int DetectDnsQueryTest06(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate; dns_state = f.alstate;
if (dns_state == NULL) { FAIL_IF_NULL(dns_state);
printf("no dns state: ");
goto end;
}
/* do detect */ /* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p); SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) { if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: "); printf("sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
if (!(PacketAlertCheck(p, 2))) { if (!(PacketAlertCheck(p, 2))) {
printf("sig 2 didn't alert, but it should have: "); printf("sig 2 didn't alert, but it should have: ");
goto end; FAIL;
} }
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) if (det_ctx != NULL)
@ -961,7 +888,7 @@ end:
FLOW_DESTROY(&f); FLOW_DESTROY(&f);
UTHFreePacket(p); UTHFreePacket(p);
return result; PASS;
} }
/** \test multi tx google.(com|net) query matching + /** \test multi tx google.(com|net) query matching +
@ -997,7 +924,6 @@ static int DetectDnsQueryTest07(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C, 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00, 0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, }; 0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f; Flow f;
DNSState *dns_state = NULL; DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL; Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
@ -1041,30 +967,22 @@ static int DetectDnsQueryTest07(void)
p3->pcap_cnt = 3; p3->pcap_cnt = 3;
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) { FAIL_IF_NULL(de_ctx);
goto end;
}
de_ctx->mpm_matcher = mpm_default_matcher; de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET; de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)"); "dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; " "(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)"); "dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any " s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test Z flag event\"; " "(msg:\"Test Z flag event\"; "
"app-layer-event:dns.z_flag_set; sid:3;)"); "app-layer-event:dns.z_flag_set; sid:3;)");
if (s == NULL) { FAIL_IF_NULL(s);
goto end;
}
SigGroupBuild(de_ctx); SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -1075,35 +993,32 @@ static int DetectDnsQueryTest07(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate; dns_state = f.alstate;
if (dns_state == NULL) { FAIL_IF_NULL(dns_state);
printf("no dns state: ");
goto end;
}
/* do detect */ /* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1); SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (!(PacketAlertCheck(p1, 1))) { if (!(PacketAlertCheck(p1, 1))) {
printf("(p1) sig 1 didn't alert, but it should have: "); printf("(p1) sig 1 didn't alert, but it should have: ");
goto end; FAIL;
} }
if (PacketAlertCheck(p1, 2)) { if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: "); printf("(p1) sig 2 did alert, but it should not have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT, r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
buf2, sizeof(buf2)); buf2, sizeof(buf2));
if (r != -1) { if (r != -1) {
printf("toserver client 1 returned %" PRId32 ", expected 0: ", r); printf("toserver client 1 returned %" PRId32 ", expected -1\n", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -1112,15 +1027,15 @@ static int DetectDnsQueryTest07(void)
if (PacketAlertCheck(p2, 1)) { if (PacketAlertCheck(p2, 1)) {
printf("(p2) sig 1 alerted, but it should not have: "); printf("(p2) sig 1 alerted, but it should not have: ");
goto end; FAIL;
} }
if (PacketAlertCheck(p2, 2)) { if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 alerted, but it should not have: "); printf("(p2) sig 2 alerted, but it should not have: ");
goto end; FAIL;
} }
if (!(PacketAlertCheck(p2, 3))) { if (!(PacketAlertCheck(p2, 3))) {
printf("(p2) sig 3 didn't alert, but it should have: "); printf("(p2) sig 3 didn't alert, but it should have: ");
goto end; FAIL;
} }
FLOWLOCK_WRLOCK(&f); FLOWLOCK_WRLOCK(&f);
@ -1129,7 +1044,7 @@ static int DetectDnsQueryTest07(void)
if (r != 0) { if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r); printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
goto end; FAIL;
} }
FLOWLOCK_UNLOCK(&f); FLOWLOCK_UNLOCK(&f);
@ -1138,11 +1053,11 @@ static int DetectDnsQueryTest07(void)
if (PacketAlertCheck(p3, 1)) { if (PacketAlertCheck(p3, 1)) {
printf("(p3) sig 1 alerted, but it should not have: "); printf("(p3) sig 1 alerted, but it should not have: ");
goto end; FAIL;
} }
if (!(PacketAlertCheck(p3, 2))) { if (!(PacketAlertCheck(p3, 2))) {
printf("(p3) sig 2 didn't alert, but it should have: "); printf("(p3) sig 2 didn't alert, but it should have: ");
goto end; FAIL;
} }
/** \todo should not alert, bug #839 /** \todo should not alert, bug #839
if (PacketAlertCheck(p3, 3)) { if (PacketAlertCheck(p3, 3)) {
@ -1150,9 +1065,7 @@ static int DetectDnsQueryTest07(void)
goto end; goto end;
} }
*/ */
result = 1;
end:
if (alp_tctx != NULL) if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx); AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) if (det_ctx != NULL)
@ -1166,7 +1079,7 @@ end:
UTHFreePacket(p1); UTHFreePacket(p1);
UTHFreePacket(p2); UTHFreePacket(p2);
UTHFreePacket(p3); UTHFreePacket(p3);
return result; PASS;
} }
static int DetectDnsQueryIsdataatParseTest(void) static int DetectDnsQueryIsdataatParseTest(void)
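Review bot: The failure paths now skip teardown: assuming `FAIL` and `FAIL_IF_NULL` return from the test at once (their definitions are not on this page), every converted `goto end` in DetectDnsQueryTest01–07 exits without reaching the `AppLayerParserThreadCtxFree`/`FLOW_DESTROY`/`UTHFreePacket` calls that used to sit under `end:`. In DetectDnsQueryTest03 that also skips `StreamTcpFreeConfig(TRUE)`, and Test04 and Test05 call `StreamTcpInitConfig(TRUE)` as well, so one failing check can leave global stream state behind for the tests that run afterwards and obscure which detection test actually regressed. If that trade-off is intended, state it once above the teardown, e.g. `/* FAIL* return early; cleanup below runs only on success */`. The commented-out `\todo` block for bug #839 in DetectDnsQueryTest07 still contains `goto end;` although the label is removed, so it should become `FAIL;` to stay compilable when it is re-enabled. The test function bodies start and end outside the hunks shown.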
