detect-dns-query: use unit test macros

pull/2732/head
Jason Ish 8 years ago committed by Victor Julien
parent a636d96b15
commit 922a27ed97

@ -133,7 +133,6 @@ static int DetectDnsQueryTest01(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p = NULL;
@ -160,18 +159,14 @@ static int DetectDnsQueryTest01(void)
f.alproto = ALPROTO_DNS;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -182,27 +177,21 @@ static int DetectDnsQueryTest01(void)
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
@ -214,7 +203,7 @@ end:
FLOW_DESTROY(&f);
UTHFreePacket(p);
return result;
PASS;
}
/** \test multi tx google.(com|net) query matching */
@ -249,7 +238,6 @@ static int DetectDnsQueryTest02(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
@ -293,24 +281,18 @@ static int DetectDnsQueryTest02(void)
p3->pcap_cnt = 3;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -321,26 +303,23 @@ static int DetectDnsQueryTest02(void)
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (!(PacketAlertCheck(p1, 1))) {
printf("(p1) sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
@ -349,7 +328,7 @@ static int DetectDnsQueryTest02(void)
if (r != 0) {
printf("toserver client 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -358,11 +337,11 @@ static int DetectDnsQueryTest02(void)
if (PacketAlertCheck(p2, 1)) {
printf("(p2) sig 1 alerted, but it should not have: ");
goto end;
FAIL;
}
if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 alerted, but it should not have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
@ -371,7 +350,7 @@ static int DetectDnsQueryTest02(void)
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -380,16 +359,13 @@ static int DetectDnsQueryTest02(void)
if (PacketAlertCheck(p3, 1)) {
printf("(p3) sig 1 alerted, but it should not have: ");
goto end;
FAIL;
}
if (!(PacketAlertCheck(p3, 2))) {
printf("(p3) sig 2 didn't alert, but it should have: ");
goto end;
FAIL;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
@ -403,7 +379,7 @@ end:
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
return result;
PASS;
}
/** \test simple google.com query matching (TCP) */
@ -416,7 +392,6 @@ static int DetectDnsQueryTest03(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p = NULL;
@ -448,18 +423,14 @@ static int DetectDnsQueryTest03(void)
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"content:\"google\"; nocase; dns_query; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -470,27 +441,21 @@ static int DetectDnsQueryTest03(void)
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
@ -503,7 +468,7 @@ end:
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p);
return result;
PASS;
}
/** \test simple google.com query matching (TCP splicing) */
@ -516,7 +481,6 @@ static int DetectDnsQueryTest04(void)
uint8_t buf2[] = { 0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL;
@ -555,18 +519,14 @@ static int DetectDnsQueryTest04(void)
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -577,31 +537,28 @@ static int DetectDnsQueryTest04(void)
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) {
printf("sig 1 alerted, but it should not have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
buf2, sizeof(buf2));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
printf("toserver chunk 1 returned %" PRId32 ", expected 0\n", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -610,12 +567,9 @@ static int DetectDnsQueryTest04(void)
if (!(PacketAlertCheck(p2, 1))) {
printf("sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
@ -629,7 +583,7 @@ end:
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
return result;
PASS;
}
/** \test simple google.com query matching (TCP splicing) */
@ -668,7 +622,6 @@ static int DetectDnsQueryTest05(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL, *p4 = NULL;
@ -721,24 +674,18 @@ static int DetectDnsQueryTest05(void)
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -749,26 +696,23 @@ static int DetectDnsQueryTest05(void)
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) {
printf("(p1) sig 1 alerted, but it should not have: ");
goto end;
FAIL;
}
if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
@ -777,7 +721,7 @@ static int DetectDnsQueryTest05(void)
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -786,11 +730,11 @@ static int DetectDnsQueryTest05(void)
if (!(PacketAlertCheck(p2, 1))) {
printf("sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 did alert, but it should not have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
@ -799,7 +743,7 @@ static int DetectDnsQueryTest05(void)
if (r != 0) {
printf("toclient chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -808,11 +752,11 @@ static int DetectDnsQueryTest05(void)
if (PacketAlertCheck(p3, 1)) {
printf("sig 1 did alert, but it should not have: ");
goto end;
FAIL;
}
if (PacketAlertCheck(p3, 2)) {
printf("(p3) sig 2 did alert, but it should not have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
@ -821,7 +765,7 @@ static int DetectDnsQueryTest05(void)
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -830,16 +774,13 @@ static int DetectDnsQueryTest05(void)
if (PacketAlertCheck(p4, 1)) {
printf("(p4) sig 1 did alert, but it should not have: ");
goto end;
FAIL;
}
if (!(PacketAlertCheck(p4, 2))) {
printf("sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
@ -855,7 +796,7 @@ end:
UTHFreePacket(p2);
UTHFreePacket(p3);
UTHFreePacket(p4);
return result;
PASS;
}
/** \test simple google.com query matching, pcre */
@ -867,7 +808,6 @@ static int DetectDnsQueryTest06(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x63, 0x6F, 0x6D, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p = NULL;
@ -894,9 +834,7 @@ static int DetectDnsQueryTest06(void)
f.alproto = ALPROTO_DNS;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
@ -904,17 +842,12 @@ static int DetectDnsQueryTest06(void)
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/google\\.com$/i\"; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; "
"pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -925,31 +858,25 @@ static int DetectDnsQueryTest06(void)
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
printf("sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
if (!(PacketAlertCheck(p, 2))) {
printf("sig 2 didn't alert, but it should have: ");
goto end;
FAIL;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
@ -961,7 +888,7 @@ end:
FLOW_DESTROY(&f);
UTHFreePacket(p);
return result;
PASS;
}
/** \test multi tx google.(com|net) query matching +
@ -997,7 +924,6 @@ static int DetectDnsQueryTest07(void)
0x06, 0x67, 0x6F, 0x6F, 0x67, 0x6C,
0x65, 0x03, 0x6E, 0x65, 0x74, 0x00,
0x00, 0x10, 0x00, 0x01, };
int result = 0;
Flow f;
DNSState *dns_state = NULL;
Packet *p1 = NULL, *p2 = NULL, *p3 = NULL;
@ -1041,30 +967,22 @@ static int DetectDnsQueryTest07(void)
p3->pcap_cnt = 3;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.com\"; nocase; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google.net\"; nocase; sid:2;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test Z flag event\"; "
"app-layer-event:dns.z_flag_set; sid:3;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@ -1075,35 +993,32 @@ static int DetectDnsQueryTest07(void)
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
if (dns_state == NULL) {
printf("no dns state: ");
goto end;
}
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (!(PacketAlertCheck(p1, 1))) {
printf("(p1) sig 1 didn't alert, but it should have: ");
goto end;
FAIL;
}
if (PacketAlertCheck(p1, 2)) {
printf("(p1) sig 2 did alert, but it should not have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOCLIENT,
buf2, sizeof(buf2));
if (r != -1) {
printf("toserver client 1 returned %" PRId32 ", expected 0: ", r);
printf("toserver client 1 returned %" PRId32 ", expected -1\n", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -1112,15 +1027,15 @@ static int DetectDnsQueryTest07(void)
if (PacketAlertCheck(p2, 1)) {
printf("(p2) sig 1 alerted, but it should not have: ");
goto end;
FAIL;
}
if (PacketAlertCheck(p2, 2)) {
printf("(p2) sig 2 alerted, but it should not have: ");
goto end;
FAIL;
}
if (!(PacketAlertCheck(p2, 3))) {
printf("(p2) sig 3 didn't alert, but it should have: ");
goto end;
FAIL;
}
FLOWLOCK_WRLOCK(&f);
@ -1129,7 +1044,7 @@ static int DetectDnsQueryTest07(void)
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
FAIL;
}
FLOWLOCK_UNLOCK(&f);
@ -1138,11 +1053,11 @@ static int DetectDnsQueryTest07(void)
if (PacketAlertCheck(p3, 1)) {
printf("(p3) sig 1 alerted, but it should not have: ");
goto end;
FAIL;
}
if (!(PacketAlertCheck(p3, 2))) {
printf("(p3) sig 2 didn't alert, but it should have: ");
goto end;
FAIL;
}
/** \todo should not alert, bug #839
if (PacketAlertCheck(p3, 3)) {
@ -1150,9 +1065,7 @@ static int DetectDnsQueryTest07(void)
goto end;
}
*/
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
@ -1166,7 +1079,7 @@ end:
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
return result;
PASS;
}
static int DetectDnsQueryIsdataatParseTest(void)
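Review bot: With the `end:` label removed, every `FAIL` / `FAIL_IF_NULL` in DetectDnsQueryTest01–07 appears to leave the function before the teardown that follows the last check (`AppLayerParserThreadCtxFree`, `FLOW_DESTROY`, `UTHFreePacket`, and Test03's `StreamTcpFreeConfig(TRUE)`); this assumes the macros return immediately, since their definitions are not on this page. A failing test would then leak the detect engine context and packets, and in Test03–05 the first `FAIL_IF_NULL(de_ctx)` comes after `StreamTcpInitConfig(TRUE)`, so stream state could stay initialised for later tests in the same process and muddy leak-checker output. If that trade-off is intended, state it once above the tests, e.g. `/* FAIL* macros return at once; teardown below only runs on the PASS path */`. The commented-out bug #839 block in Test07 still contains `goto end;`, which will not compile if re-enabled now that the label is gone, so it should read `FAIL;`. The test bodies start and end outside the visible hunks, so the teardown calls not shown here need the same check.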
