tests to highlight that

- suricata treats sigs with offset/depth without any packet keywords as stream sigs
- as a consequence suricata will FN on such sigs

The tests introduced here will fail, displaying the issues.  The
next patch in the series would fix the said issues.
remotes/origin/master
Anoop Saldanha 14 years ago committed by Victor Julien
parent c5cc9d454d
commit a34f91358d

@ -879,6 +879,58 @@ end:
return result;
}
/*
* \test Test packet/stream sigs
*/
static int PayloadTestSig27(void)
{
uint8_t buf[] = "dummypayload";
uint16_t buflen = sizeof(buf) - 1;
int result = 0;
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
char sig[] = "alert tcp any any -> any any (content:\"dummy\"; "
"depth:5; sid:1;)";
p->flags |= PKT_STREAM_ADD;
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 1)
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
/*
* \test Test packet/stream sigs
*/
static int PayloadTestSig28(void)
{
uint8_t buf[] = "dummypayload";
uint16_t buflen = sizeof(buf) - 1;
int result = 0;
Packet *p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
char sig[] = "alert tcp any any -> any any (content:\"payload\"; "
"offset:4; depth:12; sid:1;)";
p->flags |= PKT_STREAM_ADD;
if (UTHPacketMatchSigMpm(p, sig, MPM_AC) != 1)
goto end;
result = 1;
end:
if (p != NULL)
UTHFreePacket(p);
return result;
}
#endif /* UNITTESTS */
void PayloadRegisterTests(void) {
@ -910,6 +962,8 @@ void PayloadRegisterTests(void) {
UtRegisterTest("PayloadTestSig24", PayloadTestSig24, 1);
UtRegisterTest("PayloadTestSig25", PayloadTestSig25, 1);
UtRegisterTest("PayloadTestSig26", PayloadTestSig26, 1);
UtRegisterTest("PayloadTestSig27", PayloadTestSig27, 1);
UtRegisterTest("PayloadTestSig28", PayloadTestSig28, 1);
#endif /* UNITTESTS */
return;
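Review bot: In PayloadTestSig27 and PayloadTestSig28 the result of UTHBuildPacket() is dereferenced by `p->flags |= PKT_STREAM_ADD;` before any NULL check, although the `end:` cleanup already treats a NULL `p` as possible. If packet construction fails, the unit test would crash instead of reporting a failure; adding `if (p == NULL) goto end;` immediately before the flag assignment keeps the failure path consistent. Both tests also share the comment `Test packet/stream sigs`; one line each, such as `depth-only content must match on a packet carrying PKT_STREAM_ADD` and `offset+depth content must match on a packet carrying PKT_STREAM_ADD`, would record which false-negative case each test guards.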

@ -2132,6 +2132,186 @@ end:
return result;
}
/**
* \test packet/stream sig
*/
static int SigParseTest13(void) {
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
Signature *s = NULL;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; sid:1;)");
if (s == NULL) {
printf("sig 1 invalidated: failure");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
printf("sig doesn't have stream flag set\n");
goto end;
}
if (s->flags & SIG_FLAG_REQUIRE_PACKET) {
printf("sig has packet flag set\n");
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test packet/stream sig
*/
static int SigParseTest14(void) {
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
Signature *s = NULL;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; dsize:>0; sid:1;)");
if (s == NULL) {
printf("sig 1 invalidated: failure");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
printf("sig doesn't have packet flag set\n");
goto end;
}
if (s->flags & SIG_FLAG_REQUIRE_STREAM) {
printf("sig has stream flag set\n");
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test packet/stream sig
*/
static int SigParseTest15(void) {
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
Signature *s = NULL;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; offset:5; sid:1;)");
if (s == NULL) {
printf("sig 1 invalidated: failure");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
printf("sig doesn't have packet flag set\n");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
printf("sig doesn't have stream flag set\n");
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test packet/stream sig
*/
static int SigParseTest16(void) {
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
Signature *s = NULL;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; depth:5; sid:1;)");
if (s == NULL) {
printf("sig 1 invalidated: failure");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
printf("sig doesn't have packet flag set\n");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
printf("sig doesn't have stream flag set\n");
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test packet/stream sig
*/
static int SigParseTest17(void) {
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
Signature *s = NULL;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"abc\"; offset:1; depth:5; sid:1;)");
if (s == NULL) {
printf("sig 1 invalidated: failure");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_PACKET)) {
printf("sig doesn't have packet flag set\n");
goto end;
}
if (!(s->flags & SIG_FLAG_REQUIRE_STREAM)) {
printf("sig doesn't have stream flag set\n");
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/** \test Direction operator validation (invalid) */
int SigParseBidirecTest06 (void) {
int result = 1;
@ -3006,6 +3186,11 @@ void SigParseRegisterTests(void) {
UtRegisterTest("SigParseTest10", SigParseTest10, 1);
UtRegisterTest("SigParseTest11", SigParseTest11, 1);
UtRegisterTest("SigParseTest12", SigParseTest12, 1);
UtRegisterTest("SigParseTest13", SigParseTest13, 1);
UtRegisterTest("SigParseTest14", SigParseTest14, 1);
UtRegisterTest("SigParseTest15", SigParseTest15, 1);
UtRegisterTest("SigParseTest16", SigParseTest16, 1);
UtRegisterTest("SigParseTest17", SigParseTest17, 1);
UtRegisterTest("SigParseBidirecTest06", SigParseBidirecTest06, 1);
UtRegisterTest("SigParseBidirecTest07", SigParseBidirecTest07, 1);
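Review bot: SigParseTest13 through SigParseTest17 all carry the same `\test packet/stream sig` comment, so the flag contract each one pins can only be found by reading the checks. Each comment should name the rule shape and the expected flags, e.g. for SigParseTest13 `content only: SIG_FLAG_REQUIRE_STREAM set, SIG_FLAG_REQUIRE_PACKET clear`, for SigParseTest14 `content with dsize: packet flag only`, and for SigParseTest15–17 `offset and/or depth: both flags set`. This matters because, per the commit message, a wrong classification leads to missed detections. The `sig 1 invalidated: failure` message in each test also lacks the trailing `\n` that the other messages have.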
