detect: update tests that mix state/stream inspect

pull/2673/head
Victor Julien 8 years ago
parent eb5857b68a
commit d31cb083e9

@ -1204,9 +1204,9 @@ static int DeStateSigTest02(void)
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"/\"; http_uri; content:\"Mozilla\"; http_header; content:\"dummy\"; http_cookie; content:\"body\"; nocase; http_client_body; sid:1; rev:1;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (flow:to_server; content:\"GET\"; http_method; content:\"Firefox\"; http_header; content:\"dummy2\"; http_cookie; sid:2; rev:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
@ -1251,7 +1251,9 @@ static int DeStateSigTest02(void)
DetectEngineState *tx_de_state = AppLayerParserGetTxDetectState(IPPROTO_TCP, ALPROTO_HTTP, tx);
FAIL_IF_NULL(tx_de_state);
FAIL_IF(tx_de_state->dir_state[0].cnt != 1);
FAIL_IF(tx_de_state->dir_state[0].head->store[0].flags != BIT_U32(DE_STATE_FLAG_BASE));
/* http_header(mpm): 6, uri: 4, method: 7, cookie: 8 */
uint32_t expected_flags = (BIT_U32(6) | BIT_U32(4) | BIT_U32(7) |BIT_U32(8));
FAIL_IF(tx_de_state->dir_state[0].head->store[0].flags != expected_flags);
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
@ -1337,7 +1339,7 @@ static int DeStateSigTest03(void)
de_ctx->flags |= DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
Signature *s = DetectEngineAppendSig(de_ctx, "alert http any any -> any any (flow:to_server; content:\"POST\"; http_method; content:\"upload.cgi\"; http_uri; filestore; sid:1; rev:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
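Review bot: The new expectation in DeStateSigTest02 is built from literal bit positions, `BIT_U32(6) | BIT_U32(4) | BIT_U32(7) |BIT_U32(8)`, so the assertion depends on the ids the inspect engines happen to receive and can start failing for reasons unrelated to state handling. The comment names the buffers, but it should also say where the numbers come from, for example `/* inspect engine ids as assigned at registration; update when engines are added or reordered */`. If the ids can be looked up by buffer name, doing that instead of using literals would be more robust. The operator spacing in `|BIT_U32(8)` is also inconsistent with the rest of the line. The test body continues outside the hunk.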

@ -1983,7 +1983,6 @@ end:
/** \test Test pcre /U with anchored regex (bug 155) */
static int UriTestSig16(void)
{
Flow f;
HtpState *http_state = NULL;
uint8_t http_buf1[] = "POST /search?q=123&aq=7123abcee HTTP/1.0\r\n"
"User-Agent: Mozilla/1.0/\r\n"
@ -1994,45 +1993,48 @@ static int UriTestSig16(void)
"Cookie: hellocatch\r\n\r\n";
uint32_t http_buf2_len = sizeof(http_buf2) - 1;
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
StreamTcpInitConfig(TRUE);
p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
Packet *p = UTHBuildPacket(http_buf1, http_buf1_len, IPPROTO_TCP);
FAIL_IF_NULL(p);
p->tcph->th_seq = htonl(1000);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
FAIL_IF_NULL(f);
f->proto = IPPROTO_TCP;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p->flow = &f;
UTHAddSessionToFlow(f, 1000, 1000);
UTHAddStreamToFlow(f, 0, http_buf1, http_buf1_len);
p->flow = f;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
f->alproto = ALPROTO_HTTP;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any (msg:\"ET TROJAN Downadup/Conficker A or B Worm reporting\"; flow:to_server,established; uricontent:\"/search?q=\"; pcre:\"/^\\/search\\?q=[0-9]{1,3}(&aq=7(\\?[0-9a-f]{8})?)?/U\"; pcre:\"/\\x0d\\x0aHost\\: \\d+\\.\\d+\\.\\d+\\.\\d+\\x0d\\x0a/\"; sid:2009024; rev:9;)");
s = de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any (flow:to_server,established; uricontent:\"/search?q=\"; pcre:\"/^\\/search\\?q=[0-9]{1,3}(&aq=7(\\?[0-9a-f]{8})?)?/U\"; pcre:\"/\\x0d\\x0aHost\\: \\d+\\.\\d+\\.\\d+\\.\\d+\\x0d\\x0a/\"; sid:2009024; rev:9;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
UTHAddStreamToFlow(f, 0, http_buf2, http_buf2_len);
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
STREAM_TOSERVER, http_buf1, http_buf1_len);
FAIL_IF(r != 0);
http_state = f.alstate;
http_state = f->alstate;
FAIL_IF_NULL(http_state);
/* do detect */
@ -2043,11 +2045,11 @@ static int UriTestSig16(void)
p->payload = http_buf2;
p->payload_len = http_buf2_len;
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
STREAM_TOSERVER, http_buf2, http_buf2_len);
FAIL_IF(r != 0);
http_state = f.alstate;
http_state = f->alstate;
FAIL_IF_NULL(http_state);
/* do detect */
@ -2058,8 +2060,10 @@ static int UriTestSig16(void)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
DetectEngineCtxFree(de_ctx);
UTHRemoveSessionFromFlow(f);
UTHFreeFlow(f);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p);
PASS;
}
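Review bot: In UriTestSig16 the second request is appended with `UTHAddStreamToFlow(f, 0, http_buf2, http_buf2_len);` before the first `AppLayerParserParse()` call on http_buf1, so the first detection pass appears to run with both requests already in the stream while the parser has only seen the first. If that is intended, it deserves a comment at that line, such as `/* both requests are added to the stream before the first inspection on purpose */`. Otherwise the call belongs next to the `p->payload = http_buf2;` assignment in the later hunk. Which lines are on the new side is inferred from `f` versus `&f`, because the page has lost its +/- markers.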

@ -1563,30 +1563,29 @@ static int DetectPcreTestSig01(void)
"Host: two.example.org\r\n"
"\r\n\r\n";
uint16_t buflen = strlen((char *)buf);
TcpSession ssn;
Packet *p = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
Flow f;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&f, 0, sizeof(f));
memset(&th_v, 0, sizeof(th_v));
memset(&ssn, 0, sizeof(TcpSession));
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
p->flow = &f;
FAIL_IF_NULL(p);
p->tcph->th_seq = htonl(1000);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
FAIL_IF_NULL(f);
f->proto = IPPROTO_TCP;
UTHAddSessionToFlow(f, 1000, 1000);
UTHAddStreamToFlow(f, 0, buf, buflen);
p->flow = f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
StreamTcpInitConfig(TRUE);
f->alproto = ALPROTO_HTTP;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF(de_ctx == NULL);
@ -1599,26 +1598,21 @@ static int DetectPcreTestSig01(void)
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
STREAM_TOSERVER | STREAM_START, buf, buflen);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1) == 1);
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHRemoveSessionFromFlow(f);
UTHFreeFlow(f);
StreamTcpFreeConfig(TRUE);
UTHFreePackets(&p, 1);
PASS;
}
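Review bot: The cleanup in DetectPcreTestSig01 now calls `AppLayerParserThreadCtxFree(alp_tctx);` without the former `if (alp_tctx != NULL)` guard, yet the result of `AppLayerParserThreadCtxAlloc()` is never checked and is passed to `AppLayerParserParse()` before that. Adding `FAIL_IF_NULL(alp_tctx);` directly after the allocation would stop the test from relying on how those functions treat a NULL context, which is not visible on this page. The same guard was dropped in DetectUriSigTest05, DetectUriSigTest06 and DetectUriSigTest07, and the same one-line check applies there.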

@ -964,14 +964,10 @@ end:
*/
static int DetectUriSigTest05(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Flow f;
HtpState *http_state = NULL;
uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
" hellocatch\r\n\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
@ -979,98 +975,67 @@ static int DetectUriSigTest05(void)
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
StreamTcpInitConfig(TRUE);
p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
FAIL_IF_NULL(p);
p->tcph->th_seq = htonl(1000);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
FAIL_IF_NULL(f);
f->proto = IPPROTO_TCP;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
UTHAddSessionToFlow(f, 1000, 1000);
UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);
p->flow = &f;
p->flow = f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
f.proto = p->proto;
f->alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; uricontent:\"foo\"; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; uricontent:\"one\"; content:\"two\"; sid:2;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; uricontent:\"one\"; offset:1; depth:10; "
"uricontent:\"two\"; distance:1; within: 4; uricontent:\"three\"; "
"distance:1; within: 6; sid:3;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
http_state = f->alstate;
FAIL_IF_NULL(http_state);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
http_state = f.alstate;
if (http_state == NULL) {
printf("no http state: ");
goto end;
}
if ((PacketAlertCheck(p, 1))) {
printf("sig: 1 alerted, but it should not: ");
goto end;
} else if (! PacketAlertCheck(p, 2)) {
printf("sig: 2 did not alert, but it should: ");
goto end;
} else if (! (PacketAlertCheck(p, 3))) {
printf("sig: 3 did not alert, but it should: ");
goto end;
}
FAIL_IF((PacketAlertCheck(p, 1)));
FAIL_IF(!PacketAlertCheck(p, 2));
FAIL_IF(!(PacketAlertCheck(p, 3)));
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHRemoveSessionFromFlow(f);
UTHFreeFlow(f);
UTHFreePackets(&p, 1);
return result;
StreamTcpFreeConfig(TRUE);
PASS;
}
/** \test Check the modifiers for uricontent and content
@ -1078,56 +1043,45 @@ end:
*/
static int DetectUriSigTest06(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 0;
Flow f;
HtpState *http_state = NULL;
uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
" hellocatch\r\n\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
TCPHdr tcp_hdr;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
memset(&tcp_hdr, 0, sizeof(tcp_hdr));
StreamTcpInitConfig(TRUE);
p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
FAIL_IF_NULL(p);
p->tcph->th_seq = htonl(1000);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
FAIL_IF_NULL(f);
f->proto = IPPROTO_TCP;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
UTHAddSessionToFlow(f, 1000, 1000);
UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);
p->flow = &f;
p->flow = f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
f.proto = p->proto;
f->alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; "
"uricontent:\"foo\"; content:\"bar\"; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; "
"uricontent:\"one\"; offset:1; depth:10; "
"content:\"one\"; offset:1; depth:10; "
@ -1136,68 +1090,41 @@ static int DetectUriSigTest06(void)
"uricontent:\"three\"; distance:1; within: 6; "
"content:\"/three\"; distance:0; within: 7; "
"sid:2;)");
FAIL_IF_NULL(s);
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; "
"uricontent:\"one\"; offset:1; depth:10; "
"uricontent:\"two\"; distance:1; within: 4; "
"uricontent:\"three\"; distance:1; within: 6; "
"sid:3;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
http_state = f->alstate;
FAIL_IF_NULL(http_state);
/* do detect */
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
http_state = f.alstate;
if (http_state == NULL) {
printf("no http state: ");
goto end;
}
if ((PacketAlertCheck(p, 1))) {
printf("sig: 1 alerted, but it should not:");
goto end;
} else if (! PacketAlertCheck(p, 2)) {
printf("sig: 2 did not alert, but it should:");
goto end;
} else if (! (PacketAlertCheck(p, 3))) {
printf("sig: 3 did not alert, but it should:");
goto end;
}
FAIL_IF((PacketAlertCheck(p, 1)));
FAIL_IF(!PacketAlertCheck(p, 2));
FAIL_IF(!(PacketAlertCheck(p, 3)));
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHRemoveSessionFromFlow(f);
UTHFreeFlow(f);
UTHFreePackets(&p, 1);
return result;
StreamTcpFreeConfig(TRUE);
PASS;
}
/** \test Check the modifiers for uricontent and content
@ -1205,13 +1132,10 @@ end:
*/
static int DetectUriSigTest07(void)
{
int result = 0;
Flow f;
HtpState *http_state = NULL;
uint8_t httpbuf1[] = "POST /one/two/three HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie:"
" hellocatch\r\n\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
@ -1219,38 +1143,34 @@ static int DetectUriSigTest07(void)
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
StreamTcpInitConfig(TRUE);
p = UTHBuildPacket(httpbuf1, httplen1, IPPROTO_TCP);
FAIL_IF_NULL(p);
p->tcph->th_seq = htonl(1000);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1", 41424, 80);
FAIL_IF_NULL(f);
f->proto = IPPROTO_TCP;
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
UTHAddSessionToFlow(f, 1000, 1000);
UTHAddStreamToFlow(f, 0, httpbuf1, httplen1);
p->flow = &f;
p->flow = f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
f->alproto = ALPROTO_HTTP;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; "
"uricontent:\"foo\"; content:\"bar\"; sid:1;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; "
"uricontent:\"one\"; offset:1; depth:10; "
"content:\"one\"; offset:1; depth:10; "
@ -1259,68 +1179,41 @@ static int DetectUriSigTest07(void)
"uricontent:\"three\"; distance:1; within: 6; "
"content:\"/three\"; distance:0; within: 7; "
"sid:2;)");
FAIL_IF_NULL(s);
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:"
s = DetectEngineAppendSig(de_ctx,"alert tcp any any -> any any (msg:"
"\" Test uricontent\"; "
"uricontent:\"one\"; offset:1; depth:10; "
"uricontent:\"two\"; distance:1; within: 4; "
"uricontent:\"six\"; distance:1; within: 6; "
"sid:3;)");
if (s == NULL) {
goto end;
}
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
int r = AppLayerParserParse(NULL, alp_tctx, f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
http_state = f->alstate;
FAIL_IF_NULL(http_state);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
http_state = f.alstate;
if (http_state == NULL) {
printf("no http state: ");
goto end;
}
FAIL_IF((PacketAlertCheck(p, 1)));
FAIL_IF((PacketAlertCheck(p, 2)));
FAIL_IF((PacketAlertCheck(p, 3)));
if (PacketAlertCheck(p, 1)) {
printf("sig: 1 alerted, but it should not:");
goto end;
} else if (PacketAlertCheck(p, 2)) {
printf("sig: 2 alerted, but it should not:");
goto end;
} else if (PacketAlertCheck(p, 3)) {
printf("sig: 3 alerted, but it should not:");
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
if (det_ctx != NULL) DetectEngineThreadCtxDeinit(&th_v, det_ctx);
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHRemoveSessionFromFlow(f);
UTHFreeFlow(f);
UTHFreePackets(&p, 1);
return result;
StreamTcpFreeConfig(TRUE);
PASS;
}
/**
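Review bot: Each of DetectUriSigTest05, 06 and 07 writes the value 1000 twice, in `p->tcph->th_seq = htonl(1000);` and in `UTHAddSessionToFlow(f, 1000, 1000);`, and the two presumably have to stay consistent for the stream data to line up with the packet. A single local such as `const uint32_t seq = 1000;` used in both places, or a short comment stating the relation, would prevent a later edit from changing one and not the other. Without it, the stream-inspection part of these tests could stop being exercised without the test failing. The same pair of literals appears in UriTestSig16 and DetectPcreTestSig01.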
