Support vars lookup from conf file. The current patch supports address and port group vars lookup.

remotes/origin/master-1.0.x
Anoop Saldanha 17 years ago committed by Victor Julien
parent 951b4d5cf4
commit dc44700ce5

@ -66,3 +66,38 @@ pfring:
rule-files:
- netbios.rules
- x11.rules
# Holds variables that would be used by the engine.
vars:
# Holds the address group vars that would be passed in a Signature.
# These would be retrieved during the Signature address parsing stage.
address-groups:
HOME_NET: "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]"
EXTERNAL_NET: "[!192.168.0.0/16,2000::/3]"
HTTP_SERVERS: "!192.168.0.0/16"
SMTP_SERVERS: "!192.168.0.0/16"
SQL_SERVERS: "!192.168.0.0/16"
DNS_SERVERS: any
TELNET_SERVERS: any
AIM_SERVERS: any
# Holds the port group vars that would be passed in a Signature.
# These would be retrieved during the Signature port parsing stage.
port-groups:
HTTP_PORTS: "80:81,88"
SHELLCODE_PORTS: 80
ORACLE_PORTS: 1521
SSH_PORTS: 22
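Review bot: The default `SHELLCODE_PORTS: 80` in this new `port-groups` mapping inverts the value the code it replaces used: the removed hard-coded table in detect-parse.c returned `"!80"` for `$SHELLCODE_PORTS` regardless of negation, so after this commit every rule that uses that variable matches the opposite set of ports. If the intent is the Snort-style meaning (everything that is not an HTTP port), the entry should be `SHELLCODE_PORTS: "!80"`, and a comment on the line saying the value is negated on purpose would stop the next reader from "fixing" it. The quoting convention is also mixed (`"80:81,88"` versus bare `80`), which is harmless for YAML scalars but worth making uniform so a value starting with `!` is never mistaken for a YAML tag.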

@ -103,6 +103,7 @@ util-error.c util-error.h \
util-enum.c util-enum.h \
util-radix-tree.c util-radix-tree.h \
util-host-os-info.c util-host-os-info.h \
util-rule-vars.c util-rule-vars.h \
tm-modules.c tm-modules.h \
tm-queues.c tm-queues.h \
tm-queuehandlers.c tm-queuehandlers.h \

@ -272,7 +272,7 @@ ConfYamlLoadFile(const char *filename)
/**
* \brief Load configuration from a YAML string.
*/
static void
void
ConfYamlLoadString(const u_char *string, size_t len)
{
yaml_parser_t parser;

@ -4,6 +4,7 @@
#define __CONF_YAML_LOADER_H__
void ConfYamlLoadFile(const char *);
void ConfYamlLoadString(const u_char *, size_t);
void ConfYamlRegisterTests(void);
#endif /* !__CONF_YAML_LOADER_H__ */

@ -24,6 +24,12 @@
static HashTable *conf_hash = NULL;
/* temporary variable that would be used to hold the hash_table instance
* present in conf_hash. Used while running tests that require their
* own yaml conf file. The backup can be set and then be reused by using
* the function ConfCreateContextBackup() and ConfRestoreContextBackup() */
static HashTable *backup_conf_hash = NULL;
/**
* \brief Function to generate the hash of a configuration value.
*
@ -336,6 +342,45 @@ ConfRemove(char *name)
return 0;
}
/**
* \brief Creates a backup of the conf_hash hash_table used by the conf API.
*/
void
ConfCreateContextBackup(void)
{
backup_conf_hash = conf_hash;
conf_hash = NULL;
return;
}
/**
* \brief Restores the backup of the hash_table present in backup_conf_hash
* back to conf_hash.
*/
void
ConfRestoreContextBackup(void)
{
conf_hash = backup_conf_hash;
return;
}
/**
* \brief De-initializes the configuration system.
*/
void
ConfDeInit(void)
{
if (conf_hash == NULL)
return;
HashTableFree(conf_hash);
conf_hash = NULL;
SCLogDebug("configuration module de-initialized");
}
/**
* \brief Dump configuration to stdout.
*/
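Review bot: `ConfRestoreContextBackup` copies `backup_conf_hash` into `conf_hash` but never clears `backup_conf_hash`, and `ConfCreateContextBackup` overwrites whatever backup is already held, so two nested backups silently drop and leak the outer table, and a restore after a forgotten `ConfDeInit` overwrites and leaks the live table. I would make the pair self-contained: in restore, `if (conf_hash != NULL) HashTableFree(conf_hash);` before `conf_hash = backup_conf_hash;`, followed by `backup_conf_hash = NULL;`, and in create, log or assert when `backup_conf_hash` is already non-NULL. Whether `HashTableFree` also releases the ConfNode values stored in the table is not visible in this hunk, so the `ConfDeInit` doc comment should say what, if anything, the caller still owns afterwards. The rest of conf.c is outside the hunks.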

@ -39,6 +39,9 @@ ConfNode *ConfNodeNew(void);
void ConfNodeFree(ConfNode *);
int ConfSetNode(ConfNode *node);
ConfNode *ConfGetNode(char *key);
void ConfCreateContextBackup(void);
void ConfRestoreContextBackup(void);
void ConfDeInit(void);
void ConfRegisterTests();
#endif /* ! __CONF_H__ */

@ -15,6 +15,7 @@
#include "util-cidr.h"
#include "util-unittest.h"
#include "util-rule-vars.h"
#include "detect-engine-siggroup.h"
#include "detect-engine-address.h"
@ -727,10 +728,12 @@ int DetectAddressParse2(DetectAddressHead *gh,
DetectAddressHead *ghn,
char *s, int negate) {
int i, x;
int o_set = 0, n_set = 0;
int o_set = 0, n_set = 0, d_set = 0;
int depth = 0;
size_t size = strlen(s);
char address[1024] = "";
char *rule_var_address = NULL;
char *temp_rule_var_address = NULL;
SCLogDebug("s %s negate %s", s, negate ? "true" : "false");
@ -760,6 +763,29 @@ int DetectAddressParse2(DetectAddressHead *gh,
} else if (depth == 0 && s[i] == ',') {
if (o_set == 1) {
o_set = 0;
} else if (d_set == 1) {
address[x - 1] = '\0';
x = 0;
rule_var_address = SCRuleVarsGetConfVar(address,
SC_RULE_VARS_ADDRESS_GROUPS);
if (rule_var_address == NULL)
goto error;
temp_rule_var_address = rule_var_address;
if (negate == 1 || n_set == 1) {
temp_rule_var_address = malloc(strlen(rule_var_address) + 3);
if (temp_rule_var_address == NULL) {
SCLogDebug(SC_ERR_MEM_ALLOC, "Error allocating memory");
goto error;
}
snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
"[%s]", rule_var_address);
}
DetectAddressParse2(gh, ghn, temp_rule_var_address,
negate? negate: n_set);
d_set = 0;
n_set = 0;
if (temp_rule_var_address != rule_var_address)
free(temp_rule_var_address);
} else {
address[x - 1] = '\0';
@ -773,16 +799,40 @@ int DetectAddressParse2(DetectAddressHead *gh,
n_set = 0;
}
x = 0;
} else if (depth == 0 && s[i] == '$') {
d_set = 1;
} else if (depth == 0 && i == size - 1) {
address[x] = '\0';
x = 0;
if (negate == 0 && n_set == 0) {
if (DetectAddressSetup(gh, address) < 0)
if (d_set == 1) {
rule_var_address = SCRuleVarsGetConfVar(address,
SC_RULE_VARS_ADDRESS_GROUPS);
if (rule_var_address == NULL)
goto error;
temp_rule_var_address = rule_var_address;
if (negate == 1 || n_set == 1) {
temp_rule_var_address = malloc(strlen(rule_var_address) + 3);
if (temp_rule_var_address == NULL) {
SCLogDebug(SC_ERR_MEM_ALLOC, "Error allocating memory");
goto error;
}
snprintf(temp_rule_var_address, strlen(rule_var_address) + 3,
"[%s]", rule_var_address);
}
DetectAddressParse2(gh, ghn, temp_rule_var_address,
negate? negate: n_set);
d_set = 0;
if (temp_rule_var_address != rule_var_address)
free(temp_rule_var_address);
} else {
if (DetectAddressSetup(ghn, address) < 0)
goto error;
if (negate == 0 && n_set == 0) {
if (DetectAddressSetup(gh, address) < 0)
goto error;
} else {
if (DetectAddressSetup(ghn, address) < 0)
goto error;
}
}
n_set = 0;
}
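Review bot: The return value of the recursive `DetectAddressParse2(gh, ghn, temp_rule_var_address, negate? negate: n_set)` call is discarded in both new branches (the depth-0 comma case and the end-of-string case), so a variable whose configured value fails to parse is silently accepted, whereas the literal-address path right beside it does `goto error` when `DetectAddressSetup` fails. In both places I would write `if (DetectAddressParse2(gh, ghn, temp_rule_var_address, negate ? negate : n_set) < 0) { if (temp_rule_var_address != rule_var_address) free(temp_rule_var_address); goto error; }` so the temporary is also released on the failure path. Separately, `SCLogDebug(SC_ERR_MEM_ALLOC, "Error allocating memory")` passes an error code where every other SCLogDebug call in this function passes a format string, and util-rule-vars.c uses `SCLogError(SC_ERR_MEM_ALLOC, ...)` for the identical situation; this should match. DetectAddressParse2 starts and ends outside the hunks.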

@ -15,6 +15,7 @@
#include "util-cidr.h"
#include "util-unittest.h"
#include "util-rule-vars.h"
#include "detect-parse.h"
#include "detect-engine.h"
@ -981,11 +982,13 @@ error:
static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,
int negate) {
int i, x;
int o_set = 0, n_set = 0;
int o_set = 0, n_set = 0, d_set = 0;
int range = 0;
int depth = 0;
size_t size = strlen(s);
char address[1024] = "";
char *rule_var_port = NULL;
char *temp_rule_var_port = NULL;
SCLogDebug("head %p, *head %p", head, *head);
@ -1022,6 +1025,29 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,
} else if (depth == 0 && s[i] == ',') {
if (o_set == 1) {
o_set = 0;
} else if (d_set == 1) {
address[x - 1] = '\0';
x = 0;
rule_var_port = SCRuleVarsGetConfVar(address,
SC_RULE_VARS_PORT_GROUPS);
if (rule_var_port == NULL)
goto error;
temp_rule_var_port = rule_var_port;
if (negate == 1 || n_set == 1) {
temp_rule_var_port = malloc(strlen(rule_var_port) + 3);
if (temp_rule_var_port == NULL) {
SCLogDebug(SC_ERR_MEM_ALLOC, "Error allocating memory");
goto error;
}
snprintf(temp_rule_var_port, strlen(rule_var_port) + 3,
"[%s]", rule_var_port);
}
DetectPortParseDo(head, nhead, temp_rule_var_port,
negate? negate: n_set);
d_set = 0;
n_set = 0;
if (temp_rule_var_port != rule_var_port)
free(temp_rule_var_port);
} else {
address[x - 1] = '\0';
SCLogDebug("Parsed port from DetectPortParseDo - %s", address);
@ -1035,25 +1061,47 @@ static int DetectPortParseDo(DetectPort **head, DetectPort **nhead, char *s,
}
x = 0;
range = 0;
} else if (depth == 0 && s[i] == '$') {
d_set = 1;
} else if (depth == 0 && i == size-1) {
range = 0;
address[x] = '\0';
SCLogDebug("%s", address);
x = 0;
if (negate == 0 && n_set == 0) {
DetectPortParseInsertString(head,address);
if (d_set == 1) {
rule_var_port = SCRuleVarsGetConfVar(address,
SC_RULE_VARS_PORT_GROUPS);
if (rule_var_port == NULL)
goto error;
temp_rule_var_port = rule_var_port;
if (negate == 1 || n_set == 1) {
temp_rule_var_port = malloc(strlen(rule_var_port) + 3);
if (temp_rule_var_port == NULL) {
SCLogDebug(SC_ERR_MEM_ALLOC, "Error allocating memory");
goto error;
}
snprintf(temp_rule_var_port, strlen(rule_var_port) + 3,
"[%s]", rule_var_port);
}
DetectPortParseDo(head, nhead, temp_rule_var_port,
negate? negate: n_set);
d_set = 0;
if (temp_rule_var_port != rule_var_port)
free(temp_rule_var_port);
} else {
DetectPortParseInsertString(nhead,address);
if (negate == 0 && n_set == 0) {
DetectPortParseInsertString(head,address);
} else {
DetectPortParseInsertString(nhead,address);
}
}
n_set = 0;
}
}
return 0;
//error:
// return -1;
error:
return -1;
}
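Review bot: As in the address parser, the result of the recursive `DetectPortParseDo(head, nhead, temp_rule_var_port, negate? negate: n_set)` is ignored in both new branches, even though this commit adds a real `error:` label returning -1 at the bottom of the function, so a port variable with an unparsable value never reaches it. I would write `if (DetectPortParseDo(head, nhead, temp_rule_var_port, negate ? negate : n_set) < 0) { if (temp_rule_var_port != rule_var_port) free(temp_rule_var_port); goto error; }` in both places. The two `SCLogDebug(SC_ERR_MEM_ALLOC, "Error allocating memory")` calls pass an enum where the function's other SCLogDebug calls pass a format string; `SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory")`, as util-rule-vars.c does, is the consistent form. The variable buffer `address[1024]` is still written without a bound check on `x`, which predates this change but now also receives expanded variable names. DetectPortParseDo's body continues outside the first hunk.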
/**

@ -13,6 +13,9 @@
#include "flow.h"
#include "util-rule-vars.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "util-unittest.h"
#include "util-debug.h"
@ -238,45 +241,22 @@ error:
/* XXX implement this for real
*
*/
int SigParseAddress(Signature *s, const char *addrstr, char flag) {
char *addr = NULL;
if (strcmp(addrstr, "$HOME_NET") == 0) {
addr = "[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]";
//addr = "[192.168.0.0/16,10.8.0.0/16,2001:888:13c5:5AFE::/64,2001:888:13c5:CAFE::/64]";
} else if (strcmp(addrstr, "$EXTERNAL_NET") == 0) {
addr = "[!192.168.0.0/16,2000::/3]";
} else if (strcmp(addrstr, "$HTTP_SERVERS") == 0) {
addr = "!192.168.0.0/16";
} else if (strcmp(addrstr, "$SMTP_SERVERS") == 0) {
addr = "!192.168.0.0/16";
} else if (strcmp(addrstr, "$SQL_SERVERS") == 0) {
addr = "!192.168.0.0/16";
} else if (strcmp(addrstr, "$DNS_SERVERS") == 0) {
addr = "any";
} else if (strcmp(addrstr, "$TELNET_SERVERS") == 0) {
addr = "any";
} else if (strcmp(addrstr, "$AIM_SERVERS") == 0) {
addr = "any";
} else if (strcmp(addrstr, "any") == 0) {
addr = "any";
} else {
addr = (char *)addrstr;
//printf("SigParseAddress: addr \"%s\"\n", addrstr);
}
int SigParseAddress(Signature *s, const char *addrstr, char flag)
{
SCLogDebug("Address Group \"%s\" to be parsed now", addrstr);
/* pass on to the address(list) parser */
if (flag == 0) {
if (strcasecmp(addrstr, "any") == 0)
s->flags |= SIG_FLAG_SRC_ANY;
if (DetectAddressParse(&s->src, addr) < 0)
if (DetectAddressParse(&s->src, (char *)addrstr) < 0)
goto error;
} else {
if (strcasecmp(addrstr, "any") == 0)
s->flags |= SIG_FLAG_DST_ANY;
if (DetectAddressParse(&s->dst, addr) < 0)
if (DetectAddressParse(&s->dst, (char *)addrstr) < 0)
goto error;
}
@ -307,55 +287,35 @@ int SigParseProto(Signature *s, const char *protostr) {
}
/**
* \brief Parses the port(source or destination) field, from a Signature
* \brief Parses the port(source or destination) field, from a Signature.
*
* \param s Pointer to the signature which has to be updated with the
* port information
* \param portstr Pointer to the character string containing the port info
* \param Flag which indicates if the portstr received is sort or dst
* port. For src port: flag = 0, dst port: flag = 1
* port information.
* \param portstr Pointer to the character string containing the port info.
* \param Flag which indicates if the portstr received is src or dst
* port. For src port: flag = 0, dst port: flag = 1.
*
* \retval 0 On success
* \retval -1 On failure
* \retval 0 On success.
* \retval -1 On failure.
*/
int SigParsePort(Signature *s, const char *portstr, char flag) {
int SigParsePort(Signature *s, const char *portstr, char flag)
{
int r = 0;
char *port;
char negate = 0;
/* XXX VJ exclude handling this for none UDP/TCP proto's */
/* XXX hack, fix this */
if (portstr[0] == '!' && portstr[1] == '$') {
portstr++;
negate = 1;
}
if (strcmp(portstr, "$HTTP_PORTS") == 0) {
if (negate) port = "![80:81,88]";
else port = "80:81,88";
} else if (strcmp(portstr, "$SHELLCODE_PORTS") == 0) {
port = "!80";
} else if (strcmp(portstr, "$ORACLE_PORTS") == 0) {
if (negate) port = "!1521";
else port = "1521";
} else if (strcmp(portstr, "$SSH_PORTS") == 0) {
if (negate) port = "!22";
else port = "22";
} else {
port = (char *)portstr;
}
SCLogDebug("Port group \"%s\" to be parsed", portstr);
if (flag == 0) {
if (strcasecmp(port, "any") == 0)
if (strcasecmp(portstr, "any") == 0)
s->flags |= SIG_FLAG_SP_ANY;
r = DetectPortParse(&s->sp, (char *)port);
r = DetectPortParse(&s->sp, (char *)portstr);
} else if (flag == 1) {
if (strcasecmp(port, "any") == 0)
if (strcasecmp(portstr, "any") == 0)
s->flags |= SIG_FLAG_DP_ANY;
r = DetectPortParse(&s->dp, (char *)port);
r = DetectPortParse(&s->dp, (char *)portstr);
}
if (r < 0)
@ -992,4 +952,3 @@ void SigParseRegisterTests(void) {
UtRegisterTest("SigParseTestMpm02", SigParseTestMpm02, 1);
#endif /* UNITTESTS */
}
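Review bot: The rewritten doc block for SigParsePort names its third parameter `\param Flag` while the parameter is `flag`, so Doxygen will not bind it; it should read `\param flag Flag which indicates if the portstr received is src or dst port. For src port: flag = 0, dst port: flag = 1.`. The `XXX implement this for real` comment at the top of the first hunk appears to sit above SigParseAddress and is now stale, since the hard-coded variable table it referred to is replaced by the conf lookup inside DetectAddressParse; either drop it or say what is still missing. Note also that the `any` check is still made on the raw token (`strcasecmp(addrstr, "any")`, and likewise for `portstr`), so a variable that expands to `any`, such as DNS_SERVERS in the shipped conf, does not set SIG_FLAG_SRC_ANY/SIG_FLAG_DST_ANY; if those flags influence matching, the comparison should be done against the resolved value. Both functions continue outside the hunks.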

@ -60,11 +60,14 @@
#include "detect-engine-sigorder.h"
#include "detect-ttl.h"
#include "util-rule-vars.h"
#include "action-globals.h"
#include "tm-modules.h"
#include "pkt-var.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "util-print.h"
#include "util-unittest.h"
#include "util-debug.h"
@ -2611,6 +2614,69 @@ void SigTableRegisterTests(void) {
#ifdef UNITTESTS
#include "flow-util.h"
static const char *dummy_conf_string =
"default-log-dir: /var/log/eidps\n"
"\n"
"logging:\n"
"\n"
" default-log-level: debug\n"
"\n"
" default-format: \"<%t> - <%l>\"\n"
"\n"
" default-startup-message: Your IDS has started.\n"
"\n"
" default-output-filter:\n"
"\n"
" output:\n"
"\n"
" - interface: console\n"
" log-level: info\n"
"\n"
" - interface: file\n"
" filename: /var/log/eidps.log\n"
"\n"
" - interface: syslog\n"
" facility: local5\n"
" format: \"%l\"\n"
"\n"
"pfring:\n"
"\n"
" interface: eth0\n"
"\n"
" clusterid: 99\n"
"\n"
"vars:\n"
"\n"
" address-groups:\n"
"\n"
" HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
"13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
"\n"
" EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
"\n"
" HTTP_SERVERS: \"!192.168.0.0/16\"\n"
"\n"
" SMTP_SERVERS: \"!192.168.0.0/16\"\n"
"\n"
" SQL_SERVERS: \"!192.168.0.0/16\"\n"
"\n"
" DNS_SERVERS: any\n"
"\n"
" TELNET_SERVERS: any\n"
"\n"
" AIM_SERVERS: any\n"
"\n"
" port-groups:\n"
"\n"
" HTTP_PORTS: \"80:81,88\"\n"
"\n"
" SHELLCODE_PORTS: 80\n"
"\n"
" ORACLE_PORTS: 1521\n"
"\n"
" SSH_PORTS: 22\n"
"\n";
static int SigTest01Real (int mpm_type) {
uint8_t *buf = (uint8_t *)
"GET /one/ HTTP/1.1\r\n"
@ -3554,6 +3620,10 @@ static int SigTest15Real (int mpm_type) {
p.proto = IPPROTO_TCP;
p.dp = 80;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
@ -3584,6 +3654,8 @@ static int SigTest15Real (int mpm_type) {
//PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static int SigTest15B2g (void) {
@ -3615,6 +3687,10 @@ static int SigTest16Real (int mpm_type) {
p.proto = IPPROTO_TCP;
p.dp = 1234;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
@ -3641,6 +3717,8 @@ static int SigTest16Real (int mpm_type) {
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static int SigTest16B2g (void) {
@ -3677,6 +3755,10 @@ static int SigTest17Real (int mpm_type) {
p.proto = IPPROTO_TCP;
p.dp = 80;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
@ -3714,6 +3796,8 @@ static int SigTest17Real (int mpm_type) {
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static int SigTest17B2g (void) {
@ -3809,6 +3893,10 @@ int SigTest19Real (int mpm_type) {
p.sp = 21;
p.flowflags |= FLOW_PKT_TOSERVER;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
@ -3836,6 +3924,8 @@ int SigTest19Real (int mpm_type) {
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static int SigTest19B2g (void) {
@ -3870,6 +3960,10 @@ static int SigTest20Real (int mpm_type) {
p.sp = 21;
p.flowflags |= FLOW_PKT_TOSERVER;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
@ -3901,6 +3995,8 @@ static int SigTest20Real (int mpm_type) {
//PatternMatchDestroy(mpm_ctx);
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static int SigTest20B2g (void) {
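Review bot: `dummy_conf_string` added here is a verbatim copy of the fixture added to util-rule-vars.c in the same commit, so the two will drift apart the first time one of them is edited; since `ConfYamlLoadString` is now exported, one shared test fixture (or a small `static void LoadTestConf(void)` helper wrapping the `ConfCreateContextBackup(); ConfInit(); ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));` triple that is repeated in five tests here) would keep the setup in one place. The fixture also carries logging and pfring sections the tests never read; trimming it to the `vars:` block would make it obvious what the tests depend on. The test bodies start and end outside the hunks.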

@ -68,6 +68,7 @@
#include "util-cidr.h"
#include "util-unittest.h"
#include "util-time.h"
#include "util-rule-vars.h"
#include "conf.h"
#include "conf-yaml-loader.h"
@ -469,6 +470,7 @@ int main(int argc, char **argv)
DefragRegisterTests();
SigGroupHeadRegisterTests();
SCHInfoRegisterTests();
SCRuleVarsRegisterTests();
if (list_unittests) {
UtListTests(regex_arg);
}

@ -22,6 +22,7 @@ typedef enum {
SC_INVALID_IP_NETBLOCK,
SC_INVALID_IPV4_ADDR,
SC_INVALID_IPV6_ADDR,
SC_ERR_INVALID_SIGNATURE,
} SCError;
const char *SCErrorToString(SCError);

@ -0,0 +1,419 @@
/** Copyright (c) 2009 Open Information Security Foundation.
* \author Anoop Saldanha <poonaatsoc@gmail.com>
*/
#include "eidps-common.h"
#include "conf.h"
#include "conf-yaml-loader.h"
#include "detect.h"
#include "detect-content.h"
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "util-rule-vars.h"
#include "util-enum.h"
#include "util-debug.h"
#include "util-unittest.h"
/** An enum-string map, that maps the different vars type in the yaml conf
* type with the mapping path in the yaml conf file */
SCEnumCharMap sc_rule_vars_type_map[ ] = {
{ "vars.address-groups", SC_RULE_VARS_ADDRESS_GROUPS },
{ "vars.port-groups", SC_RULE_VARS_PORT_GROUPS }
};
/**
* \internal
* \brief Retrieves a value for a yaml mapping. The sequence from the yaml
* conf file, from which the conf value has to be retrieved can be
* specified by supplying a SCRuleVarsType enum. The string mapping
* for each of the SCRuleVarsType is present in sc_rule_vars_type_map.
*
* \param conf_var_name Pointer to a character string containing the conf var
* name, whose value has to be retrieved from the yaml
* conf file.
* \param conf_vars_type Holds an enum value that indicates the kind of yaml
* mapping that has to be retrieved. Can be one of the
* values in SCRuleVarsType.
*
* \retval conf_var_name_value Pointer to the string containing the conf value
* on success; NULL on failure.
*/
char *SCRuleVarsGetConfVar(const char *conf_var_name,
SCRuleVarsType conf_vars_type)
{
SCEnter();
const char *conf_var_type_name = NULL;
char *conf_var_full_name = NULL;
char *conf_var_full_name_value = NULL;
if (conf_var_name == NULL)
goto end;
(conf_var_name[0] == '$') ? conf_var_name++ : conf_var_name;
conf_var_type_name = SCMapEnumValueToName(conf_vars_type,
sc_rule_vars_type_map);
if (conf_var_type_name == NULL)
goto end;
/* the + 2 is for the '.' and the string termination character '\0' */
conf_var_full_name = (char *)malloc(strlen(conf_var_type_name) +
strlen(conf_var_name) + 2);
if (conf_var_full_name == NULL) {
SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory");
goto end;
}
if (snprintf(conf_var_full_name,
strlen(conf_var_type_name) + strlen(conf_var_name) + 2, "%s.%s",
conf_var_type_name, conf_var_name) < 0) {
goto end;
}
if (ConfGet(conf_var_full_name, &conf_var_full_name_value) != 1)
goto end;
SCLogDebug("Value obtained from the yaml conf file, for the var "
"\"%s\" is \"%s\"", conf_var_name, conf_var_full_name_value);
end:
if (conf_var_full_name != NULL)
free(conf_var_full_name);
SCReturnCharPtr(conf_var_full_name_value);
}
/**********************************Unittests***********************************/
static const char *dummy_conf_string =
"default-log-dir: /var/log/eidps\n"
"\n"
"logging:\n"
"\n"
" default-log-level: debug\n"
"\n"
" default-format: \"<%t> - <%l>\"\n"
"\n"
" default-startup-message: Your IDS has started.\n"
"\n"
" default-output-filter:\n"
"\n"
" output:\n"
"\n"
" - interface: console\n"
" log-level: info\n"
"\n"
" - interface: file\n"
" filename: /var/log/eidps.log\n"
"\n"
" - interface: syslog\n"
" facility: local5\n"
" format: \"%l\"\n"
"\n"
"pfring:\n"
"\n"
" interface: eth0\n"
"\n"
" clusterid: 99\n"
"\n"
"vars:\n"
"\n"
" address-groups:\n"
"\n"
" HOME_NET: \"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:"
"13c5:5AFE::/64,2001:888:13c5:CAFE::/64]\"\n"
"\n"
" EXTERNAL_NET: \"[!192.168.0.0/16,2000::/3]\"\n"
"\n"
" HTTP_SERVERS: \"!192.168.0.0/16\"\n"
"\n"
" SMTP_SERVERS: \"!192.168.0.0/16\"\n"
"\n"
" SQL_SERVERS: \"!192.168.0.0/16\"\n"
"\n"
" DNS_SERVERS: any\n"
"\n"
" TELNET_SERVERS: any\n"
"\n"
" AIM_SERVERS: any\n"
"\n"
" port-groups:\n"
"\n"
" HTTP_PORTS: \"80:81,88\"\n"
"\n"
" SHELLCODE_PORTS: 80\n"
"\n"
" ORACLE_PORTS: 1521\n"
"\n"
" SSH_PORTS: 22\n"
"\n";
/**
* \test Check that valid address and port group vars are correctly retrieved
* from the configuration.
*/
int SCRuleVarsPositiveTest01(void)
{
int result = 1;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
/* check for address-groups */
result &= (SCRuleVarsGetConfVar("$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$HOME_NET", SC_RULE_VARS_ADDRESS_GROUPS),
"[192.168.0.0/16,10.8.0.0/16,127.0.0.1,2001:888:13c5:"
"5AFE::/64,2001:888:13c5:CAFE::/64]") == 0);
result &= (SCRuleVarsGetConfVar("$EXTERNAL_NET", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$EXTERNAL_NET", SC_RULE_VARS_ADDRESS_GROUPS),
"[!192.168.0.0/16,2000::/3]") == 0);
result &= (SCRuleVarsGetConfVar("$HTTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$HTTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
"!192.168.0.0/16") == 0);
result &= (SCRuleVarsGetConfVar("$SMTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$SMTP_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
"!192.168.0.0/16") == 0);
result &= (SCRuleVarsGetConfVar("$SQL_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$SQL_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
"!192.168.0.0/16") == 0);
result &= (SCRuleVarsGetConfVar("$DNS_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$DNS_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
"any") == 0);
result &= (SCRuleVarsGetConfVar("$TELNET_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$TELNET_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
"any") == 0);
result &= (SCRuleVarsGetConfVar("$AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$AIM_SERVERS", SC_RULE_VARS_ADDRESS_GROUPS),
"any") == 0);
/* check for port-groups */
result &= (SCRuleVarsGetConfVar("$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$HTTP_PORTS", SC_RULE_VARS_PORT_GROUPS),
"80:81,88") == 0);
result &= (SCRuleVarsGetConfVar("$SHELLCODE_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$SHELLCODE_PORTS", SC_RULE_VARS_PORT_GROUPS),
"80") == 0);
result &= (SCRuleVarsGetConfVar("$ORACLE_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$ORACLE_PORTS", SC_RULE_VARS_PORT_GROUPS),
"1521") == 0);
result &= (SCRuleVarsGetConfVar("$SSH_PORTS", SC_RULE_VARS_PORT_GROUPS) != NULL &&
strcmp(SCRuleVarsGetConfVar("$SSH_PORTS", SC_RULE_VARS_PORT_GROUPS),
"22") == 0);
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
/**
* \test Check that invalid address and port groups are properly handled by the
* API.
*/
int SCRuleVarsNegativeTest02(void)
{
int result = 1;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
result &= (SCRuleVarsGetConfVar("$HOME_NETW", SC_RULE_VARS_ADDRESS_GROUPS) == NULL);
result &= (SCRuleVarsGetConfVar("$home_net", SC_RULE_VARS_ADDRESS_GROUPS) == NULL);
result &= (SCRuleVarsGetConfVar("$TOMCAT_PORTSW", SC_RULE_VARS_PORT_GROUPS) == NULL);
result &= (SCRuleVarsGetConfVar("$tomcat_ports", SC_RULE_VARS_PORT_GROUPS) == NULL);
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
/**
* \test Check that Signatures with valid address and port groups are parsed
* without any errors by the Signature parsing API.
*/
int SCRuleVarsPositiveTest03(void)
{
int result = 0;
Signature *s = NULL;
DetectEngineCtx *de_ctx = NULL;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx, "alert tcp $HTTP_SERVERS any -> any any (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp $SMTP_SERVERS any -> $HTTP_SERVERS any (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp $AIM_SERVERS any -> $AIM_SERVERS any (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp $TELNET_SERVERS any -> any $SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp $TELNET_SERVERS any -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp $TELNET_SERVERS 80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp $TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp !$HTTP_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp 192.168.1.2 any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp !192.168.1.2 any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp !192.168.1.2 any -> any !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp !192.168.1.2 any -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp !192.168.1.2 $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp [!192.168.24.0/23,!167.12.0.0/24] any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp ![192.168.24.0/23,!167.12.0.0/24] any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp [$HOME_NET,!192.168.1.2] $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp [[192.168.1.3,$EXTERNAL_NET],192.168.2.5] $HTTP_PORTS -> !$HTTP_SERVERS !$HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp [[192.168.1.3,$EXTERNAL_NET],192.168.2.5] $HTTP_PORTS -> !$HTTP_SERVERS [80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp [![192.168.1.3,$EXTERNAL_NET],[$HTTP_SERVERS,!$HOME_NET],192.168.2.5] $HTTP_PORTS -> !$HTTP_SERVERS [80,[!$HTTP_PORTS,$ORACLE_PORTS]] (msg:\"Rule Vars Test\"; sid:1;)");
if (s == NULL)
goto end;
SigFree(s);
result = 1;
end:
ConfDeInit();
ConfRestoreContextBackup();
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/**
* \test Check that Signatures with invalid address and port groups, are
* are invalidated by the Singature parsing API.
*/
int SCRuleVarsNegativeTest04(void)
{
int result = 0;
Signature *s = NULL;
DetectEngineCtx *de_ctx = NULL;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString((u_char *)dummy_conf_string, strlen(dummy_conf_string));
if ( (de_ctx = DetectEngineCtxInit()) == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx, "alert tcp $HTTP_SERVER any -> any any (msg:\"Rule Vars Test\"; sid:1;)");
if (s != NULL)
goto end;
s = SigInit(de_ctx, "alert tcp $http_servers any -> any any (msg:\"Rule Vars Test\"; sid:1;)");
if (s != NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp $http_servers any -> any $HTTP_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s != NULL)
goto end;
SigFree(s);
s = SigInit(de_ctx, "alert tcp !$TELNET_SERVERS !80 -> any !$SSH_PORTS (msg:\"Rule Vars Test\"; sid:1;)");
if (s != NULL)
goto end;
SigFree(s);
result = 1;
end:
ConfDeInit();
ConfRestoreContextBackup();
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
void SCRuleVarsRegisterTests(void)
{
#ifdef UNITTESTS
UtRegisterTest("SCRuleVarsPositiveTest01", SCRuleVarsPositiveTest01, 1);
UtRegisterTest("SCRuleVarsNegativeTest02", SCRuleVarsNegativeTest02, 1);
UtRegisterTest("SCRuleVarsPositiveTest03", SCRuleVarsPositiveTest03, 1);
UtRegisterTest("SCRuleVarsNegativeTest04", SCRuleVarsNegativeTest04, 1);
#endif
return;
}
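Review bot: `sc_rule_vars_type_map` has no terminating entry; if `SCMapEnumValueToName` walks the table until it meets a NULL name, as SCEnumCharMap tables conventionally do, a lookup for any value other than the two listed reads past the end of the array instead of returning NULL, and the `conf_var_type_name == NULL` guard that follows never fires. Add `{ NULL, -1 }` as the last initializer. The doc block for SCRuleVarsGetConfVar should also state ownership of the result: the pointer comes straight from `ConfGet`, is not copied, and is freed neither here nor by the callers in detect-engine-address.c, so it appears to be owned by the configuration and becomes dangling after `ConfDeInit`. Finally, `(conf_var_name[0] == '$') ? conf_var_name++ : conf_var_name;` hides a side effect in a ternary used as a statement; `if (conf_var_name[0] == '$') conf_var_name++;` says the same thing plainly, and in SCRuleVarsNegativeTest04 `SigFree(s)` is reached with `s == NULL` after each expected-failure check, which is harmless only if SigFree tolerates NULL.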

@ -0,0 +1,17 @@
/** Copyright (c) 2009 Open Information Security Foundation.
* \author Anoop Saldanha <poonaatsoc@gmail.com>
*/
#ifndef __UTIL_RULE_VARS_H__
#define __UTIL_RULE_VARS_H__
/** Enum indicating the various vars type in the yaml conf file */
typedef enum {
SC_RULE_VARS_ADDRESS_GROUPS,
SC_RULE_VARS_PORT_GROUPS,
} SCRuleVarsType;
char *SCRuleVarsGetConfVar(const char *, SCRuleVarsType);
void SCRuleVarsRegisterTests(void);
#endif /* __UTIL_RULE_VARS_H__ */