signature address parsing improvements and tests

Fix signatures not supporting the [10.0.0.0/24, !10.1.1.1] notation when
used directly in a rule instead of through a variable.

Add tests for Bugs #815 and #920.
pull/660/head
Victor Julien 11 years ago
parent 614133b4ca
commit e7f6107e79

@ -99,8 +99,30 @@ typedef struct SigDuplWrapper_ {
#define CONFIG_DP 6
#define CONFIG_OPTS 7
// action protocol src sp dir dst dp options
#define CONFIG_PCRE "^([A-z]+)\\s+([A-z0-9\\-]+)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/]+)\\s+([\\:A-z0-9_\\$\\!,]+)\\s+(-\\>|\\<\\>|\\<\\-)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,/]+)\\s+([\\:A-z0-9_\\$\\!,]+)(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?\\s*$"
/* if enclosed in [], spaces are allowed */
#define CONFIG_PCRE_SRCDST "(" \
"[\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/]+" \
"|" \
"\\[[\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/\\s]+\\]"\
")"
/* if enclosed in [], spaces are allowed */
#define CONFIG_PCRE_PORT "(" \
"[\\:A-z0-9_\\$\\!,]+"\
"|"\
"\\[[\\:A-z0-9_\\$\\!,\\s]+\\]"\
")"
/* format: action space(s) protocol spaces(s) src space(s) sp spaces(s) dir spaces(s) dst spaces(s) dp spaces(s) options */
#define CONFIG_PCRE "^([A-z]+)\\s+([A-z0-9\\-]+)\\s+" \
CONFIG_PCRE_SRCDST \
"\\s+"\
CONFIG_PCRE_PORT \
"\\s+(-\\>|\\<\\>|\\<\\-)\\s+" \
CONFIG_PCRE_SRCDST \
"\\s+" \
CONFIG_PCRE_PORT \
"(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?\\s*$"
#define OPTION_PARTS 3
#define OPTION_PCRE "^\\s*([A-z_0-9-\\.]+)(?:\\s*\\:\\s*(.*)(?<!\\\\))?\\s*;\\s*(?:\\s*(.*))?\\s*$"
@ -2462,6 +2484,42 @@ end:
return result;
}
/** \test address parsing */
static int SigParseTest21 (void) {
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
if (DetectEngineAppendSig(de_ctx, "alert tcp [1.2.3.4, 1.2.3.5] any -> !1.2.3.4 any (sid:1;)") == NULL)
goto end;
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/** \test address parsing */
static int SigParseTest22 (void) {
int result = 0;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
if (DetectEngineAppendSig(de_ctx, "alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
goto end;
result = 1;
end:
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
/** \test Direction operator validation (invalid) */
int SigParseBidirecTest06 (void) {
int result = 1;
@ -3349,6 +3407,8 @@ void SigParseRegisterTests(void) {
UtRegisterTest("SigParseTest18", SigParseTest18, 1);
UtRegisterTest("SigParseTest19", SigParseTest19, 1);
UtRegisterTest("SigParseTest20", SigParseTest20, 1);
UtRegisterTest("SigParseTest21 -- address with space", SigParseTest21, 1);
UtRegisterTest("SigParseTest22 -- address with space", SigParseTest22, 1);
UtRegisterTest("SigParseBidirecTest06", SigParseBidirecTest06, 1);
UtRegisterTest("SigParseBidirecTest07", SigParseBidirecTest07, 1);
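Review bot: The character classes in the new `CONFIG_PCRE_SRCDST` and `CONFIG_PCRE_PORT` macros (first hunk) keep the `A-z` range, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the rule-header regex accepts more than letters in every address and port field. The unbracketed port alternative lists no brackets of its own and so appears to accept `[80,81]` only through that range. I would spell the letters as `A-Za-z` and add `\\[\\]` to the classes that are meant to take brackets, so the accepted grammar is explicit and a later clean-up of the range cannot silently change which rules load. The bracketed alternatives also allow `[` and `]` inside the outer brackets, so nesting and balance are presumably left to the address and port parsers, and a one-line comment above each macro saying so would help. SigParseTest21 and SigParseTest22 exercise only the address alternative and only assert that the signature loads, so the new whitespace form of `CONFIG_PCRE_PORT` has no test in this section.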

@ -11328,6 +11328,191 @@ end:
return result;
}
static const char *dummy_conf_string2 =
"%YAML 1.1\n"
"---\n"
"vars:\n"
"\n"
" address-groups:\n"
"\n"
" HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
"\n"
" EXTERNAL_NET: \"any\"\n"
"\n"
" port-groups:\n"
"\n"
" HTTP_PORTS: \"80:81,88\"\n"
"\n";
static int DetectAddressYamlParsing01 (void) {
int result = 0;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
goto end;
result = 1;
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static const char *dummy_conf_string3 =
"%YAML 1.1\n"
"---\n"
"vars:\n"
"\n"
" address-groups:\n"
"\n"
" HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
"\n"
" EXTERNAL_NET: \"any\"\n"
"\n"
" port-groups:\n"
"\n"
" HTTP_PORTS: \"80:81,88\"\n"
"\n";
static int DetectAddressYamlParsing02 (void) {
int result = 0;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
goto end;
result = 1;
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static const char *dummy_conf_string4 =
"%YAML 1.1\n"
"---\n"
"vars:\n"
"\n"
" address-groups:\n"
"\n"
" HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
"\n"
" EXTERNAL_NET: \"any\"\n"
"\n"
" port-groups:\n"
"\n"
" HTTP_PORTS: \"80:81,88\"\n"
"\n";
static int DetectAddressYamlParsing03 (void) {
int result = 0;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
goto end;
result = 1;
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
static const char *dummy_conf_string5 =
"%YAML 1.1\n"
"---\n"
"vars:\n"
"\n"
" address-groups:\n"
"\n"
" HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
"\n"
" EXTERNAL_NET: \"any\"\n"
"\n"
" port-groups:\n"
"\n"
" HTTP_PORTS: \"80:81,88\"\n"
"\n";
/** \test bug #815 */
static int DetectAddressYamlParsing04 (void) {
int result = 0;
ConfCreateContextBackup();
ConfInit();
ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
goto end;
if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
goto end;
result = 1;
DetectEngineCtxFree(de_ctx);
end:
ConfDeInit();
ConfRestoreContextBackup();
return result;
}
#endif /* UNITTESTS */
void SigRegisterTests(void) {
@ -11537,6 +11722,11 @@ void SigRegisterTests(void) {
UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03, 1);
UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04, 1);
UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01, 1);
UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02, 1);
UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03, 1);
UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04, 1);
DetectSimdRegisterTests();
#endif /* UNITTESTS */
}
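Review bot: In DetectAddressYamlParsing01 through DetectAddressYamlParsing04, `DetectEngineCtxFree(de_ctx);` sits before the `end:` label, so every `goto end` taken after a failed `DetectEngineAppendSig` skips it and the engine context is not released on the failure paths. SigParseTest21 and SigParseTest22 from the same commit free it after the label, and the same shape works here by moving the call below `end:` as `if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);`. `dummy_conf_string3` and `dummy_conf_string4` are byte-identical, so DetectAddressYamlParsing03 repeats DetectAddressYamlParsing02 without adding coverage. The commit message names bugs #815 and #920, but only DetectAddressYamlParsing04 carries a `\test bug #815` comment, so it is not visible which test covers #920. All four tests assert only that the signatures load; none checks that the negated host is actually excluded from `$HOME_NET`, which is the property a detection rule depends on.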
