From e7f6107e794065b283e3418dbf9d6d0944328073 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 27 Nov 2013 11:43:52 +0100
Subject: [PATCH] signature address parsing improvements and tests

Fix sigatures not supporting [10.0.0.0/24, !10.1.1.1] notation when used directly in a rule instead of through a variable.

Add tests for Bugs #815 and #920.
---
 src/detect-parse.c | 64 ++++++++++++++-
 src/detect.c | 190 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 252 insertions(+), 2 deletions(-)

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 72ba752d8b..8058cb9c7c 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -99,8 +99,30 @@ typedef struct SigDuplWrapper_ {
 #define CONFIG_DP 6
 #define CONFIG_OPTS 7
-// action protocol src sp dir dst dp options
-#define CONFIG_PCRE "^([A-z]+)\\s+([A-z0-9\\-]+)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/]+)\\s+([\\:A-z0-9_\\$\\!,]+)\\s+(-\\>|\\<\\>|\\<\\-)\\s+([\\[\\]A-z0-9\\.\\:_\\$\\!\\-,/]+)\\s+([\\:A-z0-9_\\$\\!,]+)(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?\\s*$"
+/* if enclosed in [], spaces are allowed */
+#define CONFIG_PCRE_SRCDST "(" \
+ "[\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/]+" \
+ "|" \
+ "\\[[\\[\\]A-z0-9\\.\\:_\\$\\!\\-,\\/\\s]+\\]"\
+ ")"
+
+/* if enclosed in [], spaces are allowed */
+#define CONFIG_PCRE_PORT "(" \
+ "[\\:A-z0-9_\\$\\!,]+"\
+ "|"\
+ "\\[[\\:A-z0-9_\\$\\!,\\s]+\\]"\
+ ")"
+
+/* format: action space(s) protocol spaces(s) src space(s) sp spaces(s) dir spaces(s) dst spaces(s) dp spaces(s) options */
+#define CONFIG_PCRE "^([A-z]+)\\s+([A-z0-9\\-]+)\\s+" \
+ CONFIG_PCRE_SRCDST \
+ "\\s+"\
+ CONFIG_PCRE_PORT \
+ "\\s+(-\\>|\\<\\>|\\<\\-)\\s+" \
+ CONFIG_PCRE_SRCDST \
+ "\\s+" \
+ CONFIG_PCRE_PORT \
+ "(?:\\s+\\((.*)?(?:\\s*)\\))?(?:(?:\\s*)\\n)?\\s*$"
 #define OPTION_PARTS 3
 #define OPTION_PCRE "^\\s*([A-z_0-9-\\.]+)(?:\\s*\\:\\s*(.*)(? !1.2.3.4 any (sid:1;)") == NULL)
+ goto end;
+
+ result = 1;
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/** \test address parsing */
+static int SigParseTest22 (void) {
+ int result = 0;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ if (DetectEngineAppendSig(de_ctx, "alert tcp [10.10.10.0/24, !10.10.10.247] any -> [10.10.10.0/24, !10.10.10.247] any (sid:1;)") == NULL)
+ goto end;
+
+ result = 1;
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
 /** \test Direction operator validation (invalid) */
 int SigParseBidirecTest06 (void) {
 int result = 1;
@@ -3349,6 +3407,8 @@ void SigParseRegisterTests(void) {
 UtRegisterTest("SigParseTest18", SigParseTest18, 1);
 UtRegisterTest("SigParseTest19", SigParseTest19, 1);
 UtRegisterTest("SigParseTest20", SigParseTest20, 1);
+ UtRegisterTest("SigParseTest21 -- address with space", SigParseTest21, 1);
+ UtRegisterTest("SigParseTest22 -- address with space", SigParseTest22, 1);
 UtRegisterTest("SigParseBidirecTest06", SigParseBidirecTest06, 1);
 UtRegisterTest("SigParseBidirecTest07", SigParseBidirecTest07, 1);
diff --git a/src/detect.c b/src/detect.c
index a6b47f4ed2..809d057bc2 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -11328,6 +11328,191 @@ end:
 return result;
 }
+
+static const char *dummy_conf_string2 =
+ "%YAML 1.1\n"
+ "---\n"
+ "vars:\n"
+ "\n"
+ " address-groups:\n"
+ "\n"
+ " HOME_NET: \"[10.10.10.0/24, !10.10.10.247]\"\n"
+ "\n"
+ " EXTERNAL_NET: \"any\"\n"
+ "\n"
+ " port-groups:\n"
+ "\n"
+ " HTTP_PORTS: \"80:81,88\"\n"
+ "\n";
+
+static int DetectAddressYamlParsing01 (void) {
+ int result = 0;
+
+ ConfCreateContextBackup();
+ ConfInit();
+ ConfYamlLoadString(dummy_conf_string2, strlen(dummy_conf_string2));
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
+ goto end;
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
+ goto end;
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
+ goto end;
+
+ result = 1;
+
+ DetectEngineCtxFree(de_ctx);
+end:
+ ConfDeInit();
+ ConfRestoreContextBackup();
+ return result;
+}
+
+static const char *dummy_conf_string3 =
+ "%YAML 1.1\n"
+ "---\n"
+ "vars:\n"
+ "\n"
+ " address-groups:\n"
+ "\n"
+ " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
+ "\n"
+ " EXTERNAL_NET: \"any\"\n"
+ "\n"
+ " port-groups:\n"
+ "\n"
+ " HTTP_PORTS: \"80:81,88\"\n"
+ "\n";
+
+static int DetectAddressYamlParsing02 (void) {
+ int result = 0;
+
+ ConfCreateContextBackup();
+ ConfInit();
+ ConfYamlLoadString(dummy_conf_string3, strlen(dummy_conf_string3));
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
+ goto end;
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
+ goto end;
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
+ goto end;
+
+ result = 1;
+
+ DetectEngineCtxFree(de_ctx);
+end:
+ ConfDeInit();
+ ConfRestoreContextBackup();
+ return result;
+}
+
+static const char *dummy_conf_string4 =
+ "%YAML 1.1\n"
+ "---\n"
+ "vars:\n"
+ "\n"
+ " address-groups:\n"
+ "\n"
+ " HOME_NET: \"[10.10.10.0/24, !10.10.10.247/32]\"\n"
+ "\n"
+ " EXTERNAL_NET: \"any\"\n"
+ "\n"
+ " port-groups:\n"
+ "\n"
+ " HTTP_PORTS: \"80:81,88\"\n"
+ "\n";
+
+static int DetectAddressYamlParsing03 (void) {
+ int result = 0;
+
+ ConfCreateContextBackup();
+ ConfInit();
+ ConfYamlLoadString(dummy_conf_string4, strlen(dummy_conf_string4));
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
+ goto end;
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
+ goto end;
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
+ goto end;
+
+ result = 1;
+
+ DetectEngineCtxFree(de_ctx);
+end:
+ ConfDeInit();
+ ConfRestoreContextBackup();
+ return result;
+}
+
+static const char *dummy_conf_string5 =
+ "%YAML 1.1\n"
+ "---\n"
+ "vars:\n"
+ "\n"
+ " address-groups:\n"
+ "\n"
+ " HOME_NET: \"[10.196.0.0/24, !10.196.0.15]\"\n"
+ "\n"
+ " EXTERNAL_NET: \"any\"\n"
+ "\n"
+ " port-groups:\n"
+ "\n"
+ " HTTP_PORTS: \"80:81,88\"\n"
+ "\n";
+
+/** \test bug #815 */
+static int DetectAddressYamlParsing04 (void) {
+ int result = 0;
+
+ ConfCreateContextBackup();
+ ConfInit();
+ ConfYamlLoadString(dummy_conf_string5, strlen(dummy_conf_string5));
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> any any (sid:1;)")) == NULL)
+ goto end;
+ if ((DetectEngineAppendSig(de_ctx, "alert tcp any any -> $HOME_NET any (sid:2;)")) == NULL)
+ goto end;
+ if 
((DetectEngineAppendSig(de_ctx, "alert tcp $HOME_NET any -> $HOME_NET any (sid:3;)")) == NULL)
+ goto end;
+
+ result = 1;
+
+ DetectEngineCtxFree(de_ctx);
+end:
+ ConfDeInit();
+ ConfRestoreContextBackup();
+ return result;
+}
 #endif /* UNITTESTS */
 void SigRegisterTests(void) {
@@ -11537,6 +11722,11 @@ void SigRegisterTests(void) {
 UtRegisterTest("SigTestDropFlow03", SigTestDropFlow03, 1);
 UtRegisterTest("SigTestDropFlow04", SigTestDropFlow04, 1);
+ UtRegisterTest("DetectAddressYamlParsing01", DetectAddressYamlParsing01, 1);
+ UtRegisterTest("DetectAddressYamlParsing02", DetectAddressYamlParsing02, 1);
+ UtRegisterTest("DetectAddressYamlParsing03", DetectAddressYamlParsing03, 1);
+ UtRegisterTest("DetectAddressYamlParsing04", DetectAddressYamlParsing04, 1);
+
 DetectSimdRegisterTests();
 #endif /* UNITTESTS */
 }
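Review bot: In DetectAddressYamlParsing01 through 04, every `goto end` taken after DetectEngineCtxInit() has succeeded — the three DetectEngineAppendSig() failure branches — leaks the engine context, because `DetectEngineCtxFree(de_ctx)` sits on the success path ahead of the `end:` label rather than under it. SigParseTest21/22 in detect-parse.c already use the safe shape, and the same three lines fix all four functions here: `end:` / `    if (de_ctx != NULL)` / `        DetectEngineCtxFree(de_ctx);` followed by the existing ConfDeInit(). The ConfYamlLoadString() return value is also unchecked in each function, so a configuration that fails to load would surface as a rule-parsing failure rather than a test-setup failure. DetectAddressYamlParsing03 and dummy_conf_string4 appear to be verbatim copies of DetectAddressYamlParsing02 and dummy_conf_string3 (same `!10.10.10.247/32` group), so one of them should either be dropped or be given a distinct input that exercises a different case.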