Remove contents of VRT classification.config.

remotes/origin/master-1.0.x
Victor Julien 15 years ago
parent 011b74df63
commit ecab1fae36

@ -308,7 +308,7 @@ int AlertFastLogTest01()
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
if (p.alerts.cnt == 1)
result = (strcmp(p.alerts.alerts[0].class_msg, "Unknown Traffic") == 0);
result = (strcmp(p.alerts.alerts[0].class_msg, "Unknown are we") == 0);
else
result = 0;
@ -352,8 +352,9 @@ int AlertFastLogTest02()
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Fastlog test\"; content:GET; "
"Classtype:attempted-admin; sid:1;)");
"Classtype:unknown; sid:1;)");
result = (de_ctx->sig_list != NULL);
if (result == 0) printf("sig parse failed: ");
SigGroupBuild(de_ctx);
//PatternMatchPrepare(mpm_ctx, MPM_B2G);
@ -362,8 +363,10 @@ int AlertFastLogTest02()
SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
if (p.alerts.cnt == 1) {
result = (strcmp(p.alerts.alerts[0].class_msg, "Unknown Traffic") != 0);
if (result == 0) printf("p.alerts.alerts[0].class_msg %s: ", p.alerts.alerts[0].class_msg);
result = (strcmp(p.alerts.alerts[0].class_msg,
"Attempted Administrator Privilege Gain") == 0);
"Unknown are we") == 0);
if (result == 0) printf("p.alerts.alerts[0].class_msg %s: ", p.alerts.alerts[0].class_msg);
} else {
result = 0;
}
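Review bot: In AlertFastLogTest02 the first `result` assignment inside the `p.alerts.cnt == 1` branch (the `strcmp(..., "Unknown Traffic") != 0` check) is overwritten two statements later by the `"Unknown are we"` comparison, so its outcome never reaches the return value; the hunk counts (8 old, 10 new lines) indicate both comparisons sit on the new side. Either fold it in with `result &= (strcmp(p.alerts.alerts[0].class_msg, "Unknown are we") == 0);` or drop the first comparison altogether, since the dummy config no longer defines "Unknown Traffic" and that check can only ever pass. The function's body continues outside the hunk.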

@ -220,7 +220,12 @@ int DetectClasstypeTest02()
SCClassConfDeleteDummyClassificationConfigFD();
sig = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Classtype test\"; Classtype:unknown; sid:1;)");
"(msg:\"Classtype test\"; Classtype:bad-unknown; sid:1;)");
if (sig == NULL) {
printf("first sig failed to parse: ");
result = 0;
goto end;
}
de_ctx->sig_list = last = sig;
result = (sig != NULL);
@ -230,13 +235,22 @@ int DetectClasstypeTest02()
result &= (sig == NULL);
sig = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Classtype test\"; Classtype:atteMPted-dos; sid:1;)");
"(msg:\"Classtype test\"; Classtype:Bad-UnkNown; sid:1;)");
if (sig == NULL) {
printf("second sig failed to parse: ");
result = 0;
goto end;
}
last->next = sig;
last = sig;
result &= (sig != NULL);
sig = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Classtype test\"; Classtype:attempted-dos; sid:1;)");
"(msg:\"Classtype test\"; Classtype:nothing-wrong; sid:1;)");
if (sig == NULL) {
result = 0;
goto end;
}
last->next = sig;
last = sig;
result &= (sig != NULL);
@ -274,59 +288,37 @@ int DetectClasstypeTest03()
sig = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Classtype test\"; Classtype:bad-unknown; priority:1; sid:1;)");
if (sig == NULL) {
result = 0;
goto end;
}
de_ctx->sig_list = last = sig;
result = (sig != NULL);
result &= (sig->prio == 1);
sig = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Classtype test\"; Classtype:atteMPted-dos; "
"(msg:\"Classtype test\"; Classtype:unKnoWn; "
"priority:3; sid:1;)");
if (sig == NULL) {
result = 0;
goto end;
}
last->next = sig;
last = sig;
result &= (sig != NULL);
result &= (sig->prio == 3);
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
"Classtype:attempted-dos; priority:1; sid:1;)");
last->next = sig;
last = sig;
result &= (sig != NULL);
result &= (sig->prio == 1);
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
"priority:1; Classtype:unknown; sid:1;)");
"Classtype:nothing-wrong; priority:1; sid:1;)");
if (sig == NULL) {
result = 0;
goto end;
}
last->next = sig;
last = sig;
result &= (sig != NULL);
result &= (sig->prio == 1);
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
"priority:2; Classtype:unknown; sid:1;)");
last->next = sig;
last = sig;
result &= (sig != NULL);
result &= (sig->prio == 2);
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
"sid:1;)");
last->next = sig;
last = sig;
result &= (sig != NULL);
result &= (sig->prio == 3);
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
"Classtype:unknown; sid:1;)");
last->next = sig;
last = sig;
result &= (sig != NULL);
result &= (sig->prio == 3);
sig = SigInit(de_ctx, "alert tcp any any -> any any (msg:\"Classtype test\"; "
"Classtype:bad-unknown; sid:1;)");
last->next = sig;
last = sig;
result &= (sig != NULL);
result &= (sig->prio == 2);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
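Review bot: In DetectClasstypeTest02 and DetectClasstypeTest03 the `result &= (sig != NULL);` lines that directly follow an `if (sig == NULL) { ... goto end; }` guard (after the `bad-unknown`, `Bad-UnkNown` and `nothing-wrong` signatures, for instance) can no longer be false and only obscure which checks matter; `result = (sig != NULL);` right after the first guard has the same problem. Conversely, any SigInit call in Test03 that remains unguarded on the new side (the blocks ending in `result &= (sig->prio == N);`, which of them survive is not recoverable from this rendering) dereferences `sig` one line after recording that it may be NULL, so a failed parse becomes a crash instead of a failed test; give each of them the same `if (sig == NULL) { result = 0; goto end; }` guard. Both functions begin before the visible hunks and Test03 continues after them.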

@ -500,13 +500,9 @@ static int IPOnlyTestSig01(void) {
memset(&de_ctx, 0, sizeof(DetectEngineCtx));
SCClassConfGenerateValidDummyClassConfigFD01();
SCClassConfLoadClassficationConfigFile(&de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx.flags |= DE_QUIET;
Signature *s = SigInit(&de_ctx,"alert tcp any any -> any any (msg:\"SigTest40-01 sig is IPOnly \"; classtype:misc-activity; sid:400001; rev:1;)");
Signature *s = SigInit(&de_ctx,"alert tcp any any -> any any (msg:\"SigTest40-01 sig is IPOnly \"; sid:400001; rev:1;)");
if (s == NULL) {
goto end;
}
@ -532,13 +528,9 @@ static int IPOnlyTestSig02 (void) {
memset(&de_ctx, 0, sizeof(DetectEngineCtx));
SCClassConfGenerateValidDummyClassConfigFD01();
SCClassConfLoadClassficationConfigFile(&de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx.flags |= DE_QUIET;
Signature *s = SigInit(&de_ctx,"alert tcp any any -> any 80 (msg:\"SigTest40-02 sig is not IPOnly \"; classtype:misc-activity; sid:400001; rev:1;)");
Signature *s = SigInit(&de_ctx,"alert tcp any any -> any 80 (msg:\"SigTest40-02 sig is not IPOnly \"; sid:400001; rev:1;)");
if (s == NULL) {
goto end;
}

@ -888,7 +888,7 @@ end:
int SigParseTest02 (void) {
int result = 0;
Signature *sig = NULL;
DetectPort *port = NULL;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
@ -899,12 +899,11 @@ int SigParseTest02 (void) {
SCClassConfLoadClassficationConfigFile(de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; classtype:non-standard-protocol; sid:2003055; rev:4;)");
sig = SigInit(de_ctx, "alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
if (sig == NULL) {
goto end;
}
DetectPort *port = NULL;
int r = DetectPortParse(&port, "0:20");
if (r < 0)
goto end;
@ -916,7 +915,7 @@ int SigParseTest02 (void) {
}
end:
DetectPortCleanupList(port);
if (port != NULL) DetectPortCleanupList(port);
if (sig != NULL) SigFree(sig);
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
return result;
@ -1834,7 +1833,7 @@ static int SigParseTestAppLayerTLS03(void) {
goto end;
de_ctx->flags |= DE_QUIET;
s = SigInit(de_ctx,"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; classtype:misc-activity; sid:410006; rev:1;)");
s = SigInit(de_ctx,"alert tls any any -> any any (msg:\"SigParseTestAppLayerTLS03 \"; tls.version:2.5; sid:410006; rev:1;)");
if (s != NULL) {
SigFree(s);
goto end;
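Review bot: In SigParseTest02 the `goto end` taken when `SigInit` returns NULL lands on `end:`, where `port` is read by the cleanup call; the hunk shows `DetectPort *port = NULL;` both among the declarations at the top of the function and after the SigInit check, and this rendering does not say which placement is the new one. If the top declaration is the one that survives, the cleanup is well-defined and the added `if (port != NULL)` guard is correct; if the later placement survives, `port` is indeterminate on that path and `DetectPortCleanupList(port)` operates on a garbage pointer, so keep the declaration with the other locals ahead of the first `goto end`. SigParseTest02 continues between and after the visible hunks.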

@ -4041,13 +4041,9 @@ static int SigTest15Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
SCClassConfGenerateValidDummyClassConfigFD01();
SCClassConfLoadClassficationConfigFile(de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
@ -4111,13 +4107,9 @@ static int SigTest16Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
SCClassConfGenerateValidDummyClassConfigFD01();
SCClassConfLoadClassficationConfigFile(de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; classtype:misc-activity; sid:2008284; rev:2;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any !$HTTP_PORTS (msg:\"ET POLICY Inbound HTTP CONNECT Attempt on Off-Port\"; content:\"CONNECT \"; nocase; depth:8; content:\" HTTP/1.\"; nocase; within:1000; sid:2008284; rev:2;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
@ -4255,13 +4247,9 @@ static int SigTest18Real (int mpm_type) {
de_ctx->mpm_matcher = mpm_type;
SCClassConfGenerateValidDummyClassConfigFD01();
SCClassConfLoadClassficationConfigFile(de_ctx);
SCClassConfDeleteDummyClassificationConfigFD();
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; classtype:non-standard-protocol; sid:2003055; rev:4;)");
de_ctx->sig_list = SigInit(de_ctx,"alert tcp any !21:902 -> any any (msg:\"ET MALWARE Suspicious 220 Banner on Local Port\"; content:\"220\"; offset:0; depth:4; pcre:\"/220[- ]/\"; sid:2003055; rev:4;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
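Review bot: In SigTest16Real the `if (de_ctx->sig_list == NULL) { goto end; }` right after the rewritten signature leaves `result` untouched, whereas SigTest15Real and SigTest18Real set `result = 0;` before their `goto end` on the same condition. If `result` is initialised to 1 above the hunk (not visible here), a parse failure of the new signature string would be reported as a pass; add `result = 0;` before the jump to match the other two tests. All three functions start before and continue after their hunks.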

@ -464,66 +464,9 @@ void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx)
void SCClassConfGenerateValidDummyClassConfigFD01(void)
{
const char *buffer =
"config classification: not-suspicious,Not Suspicious Traffic,3\n"
"config classification: unknown,Unknown Traffic,3\n"
"config classification: bad-unknown,Potentially Bad Traffic, 2\n"
"config classification: attempted-recon,Attempted Information "
"Leak,2\n"
"config classification: successful-recon-limited,Information "
"Leak,2\n"
"config classification: successful-recon-largescale,Large Scale "
"Information Leak,2\n"
"config classification: attempted-dos,Attempted Denial of "
"Service,2\n"
"config classification: successful-dos,Denial of Service,2\n"
"config classification: attempted-user,Attempted User Privilege "
"Gain,1\n"
"config classification: unsuccessful-user,Unsuccessful User "
"Privilege Gain,1\n"
"config classification: successful-user,Successful User Privilege "
"Gain,1\n"
"config classification: attempted-admin,Attempted Administrator "
"Privilege Gain,1\n"
"config classification: successful-admin,Successful Administrator "
"Privilege Gain,1\n"
"config classification: rpc-portmap-decode,Decode of an RPC "
"Query,2\n"
"config classification: shellcode-detect,Executable code was "
"detected,1\n"
"config classification: string-detect,A suspicious string was "
"detected,3\n"
"config classification: suspicious-filename-detect,A suspicious "
"filename was detected,2\n"
"config classification: suspicious-login,An attempted login using "
"a suspicious username was detected,2\n"
"config classification: system-call-detect,A system call was "
"detected,2\n"
"config classification: tcp-connection,A TCP connection was "
"detected,4\n"
"config classification: trojan-activity,A Network Trojan was "
"detected, 1\n"
"config classification: unusual-client-port-connection,A client "
"was using an unusual port,2\n"
"config classification: network-scan,Detection of a Network "
"Scan,3\n"
"config classification: denial-of-service,Detection of a Denial "
"of Service Attack,2\n"
"config classification: non-standard-protocol,Detection of a "
"non-standard protocol or event,2\n"
"config classification: protocol-command-decode,Generic Protocol "
"Command Decode,3\n"
"config classification: web-application-activity,access to a "
"potentially vulnerable web application,2\n"
"config classification: web-application-attack,Web Application "
"Attack,1\n"
"config classification: misc-activity,Misc activity,3\n"
"config classification: misc-attack,Misc Attack,2\n"
"config classification: icmp-event,Generic ICMP event,3\n"
"config classification: kickass-porn,SCORE! Get the lotion!,1\n"
"config classification: policy-violation,Potential Corporate "
"Privacy Violation,1\n"
"config classification: default-login-attempt,Attempt to login by "
"a default username and password,2\n";
"config classification: nothing-wrong,Nothing Wrong With Us,3\n"
"config classification: unknown,Unknown are we,3\n"
"config classification: bad-unknown,We think it's bad, 2\n";
fd = fmemopen((void *)buffer, strlen(buffer), "r");
if (fd == NULL)
@ -611,7 +554,8 @@ int SCClassConfTest01(void)
if (de_ctx->class_conf_ht == NULL)
return result;
result = (de_ctx->class_conf_ht->count == 34);
result = (de_ctx->class_conf_ht->count == 3);
if (result == 0) printf("de_ctx->class_conf_ht->count %u: ", de_ctx->class_conf_ht->count);
DetectEngineCtxFree(de_ctx);
@ -690,7 +634,7 @@ int SCClassConfTest04(void)
if (de_ctx->class_conf_ht == NULL)
return 0;
result = (de_ctx->class_conf_ht->count == 34);
result = (de_ctx->class_conf_ht->count == 3);
ct = SCClassConfAllocClasstype("unknown", NULL, 0);
result &= (HashTableLookup(de_ctx->class_conf_ht, ct, 0) != NULL);
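Review bot: The expected hash-table size is now hard-coded as `3` in both SCClassConfTest01 and SCClassConfTest04 (previously `34`), while the entries that produce it live in SCClassConfGenerateValidDummyClassConfigFD01, apparently in the same file, so the fixture and its two assertions have to be kept in step by hand. Consider one file-scope constant next to the fixture, e.g. `enum { SC_CLASS_CONF_DUMMY_COUNT = 3 }; /* entries in SCClassConfGenerateValidDummyClassConfigFD01 */` (name constructed), and compare `count == SC_CLASS_CONF_DUMMY_COUNT` in both tests. The cast in `fmemopen((void *)buffer, strlen(buffer), "r")` discards const on a string literal; it is harmless with mode "r", but a comment such as `/* read-only stream; the literal is never written */` would save the next reader the check. SCClassConfGenerateValidDummyClassConfigFD01 continues past its hunk.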
