mirror of https://github.com/OISF/suricata
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
4.2 KiB
C
125 lines
4.2 KiB
C
/* Copyright (C) 2007-2012 Open Information Security Foundation
|
|
*
|
|
* You can copy, redistribute or modify this Program under the terms of
|
|
* the GNU General Public License version 2 as published by the Free
|
|
* Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* version 2 along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
|
|
* 02110-1301, USA.
|
|
*/
|
|
|
|
/**
|
|
* \file
|
|
*
|
|
* \author Victor Julien <victor@inliniac.net>
|
|
*
|
|
*/
|
|
|
|
#include "suricata-common.h"
|
|
|
|
#include "detect-engine.h"
|
|
#include "detect-file-hash-common.h"
|
|
#include "util-unittest.h"
|
|
#include "util-unittest-helper.h"
|
|
|
|
#include "detect-filemd5.h"
|
|
|
|
static int g_file_match_list_id = 0;
|
|
|
|
static int DetectFileMd5Setup (DetectEngineCtx *, Signature *, const char *);
|
|
#ifdef UNITTESTS
|
|
static void DetectFileMd5RegisterTests(void);
|
|
#endif
|
|
|
|
/**
|
|
* \brief Registration function for keyword: filemd5
|
|
*/
|
|
void DetectFileMd5Register(void)
|
|
{
|
|
sigmatch_table[DETECT_FILEMD5].name = "filemd5";
|
|
sigmatch_table[DETECT_FILEMD5].desc = "match file MD5 against list of MD5 checksums";
|
|
sigmatch_table[DETECT_FILEMD5].url = "/rules/file-keywords.html#filemd5";
|
|
sigmatch_table[DETECT_FILEMD5].FileMatch = DetectFileHashMatch;
|
|
sigmatch_table[DETECT_FILEMD5].Setup = DetectFileMd5Setup;
|
|
sigmatch_table[DETECT_FILEMD5].Free = DetectFileHashFree;
|
|
#ifdef UNITTESTS
|
|
sigmatch_table[DETECT_FILEMD5].RegisterTests = DetectFileMd5RegisterTests;
|
|
#endif
|
|
g_file_match_list_id = DetectBufferTypeRegister("files");
|
|
|
|
SCLogDebug("registering filemd5 rule option");
|
|
return;
|
|
}
|
|
|
|
/**
|
|
* \brief this function is used to parse filemd5 options
|
|
* \brief into the current signature
|
|
*
|
|
* \param de_ctx pointer to the Detection Engine Context
|
|
* \param s pointer to the Current Signature
|
|
* \param str pointer to the user provided "filemd5" option
|
|
*
|
|
* \retval 0 on Success
|
|
* \retval -1 on Failure
|
|
*/
|
|
static int DetectFileMd5Setup (DetectEngineCtx *de_ctx, Signature *s, const char *str)
|
|
{
|
|
return DetectFileHashSetup(de_ctx, s, str, DETECT_FILEMD5, g_file_match_list_id);
|
|
}
|
|
|
|
#ifdef UNITTESTS
|
|
static int MD5MatchLookupString(ROHashTable *hash, const char *string)
|
|
{
|
|
uint8_t md5[16];
|
|
if (ReadHashString(md5, string, "file", 88, 32) == 1) {
|
|
void *ptr = ROHashLookup(hash, &md5, (uint16_t)sizeof(md5));
|
|
if (ptr == NULL)
|
|
return 0;
|
|
else
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int MD5MatchTest01(void)
|
|
{
|
|
ROHashTable *hash = ROHashInit(4, 16);
|
|
FAIL_IF_NULL(hash);
|
|
FAIL_IF(LoadHashTable(hash, "d80f93a93dc5f3ee945704754d6e0a36", "file", 1, DETECT_FILEMD5) !=
|
|
1);
|
|
FAIL_IF(LoadHashTable(hash, "92a49985b384f0d993a36e4c2d45e206", "file", 2, DETECT_FILEMD5) !=
|
|
1);
|
|
FAIL_IF(LoadHashTable(hash, "11adeaacc8c309815f7bc3e33888f281", "file", 3, DETECT_FILEMD5) !=
|
|
1);
|
|
FAIL_IF(LoadHashTable(hash, "22e10a8fe02344ade0bea8836a1714af", "file", 4, DETECT_FILEMD5) !=
|
|
1);
|
|
FAIL_IF(LoadHashTable(hash, "c3db2cbf02c68f073afcaee5634677bc", "file", 5, DETECT_FILEMD5) !=
|
|
1);
|
|
FAIL_IF(LoadHashTable(hash, "7ed095da259638f42402fb9e74287a17", "file", 6, DETECT_FILEMD5) !=
|
|
1);
|
|
FAIL_IF(ROHashInitFinalize(hash) != 1);
|
|
FAIL_IF(MD5MatchLookupString(hash, "d80f93a93dc5f3ee945704754d6e0a36") != 1);
|
|
FAIL_IF(MD5MatchLookupString(hash, "92a49985b384f0d993a36e4c2d45e206") != 1);
|
|
FAIL_IF(MD5MatchLookupString(hash, "11adeaacc8c309815f7bc3e33888f281") != 1);
|
|
FAIL_IF(MD5MatchLookupString(hash, "22e10a8fe02344ade0bea8836a1714af") != 1);
|
|
FAIL_IF(MD5MatchLookupString(hash, "c3db2cbf02c68f073afcaee5634677bc") != 1);
|
|
FAIL_IF(MD5MatchLookupString(hash, "7ed095da259638f42402fb9e74287a17") != 1);
|
|
/* shouldn't match */
|
|
FAIL_IF(MD5MatchLookupString(hash, "33333333333333333333333333333333") == 1);
|
|
ROHashFree(hash);
|
|
PASS;
|
|
}
|
|
|
|
void DetectFileMd5RegisterTests(void)
|
|
{
|
|
UtRegisterTest("MD5MatchTest01", MD5MatchTest01);
|
|
}
|
|
#endif
|