suricata/src/tests/detect-bsize.c


/* Copyright (C) 2017-2022 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
#include "../util-unittest.h"
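/* Parse `str` with DetectBsizeParse() and require mode `m`, lower bound `lo`
 * and, for DETECT_UINT_RA only, upper bound `hi`. The original macro took
 * `lo`/`hi` but never compared them, so a parser that returned the right
 * mode with a wrong value passed. The parsed data is released on every
 * path before the enclosing unit test is failed (returns 0), so a mismatch
 * does not leak it. */
#define TEST_OK(str, m, lo, hi) \
    do { \
        DetectU64Data *bsz = DetectBsizeParse((str)); \
        FAIL_IF_NULL(bsz); \
        const int bsz_ok = (bsz->mode == (m)) && (bsz->arg1 == (lo)) && \
                           ((m) != DETECT_UINT_RA || bsz->arg2 == (hi)); \
        DetectBsizeFree(NULL, bsz); \
        FAIL_IF_NOT(bsz_ok); \
        SCLogDebug("str %s OK", (str)); \
    } while (0)
/* Parse `str` and require the parser to reject it (NULL result). A non-NULL
 * result is released before the unit test is failed. */
#define TEST_FAIL(str) \
    do { \
        DetectU64Data *bsz = DetectBsizeParse((str)); \
        const int bsz_rejected = (bsz == NULL); \
        DetectBsizeFree(NULL, bsz); \
        FAIL_IF_NOT(bsz_rejected); \
    } while (0)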
/* Equality form: a bare number, with or without surrounding whitespace,
 * parses as DETECT_UINT_EQ; non-numeric input and values above UINT64_MAX
 * are rejected. */
static int DetectBsizeTest01(void)
{
    static const char *const eq_inputs[] = { "50", " 50", " 50", " 50 ", " 50 " };
    static const char *const bad_inputs[] = {
        "AA",
        "5A",
        "A5",
        /* bigger than UINT64_MAX */
        "100000000000000000001",
    };

    for (size_t i = 0; i < sizeof(eq_inputs) / sizeof(eq_inputs[0]); i++) {
        TEST_OK(eq_inputs[i], DETECT_UINT_EQ, 50, 0);
    }
    for (size_t i = 0; i < sizeof(bad_inputs) / sizeof(bad_inputs[0]); i++) {
        TEST_FAIL(bad_inputs[i]);
    }
    /* a larger, still in-range value with padding on both sides */
    TEST_OK(" 1000000001 ", DETECT_UINT_EQ, 1000000001, 0);
    PASS;
}
/* Greater-than form: `>` followed by a number, with any mix of whitespace
 * around the operator and the value, parses as DETECT_UINT_GT; a doubled
 * operator, a range operator without a lower bound, or trailing junk is
 * rejected. */
static int DetectBsizeTest02(void)
{
    static const char *const gt_inputs[] = {
        ">50", "> 50", "> 50",
        " >50", " > 50", " > 50",
        " >50 ", " > 50 ", " > 50 ",
    };
    static const char *const bad_inputs[] = { ">>50", "<>50", " > 50A" };

    for (size_t i = 0; i < sizeof(gt_inputs) / sizeof(gt_inputs[0]); i++) {
        TEST_OK(gt_inputs[i], DETECT_UINT_GT, 50, 0);
    }
    for (size_t i = 0; i < sizeof(bad_inputs) / sizeof(bad_inputs[0]); i++) {
        TEST_FAIL(bad_inputs[i]);
    }
    PASS;
}
/* Less-than form: `<` followed by a number, with any mix of whitespace
 * around the operator and the value, parses as DETECT_UINT_LT; a doubled
 * operator or trailing junk is rejected. */
static int DetectBsizeTest03(void)
{
    static const char *const lt_inputs[] = {
        "<50", "< 50", "< 50",
        " <50", " < 50", " < 50",
        " <50 ", " < 50 ", " < 50 ",
    };
    static const char *const bad_inputs[] = { ">>50", " < 50A" };

    for (size_t i = 0; i < sizeof(lt_inputs) / sizeof(lt_inputs[0]); i++) {
        TEST_OK(lt_inputs[i], DETECT_UINT_LT, 50, 0);
    }
    for (size_t i = 0; i < sizeof(bad_inputs) / sizeof(bad_inputs[0]); i++) {
        TEST_FAIL(bad_inputs[i]);
    }
    PASS;
}
/* Range form: `lo<>hi` parses as DETECT_UINT_RA; a malformed operator, an
 * inverted range (lo > hi) or a comparison operator in front of the range
 * is rejected. */
static int DetectBsizeTest04(void)
{
    static const char *const bad_inputs[] = { "50<$50", "100<>50", ">50<>100" };

    TEST_OK("50<>100", DETECT_UINT_RA, 50, 100);
    for (size_t i = 0; i < sizeof(bad_inputs) / sizeof(bad_inputs[0]); i++) {
        TEST_FAIL(bad_inputs[i]);
    }
    PASS;
}
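#undef TEST_OK
#undef TEST_FAIL
/* Load `rule` into a freshly initialised detect engine and require it to be
 * accepted. The engine is always released before the enclosing unit test is
 * failed (returns 0); the original freed it only on the success path, so a
 * rejected rule leaked the whole DetectEngineCtx. `s` is only tested for
 * NULL and never dereferenced, since the engine owns it. */
#define TEST_OK(rule) \
    do { \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
        FAIL_IF_NULL(de_ctx); \
        SCLogNotice("rule: %s", (rule)); \
        Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
        const int sig_loaded = (s != NULL); \
        DetectEngineCtxFree(de_ctx); \
        FAIL_IF_NOT(sig_loaded); \
    } while (0)
/* Load `rule` into a fresh detect engine and require it to be rejected
 * (NULL signature). The engine is released on every path. */
#define TEST_FAIL(rule) \
    do { \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
        FAIL_IF_NULL(de_ctx); \
        SCLogNotice("rule: %s", (rule)); \
        Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
        const int sig_rejected = (s == NULL); \
        DetectEngineCtxFree(de_ctx); \
        FAIL_IF_NOT(sig_rejected); \
    } while (0)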
/* Signature-level checks for `bsize`: it must be accepted on sticky buffers
 * (with or without a `content` that fits the size constraint) and rejected
 * without a buffer, on the legacy `http_method` modifier, with malformed
 * values, and wherever the surrounding content/offset/depth/distance/within
 * constraints cannot be satisfied by the declared size. */
static int DetectBsizeSigTest01(void)
{
    static const char *const accepted[] = {
        "alert http any any -> any any (http_request_line; bsize:10; sid:1;)",
        "alert http any any -> any any (file_data; bsize:>1000; sid:2;)",
        /* bsize validation with buffer */
        "alert http any any -> any any (http.uri; content:\"/index.php\"; bsize:>1024; "
        "sid:6;)",
        "alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<20; "
        " sid:9;)",
        "alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:15<>25; "
        "sid:10;)",
        "alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:10<>15; "
        "sid:13;)",
    };
    static const char *const rejected[] = {
        "alert tcp any any -> any any (content:\"abc\"; bsize:10; sid:3;)",
        "alert http any any -> any any (content:\"GET\"; http_method; bsize:10; sid:4;)",
        "alert http any any -> any any (http_request_line; content:\"GET\"; bsize:<10>; "
        "sid:5;)",
        "alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:2; "
        "sid:11;)",
        "alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<13; "
        "sid:12;)",
        "alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:1; "
        "sid:7;)",
        "alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:4; "
        "sid:8;)",
        "alert http any any -> any any (http.uri; content:\"abcdefghi123456\"; offset:12; "
        "bsize:3; sid:14;)",
        "alert http any any -> any any (http.uri; content:\"abc\"; offset:3; depth:3; "
        "bsize:3; sid:15;)",
        "alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"gh\"; "
        "bsize:1; sid:16;)",
        "alert http any any -> any any (http.uri; content:\"abc\"; offset:3; bsize:3; "
        "sid:17;)",
        "alert http any any -> any any (http.uri; content:\"abc\"; offset:65535; bsize:3; "
        "sid:18;)",
        "alert http any any -> any any (http.user_agent; content:\"Suricata-UA\"; bsize:11; "
        "content:!\"abc\"; distance:2; within:3; sid: 19;)",
    };

    for (size_t i = 0; i < sizeof(accepted) / sizeof(accepted[0]); i++) {
        TEST_OK(accepted[i]);
    }
    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
#undef TEST_OK
#undef TEST_FAIL
/* Register the bsize parser and signature unit tests with the unittest
 * runner, in the order listed in the table. */
static void DetectBsizeRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectBsizeTest01 EQ", DetectBsizeTest01 },
        { "DetectBsizeTest02 GT", DetectBsizeTest02 },
        { "DetectBsizeTest03 LT", DetectBsizeTest03 },
        { "DetectBsizeTest04 RA", DetectBsizeTest04 },
        { "DetectBsizeSigTest01", DetectBsizeSigTest01 },
    };

    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}