aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '0857a60fce'
${ noResults }
suricata/src/detect-threshold.c

1522 lines
42 KiB
C
Raw Normal View History Unescape Escape

Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
/* Copyright (C) 2007-2013 Open Information Security Foundation
Import of GPLv2 Header 050410
15 years ago
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
Threshold Rule
16 years ago
doc: introduce doxygen group "threshold" This patch introduces a doxygen group to put together the documentation relative to threshold. Group appear in a separate page and they can have their own documentation. This is useful when a feature is splitted into different files.
14 years ago
/**
* \ingroup threshold
* @{
*/
Import of GPLv2 Header 050410
15 years ago
/**
* \file
*
* \author Breno Silva <breno.silva@gmail.com>
Use Host Storage API for per host thresholding
12 years ago
* \author Victor Julien <victor@inliniac.net>
Import of GPLv2 Header 050410
15 years ago
*
doc: introduce doxygen group "threshold" This patch introduces a doxygen group to put together the documentation relative to threshold. Group appear in a separate page and they can have their own documentation. This is useful when a feature is splitted into different files.
14 years ago
* Implements the threshold keyword.
*
* The feature depends on what is provided
* by detect-engine-threshold.c and util-threshold-config.c
Threshold Rule
16 years ago
*/
Initial add of the files.
17 years ago
Rename to Suricata.
16 years ago
#include "suricata-common.h"
Threshold Rule
16 years ago
#include "suricata.h"
#include "decode.h"
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
#include "host.h"
Use Host Storage API for per host thresholding
12 years ago
#include "host-storage.h"
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
Initial add of the files.
17 years ago
#include "detect.h"
Convert uricontent to use new scanning methods as well. Move http_method and http_cookie keywords out of pmatch list for now.
16 years ago
#include "detect-parse.h"
Threshold Rule
16 years ago
#include "flow-var.h"
#include "decode-events.h"
#include "stream-tcp.h"
#include "detect-threshold.h"
Use Host Storage API for per host thresholding
12 years ago
#include "detect-engine-threshold.h"
Add support for detection_filter keyword
16 years ago
#include "detect-parse.h"
suppress: use DetectAddress instead of DetectAddressHead
14 years ago
#include "detect-engine-address.h"
Fix thresholding coding changing unlocked and supposed to be static memory areas.
16 years ago
Threshold Rule
16 years ago
#include "util-unittest.h"
Fix unittests after ip_proto keyword change.
15 years ago
#include "util-unittest-helper.h"
Threshold Rule
16 years ago
#include "util-byte.h"
Fix thresholding coding changing unlocked and supposed to be static memory areas.
16 years ago
#include "util-debug.h"
Threshold Rule
16 years ago
Cleanup thresholding code.
15 years ago
#ifdef UNITTESTS
#include "util-cpu.h"
#endif
Allow threshold options in any order
16 years ago
#define PARSE_REGEX "^\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*,\\s*(track|type|count|seconds)\\s+(limit|both|threshold|by_dst|by_src|\\d+)\\s*"
Threshold Rule
16 years ago
static pcre *parse_regex;
static pcre_extra *parse_regex_study;
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdMatch(ThreadVars *, DetectEngineThreadCtx *, Packet *, Signature *, SigMatch *);
static int DetectThresholdSetup(DetectEngineCtx *, Signature *, char *);
Threshold Rule
16 years ago
static void DetectThresholdFree(void *);
Initial add of the files.
17 years ago
Threshold Rule
16 years ago
/**
* \brief Registration function for threshold: keyword
*/
Initial add of the files.
17 years ago
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
void DetectThresholdRegister(void)
{
Initial add of the files.
17 years ago
sigmatch_table[DETECT_THRESHOLD].name = "threshold";
Add documentation url in list-keyword output. The output of the list-keyword is modified to include the url to the keyword documentation when this is available. All documented keywords should have their link set. list-keyword can be used with an optional value: no option or short: display list of keywords csv: display a csv output on info an all keywords all: display a human readable output of keywords info $KWD: display the info about one keyword.
13 years ago
sigmatch_table[DETECT_THRESHOLD].desc = "control the rule's alert frequency";
sigmatch_table[DETECT_THRESHOLD].url = "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule-Thresholding#threshold";
Threshold Rule
16 years ago
sigmatch_table[DETECT_THRESHOLD].Match = DetectThresholdMatch;
Initial add of the files.
17 years ago
sigmatch_table[DETECT_THRESHOLD].Setup = DetectThresholdSetup;
Threshold Rule
16 years ago
sigmatch_table[DETECT_THRESHOLD].Free = DetectThresholdFree;
sigmatch_table[DETECT_THRESHOLD].RegisterTests = ThresholdRegisterTests;
Fix rules with thresholding set not being able to be ip-only.
16 years ago
/* this is compatible to ip-only signatures */
sigmatch_table[DETECT_THRESHOLD].flags |= SIGMATCH_IPONLY_COMPAT;
Threshold Rule
16 years ago
const char *eb;
int opts = 0;
int eo;
parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL);
if (parse_regex == NULL)
{
Improve information about errors on signature failure
16 years ago
SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at offset %" PRId32 ": %s", PARSE_REGEX, eo, eb);
Threshold Rule
16 years ago
goto error;
}
parse_regex_study = pcre_study(parse_regex, 0, &eb);
if (eb != NULL)
{
Improve information about errors on signature failure
16 years ago
SCLogError(SC_ERR_PCRE_STUDY, "pcre study failed: %s", eb);
Threshold Rule
16 years ago
goto error;
}
error:
return;
}
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdMatch(ThreadVars *thv, DetectEngineThreadCtx *det_ctx, Packet *p, Signature *s, SigMatch *sm)
Threshold Rule
16 years ago
{
return 1;
Initial add of the files.
17 years ago
}
Threshold Rule
16 years ago
/**
* \internal
* \brief This function is used to parse threshold options passed via threshold: keyword
*
* \param rawstr Pointer to the user provided threshold options
*
* \retval de pointer to DetectThresholdData on success
* \retval NULL on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static DetectThresholdData *DetectThresholdParse(char *rawstr)
Initial add of the files.
17 years ago
{
Threshold Rule
16 years ago
DetectThresholdData *de = NULL;
#define MAX_SUBSTRINGS 30
int ret = 0, res = 0;
int ov[MAX_SUBSTRINGS];
const char *str_ptr = NULL;
Allow threshold options in any order
16 years ago
char *args[9] = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL };
char *copy_str = NULL, *threshold_opt = NULL;
int second_found = 0, count_found = 0;
int type_found = 0, track_found = 0;
int second_pos = 0, count_pos = 0;
uint16_t pos = 0;
int i = 0;
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
copy_str = SCStrdup(rawstr);
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(copy_str == NULL)) {
Various fixes for issues reported by clang.
14 years ago
goto error;
}
Allow threshold options in any order
16 years ago
for(pos = 0, threshold_opt = strtok(copy_str,","); pos < strlen(copy_str) && threshold_opt != NULL; pos++, threshold_opt = strtok(NULL,",")) {
if(strstr(threshold_opt,"count"))
count_found++;
if(strstr(threshold_opt,"second"))
second_found++;
if(strstr(threshold_opt,"type"))
type_found++;
if(strstr(threshold_opt,"track"))
track_found++;
}
Coverity 1038138 fix Clean up parsing code to suppress Coverity: Dereference before null check (REVERSE_INULL) Proper checking was already done.
12 years ago
SCFree(copy_str);
copy_str = NULL;
Allow threshold options in any order
16 years ago
if(count_found != 1 || second_found != 1 || type_found != 1 || track_found != 1)
goto error;
Initial add of the files.
17 years ago
Threshold Rule
16 years ago
ret = pcre_exec(parse_regex, parse_regex_study, rawstr, strlen(rawstr), 0, 0, ov, MAX_SUBSTRINGS);
Improve information about errors on signature failure
16 years ago
if (ret < 5) {
SCLogError(SC_ERR_PCRE_MATCH, "pcre_exec parse error, ret %" PRId32 ", string %s", ret, rawstr);
Threshold Rule
16 years ago
goto error;
Improve information about errors on signature failure
16 years ago
}
Threshold Rule
16 years ago
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
de = SCMalloc(sizeof(DetectThresholdData));
Use unlikely for error treatment. When handling error case on SCMallog, SCCalloc or SCStrdup we are in an unlikely case. This patch adds the unlikely() expression to indicate this to gcc. This patch has been obtained via coccinelle. The transformation is the following: @istested@ identifier x; statement S1; identifier func =~ "(SCMalloc|SCStrdup|SCCalloc)"; @@ x = func(...) ... when != x - if (x == NULL) S1 + if (unlikely(x == NULL)) S1
13 years ago
if (unlikely(de == NULL))
Threshold Rule
16 years ago
goto error;
Initial add of the files.
17 years ago
Threshold Rule
16 years ago
memset(de,0,sizeof(DetectThresholdData));
for (i = 0; i < (ret - 1); i++) {
res = pcre_get_substring((char *)rawstr, ov, MAX_SUBSTRINGS,i + 1, &str_ptr);
Improve information about errors on signature failure
16 years ago
if (res < 0) {
SCLogError(SC_ERR_PCRE_GET_SUBSTRING, "pcre_get_substring failed");
Threshold Rule
16 years ago
goto error;
Improve information about errors on signature failure
16 years ago
}
Threshold Rule
16 years ago
args[i] = (char *)str_ptr;
if (strncasecmp(args[i],"limit",strlen("limit")) == 0)
de->type = TYPE_LIMIT;
if (strncasecmp(args[i],"both",strlen("both")) == 0)
de->type = TYPE_BOTH;
if (strncasecmp(args[i],"threshold",strlen("threshold")) == 0)
de->type = TYPE_THRESHOLD;
if (strncasecmp(args[i],"by_dst",strlen("by_dst")) == 0)
de->track = TRACK_DST;
if (strncasecmp(args[i],"by_src",strlen("by_src")) == 0)
de->track = TRACK_SRC;
threshold: fix trivial typo in parsing.
14 years ago
if (strncasecmp(args[i],"count",strlen("count")) == 0)
Allow threshold options in any order
16 years ago
count_pos = i+1;
if (strncasecmp(args[i],"seconds",strlen("seconds")) == 0)
second_pos = i+1;
Threshold Rule
16 years ago
}
Small error checking rewrite.
15 years ago
if (args[count_pos] == NULL || args[second_pos] == NULL) {
Threshold Rule
16 years ago
goto error;
}
Small error checking rewrite.
15 years ago
if (ByteExtractStringUint32(&de->count, 10, strlen(args[count_pos]),
args[count_pos]) <= 0) {
goto error;
}
if (ByteExtractStringUint32(&de->seconds, 10, strlen(args[second_pos]),
args[second_pos]) <= 0) {
Threshold Rule
16 years ago
goto error;
}
for (i = 0; i < (ret - 1); i++){
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
if (args[i] != NULL) SCFree(args[i]);
Threshold Rule
16 years ago
}
return de;
error:
for (i = 0; i < (ret - 1); i++){
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
if (args[i] != NULL) SCFree(args[i]);
Threshold Rule
16 years ago
}
Various fixes for issues reported by clang.
14 years ago
if (de != NULL)
SCFree(de);
Threshold Rule
16 years ago
return NULL;
}
/**
* \internal
* \brief this function is used to add the parsed threshold into the current signature
*
* \param de_ctx pointer to the Detection Engine Context
* \param s pointer to the Current Signature
* \param rawstr pointer to the user provided threshold options
*
* \retval 0 on Success
* \retval -1 on Failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdSetup(DetectEngineCtx *de_ctx, Signature *s, char *rawstr)
Threshold Rule
16 years ago
{
DetectThresholdData *de = NULL;
SigMatch *sm = NULL;
Add support for detection_filter keyword
16 years ago
SigMatch *tmpm = NULL;
/* checks if there is a previous instance of detection_filter */
code cleanup - replace SigMatchGetLastSM with SigMatchGetLastSMFromLists
14 years ago
tmpm = SigMatchGetLastSMFromLists(s, 2,
DETECT_DETECTION_FILTER, s->sm_lists[DETECT_SM_LIST_MATCH]);
Add support for detection_filter keyword
16 years ago
if (tmpm != NULL) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "\"detection_filter\" and \"threshold\" are not allowed in the same rule");
SCReturnInt(-1);
}
Threshold Rule
16 years ago
de = DetectThresholdParse(rawstr);
if (de == NULL)
goto error;
sm = SigMatchAlloc();
if (sm == NULL)
goto error;
sm->type = DETECT_THRESHOLD;
sm->ctx = (void *)de;
code cleanup - replace SigMatchAppendThreshold with SigMatchAppendSMToList
14 years ago
SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_THRESHOLD);
Initial add of the files.
17 years ago
return 0;
Threshold Rule
16 years ago
error:
Adding mem wrapper to debug runtime alloc()/free() functions. Fixing some memory leaks.
16 years ago
if (de) SCFree(de);
if (sm) SCFree(sm);
Threshold Rule
16 years ago
return -1;
Initial add of the files.
17 years ago
}
Threshold Rule
16 years ago
/**
* \internal
* \brief this function will free memory associated with DetectThresholdData
*
* \param de pointer to DetectThresholdData
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static void DetectThresholdFree(void *de_ptr)
{
Threshold Rule
16 years ago
DetectThresholdData *de = (DetectThresholdData *)de_ptr;
suppress: use DetectAddress instead of DetectAddressHead
14 years ago
if (de) {
DetectAddressFree(de->addr);
SCFree(de);
}
Threshold Rule
16 years ago
}
/*
* ONLY TESTS BELOW THIS COMMENT
*/
#ifdef UNITTESTS
#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-engine-threshold.h"
#include "util-time.h"
#include "util-hashlist.h"
/**
* \test ThresholdTestParse01 is a test for a valid threshold options
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int ThresholdTestParse01(void)
{
Threshold Rule
16 years ago
DetectThresholdData *de = NULL;
de = DetectThresholdParse("type limit,track by_dst,count 10,seconds 60");
if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
DetectThresholdFree(de);
return 1;
}
return 0;
}
/**
* \test ThresholdTestParse02 is a test for a invalid threshold options
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int ThresholdTestParse02(void)
{
Threshold Rule
16 years ago
DetectThresholdData *de = NULL;
de = DetectThresholdParse("type any,track by_dst,count 10,seconds 60");
if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
DetectThresholdFree(de);
return 1;
}
return 0;
}
Allow threshold options in any order
16 years ago
/**
* \test ThresholdTestParse03 is a test for a valid threshold options in any order
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int ThresholdTestParse03(void)
{
Allow threshold options in any order
16 years ago
DetectThresholdData *de = NULL;
de = DetectThresholdParse("track by_dst, type limit, seconds 60, count 10");
if (de && (de->type == TYPE_LIMIT) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
DetectThresholdFree(de);
return 1;
}
return 0;
}
/**
* \test ThresholdTestParse04 is a test for an invalid threshold options in any order
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int ThresholdTestParse04(void)
{
Allow threshold options in any order
16 years ago
DetectThresholdData *de = NULL;
de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both, count 10");
if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
DetectThresholdFree(de);
return 1;
}
return 0;
}
/**
* \test ThresholdTestParse05 is a test for a valid threshold options in any order
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int ThresholdTestParse05(void)
{
Allow threshold options in any order
16 years ago
DetectThresholdData *de = NULL;
de = DetectThresholdParse("count 10, track by_dst, seconds 60, type both");
if (de && (de->type == TYPE_BOTH) && (de->track == TRACK_DST) && (de->count == 10) && (de->seconds == 60)) {
DetectThresholdFree(de);
return 1;
}
return 0;
}
Threshold Rule
16 years ago
/**
* \test DetectThresholdTestSig1 is a test for checking the working of limit keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig1(void)
{
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Threshold Rule
16 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostInitConfig(HOST_QUIET);
Threshold Rule
16 years ago
memset(&th_v, 0, sizeof(th_v));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
Threshold Rule
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
undo this commit - commit eff08f93d8f51a06d6bee19b739b7db44cadb116 Author: Anoop Saldanha <poonaatsoc@gmail.com> Date: Thu Nov 3 14:31:24 2011 +0530 update failing unittest to reflect the mpm design update Fixed a bug in the mpm code that would make all the changes in the commit just undone wrong.
14 years ago
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; content:\"A\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
Threshold Rule
16 years ago
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
16 years ago
if (s->flags & SIG_FLAG_IPONLY) {
printf("signature is ip-only: ");
goto end;
}
Threshold Rule
16 years ago
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 1) {
printf("alerts %"PRIi32", expected 1: ", alerts);
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 2) {
printf("alerts %"PRIi32", expected 2: ", alerts);
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 3) {
printf("alerts %"PRIi32", expected 3: ", alerts);
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 4) {
printf("alerts %"PRIi32", expected 4: ", alerts);
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 5) {
printf("alerts %"PRIi32", expected 5: ", alerts);
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 5) {
printf("alerts %"PRIi32", expected 5: ", alerts);
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 5) {
printf("alerts %"PRIi32", expected 5: ", alerts);
}
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (alerts != 5) {
printf("alerts %"PRIi32", expected 5: ", alerts);
}
Threshold Rule
16 years ago
if(alerts == 5)
result = 1;
else
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
16 years ago
printf("alerts %"PRIi32", expected 5: ", alerts);
Threshold Rule
16 years ago
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostShutdown();
Threshold Rule
16 years ago
end:
return result;
}
/**
* \test DetectThresholdTestSig2 is a test for checking the working of threshold keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig2(void)
{
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Threshold Rule
16 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostInitConfig(HOST_QUIET);
Threshold Rule
16 years ago
memset(&th_v, 0, sizeof(th_v));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
Threshold Rule
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
16 years ago
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
Threshold Rule
16 years ago
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
Threshold Rule
16 years ago
if (alerts == 2)
result = 1;
else
goto cleanup;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostShutdown();
Threshold Rule
16 years ago
return result;
}
/**
* \test DetectThresholdTestSig3 is a test for checking the working of limit keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig3(void)
{
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Threshold Rule
16 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
Fix thresholding coding changing unlocked and supposed to be static memory areas.
16 years ago
DetectThresholdEntry *lookup_tsh = NULL;
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostInitConfig(HOST_QUIET);
Threshold Rule
16 years ago
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
Threshold Rule
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
16 years ago
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
Threshold Rule
16 years ago
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
Fix unittests after ip_proto keyword change.
15 years ago
TimeGet(&p->ts);
Cleanup thresholding code.
15 years ago
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
Threshold Rule
16 years ago
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
Host *host = HostLookupHostFromHash(&p->dst);
if (host == NULL) {
printf("host not found: ");
goto cleanup;
}
Use Host Storage API for per host thresholding
12 years ago
if (!(ThresholdHostHasThreshold(host))) {
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostRelease(host);
Use Host Storage API for per host thresholding
12 years ago
printf("host has no threshold: ");
Fix thresholding coding changing unlocked and supposed to be static memory areas.
16 years ago
goto cleanup;
}
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostRelease(host);
Threshold Rule
16 years ago
TimeSetIncrementTime(200);
Fix unittests after ip_proto keyword change.
15 years ago
TimeGet(&p->ts);
Threshold Rule
16 years ago
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
Threshold Rule
16 years ago
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
host = HostLookupHostFromHash(&p->dst);
if (host == NULL) {
printf("host not found: ");
goto cleanup;
}
HostRelease(host);
Use Host Storage API for per host thresholding
12 years ago
lookup_tsh = HostGetStorageById(host, ThresholdHostStorageId());
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
if (lookup_tsh == NULL) {
HostRelease(host);
printf("lookup_tsh is NULL: ");
goto cleanup;
}
alerts = lookup_tsh->current_count;
Threshold Rule
16 years ago
if (alerts == 3)
result = 1;
Fix thresholding coding changing unlocked and supposed to be static memory areas.
16 years ago
else {
printf("alerts %u != 3: ", alerts);
Threshold Rule
16 years ago
goto cleanup;
Fix thresholding coding changing unlocked and supposed to be static memory areas.
16 years ago
}
Threshold Rule
16 years ago
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostShutdown();
Threshold Rule
16 years ago
return result;
}
/**
* \test DetectThresholdTestSig4 is a test for checking the working of both keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig4(void)
{
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Threshold Rule
16 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostInitConfig(HOST_QUIET);
Threshold Rule
16 years ago
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
Threshold Rule
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
16 years ago
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
Threshold Rule
16 years ago
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
Fix unittests after ip_proto keyword change.
15 years ago
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
Threshold Rule
16 years ago
TimeSetIncrementTime(200);
Fix unittests after ip_proto keyword change.
15 years ago
TimeGet(&p->ts);
Threshold Rule
16 years ago
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
Threshold Rule
16 years ago
if (alerts == 2)
result = 1;
else
goto cleanup;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostShutdown();
Threshold Rule
16 years ago
return result;
}
/**
* \test DetectThresholdTestSig5 is a test for checking the working of limit keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig5(void)
{
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Threshold Rule
16 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostInitConfig(HOST_QUIET);
Threshold Rule
16 years ago
memset(&th_v, 0, sizeof(th_v));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
Threshold Rule
16 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
16 years ago
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
Threshold Rule
16 years ago
if (s == NULL) {
goto end;
}
Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
16 years ago
s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
Threshold Rule
16 years ago
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
Threshold Rule
16 years ago
if(alerts == 10)
result = 1;
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
else {
printf("alerts %d != 10: ", alerts);
Threshold Rule
16 years ago
goto cleanup;
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
}
Threshold Rule
16 years ago
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
Cleanup thresholding code.
15 years ago
end:
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostShutdown();
Cleanup thresholding code.
15 years ago
return result;
}
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig6Ticks(void)
{
Fix unittests after ip_proto keyword change.
15 years ago
Packet *p = NULL;
Cleanup thresholding code.
15 years ago
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostInitConfig(HOST_QUIET);
Cleanup thresholding code.
15 years ago
memset(&th_v, 0, sizeof(th_v));
Fix unittests after ip_proto keyword change.
15 years ago
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
Cleanup thresholding code.
15 years ago
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
uint64_t ticks_start = 0;
uint64_t ticks_end = 0;
ticks_start = UtilCpuGetTicks();
Fix unittests after ip_proto keyword change.
15 years ago
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
Cleanup thresholding code.
15 years ago
ticks_end = UtilCpuGetTicks();
printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
if(alerts == 10)
result = 1;
else
goto cleanup;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
Threshold Rule
16 years ago
end:
Fix unittests after ip_proto keyword change.
15 years ago
UTHFreePackets(&p, 1);
Move over src and dst thresholding to use host table. Fix a bug in threshold 'both' handling.
14 years ago
HostShutdown();
Threshold Rule
16 years ago
return result;
}
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
/**
* \test Test drop action being set even if thresholded
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig7(void)
{
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
int drops = 0;
struct timeval ts;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 1, seconds 300; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
if (alerts == 1 && drops == 6)
result = 1;
else {
if (alerts != 1)
printf("alerts: %d != 1: ", alerts);
if (drops != 6)
printf("drops: %d != 6: ", drops);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/**
* \test Test drop action being set even if thresholded
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig8(void)
{
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
int drops = 0;
struct timeval ts;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type limit, track by_src, count 2, seconds 300; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
if (alerts == 2 && drops == 6)
result = 1;
else {
if (alerts != 1)
printf("alerts: %d != 1: ", alerts);
if (drops != 6)
printf("drops: %d != 6: ", drops);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/**
* \test Test drop action being set even if thresholded
*/
static int DetectThresholdTestSig9(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
int drops = 0;
struct timeval ts;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 3, seconds 100; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
if (alerts == 2 && drops == 2)
result = 1;
else {
if (alerts != 2)
printf("alerts: %d != 2: ", alerts);
if (drops != 2)
printf("drops: %d != 2: ", drops);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/**
* \test Test drop action being set even if thresholded
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig10(void)
{
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
int drops = 0;
struct timeval ts;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type threshold, track by_src, count 5, seconds 300; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
if (alerts == 1 && drops == 1)
result = 1;
else {
if (alerts != 1)
printf("alerts: %d != 1: ", alerts);
if (drops != 1)
printf("drops: %d != 1: ", drops);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/**
* \test Test drop action being set even if thresholded
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig11(void)
{
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
int drops = 0;
struct timeval ts;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 3, seconds 300; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
if (alerts == 1 && drops == 4)
result = 1;
else {
if (alerts != 1)
printf("alerts: %d != 1: ", alerts);
if (drops != 4)
printf("drops: %d != 4: ", drops);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
/**
* \test Test drop action being set even if thresholded
*/
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
static int DetectThresholdTestSig12(void)
{
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
int drops = 0;
struct timeval ts;
HostInitConfig(HOST_QUIET);
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (threshold: type both, track by_src, count 5, seconds 300; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
decode: Packet action start with PACKET Rename all Packet action macro to have them prefixed by PACKET.
12 years ago
drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
p->action = 0;
if (alerts == 1 && drops == 2)
result = 1;
else {
if (alerts != 1)
printf("alerts: %d != 1: ", alerts);
if (drops != 2)
printf("drops: %d != 2: ", drops);
goto cleanup;
}
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
Threshold Rule
16 years ago
#endif /* UNITTESTS */
Clean up function syntax Remove space before ( in function names. Put { on new line. Make tests static.
12 years ago
void ThresholdRegisterTests(void)
{
Threshold Rule
16 years ago
#ifdef UNITTESTS
UtRegisterTest("ThresholdTestParse01", ThresholdTestParse01, 1);
UtRegisterTest("ThresholdTestParse02", ThresholdTestParse02, 0);
Allow threshold options in any order
16 years ago
UtRegisterTest("ThresholdTestParse03", ThresholdTestParse03, 1);
UtRegisterTest("ThresholdTestParse04", ThresholdTestParse04, 0);
UtRegisterTest("ThresholdTestParse05", ThresholdTestParse05, 1);
Threshold Rule
16 years ago
UtRegisterTest("DetectThresholdTestSig1", DetectThresholdTestSig1, 1);
UtRegisterTest("DetectThresholdTestSig2", DetectThresholdTestSig2, 1);
UtRegisterTest("DetectThresholdTestSig3", DetectThresholdTestSig3, 1);
UtRegisterTest("DetectThresholdTestSig4", DetectThresholdTestSig4, 1);
UtRegisterTest("DetectThresholdTestSig5", DetectThresholdTestSig5, 1);
Cleanup thresholding code.
15 years ago
UtRegisterTest("DetectThresholdTestSig6Ticks", DetectThresholdTestSig6Ticks, 1);
Fix drop (and other actions) not being applied to thresholded packets. Bug #613.
13 years ago
UtRegisterTest("DetectThresholdTestSig7", DetectThresholdTestSig7, 1);
UtRegisterTest("DetectThresholdTestSig8", DetectThresholdTestSig8, 1);
UtRegisterTest("DetectThresholdTestSig9", DetectThresholdTestSig9, 1);
UtRegisterTest("DetectThresholdTestSig10", DetectThresholdTestSig10, 1);
UtRegisterTest("DetectThresholdTestSig11", DetectThresholdTestSig11, 1);
UtRegisterTest("DetectThresholdTestSig12", DetectThresholdTestSig12, 1);
Threshold Rule
16 years ago
#endif /* UNITTESTS */
}
doc: introduce doxygen group "threshold" This patch introduces a doxygen group to put together the documentation relative to threshold. Group appear in a separate page and they can have their own documentation. This is useful when a feature is splitted into different files.
14 years ago
/**
* @}
*/