aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main-7.0.x
master
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-8.0.0
suricata-7.0.11
suricata-8.0.0-rc1
suricata-8.0.0-beta1
suricata-7.0.10
suricata-7.0.9
suricata-7.0.8
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c0275c2b29'
${ noResults }
suricata/src/tests/detect-engine-content-inspe...

232 lines
14 KiB
C
Raw Normal View History Unescape Escape

detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
/* Copyright (C) 2007-2017 Open Information Security Foundation
*
* You can copy, redistribute or modify this Program under the terms of
* the GNU General Public License version 2 as published by the Free
* Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* version 2 along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
/**
* \file
*
* \author Victor Julien <victor@inliniac.net>
*
* Tests for the content inspection engine.
*/
#include "../suricata-common.h"
#include "../decode.h"
#include "../flow.h"
#include "../detect.h"
#define TEST_HEADER \
ThreadVars tv; \
memset(&tv, 0, sizeof(tv)); \
Flow f; \
memset(&f, 0, sizeof(f));
#define TEST_RUN(buf, buflen, sig, match, steps) \
{ \
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
FAIL_IF_NULL(de_ctx); \
DetectEngineThreadCtx *det_ctx = NULL; \
char rule[2048]; \
snprintf(rule, sizeof(rule), "alert tcp any any -> any any (%s sid:1; rev:1;)", (sig)); \
Signature *s = DetectEngineAppendSig(de_ctx, rule); \
FAIL_IF_NULL(s); \
SigGroupBuild(de_ctx); \
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx); \
FAIL_IF_NULL(det_ctx); \
int r = DetectEngineContentInspection(de_ctx, det_ctx, \
s, s->sm_arrays[DETECT_SM_LIST_PMATCH], &f, \
(uint8_t *)(buf), (buflen), 0, \
DETECT_ENGINE_CONTENT_INSPECTION_MODE_PAYLOAD, NULL); \
FAIL_IF_NOT(r == (match)); \
FAIL_IF_NOT(det_ctx->inspection_recursion_counter == (steps)); \
DetectEngineThreadCtxDeinit(&tv, det_ctx); \
DetectEngineCtxFree(de_ctx); \
}
#define TEST_FOOTER \
PASS
/** \test simple match with distance */
static int DetectEngineContentInspectionTest01(void) {
TEST_HEADER;
TEST_RUN("ab", 2, "content:\"a\"; content:\"b\";", true, 2);
TEST_RUN("ab", 2, "content:\"a\"; content:\"b\"; distance:0; ", true, 2);
TEST_RUN("ba", 2, "content:\"a\"; content:\"b\"; distance:0; ", false, 2);
TEST_FOOTER;
}
/** \test simple match with pcre/R */
static int DetectEngineContentInspectionTest02(void) {
TEST_HEADER;
TEST_RUN("ab", 2, "content:\"a\"; pcre:\"/b/\";", true, 2);
TEST_RUN("ab", 2, "content:\"a\"; pcre:\"/b/R\";", true, 2);
TEST_RUN("ba", 2, "content:\"a\"; pcre:\"/b/R\";", false, 2);
TEST_FOOTER;
}
/** \test simple recursion logic */
static int DetectEngineContentInspectionTest03(void) {
TEST_HEADER;
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"c\";", true, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"d\";", false, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; content:\"c\"; distance:0;", true, 3);
detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail.
9 years ago
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; content:\"d\"; distance:0;", false, 3);
detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"d\"; distance:0; within:1;", false, 5);
// 5 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1;", true, 5);
// 6 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found, (6) bab
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; content:\"bab\";", true, 6);
// 6 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found, (6) no not found
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; content:\"no\";", false, 6);
// 5 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; pcre:\"/^c$/R\";", true, 5);
// 6 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found, (6) bab
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; pcre:\"/^c$/R\"; content:\"bab\";", true, 6);
// 6 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found, (6) no not found
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; pcre:\"/^c$/R\"; content:\"no\";", false, 6);
TEST_FOOTER;
}
/** \test pcre recursion logic */
static int DetectEngineContentInspectionTest04(void) {
TEST_HEADER;
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"c\";", true, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"d\";", false, 3);
// simple chain of pcre
TEST_RUN("ababc", 5, "pcre:\"/^a/\"; pcre:\"/^b/R\"; pcre:\"/c/R\"; ", true, 3);
TEST_RUN("ababc", 5, "pcre:\"/a/\"; pcre:\"/^b/R\"; pcre:\"/^c/R\"; ", true, 5);
TEST_RUN("ababc", 5, "pcre:\"/^a/\"; pcre:\"/^b/R\"; pcre:\"/d/R\"; ", false, 3);
TEST_RUN("ababc", 5, "pcre:\"/^a/\"; pcre:\"/^b/R\"; pcre:\"/c/R\"; pcre:\"/d/\"; ", false, 4);
TEST_FOOTER;
}
/** \test multiple independent blocks recursion logic */
static int DetectEngineContentInspectionTest05(void) {
TEST_HEADER;
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"c\";", true, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"d\";", false, 3);
// first block 2: (1) a, (2) b
// second block 3: (1) b, (2) c not found, (x) b continues within loop, (3) c found
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"b\"; content:\"c\"; distance:0; within:1;", true, 5);
TEST_FOOTER;
}
/** \test isdataat recursion logic */
static int DetectEngineContentInspectionTest06(void) {
TEST_HEADER;
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"c\";", true, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:\"d\";", false, 3);
// 6 steps: (1) a, (2) 1st b, (3) c not found, (4) 2nd b, (5) c found, isdataat
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:!1,relative;", true, 6);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:1,relative;", false, 6);
TEST_RUN("ababcabc", 8, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:!1,relative;", true, 9);
TEST_RUN("ababcabc", 8, "content:\"a\"; content:\"b\"; distance:0; within:1; content:\"c\"; distance:0; within:1; isdataat:1,relative;", true, 6);
TEST_FOOTER;
}
/** \test extreme recursion */
static int DetectEngineContentInspectionTest07(void) {
TEST_HEADER;
TEST_RUN("abcabcabcabcabcabcabcabcabcabcd", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; content:\"d\";", true, 4);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcd", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; content:\"d\"; within:1; distance:0; ", true, 31);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcx", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; content:\"d\"; within:1; distance:0; ", false, 31);
detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail.
9 years ago
TEST_RUN("abcabcabcabcabcabcabcabcabcabcx", 31, "content:\"a\"; content:\"b\"; distance:0; content:\"c\"; distance:0; content:\"d\"; distance:0; ", false, 4);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcx", 31, "content:\"a\"; content:\"b\"; distance:0; content:\"c\"; distance:0; pcre:\"/^d/R\"; ", false, 13);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcx", 31, "content:\"a\"; content:\"b\"; distance:0; content:\"c\"; distance:0; isdataat:!1,relative; ", false, 13); // TODO should be 4?
detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
TEST_RUN("abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdx", 41,
detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail.
9 years ago
"content:\"a\"; content:\"b\"; distance:0; content:\"c\"; distance:0; content:\"d\"; distance:0; content:\"e\"; distance:0; ", false, 5);
detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
TEST_RUN("abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdx", 41,
detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail.
9 years ago
"content:\"a\"; content:\"b\"; distance:0; content:\"c\"; distance:0; content:\"d\"; distance:0; pcre:\"/^e/R\"; ", false, 14); // TODO should be 5?
detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
TEST_RUN("abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdx", 41,
detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail.
9 years ago
"content:\"a\"; content:\"b\"; distance:0; content:\"c\"; distance:0; content:\"d\"; distance:0; isdataat:!1,relative; ", false, 14); // TODO should be 5?
detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
TEST_RUN("abcabcabcabcabcabcabcabcabcabcd", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; pcre:\"/d/\";", true, 4);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcd", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; pcre:\"/d/R\";", true, 4);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcd", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; pcre:\"/^d/R\";", true, 31);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcx", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; pcre:\"/d/\";", false, 4);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcx", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; pcre:\"/d/R\";", false, 31);
TEST_RUN("abcabcabcabcabcabcabcabcabcabcx", 31, "content:\"a\"; content:\"b\"; within:1; distance:0; content:\"c\"; distance:0; within:1; pcre:\"/^d/R\";", false, 31);
TEST_FOOTER;
}
detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail.
9 years ago
/** \test mix in negation */
static int DetectEngineContentInspectionTest08(void) {
TEST_HEADER;
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:!\"d\";", true, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:!\"c\";", false, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:!\"a\"; distance:0; within:1;", true, 5);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; distance:0; within:1; content:!\"a\"; distance:0; ", true, 5);
TEST_FOOTER;
}
detect: more content inspection tests
9 years ago
/** \test mix in byte_jump */
static int DetectEngineContentInspectionTest09(void) {
TEST_HEADER;
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:!\"d\";", true, 3);
TEST_RUN("ababc", 5, "content:\"a\"; content:\"b\"; content:!\"c\";", false, 3);
TEST_RUN("abc03abcxyz", 11, "content:\"abc\"; byte_jump:2,0,relative,string,dec; content:\"xyz\"; within:3;", true, 3);
TEST_RUN("abc03abc03abcxyz", 16, "content:\"abc\"; byte_jump:2,0,relative,string,dec; content:\"xyz\"; within:3;", true, 5);
TEST_RUN("abc03abc03abcxyz", 16, "content:\"abc\"; byte_jump:2,0,relative,string,dec; content:\"xyz\"; within:3; isdataat:!1,relative;", true, 6);
TEST_RUN("abc03abc03abcxyz", 16, "content:\"abc\"; byte_jump:2,0,relative,string,dec; content:\"xyz\"; within:3; pcre:\"/klm$/R\";", false, 7);
TEST_RUN("abc03abc03abcxyzklm", 19, "content:\"abc\"; byte_jump:2,0,relative,string,dec; content:\"xyz\"; within:3; pcre:\"/klm$/R\";", true, 6);
TEST_RUN("abc03abc03abcxyzklx", 19, "content:\"abc\"; byte_jump:2,0,relative,string,dec; content:\"xyz\"; within:3; pcre:\"/^klm$/R\";", false, 7);
TEST_RUN("abc03abc03abc03abcxyzklm", 24, "content:\"abc\"; byte_jump:2,0,relative,string,dec; content:\"xyz\"; within:3; pcre:\"/^klm$/R\";", true, 8);
TEST_FOOTER;
}
detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
void DetectEngineContentInspectionRegisterTests(void)
{
UtRegisterTest("DetectEngineContentInspectionTest01",
DetectEngineContentInspectionTest01);
UtRegisterTest("DetectEngineContentInspectionTest02",
DetectEngineContentInspectionTest02);
UtRegisterTest("DetectEngineContentInspectionTest03",
DetectEngineContentInspectionTest03);
UtRegisterTest("DetectEngineContentInspectionTest04",
DetectEngineContentInspectionTest04);
UtRegisterTest("DetectEngineContentInspectionTest05",
DetectEngineContentInspectionTest05);
UtRegisterTest("DetectEngineContentInspectionTest06",
DetectEngineContentInspectionTest06);
UtRegisterTest("DetectEngineContentInspectionTest07",
DetectEngineContentInspectionTest07);
detect: don't rescan when just distance is used Content inspection optimization: when just distance is used without within we don't need to search recursively. E.g. content:"a"; content:"b"; distance:1; will scan the buffer for 'a' and when it finds 'a' it will scan the remainder for 'b'. Until now, the failure to find 'b' would lead to looking for the next 'a' and then for 'b' after that. However, we already inspected the entire buffer for 'b', so we know this will fail.
9 years ago
UtRegisterTest("DetectEngineContentInspectionTest08",
DetectEngineContentInspectionTest08);
detect: more content inspection tests
9 years ago
UtRegisterTest("DetectEngineContentInspectionTest09",
DetectEngineContentInspectionTest09);
detect: content-inspection tests Add tests for the content inspection engine that count the number of steps it takes to eval a rule.
9 years ago
}
#undef TEST_HEADER
#undef TEST_RUN
#undef TEST_FOOTER