From 10e2731f18d93685fdc75be3fcb6129de830add1 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sun, 25 Nov 2018 11:39:28 +0100
Subject: [PATCH] detect/http-uri: move tests into tests/
---
 src/Makefile.am | 1 -
 src/detect-engine-file.c | 1 -
 src/detect-engine-mpm.c | 1 -
 src/detect-engine-register.c | 1 -
 src/detect-engine-uri.h | 38 --
 src/detect-engine.c | 1 -
 src/detect-http-uri.c | 487 +----------------
 src/runmode-unittests.c | 2 -
 .../detect-http-uri.c} | 511 ++++++++++++++++--
 9 files changed, 482 insertions(+), 561 deletions(-)
 delete mode 100644 src/detect-engine-uri.h
 rename src/{detect-engine-uri.c => tests/detect-http-uri.c} (87%)
diff --git a/src/Makefile.am b/src/Makefile.am
index ade4eaef84..c216df4476 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -156,7 +156,6 @@ detect-engine-sigorder.c detect-engine-sigorder.h \
 detect-engine-state.c detect-engine-state.h \
 detect-engine-tag.c detect-engine-tag.h \
 detect-engine-threshold.c detect-engine-threshold.h \
-detect-engine-uri.c detect-engine-uri.h \
 detect-fast-pattern.c detect-fast-pattern.h \
 detect-file-data.c detect-file-data.h \
 detect-file-hash-common.c detect-file-hash-common.h \
diff --git a/src/detect-engine-file.c b/src/detect-engine-file.c
index 26a5239305..ffc73d7e0c 100644
--- a/src/detect-engine-file.c
+++ b/src/detect-engine-file.c
@@ -32,7 +32,6 @@
 #include "detect-filestore.h"
-#include "detect-engine-uri.h"
 #include "detect-engine-hcbd.h"
 #include "detect-engine-hrhd.h"
 #include "detect-engine-hmd.h"
diff --git a/src/detect-engine-mpm.c b/src/detect-engine-mpm.c
index ffd2818a82..1069b31d5b 100644
--- a/src/detect-engine-mpm.c
+++ b/src/detect-engine-mpm.c
@@ -50,7 +50,6 @@
 #include "detect-content.h"
 #include "detect-engine-payload.h"
-#include "detect-engine-uri.h"
 #include "detect-engine-hrud.h"
 #include "detect-engine-hmd.h"
 #include "detect-engine-hrhd.h"
diff --git a/src/detect-engine-register.c b/src/detect-engine-register.c
index 245cc760bf..de2ecf7363 100644
--- a/src/detect-engine-register.c
+++ b/src/detect-engine-register.c
@@ -45,7 +45,6 @@
 #include "detect-engine-payload.h"
 #include "detect-engine-dcepayload.h"
-#include "detect-engine-uri.h"
 #include "detect-dns-query.h"
 #include "detect-tls-sni.h"
 #include "detect-tls-cert-fingerprint.h"
diff --git a/src/detect-engine-uri.h b/src/detect-engine-uri.h
deleted file mode 100644
index 28c21d6ec2..0000000000
--- a/src/detect-engine-uri.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
- *
- * You can copy, redistribute or modify this Program under the terms of
- * the GNU General Public License version 2 as published by the Free
- * Software Foundation.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * version 2 along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
- * 02110-1301, USA.
- */
-
-/** \file
- *
- * \author Victor Julien
- * \author Pablo Rincon Crespo
- */
-
-#ifndef __DETECT_ENGINE_URICONTENT_H__
-#define __DETECT_ENGINE_URICONTENT_H__
-
-int PrefilterTxUriRegister(DetectEngineCtx *de_ctx,
- SigGroupHead *sgh, MpmCtx *mpm_ctx);
-
-int DetectEngineInspectHttpUri(ThreadVars *tv,
- DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx,
- const Signature *s, const SigMatchData *smd,
- Flow *f, uint8_t flags, void *alstate, void *tx, uint64_t tx_id);
-
-void UriRegisterTests(void);
-
-#endif /* __DETECT_ENGINE_URICONTENT_H__ */
-
diff --git a/src/detect-engine.c b/src/detect-engine.c
index 376a852730..34c0b0884a 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -46,7 +46,6 @@
 #include "detect-engine-iponly.h"
 #include "detect-engine-tag.h"
-#include "detect-engine-uri.h"
 #include "detect-engine-hrhd.h"
 #include "detect-engine-file.h"
diff --git a/src/detect-http-uri.c b/src/detect-http-uri.c
index e55bea8d54..370290023f 100644
--- a/src/detect-http-uri.c
+++ b/src/detect-http-uri.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2018 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -26,6 +26,7 @@
 * \file
 *
 * \author Gerardo Iglesias
+ * \author Victor Julien
 */
 #include "suricata-common.h"
@@ -55,10 +56,11 @@
 #include "app-layer-htp.h"
 #include "detect-http-uri.h"
 #include "detect-uricontent.h"
-#include "detect-engine-uri.h"
 #include "stream-tcp.h"
+#ifdef UNITTESTS
 static void DetectHttpUriRegisterTests(void);
+#endif
 static void DetectHttpUriSetupCallback(const DetectEngineCtx *de_ctx, Signature *s);
 static bool DetectHttpUriValidateCallback(const Signature *s, const char **sigerror);
@@ -79,7 +81,9 @@ void DetectHttpUriRegister (void)
 sigmatch_table[DETECT_AL_HTTP_URI].desc = "content modifier to match specifically and only on the HTTP uri-buffer";
 sigmatch_table[DETECT_AL_HTTP_URI].url = DOC_URL DOC_VERSION "/rules/http-keywords.html#http-uri-and-http-raw-uri";
 sigmatch_table[DETECT_AL_HTTP_URI].Setup = DetectHttpUriSetup;
+#ifdef UNITTESTS
 sigmatch_table[DETECT_AL_HTTP_URI].RegisterTests = DetectHttpUriRegisterTests;
+#endif
 sigmatch_table[DETECT_AL_HTTP_URI].flags |= SIGMATCH_NOOPT;
 /* http.uri sticky buffer */
@@ -183,487 +187,10 @@ static InspectionBuffer *GetData(DetectEngineThreadCtx *det_ctx,
 return buffer;
 }
-/******************************** UNITESTS **********************************/
-
-#ifdef UNITTESTS
-
-#include "detect-isdataat.h"
-#include "stream-tcp-reassemble.h"
-
-/**
- * \test Checks if a http_uri is registered in a Signature, if content is not
- * specified in the signature
- */
-static int DetectHttpUriTest01(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_uri\"; http_uri;sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
-
-end:
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_uri is registered in a Signature, if some parameter
- * is specified with http_uri in the signature
- */
-static int DetectHttpUriTest02(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_uri\"; content:\"one\"; "
- "http_cookie:wrong; sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
-
-end:
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_uri is registered in a Signature
- */
-static int DetectHttpUriTest03(void)
-{
- SigMatch *sm = NULL;
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_uri\"; content:\"one\"; "
- "http_uri; content:\"two\"; http_uri; "
- "content:\"three\"; http_uri; "
- "sid:1;)");
-
- if (de_ctx->sig_list == NULL) {
- printf("sig parse failed: ");
- goto end;
- }
-
- sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
- if (sm == NULL) {
- printf("no sigmatch(es): ");
- goto end;
- }
-
- while (sm != NULL) {
- if (sm->type == DETECT_CONTENT) {
- result = 1;
- } else {
- printf("expected DETECT_AL_HTTP_URI, got %d: ", sm->type);
- goto end;
- }
- sm = sm->next;
- }
-
-end:
- if (de_ctx != NULL)
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_uri is registered in a Signature, when rawbytes is
- * also specified in the signature
- */
-static int DetectHttpUriTest04(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_uri\"; content:\"one\"; "
- "rawbytes; http_uri; sid:1;)");
- if (de_ctx->sig_list == NULL)
- result = 1;
-
- end:
- if (de_ctx != NULL) SigCleanSignatures(de_ctx);
- if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-/**
- * \test Checks if a http_uri is successfully converted to a uricontent
- *
- */
-static int DetectHttpUriTest05(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- Signature *s = NULL;
- int result = 0;
-
- if ((de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- s = SigInit(de_ctx, "alert tcp any any -> any any "
- "(msg:\"Testing http_uri\"; "
- "content:\"we are testing http_uri keyword\"; "
- "http_uri; sid:1;)");
- if (s == NULL) {
- printf("sig failed to parse\n");
- goto end;
- }
- if (s->sm_lists[g_http_uri_buffer_id] == NULL)
- goto end;
- if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
- printf("wrong type\n");
- goto end;
- }
-
- const char *str = "we are testing http_uri keyword";
- int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[g_http_uri_buffer_id]->ctx)->content, str, strlen(str)-1);
- int urilen = ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->content_len;
- if (uricomp != 0 ||
- urilen != strlen("we are testing http_uri keyword")) {
- printf("sig failed to parse, content not setup properly\n");
- goto end;
- }
- result = 1;
-
-end:
- if (de_ctx != NULL) SigCleanSignatures(de_ctx);
- if (de_ctx != NULL) SigGroupCleanup(de_ctx);
- return result;
-}
-
-static int DetectHttpUriTest12(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(content:\"one\"; http_uri; "
- "content:\"two\"; distance:0; http_uri; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
- goto end;
- }
-
- DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
- DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
- if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
- memcmp(ud1->content, "one", ud1->content_len) != 0 ||
- ud2->flags != DETECT_CONTENT_DISTANCE ||
- memcmp(ud2->content, "two", ud1->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpUriTest13(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(content:\"one\"; http_uri; "
- "content:\"two\"; within:5; http_uri; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
- goto end;
- }
-
- DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
- DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
- if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
- memcmp(ud1->content, "one", ud1->content_len) != 0 ||
- ud2->flags != DETECT_CONTENT_WITHIN ||
- memcmp(ud2->content, "two", ud1->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpUriTest14(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(content:\"one\"; within:5; http_uri; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpUriTest15(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(content:\"one\"; http_uri; within:5; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
- goto end;
- }
-
- DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
- if (memcmp(cd->content, "one", cd->content_len) != 0 ||
- cd->flags != DETECT_CONTENT_WITHIN) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpUriTest16(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(content:\"one\"; within:5; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpUriTest17(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(uricontent:\"one\"; "
- "content:\"two\"; distance:0; http_uri; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
- goto end;
- }
-
- DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
- DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
- if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
- memcmp(ud1->content, "one", ud1->content_len) != 0 ||
- ud2->flags != DETECT_CONTENT_DISTANCE ||
- memcmp(ud2->content, "two", ud1->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpUriTest18(void)
-{
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- if ( (de_ctx = DetectEngineCtxInit()) == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
- de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
- "(uricontent:\"one\"; "
- "content:\"two\"; within:5; http_uri; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- printf("de_ctx->sig_list == NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
- printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
- goto end;
- }
-
- if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
- printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
- goto end;
- }
-
- DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
- DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
- if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
- memcmp(ud1->content, "one", ud1->content_len) != 0 ||
- ud2->flags != DETECT_CONTENT_WITHIN ||
- memcmp(ud2->content, "two", ud1->content_len) != 0) {
- goto end;
- }
-
- result = 1;
-
- end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-}
-
-static int DetectHttpUriIsdataatParseTest(void)
-{
- DetectEngineCtx *de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
- de_ctx->flags |= DE_QUIET;
-
- Signature *s = DetectEngineAppendSig(de_ctx,
- "alert tcp any any -> any any ("
- "content:\"one\"; http_uri; "
- "isdataat:!4,relative; sid:1;)");
- FAIL_IF_NULL(s);
-
- SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
- FAIL_IF_NULL(sm);
- FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
-
- DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
- FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
- FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
- FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
-
- DetectEngineCtxFree(de_ctx);
- PASS;
-}
-
-#endif /* UNITTESTS */
-
-/**
- * \brief Register the UNITTESTS for the http_uri keyword
- */
-static void DetectHttpUriRegisterTests (void)
-{
 #ifdef UNITTESTS /* UNITTESTS */
- UtRegisterTest("DetectHttpUriTest01", DetectHttpUriTest01);
- UtRegisterTest("DetectHttpUriTest02", DetectHttpUriTest02);
- UtRegisterTest("DetectHttpUriTest03", DetectHttpUriTest03);
- UtRegisterTest("DetectHttpUriTest04", DetectHttpUriTest04);
- UtRegisterTest("DetectHttpUriTest05", DetectHttpUriTest05);
- UtRegisterTest("DetectHttpUriTest12", DetectHttpUriTest12);
- UtRegisterTest("DetectHttpUriTest13", DetectHttpUriTest13);
- UtRegisterTest("DetectHttpUriTest14", DetectHttpUriTest14);
- UtRegisterTest("DetectHttpUriTest15", DetectHttpUriTest15);
- UtRegisterTest("DetectHttpUriTest16", DetectHttpUriTest16);
- UtRegisterTest("DetectHttpUriTest17", DetectHttpUriTest17);
- UtRegisterTest("DetectHttpUriTest18", DetectHttpUriTest18);
-
- UtRegisterTest("DetectHttpUriIsdataatParseTest",
- DetectHttpUriIsdataatParseTest);
+#include "tests/detect-http-uri.c"
 #endif /* UNITTESTS */
-}
 /**
 * @}
 */
diff --git a/src/runmode-unittests.c b/src/runmode-unittests.c
index ba73f9b8ea..9e734494ed 100644
--- a/src/runmode-unittests.c
+++ b/src/runmode-unittests.c
@@ -36,7 +36,6 @@
 #include "detect-engine-sigorder.h"
 #include "detect-engine-payload.h"
 #include "detect-engine-dcepayload.h"
-#include "detect-engine-uri.h"
 #include "detect-engine-hcbd.h"
 #include "detect-engine-hsbd.h"
 #include "detect-engine-hrhd.h"
@@ -194,7 +193,6 @@ static void RegisterUnittests(void)
 SCRConfRegisterTests();
 PayloadRegisterTests();
 DcePayloadRegisterTests();
- UriRegisterTests();
 #ifdef PROFILING
 SCProfilingRegisterTests();
 #endif
diff --git a/src/detect-engine-uri.c b/src/tests/detect-http-uri.c
similarity index 87%
rename from src/detect-engine-uri.c
rename to src/tests/detect-http-uri.c
index c19215e90f..f1a56d4a51 100644
--- a/src/detect-engine-uri.c
+++ b/src/tests/detect-http-uri.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2010 Open Information Security Foundation
+/* Copyright (C) 2007-2018 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -19,41 +19,20 @@
 *
 * \author Victor Julien
 * \author Pablo Rincon Crespo
- *
- * Based on detect-engine-uri.c
 */
-#include "suricata-common.h"
-#include "suricata.h"
-#include "decode.h"
-
-#include "detect.h"
-#include "detect-engine.h"
-#include "detect-parse.h"
-#include "detect-engine-state.h"
-#include "detect-engine-content-inspection.h"
-#include "detect-engine-prefilter.h"
-#include "detect-engine-uri.h"
-
-#include "flow-util.h"
-#include "util-debug.h"
-#include "util-print.h"
-#include "flow.h"
-
-#include "stream-tcp.h"
-
-#include "app-layer-parser.h"
+#include "../suricata-common.h"
+#include "../app-layer.h"
+#include "../app-layer-parser.h"
+#include "../app-layer-htp.h"
+#include "../util-unittest.h"
+#include "../util-unittest-helper.h"
-#include "util-unittest.h"
-#include "util-unittest-helper.h"
-#include "app-layer.h"
-#include "app-layer-htp.h"
-#include "app-layer-protos.h"
-#include "util-validate.h"
+#include "../flow.h"
+#include "../flow-util.h"
-/***********************************Unittests**********************************/
+#include "../detect-isdataat.h"
-#ifdef UNITTESTS
 /** \test Test a simple uricontent option */
 static int UriTestSig01(void)
 {
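Review bot: The file header should say that tests/detect-http-uri.c is a fragment and not a standalone translation unit, because after the second hunk nothing in the file tells a reader so. It drops its own `#ifdef UNITTESTS` guard together with the includes of detect.h, detect-engine.h and detect-parse.h, while the tests further down still call DetectEngineCtxInit() and SigInit() and index by g_http_uri_buffer_id, which presumably comes from the including file. I would extend the `\file` comment with something like `* Unit tests for the http_uri keyword; #included by detect-http-uri.c inside its UNITTESTS block, not compiled on its own.` UriTestSig01 only begins at the end of this hunk; its body is outside it.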
@@ -3823,12 +3802,459 @@ end:
 return result;
 }
-#endif /* UNITTESTS */
+/**
+ * \test Checks if a http_uri is registered in a Signature, if content is not
+ * specified in the signature
+ */
+static int DetectHttpUriTest01(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_uri\"; http_uri;sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
-void UriRegisterTests(void)
+/**
+ * \test Checks if a http_uri is registered in a Signature, if some parameter
+ * is specified with http_uri in the signature
+ */
+static int DetectHttpUriTest02(void)
 {
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_uri\"; content:\"one\"; "
+ "http_cookie:wrong; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ result = 1;
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_uri is registered in a Signature
+ */
+static int DetectHttpUriTest03(void)
+{
+ SigMatch *sm = NULL;
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_uri\"; content:\"one\"; "
+ "http_uri; content:\"two\"; http_uri; "
+ "content:\"three\"; http_uri; "
+ "sid:1;)");
+
+ if (de_ctx->sig_list == NULL) {
+ printf("sig parse failed: ");
+ goto end;
+ }
+
+ sm = de_ctx->sig_list->sm_lists[g_http_uri_buffer_id];
+ if (sm == NULL) {
+ printf("no sigmatch(es): ");
+ goto end;
+ }
+
+ while (sm != NULL) {
+ if (sm->type == DETECT_CONTENT) {
+ result = 1;
+ } else {
+ printf("expected DETECT_AL_HTTP_URI, got %d: ", sm->type);
+ goto end;
+ }
+ sm = sm->next;
+ }
+
+end:
+ if (de_ctx != NULL)
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_uri is registered in a Signature, when rawbytes is
+ * also specified in the signature
+ */
+static int DetectHttpUriTest04(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_uri\"; content:\"one\"; "
+ "rawbytes; http_uri; sid:1;)");
+ if (de_ctx->sig_list == NULL)
+ result = 1;
+
+ end:
+ if (de_ctx != NULL) SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+/**
+ * \test Checks if a http_uri is successfully converted to a uricontent
+ *
+ */
+static int DetectHttpUriTest05(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ Signature *s = NULL;
+ int result = 0;
+
+ if ((de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ s = SigInit(de_ctx, "alert tcp any any -> any any "
+ "(msg:\"Testing http_uri\"; "
+ "content:\"we are testing http_uri keyword\"; "
+ "http_uri; sid:1;)");
+ if (s == NULL) {
+ printf("sig failed to parse\n");
+ goto end;
+ }
+ if (s->sm_lists[g_http_uri_buffer_id] == NULL)
+ goto end;
+ if (s->sm_lists[g_http_uri_buffer_id]->type != DETECT_CONTENT) {
+ printf("wrong type\n");
+ goto end;
+ }
+
+ const char *str = "we are testing http_uri keyword";
+ int uricomp = memcmp((const char *)((DetectContentData*) s->sm_lists[g_http_uri_buffer_id]->ctx)->content, str, strlen(str)-1);
+ int urilen = ((DetectContentData*) s->sm_lists_tail[g_http_uri_buffer_id]->ctx)->content_len;
+ if (uricomp != 0 ||
+ urilen != strlen("we are testing http_uri keyword")) {
+ printf("sig failed to parse, content not setup properly\n");
+ goto end;
+ }
+ result = 1;
+
+end:
+ if (de_ctx != NULL) SigCleanSignatures(de_ctx);
+ if (de_ctx != NULL) SigGroupCleanup(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriTest12(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
+ "(content:\"one\"; http_uri; "
+ "content:\"two\"; distance:0; http_uri; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
+ printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
+ goto end;
+ }
+
+ DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
+ DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
+ if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
+ memcmp(ud1->content, "one", ud1->content_len) != 0 ||
+ ud2->flags != DETECT_CONTENT_DISTANCE ||
+ memcmp(ud2->content, "two", ud1->content_len) != 0) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriTest13(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
+ "(content:\"one\"; http_uri; "
+ "content:\"two\"; within:5; http_uri; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
+ printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
+ goto end;
+ }
-#ifdef UNITTESTS
+ if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
+ goto end;
+ }
+
+ DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
+ DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
+ if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
+ memcmp(ud1->content, "one", ud1->content_len) != 0 ||
+ ud2->flags != DETECT_CONTENT_WITHIN ||
+ memcmp(ud2->content, "two", ud1->content_len) != 0) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriTest14(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
+ "(content:\"one\"; within:5; http_uri; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriTest15(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
+ "(content:\"one\"; http_uri; within:5; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
+ goto end;
+ }
+
+ DetectContentData *cd = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
+ if (memcmp(cd->content, "one", cd->content_len) != 0 ||
+ cd->flags != DETECT_CONTENT_WITHIN) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriTest16(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
+ "(content:\"one\"; within:5; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriTest17(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
+ "(uricontent:\"one\"; "
+ "content:\"two\"; distance:0; http_uri; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
+ printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
+ goto end;
+ }
+
+ DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
+ DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
+ if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
+ memcmp(ud1->content, "one", ud1->content_len) != 0 ||
+ ud2->flags != DETECT_CONTENT_DISTANCE ||
+ memcmp(ud2->content, "two", ud1->content_len) != 0) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriTest18(void)
+{
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ if ( (de_ctx = DetectEngineCtxInit()) == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+ de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
+ "(uricontent:\"one\"; "
+ "content:\"two\"; within:5; http_uri; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ printf("de_ctx->sig_list == NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL) {
+ printf("de_ctx->sig_list->sm_lists[DETECT_SM_LIST_PMATCH] != NULL\n");
+ goto end;
+ }
+
+ if (de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL) {
+ printf("de_ctx->sig_list->sm_lists[g_http_uri_buffer_id] == NULL\n");
+ goto end;
+ }
+
+ DetectContentData *ud1 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->prev->ctx;
+ DetectContentData *ud2 = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[g_http_uri_buffer_id]->ctx;
+ if (ud1->flags != DETECT_CONTENT_RELATIVE_NEXT ||
+ memcmp(ud1->content, "one", ud1->content_len) != 0 ||
+ ud2->flags != DETECT_CONTENT_WITHIN ||
+ memcmp(ud2->content, "two", ud1->content_len) != 0) {
+ goto end;
+ }
+
+ result = 1;
+
+ end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+}
+
+static int DetectHttpUriIsdataatParseTest(void)
+{
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ Signature *s = DetectEngineAppendSig(de_ctx,
+ "alert tcp any any -> any any ("
+ "content:\"one\"; http_uri; "
+ "isdataat:!4,relative; sid:1;)");
+ FAIL_IF_NULL(s);
+
+ SigMatch *sm = s->init_data->smlists_tail[g_http_uri_buffer_id];
+ FAIL_IF_NULL(sm);
+ FAIL_IF_NOT(sm->type == DETECT_ISDATAAT);
+
+ DetectIsdataatData *data = (DetectIsdataatData *)sm->ctx;
+ FAIL_IF_NOT(data->flags & ISDATAAT_RELATIVE);
+ FAIL_IF_NOT(data->flags & ISDATAAT_NEGATED);
+ FAIL_IF(data->flags & ISDATAAT_RAWBYTES);
+
+ DetectEngineCtxFree(de_ctx);
+ PASS;
+}
+
+/**
+ * \brief Register the UNITTESTS for the http_uri keyword
+ */
+static void DetectHttpUriRegisterTests (void)
+{
 UtRegisterTest("UriTestSig01", UriTestSig01);
 UtRegisterTest("UriTestSig02", UriTestSig02);
 UtRegisterTest("UriTestSig03", UriTestSig03);
@@ -3866,7 +4292,20 @@ void UriRegisterTests(void)
 UtRegisterTest("UriTestSig36", UriTestSig36);
 UtRegisterTest("UriTestSig37", UriTestSig37);
 UtRegisterTest("UriTestSig38", UriTestSig38);
-#endif /* UNITTESTS */
- return;
+ UtRegisterTest("DetectHttpUriTest01", DetectHttpUriTest01);
+ UtRegisterTest("DetectHttpUriTest02", DetectHttpUriTest02);
+ UtRegisterTest("DetectHttpUriTest03", DetectHttpUriTest03);
+ UtRegisterTest("DetectHttpUriTest04", DetectHttpUriTest04);
+ UtRegisterTest("DetectHttpUriTest05", DetectHttpUriTest05);
+ UtRegisterTest("DetectHttpUriTest12", DetectHttpUriTest12);
+ UtRegisterTest("DetectHttpUriTest13", DetectHttpUriTest13);
+ UtRegisterTest("DetectHttpUriTest14", DetectHttpUriTest14);
+ UtRegisterTest("DetectHttpUriTest15", DetectHttpUriTest15);
+ UtRegisterTest("DetectHttpUriTest16", DetectHttpUriTest16);
+ UtRegisterTest("DetectHttpUriTest17", DetectHttpUriTest17);
+ UtRegisterTest("DetectHttpUriTest18", DetectHttpUriTest18);
+
+ UtRegisterTest("DetectHttpUriIsdataatParseTest",
+ DetectHttpUriIsdataatParseTest);
 }