From 6990d9c91be517395632006ef59965abfae32981 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 19 Mar 2010 09:10:39 +0100
Subject: [PATCH] Fix thresholding signature unittests. Because of the bug fix that made thresholding compatible to ip-only sigs the test sigs needed to be made non-ip-only.
---
 src/detect-threshold.c | 31 +++++++++++++++++++++++--------
 src/detect.c | 4 ++--
 2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/src/detect-threshold.c b/src/detect-threshold.c
index 6442758a87..afbc28d6fd 100644
--- a/src/detect-threshold.c
+++ b/src/detect-threshold.c
@@ -354,6 +354,8 @@ static int DetectThresholdTestSig1(void) {
 p.ip4h = &ip4h;
 p.ip4h->ip_src.s_addr = 0x01010101;
 p.ip4h->ip_dst.s_addr = 0x02020202;
+ p.sp = 1024;
+ p.dp = 80;
 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 if (de_ctx == NULL) {
@@ -362,12 +364,18 @@ static int DetectThresholdTestSig1(void) {
 de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
 if (s == NULL) {
 goto end;
 }
 SigGroupBuild(de_ctx);
+
+ if (s->flags & SIG_FLAG_IPONLY) {
+ printf("signature is ip-only: ");
+ goto end;
+ }
+
 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
 SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
@@ -384,9 +392,8 @@ static int DetectThresholdTestSig1(void) {
 if(alerts == 5)
 result = 1;
 else
- goto cleanup;
+ printf("alerts %"PRIi32", expected 5: ", alerts);
-cleanup:
 SigGroupCleanup(de_ctx);
 SigCleanSignatures(de_ctx);
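Review bot: In the second hunk of DetectThresholdTestSig1 the new ip-only guard leaves via `goto end` after `SigGroupBuild(de_ctx)` has already run. The following hunk shows `SigGroupCleanup(de_ctx)` and `SigCleanSignatures(de_ctx)` only on the fall-through path, and this commit removes the `cleanup:` label, so the guard path presumably skips the teardown and leaks the built groups and `de_ctx`. The `end` label and the rest of the function are outside the hunks, so this needs confirming there. Consider keeping a label ahead of the teardown and using `goto cleanup;` instead of `goto end;` in the guard, provided nothing after that label touches the not-yet-initialised `det_ctx`.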
@@ -426,6 +433,8 @@ static int DetectThresholdTestSig2(void) {
 p.ip4h = &ip4h;
 p.ip4h->ip_src.s_addr = 0x01010101;
 p.ip4h->ip_dst.s_addr = 0x02020202;
+ p.sp = 1024;
+ p.dp = 80;
 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 if (de_ctx == NULL) {
@@ -434,7 +443,7 @@ static int DetectThresholdTestSig2(void) {
 de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold\"; threshold: type threshold, track by_dst, count 5, seconds 60; sid:1;)");
 if (s == NULL) {
 goto end;
 }
@@ -507,6 +516,8 @@ static int DetectThresholdTestSig3(void) {
 p.ip4h = &ip4h;
 p.ip4h->ip_src.s_addr = 0x01010101;
 p.ip4h->ip_dst.s_addr = 0x02020202;
+ p.sp = 1024;
+ p.dp = 80;
 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 if (de_ctx == NULL) {
@@ -515,7 +526,7 @@ static int DetectThresholdTestSig3(void) {
 de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:10;)");
 if (s == NULL) {
 goto end;
 }
@@ -618,6 +629,8 @@ static int DetectThresholdTestSig4(void) {
 p.ip4h = &ip4h;
 p.ip4h->ip_src.s_addr = 0x01010101;
 p.ip4h->ip_dst.s_addr = 0x02020202;
+ p.sp = 1024;
+ p.dp = 80;
 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 if (de_ctx == NULL) {
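Review bot: DetectThresholdTestSig2 gets the same `any 80` rule change as Sig1 but not the `SIG_FLAG_IPONLY` assertion that Sig1 gained; the same holds for the Sig3 hunk here and the Sig4 and Sig5 hunks that follow. If a later change makes these rules ip-only again, the tests would report at most a bare alert-count mismatch, with nothing pointing at the signature classification as the cause. Repeating the `if (s->flags & SIG_FLAG_IPONLY)` check after `SigGroupBuild(de_ctx)` in each test, with an exit path that still runs the `de_ctx` teardown, would make the precondition explicit. The `SigGroupBuild` calls of these functions are outside the hunks.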
@@ -626,7 +639,7 @@ static int DetectThresholdTestSig4(void) {
 de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
 if (s == NULL) {
 goto end;
 }
@@ -690,6 +703,8 @@ static int DetectThresholdTestSig5(void) {
 p.ip4h = &ip4h;
 p.ip4h->ip_src.s_addr = 0x01010101;
 p.ip4h->ip_dst.s_addr = 0x02020202;
+ p.sp = 1024;
+ p.dp = 80;
 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
 if (de_ctx == NULL) {
@@ -698,12 +713,12 @@ static int DetectThresholdTestSig5(void) {
 de_ctx->flags |= DE_QUIET;
- s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
 if (s == NULL) {
 goto end;
 }
- s = s->next = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
+ s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
 if (s == NULL) {
 goto end;
 }
diff --git a/src/detect.c b/src/detect.c
index e058864685..9cbf9f7d1b 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -475,10 +475,10 @@ inline SigGroupHead *SigMatchSignaturesGetSgh(ThreadVars *th_v, DetectEngineCtx
 if (dport != NULL) {
 sgh = dport->sh;
 } else {
- SCLogDebug("no dst port group found for the packet");
+ SCLogDebug("no dst port group found for the packet with dp %"PRIu16"", p->dp);
 }
 } else {
- SCLogDebug("no src port group found for the packet");
+ SCLogDebug("no src port group found for the packet with sp %"PRIu16"", p->sp);
 }
 }
 } else {
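Review bot: Both new SCLogDebug format strings end in a stray empty literal, `%"PRIu16""`, which concatenates to nothing and reads like a typo. `SCLogDebug("no dst port group found for the packet with dp %" PRIu16, p->dp);` and the matching `sp` line say the same thing more clearly. `PRIu16` also assumes `p->dp` and `p->sp` are 16-bit unsigned, which the Packet definition outside this hunk should confirm. SigMatchSignaturesGetSgh starts and ends outside the hunk.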