diff --git a/src/detect.c b/src/detect.c
index bcaeaeb38b..c3f2230a11 100644
--- a/src/detect.c
+++ b/src/detect.c
@@ -6367,6 +6367,128 @@ end:
 return result;
 }
+/**
+ * \test SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION
+ * flag is set, we don't need to inspect the packet protocol header or its contents.
+ */
+
+int SigTest41NoPacketInspection(void) {
+
+ uint8_t *buf = (uint8_t *)
+ "220 (vsFTPd 2.0.5)\r\n";
+ uint16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ PacketQueue pq;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ memset(&pq, 0, sizeof(pq));
+
+ p.src.family = AF_INET;
+ p.src.addr_data32[0] = 0x0102080a;
+ p.dst.addr_data32[0] = 0x04030201;
+ p.dst.family = AF_INET;
+ p.payload = buf;
+ p.payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+ p.dp = 34260;
+ p.sp = 21;
+ p.flowflags |= FLOW_PKT_TOSERVER;
+ p.flags |= PKT_NOPACKET_INSPECTION;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> 1.2.3.4 any (msg:\"No Packet Inspection Test\"; sid:2; rev:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ PatternMatchPrepare(mpm_ctx, MPM_B2G);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx,(void *)&det_ctx);
+ //DetectEngineIPOnlyThreadInit(de_ctx,&det_ctx->io_ctx);
+ det_ctx->de_ctx = de_ctx;
+
+ Detect(&th_v, &p, det_ctx, &pq);
+ if (PacketAlertCheck(&p, 2))
+ result = 0;
+ else
+ result = 1;
+
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ PatternMatchDestroy(mpm_ctx);
+ DetectEngineCtxFree(de_ctx);
+end:
+ return result;
+}
+
+/**
+ * \test SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION
+ * flasg is set, we don't need to inspect the packet contents.
+ */
+
+int SigTest42NoPayloadInspection(void) {
+
+ uint8_t *buf = (uint8_t *)
+ "220 (vsFTPd 2.0.5)\r\n";
+ uint16_t buflen = strlen((char *)buf);
+ Packet p;
+ ThreadVars th_v;
+ DetectEngineThreadCtx *det_ctx;
+ int result = 0;
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&p, 0, sizeof(p));
+ p.src.family = AF_INET;
+ p.dst.family = AF_INET;
+ p.payload = buf;
+ p.payload_len = buflen;
+ p.proto = IPPROTO_TCP;
+ p.flags |= PKT_NOPAYLOAD_INSPECTION;
+
+ DetectEngineCtx *de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL) {
+ goto end;
+ }
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any (msg:\"No Payload TEST\"; content:\"220 (vsFTPd 2.0.5)\"; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ result = 0;
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ PatternMatchPrepare(mpm_ctx,MPM_B2G);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, &p);
+ if (PacketAlertCheck(&p, 1))
+ result = 0;
+ else
+ result = 1;
+
+ SigGroupCleanup(de_ctx);
+ SigCleanSignatures(de_ctx);
+ DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
+ PatternMatchDestroy(mpm_ctx);
+ DetectEngineCtxFree(de_ctx);
+end:
+ return result;
+}
+
 #endif /* UNITTESTS */
 void SigRegisterTests(void) {
@@ -6517,6 +6639,9 @@ void SigRegisterTests(void) {
 UtRegisterTest("SigTest40SignatureIsIPOnly01", SigTest40IPOnly01, 1);
 UtRegisterTest("SigTest40SignatureIsIPOnly02", SigTest40IPOnly02, 1);
 UtRegisterTest("SigTest40SignatureIsIPOnly03", SigTest40IPOnly03, 1);
+
+ UtRegisterTest("SigTest41NoPacketInspection", SigTest41NoPacketInspection, 1);
+ UtRegisterTest("SigTest42NoPayloadInspection", SigTest42NoPayloadInspection, 1);
 #endif /* UNITTESTS */
 }
diff --git a/src/stream-tcp.c b/src/stream-tcp.c
index fba9e5db7e..a8c463b4a8 100644
--- a/src/stream-tcp.c
+++ b/src/stream-tcp.c
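Review bot: In both SigTest41NoPacketInspection and SigTest42NoPayloadInspection the `if (de_ctx->sig_list == NULL)` branch jumps straight to `end`, skipping `DetectEngineCtxFree(de_ctx)`, so a failing SigInit() leaks the engine context that DetectEngineCtxInit() returned a few lines earlier, and the `result = 0;` inside that branch is redundant because result already starts at 0. Replace the branch body with `DetectEngineCtxFree(de_ctx); goto end;` in both tests. A second concern is that each test passes purely on the absence of an alert, which cannot tell a honoured PKT_NOPACKET_INSPECTION / PKT_NOPAYLOAD_INSPECTION flag apart from a signature that never matched for an unrelated reason; running the same packet once without the flag and requiring the alert to fire would pin the flag's effect. Minor: the SigTest42 doc comment reads `flasg` for `flag`, and `uint16_t buflen = strlen((char *)buf);` silently narrows a size_t.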
@@ -2362,6 +2362,69 @@ end:
 return ret;
 }
+/*static int StreamTcpTest09 (void) {
+
+ Packet p;
+ Flow f;
+ ThreadVars tv;
+ StreamTcpThread stt;
+ TCPHdr tcph;
+ u_int8_t payload[1] = {0x42};
+
+ memset (&p, 0, sizeof(Packet));
+ memset (&f, 0, sizeof(Flow));
+ memset(&tv, 0, sizeof (ThreadVars));
+ memset(&stt, 0, sizeof(StreamTcpThread));
+ memset(&tcph, 0, sizeof(TCPHdr));
+
+ p.flow = &f;
+ int ret = 0;
+
+ StreamTcpInitConfig(TRUE);
+
+ //prevent L7 from kicking in
+ StreamMsgQueueSetMinInitChunkLen(FLOW_PKT_TOSERVER, 4096);
+ StreamMsgQueueSetMinInitChunkLen(FLOW_PKT_TOCLIENT, 4096);
+ StreamMsgQueueSetMinChunkLen(FLOW_PKT_TOSERVER, 4096);
+ StreamMsgQueueSetMinChunkLen(FLOW_PKT_TOCLIENT, 4096);
+
+ tcph.th_win = htons(5480);
+ tcph.th_seq = htonl(10);
+ tcph.th_ack = htonl(20);
+ tcph.th_flags = TH_ACK|TH_PUSH;
+ p.tcph = &tcph;
+
+ p.payload = payload;
+ p.payload_len = 1;
+
+ if (StreamTcpPacket(&tv, &p, &stt) == -1)
+ goto end;
+
+ p.tcph->th_seq = htonl(12);
+ p.tcph->th_ack = htonl(23);
+ p.tcph->th_flags = TH_ACK|TH_PUSH;
+ p.flowflags = FLOW_PKT_TOSERVER;
+
+ if (StreamTcpPacket(&tv, &p, &stt) == -1)
+ goto end;
+
+ p.tcph->th_seq = htonl(11);
+ p.tcph->th_ack = htonl(23);
+ p.tcph->th_flags = TH_ACK|TH_PUSH;
+ p.flowflags = FLOW_PKT_TOSERVER;
+
+ if (StreamTcpPacket(&tv, &p, &stt) == -1)
+ goto end;
+
+ if (((TcpSession *) (p.flow->protoctx))->client.seg_list == NULL)
+ ret = 1;
+
+ StreamTcpSessionPktFree(&p);
+end:
+ StreamTcpFreeConfig(TRUE);
+ return ret;
+}*/
+
 #endif /* UNITTESTS */
 void StreamTcpRegisterTests (void) {
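Review bot: StreamTcpTest09 is committed as a `/* ... */` block comment, so the compiler never sees it and it will silently drift from the APIs it calls; the matching `//UtRegisterTest("StreamTcpTest09 -- No Client Reassembly", StreamTcpTest09, 1);` line in hunk @@ -2374 has the same problem. If the test is not ready, keep it out of the commit, or guard it with `#if 0` / `#endif` plus a one-line comment saying why it is disabled, so the reason is recorded and tooling can still parse the code. Inside the disabled body, `u_int8_t payload[1]` uses the BSD spelling where the detect.c hunk in this same commit uses `uint8_t`, and `p.tcph->th_seq = ...` writes through the pointer to the local `tcph` that is directly in scope; both are worth normalising before the test is enabled.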
@@ -2374,6 +2437,7 @@ void StreamTcpRegisterTests (void) {
 UtRegisterTest("StreamTcpTest06 -- FIN, RST message MidStream session", StreamTcpTest06, 1);
 UtRegisterTest("StreamTcpTest07 -- PAWS invalid timestamp", StreamTcpTest07, 1);
 UtRegisterTest("StreamTcpTest08 -- PAWS valid timestamp", StreamTcpTest08, 1);
+ //UtRegisterTest("StreamTcpTest09 -- No Client Reassembly", StreamTcpTest09, 1);
 /* set up the reassembly tests as well */
 StreamTcpReassembleRegisterTests();
 #endif /* UNITTESTS */