diff --git a/src/util-action.c b/src/util-action.c
index cf052e5270..9a6a917491 100644
--- a/src/util-action.c
+++ b/src/util-action.c
@@ -425,1146 +425,11 @@ action-order:\n\ return res; } -/** - * \test Check that we handle the "pass" action - * correctly at the IP Only engine in the default case - */ -static int UtilActionTest08(void) -{ - int res = 0; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)"; - sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 0, 1}, - {0, 0, 0}, - {1, 0, 1} }; - /* This means that with the second packet, the results will be - * all ({0,0,0}) since, we should match the "pass" rule first - */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - return res; -} - -/** - * \test Check that we handle the "pass" action - * correctly at the IP Only engine with more - * prio to drop - */ -static int UtilActionTest09(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - 
action_order_sigs[1] = ACTION_PASS; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)"; - sigs[2]= "drop ip any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 0, 1}, - {0, 0, 1}, - {1, 0, 1} }; - /* This means that with the second packet, the results will be - * all ({0,0,1}) since, we should match the "drop" rule first. - * Later the "pass" rule will avoid the "alert" rule match - */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - return res; -} - -/** - * \test Check that we handle the "pass" action - * correctly at the detection engine in the default case - */ -static int UtilActionTest10(void) -{ - int res = 0; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - uint8_t 
buf2[] = "wo!"; - uint16_t buflen2 = sizeof(buf2) - 1; - Packet *p[3]; - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; - sigs[1]= "pass ip any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)"; - sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 0, 1}, - {0, 0, 0}, - {1, 0, 1} }; - /* This means that with the second packet, the results will be - * all ({0,0,0}) since, we should match the "pass" rule first - */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - return res; -} - -/** - * \test Check that we handle the "pass" action - * correctly at the detection engine with more - * prio to drop - */ -static int UtilActionTest11(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - uint8_t buf2[] = "Hi all wo!"; - uint16_t buflen2 = sizeof(buf2) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_PASS; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; 
- - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; - sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)"; - sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 0, 1}, - {0, 0, 1}, - {1, 0, 1} }; - /* This means that with the second packet, the results will be - * all ({0,0,1}) since, we should match the "drop" rule first. - * Later the "pass" rule will avoid the "alert" rule match - */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - return res; -} - -/** - * \test Check that we handle the "pass" action - * correctly at the detection engine in the default case - */ -static int UtilActionTest12(void) -{ - int res = 0; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, 
IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "pass ip any any -> any any (msg:\"Testing normal 2\"; sid:2;)"; - sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 0, 0}, - {0, 0, 0}, - {0, 0, 0} }; - /* All should match the 3 sigs, but the action pass has prio */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - return res; -} - -/** - * \test Check that we handle the "pass" action - * correctly at the detection engine with more - * prio to drop - */ -static int UtilActionTest13(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_PASS; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", 
"192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; - sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 0, 1}, - {0, 0, 1}, - {0, 0, 1} }; - /* All the packets should match the 3 sigs. As drop has more - * priority than pass, it should alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - return res; -} - -/** - * \test Check that we handle the "pass" action - * correctly at the detection engine with more - * prio to drop and alert - */ -static int UtilActionTest14(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_ALERT; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_PASS; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = 
UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)"; - sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 0, 1}, - {1, 0, 1}, - {1, 0, 1} }; - /* All the packets should match the 3 sigs. As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) - */ -static int UtilActionTest15(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - 
- const char *sigs[3]; - sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 0, 0}, - {0, 0, 0}, - {0, 0, 0} }; - /* All the packets should match the 3 sigs. As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) - */ -static int UtilActionTest16(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 0, 0}, - {0, 0, 0}, - {0, 0, 0} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) - */ -static int UtilActionTest17(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 0, 0}, - {0, 0, 0}, - {0, 0, 0} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) with more prio for drop - */ -static int UtilActionTest18(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_PASS; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 0, 1}, - {0, 0, 1}, - {0, 0, 1} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) with more prio for drop - */ -static int UtilActionTest19(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_PASS; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 0, 0}, - {1, 0, 0}, - {1, 0, 0} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) with more prio for drop - */ -static int UtilActionTest20(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_PASS; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 1, 0}, - {0, 1, 0}, - {0, 1, 0} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) with more prio for alert and drop - */ -static int UtilActionTest21(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_ALERT; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_PASS; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 0, 1}, - {1, 0, 1}, - {1, 0, 1} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) with more prio for alert and drop - */ -static int UtilActionTest22(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_ALERT; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_PASS; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {1, 1, 0}, - {1, 1, 0}, - {1, 1, 0} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - -end: - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - - return res; -} - -/** - * \test Check mixed sigs (iponly and normal) with more prio for alert and drop - */ -static int UtilActionTest23(void) -{ - int res = 1; - uint8_t buf[] = "Hi all!"; - uint16_t buflen = sizeof(buf) - 1; - Packet *p[3]; - - action_order_sigs[0] = ACTION_DROP; - action_order_sigs[1] = ACTION_ALERT; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_PASS; - - p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - - if (p[0] == NULL || p[1] == NULL ||p[2] == NULL) - goto end; - - const char *sigs[3]; - sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)"; - sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)"; - - uint32_t sid[3] = {1, 2, 3}; - - uint32_t results[3][3] = { - {0, 1, 1}, - {0, 1, 1}, - {0, 1, 1} }; - /* All the packets should match the 3 sigs. 
As drop - * and alert have more priority than pass, both should - * alert on each packet */ - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) - goto cleanup; - de_ctx->flags |= DE_QUIET; - - if (UTHAppendSigs(de_ctx, sigs, 3) == 0) - goto cleanup; - - SCSigRegisterSignatureOrderingFuncs(de_ctx); - SCSigOrderSignatures(de_ctx); - - res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3); - -cleanup: - UTHFreePackets(p, 3); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - /* Restore default values */ - action_order_sigs[0] = ACTION_PASS; - action_order_sigs[1] = ACTION_DROP; - action_order_sigs[2] = ACTION_REJECT; - action_order_sigs[3] = ACTION_ALERT; - -end: - return res; -} - /** * \test Check that the expected defaults are loaded if the * action-order configuration is not present. */ -static int UtilActionTest24(void) +static int UtilActionTest08(void) { int res = 1; char config[] = "%YAML 1.1\n" 
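Review bot: The sixteen tests removed in this hunk (old UtilActionTest08 to UtilActionTest23) exercise how `pass`, `drop` and `alert` signatures interact under the default and reordered `action_order_sigs`, and nothing on the new side records where that coverage now lives. A regression in that ordering would surface as a pass rule silently suppressing a drop or alert, so if these cases moved to another suite I would say so in the doc comment of the renamed test or above `UtilActionRegisterTests`, e.g. `/* pass/drop/alert priority cases: see <replacement test location> */` with the real location filled in. Reusing the name `UtilActionTest08` for the former `UtilActionTest24` also means earlier results recorded under that name refer to a different test. The body of the renamed function continues past the end of the hunk.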
@@ -1603,21 +468,5 @@ void UtilActionRegisterTests(void)
 UtRegisterTest("UtilActionTest06", UtilActionTest06);
 UtRegisterTest("UtilActionTest07", UtilActionTest07);
 UtRegisterTest("UtilActionTest08", UtilActionTest08);
- UtRegisterTest("UtilActionTest09", UtilActionTest09);
- UtRegisterTest("UtilActionTest10", UtilActionTest10);
- UtRegisterTest("UtilActionTest11", UtilActionTest11);
- UtRegisterTest("UtilActionTest12", UtilActionTest12);
- UtRegisterTest("UtilActionTest13", UtilActionTest13);
- UtRegisterTest("UtilActionTest14", UtilActionTest14);
- UtRegisterTest("UtilActionTest15", UtilActionTest15);
- UtRegisterTest("UtilActionTest16", UtilActionTest16);
- UtRegisterTest("UtilActionTest17", UtilActionTest17);
- UtRegisterTest("UtilActionTest18", UtilActionTest18);
- UtRegisterTest("UtilActionTest19", UtilActionTest19);
- UtRegisterTest("UtilActionTest20", UtilActionTest20);
- UtRegisterTest("UtilActionTest21", UtilActionTest21);
- UtRegisterTest("UtilActionTest22", UtilActionTest22);
- UtRegisterTest("UtilActionTest23", UtilActionTest23);
- UtRegisterTest("UtilActionTest24", UtilActionTest24);
 }
 #endif