From a9ac6db0dd4372e35ec6e9f2f05adc602ac90a07 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 14 Oct 2017 10:09:57 +0200
Subject: [PATCH] file_data: move tests into tests/

---
 src/detect-engine-filedata.c | 296 +---------------------------
 src/tests/detect-engine-filedata.c | 300 +++++++++++++++++++++++++++++
 2 files changed, 301 insertions(+), 295 deletions(-)
 create mode 100644 src/tests/detect-engine-filedata.c

diff --git a/src/detect-engine-filedata.c b/src/detect-engine-filedata.c
index a9efdab3ea..f9b7f55f39 100644
--- a/src/detect-engine-filedata.c
+++ b/src/detect-engine-filedata.c
@@ -25,38 +25,17 @@
 #include "suricata-common.h"
 #include "suricata.h"
-#include "decode.h"
 #include "detect.h"
 #include "detect-engine.h"
 #include "detect-engine-mpm.h"
-#include "detect-parse.h"
-#include "detect-engine-state.h"
 #include "detect-engine-content-inspection.h"
 #include "detect-engine-prefilter.h"
 #include "detect-engine-filedata.h"
 #include "detect-engine-hsbd.h"
-#include "flow-util.h"
-#include "util-debug.h"
-#include "util-print.h"
-#include "flow.h"
-
-#include "stream-tcp.h"
-
 #include "app-layer-parser.h"
-#include "util-unittest.h"
-#include "util-unittest-helper.h"
-#include "app-layer.h"
-#include "app-layer-smtp.h"
-#include "app-layer-protos.h"
-
-#include "util-validate.h"
-
-#include "conf.h"
-#include "conf-yaml-loader.h"
-
 #define BUFFER_STEP 50
 static inline int FiledataCreateSpace(DetectEngineThreadCtx *det_ctx, uint16_t size)
@@ -294,279 +273,6 @@ void PrefilterTxFiledata(DetectEngineThreadCtx *det_ctx,
 }
 #ifdef UNITTESTS
-
-static int DetectEngineSMTPFiledataTest01(void)
-{
- uint8_t mimemsg[] = {0x4D, 0x49, 0x4D, 0x45, 0x2D, 0x56, 0x65, 0x72,
- 0x73, 0x69, 0x6F, 0x6E, 0x3A, 0x20, 0x31, 0x2E,
- 0x30, 0x0D, 0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65,
- 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A,
- 0x20, 0x74, 0x65, 0x78, 0x74, 0x2F, 0x70, 0x6C,
- 0x61, 0x69, 0x6E, 0x3B, 0x20, 0x63, 0x68, 0x61,
- 0x72, 0x73, 0x65, 0x74, 0x3D, 0x55, 0x54, 0x46,
- 0x2D, 0x38, 0x3B, 0x0D, 0x0A, 0x43, 0x6F, 0x6E,
- 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x72, 0x61,
- 0x6E, 0x73, 0x66, 0x65, 0x72, 0x2D, 0x45, 0x6E,
- 0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3A, 0x20,
- 0x37, 0x62, 0x69, 0x74, 0x0D, 0x0A, 0x43, 0x6F,
- 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x44, 0x69,
- 0x73, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F,
- 0x6E, 0x3A, 0x20, 0x61, 0x74, 0x74, 0x61, 0x63,
- 0x68, 0x6D, 0x65, 0x6E, 0x74, 0x3B, 0x20, 0x66,
- 0x69, 0x6C, 0x65, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
- 0x22, 0x74, 0x65, 0x73, 0x74, 0x2E, 0x74, 0x78,
- 0x74, 0x22, 0x0D, 0x0A, 0x0D, 0x0A, 0x6d, 0x65,
- 0x73, 0x73, 0x61, 0x67, 0x65,};
- uint32_t mimemsg_len = sizeof(mimemsg) - 1;
- TcpSession ssn;
- Packet *p;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- SMTPState *smtp_state = NULL;
- Flow f;
- int result = 0;
-
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- f.alstate = SMTPStateAlloc();
-
- MimeDecParseState *state = MimeDecInitParser(&f, NULL);
- ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT;
- state->body_begin = 1;
-
- if (SMTPProcessDataChunk((uint8_t *)mimemsg, sizeof(mimemsg), state) != 0)
- goto end;
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST|PKT_STREAM_EOF;
- f.alproto = ALPROTO_SMTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any "
- "(msg:\"file_data smtp test\"; "
- "file_data; content:\"message\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
- STREAM_TOSERVER | STREAM_START | STREAM_EOF,
- mimemsg,
- mimemsg_len);
- if (r != 0) {
- printf("AppLayerParse for smtp failed. Returned %d", r);
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- smtp_state = f.alstate;
- if (smtp_state == NULL) {
- printf("no smtp state: ");
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (!(PacketAlertCheck(p, 1))) {
- printf("sid 1 didn't match but should have\n");
- goto end;
- }
-
- result = 1;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result;
-}
-
-static int DetectEngineSMTPFiledataTest02(void)
-{
- Signature *s = NULL;
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx, "alert smtp any any -> any any "
- "(msg:\"file_data smtp test\"; "
- "file_data; content:\"message\"; sid:1;)");
- if (s == NULL)
- goto end;
-
- if (s->flags & SIG_FLAG_TOSERVER)
- result = 1;
- else if (s->flags & SIG_FLAG_TOCLIENT)
- printf("s->flags & SIG_FLAG_TOCLIENT");
-
-end:
- SigCleanSignatures(de_ctx);
- DetectEngineCtxFree(de_ctx);
- return result;
-
-}
-
-static int DetectEngineSMTPFiledataTest03(void)
-{
- uint8_t mimemsg1[] = {0x65, 0x76,};
- uint8_t mimemsg2[] = {0x69, 0x6C,};
- uint32_t mimemsg1_len = sizeof(mimemsg1) - 1;
- uint32_t mimemsg2_len = sizeof(mimemsg2) - 1;
- TcpSession ssn;
- Packet *p;
- ThreadVars th_v;
- DetectEngineCtx *de_ctx = NULL;
- DetectEngineThreadCtx *det_ctx = NULL;
- SMTPState *smtp_state = NULL;
- Flow f;
- int result = 1;
-
- AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
-
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(f));
- memset(&ssn, 0, sizeof(ssn));
-
- p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
-
- FLOW_INITIALIZE(&f);
- f.protoctx = (void *)&ssn;
- f.proto = IPPROTO_TCP;
- f.flags |= FLOW_IPV4;
- f.alstate = SMTPStateAlloc();
-
- MimeDecParseState *state = MimeDecInitParser(&f, NULL);
- ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT;
- state->body_begin = 1;
-
- if (SMTPProcessDataChunk((uint8_t *)mimemsg1, sizeof(mimemsg1), state) != 0)
- goto end;
-
- if (SMTPProcessDataChunk((uint8_t *)mimemsg2, sizeof(mimemsg2), state) != 0)
- goto end;
-
- p->flow = &f;
- p->flowflags |= FLOW_PKT_TOSERVER;
- p->flowflags |= FLOW_PKT_ESTABLISHED;
- p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
- f.alproto = ALPROTO_SMTP;
-
- StreamTcpInitConfig(TRUE);
-
- de_ctx = DetectEngineCtxInit();
- if (de_ctx == NULL)
- goto end;
-
- de_ctx->flags |= DE_QUIET;
-
- de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any "
- "(msg:\"file_data smtp test\"; "
- "file_data; content:\"evil\"; sid:1;)");
- if (de_ctx->sig_list == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- FLOWLOCK_WRLOCK(&f);
- int r = 0;
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
- STREAM_TOSERVER, mimemsg1, mimemsg1_len);
- if (r != 0) {
- printf("AppLayerParse for smtp failed. Returned %d", r);
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
- STREAM_TOSERVER, mimemsg2, mimemsg2_len);
- if (r != 0) {
- printf("AppLayerParse for smtp failed. Returned %d", r);
- FLOWLOCK_UNLOCK(&f);
- goto end;
- }
- FLOWLOCK_UNLOCK(&f);
-
- smtp_state = f.alstate;
- if (smtp_state == NULL) {
- printf("no smtp state: ");
- goto end;
- }
-
- /* do detect */
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- if (PacketAlertCheck(p, 1)) {
- printf("sid 1 matched but shouldn't have\n");
- goto end;
- }
-
- result = 0;
-
-end:
- if (alp_tctx != NULL)
- AppLayerParserThreadCtxFree(alp_tctx);
- if (de_ctx != NULL)
- SigGroupCleanup(de_ctx);
- if (de_ctx != NULL)
- SigCleanSignatures(de_ctx);
-
- StreamTcpFreeConfig(TRUE);
- FLOW_DESTROY(&f);
- UTHFreePackets(&p, 1);
- return result == 0;
-}
-
+#include "tests/detect-engine-filedata.c"
 #endif /* UNITTESTS */
-void DetectEngineSMTPFiledataRegisterTests(void)
-{
- #ifdef UNITTESTS
- UtRegisterTest("DetectEngineSMTPFiledataTest01",
- DetectEngineSMTPFiledataTest01);
- UtRegisterTest("DetectEngineSMTPFiledataTest02",
- DetectEngineSMTPFiledataTest02);
- UtRegisterTest("DetectEngineSMTPFiledataTest03",
- DetectEngineSMTPFiledataTest03);
- #endif /* UNITTESTS */
-
- return;
-}
diff --git a/src/tests/detect-engine-filedata.c b/src/tests/detect-engine-filedata.c
new file mode 100644
index 0000000000..800196317a
--- /dev/null
+++ b/src/tests/detect-engine-filedata.c
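Review bot: With the tests now pulled in by `#include "tests/detect-engine-filedata.c"` inside `#ifdef UNITTESTS`, `DetectEngineSMTPFiledataRegisterTests` is no longer defined at all in a build without UNITTESTS, whereas the removed definition existed unconditionally with only its body guarded. If its prototype in detect-engine-filedata.h or the caller that registers these tests is not itself wrapped in `#ifdef UNITTESTS`, a non-unittest build will now fail to link; I cannot see the header or the caller from this hunk, so please confirm, or keep a guarded stub such as `#else` / `void DetectEngineSMTPFiledataRegisterTests(void) {}` before the `#endif`. Textually including a .c file also means every file-scope definition the test file acquires later lands in this translation unit, so the included file should stay limited to `static` test functions plus the single register entry point.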
@@ -0,0 +1,300 @@
+/* Copyright (C) 2015-2016 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+
+/** \file
+ *
+ * \author Giuseppe Longo
+ * \author Victor Julien
+ *
+ */
+
+#include "../suricata-common.h"
+#include "../app-layer-smtp.h"
+#include "../stream-tcp.h"
+#include "../util-unittest.h"
+#include "../util-unittest-helper.h"
+
+static int DetectEngineSMTPFiledataTest01(void)
+{
+ uint8_t mimemsg[] = {0x4D, 0x49, 0x4D, 0x45, 0x2D, 0x56, 0x65, 0x72,
+ 0x73, 0x69, 0x6F, 0x6E, 0x3A, 0x20, 0x31, 0x2E,
+ 0x30, 0x0D, 0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65,
+ 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A,
+ 0x20, 0x74, 0x65, 0x78, 0x74, 0x2F, 0x70, 0x6C,
+ 0x61, 0x69, 0x6E, 0x3B, 0x20, 0x63, 0x68, 0x61,
+ 0x72, 0x73, 0x65, 0x74, 0x3D, 0x55, 0x54, 0x46,
+ 0x2D, 0x38, 0x3B, 0x0D, 0x0A, 0x43, 0x6F, 0x6E,
+ 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x72, 0x61,
+ 0x6E, 0x73, 0x66, 0x65, 0x72, 0x2D, 0x45, 0x6E,
+ 0x63, 0x6F, 0x64, 0x69, 0x6E, 0x67, 0x3A, 0x20,
+ 0x37, 0x62, 0x69, 0x74, 0x0D, 0x0A, 0x43, 0x6F,
+ 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x44, 0x69,
+ 0x73, 0x70, 0x6F, 0x73, 0x69, 0x74, 0x69, 0x6F,
+ 0x6E, 0x3A, 0x20, 0x61, 0x74, 0x74, 0x61, 0x63,
+ 0x68, 0x6D, 0x65, 0x6E, 0x74, 0x3B, 0x20, 0x66,
+ 0x69, 0x6C, 0x65, 0x6E, 0x61, 0x6D, 0x65, 0x3D,
+ 0x22, 0x74, 0x65, 0x73, 0x74, 0x2E, 0x74, 0x78,
+ 0x74, 0x22, 0x0D, 0x0A, 0x0D, 0x0A, 0x6d, 0x65,
+ 0x73, 0x73, 0x61, 0x67, 0x65,};
+ uint32_t mimemsg_len = sizeof(mimemsg) - 1;
+ TcpSession ssn;
+ Packet *p;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ SMTPState *smtp_state = NULL;
+ Flow f;
+ int result = 0;
+
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ f.alstate = SMTPStateAlloc();
+
+ MimeDecParseState *state = MimeDecInitParser(&f, NULL);
+ ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT;
+ state->body_begin = 1;
+
+ if (SMTPProcessDataChunk((uint8_t *)mimemsg, sizeof(mimemsg), state) != 0)
+ goto end;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST|PKT_STREAM_EOF;
+ f.alproto = ALPROTO_SMTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any "
+ "(msg:\"file_data smtp test\"; "
+ "file_data; content:\"message\"; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
+ STREAM_TOSERVER | STREAM_START | STREAM_EOF,
+ mimemsg,
+ mimemsg_len);
+ if (r != 0) {
+ printf("AppLayerParse for smtp failed. Returned %d", r);
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ smtp_state = f.alstate;
+ if (smtp_state == NULL) {
+ printf("no smtp state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (!(PacketAlertCheck(p, 1))) {
+ printf("sid 1 didn't match but should have\n");
+ goto end;
+ }
+
+ result = 1;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result;
+}
+
+static int DetectEngineSMTPFiledataTest02(void)
+{
+ Signature *s = NULL;
+ DetectEngineCtx *de_ctx = NULL;
+ int result = 0;
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ s = DetectEngineAppendSig(de_ctx, "alert smtp any any -> any any "
+ "(msg:\"file_data smtp test\"; "
+ "file_data; content:\"message\"; sid:1;)");
+ if (s == NULL)
+ goto end;
+
+ if (s->flags & SIG_FLAG_TOSERVER)
+ result = 1;
+ else if (s->flags & SIG_FLAG_TOCLIENT)
+ printf("s->flags & SIG_FLAG_TOCLIENT");
+
+end:
+ SigCleanSignatures(de_ctx);
+ DetectEngineCtxFree(de_ctx);
+ return result;
+
+}
+
+static int DetectEngineSMTPFiledataTest03(void)
+{
+ uint8_t mimemsg1[] = {0x65, 0x76,};
+ uint8_t mimemsg2[] = {0x69, 0x6C,};
+ uint32_t mimemsg1_len = sizeof(mimemsg1) - 1;
+ uint32_t mimemsg2_len = sizeof(mimemsg2) - 1;
+ TcpSession ssn;
+ Packet *p;
+ ThreadVars th_v;
+ DetectEngineCtx *de_ctx = NULL;
+ DetectEngineThreadCtx *det_ctx = NULL;
+ SMTPState *smtp_state = NULL;
+ Flow f;
+ int result = 1;
+
+ AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
+
+ memset(&th_v, 0, sizeof(th_v));
+ memset(&f, 0, sizeof(f));
+ memset(&ssn, 0, sizeof(ssn));
+
+ p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
+
+ FLOW_INITIALIZE(&f);
+ f.protoctx = (void *)&ssn;
+ f.proto = IPPROTO_TCP;
+ f.flags |= FLOW_IPV4;
+ f.alstate = SMTPStateAlloc();
+
+ MimeDecParseState *state = MimeDecInitParser(&f, NULL);
+ ((MimeDecEntity *)state->stack->top->data)->ctnt_flags = CTNT_IS_ATTACHMENT;
+ state->body_begin = 1;
+
+ if (SMTPProcessDataChunk((uint8_t *)mimemsg1, sizeof(mimemsg1), state) != 0)
+ goto end;
+
+ if (SMTPProcessDataChunk((uint8_t *)mimemsg2, sizeof(mimemsg2), state) != 0)
+ goto end;
+
+ p->flow = &f;
+ p->flowflags |= FLOW_PKT_TOSERVER;
+ p->flowflags |= FLOW_PKT_ESTABLISHED;
+ p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
+ f.alproto = ALPROTO_SMTP;
+
+ StreamTcpInitConfig(TRUE);
+
+ de_ctx = DetectEngineCtxInit();
+ if (de_ctx == NULL)
+ goto end;
+
+ de_ctx->flags |= DE_QUIET;
+
+ de_ctx->sig_list = SigInit(de_ctx, "alert smtp any any -> any any "
+ "(msg:\"file_data smtp test\"; "
+ "file_data; content:\"evil\"; sid:1;)");
+ if (de_ctx->sig_list == NULL) {
+ goto end;
+ }
+
+ SigGroupBuild(de_ctx);
+ DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
+
+ FLOWLOCK_WRLOCK(&f);
+ int r = 0;
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
+ STREAM_TOSERVER, mimemsg1, mimemsg1_len);
+ if (r != 0) {
+ printf("AppLayerParse for smtp failed. Returned %d", r);
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SMTP,
+ STREAM_TOSERVER, mimemsg2, mimemsg2_len);
+ if (r != 0) {
+ printf("AppLayerParse for smtp failed. Returned %d", r);
+ FLOWLOCK_UNLOCK(&f);
+ goto end;
+ }
+ FLOWLOCK_UNLOCK(&f);
+
+ smtp_state = f.alstate;
+ if (smtp_state == NULL) {
+ printf("no smtp state: ");
+ goto end;
+ }
+
+ /* do detect */
+ SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
+
+ if (PacketAlertCheck(p, 1)) {
+ printf("sid 1 matched but shouldn't have\n");
+ goto end;
+ }
+
+ result = 0;
+
+end:
+ if (alp_tctx != NULL)
+ AppLayerParserThreadCtxFree(alp_tctx);
+ if (de_ctx != NULL)
+ SigGroupCleanup(de_ctx);
+ if (de_ctx != NULL)
+ SigCleanSignatures(de_ctx);
+
+ StreamTcpFreeConfig(TRUE);
+ FLOW_DESTROY(&f);
+ UTHFreePackets(&p, 1);
+ return result == 0;
+}
+
+void DetectEngineSMTPFiledataRegisterTests(void)
+{
+ UtRegisterTest("DetectEngineSMTPFiledataTest01",
+ DetectEngineSMTPFiledataTest01);
+ UtRegisterTest("DetectEngineSMTPFiledataTest02",
+ DetectEngineSMTPFiledataTest02);
+ UtRegisterTest("DetectEngineSMTPFiledataTest03",
+ DetectEngineSMTPFiledataTest03);
+}
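Review bot: `uint32_t mimemsg_len = sizeof(mimemsg) - 1;` in Test01, and the matching `mimemsg1_len`/`mimemsg2_len` lines in Test03, apply the string-literal NUL-terminator idiom to brace-initialised byte arrays that carry no terminator, so the last real byte is silently dropped: Test01 hands `AppLayerParserParse` the message minus the final `0x65` of "message" while the `SMTPProcessDataChunk` call a few lines earlier gets the full `sizeof(mimemsg)`, and Test03 feeds one byte per chunk instead of the two-byte halves "ev"/"il" its data suggests, so whatever it is proving about a cross-chunk "evil" match it is not proving with that input. This is moved code and the commit does not touch it, but since the file is now standalone it is a good moment to change the three lengths to `sizeof(mimemsg)`, `sizeof(mimemsg1)` and `sizeof(mimemsg2)` and confirm both tests still pass for the intended reason. Separately, Test01 and Test03 never call `DetectEngineThreadCtxDeinit` or `DetectEngineCtxFree` on the contexts they create (Test02 does free `de_ctx`), and the `MimeDecParseState` returned by `MimeDecInitParser` is never released, which would surface as leaks in a leak-checking unittest run; the results of `UTHBuildPacket` and `AppLayerParserThreadCtxAlloc` are also dereferenced without a NULL check. The header's `Copyright (C) 2015-2016` also predates this 2017 file and presumably should be extended.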