detect: dce test fixes and improvements

pull/2559/head
Victor Julien 9 years ago
parent a2b521b7fa
commit debc1a6334

@ -354,8 +354,6 @@ static int DetectDceOpnumTestParse01(void)
Signature *s = SigAlloc();
int result = 0;
memset(s, 0, sizeof(Signature));
result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
result &= (DetectDceOpnumSetup(NULL, s, "12,24") == 0);
result &= (DetectDceOpnumSetup(NULL, s, "12,12-24") == 0);
@ -380,8 +378,6 @@ static int DetectDceOpnumTestParse02(void)
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
memset(s, 0, sizeof(Signature));
result = (DetectDceOpnumSetup(NULL, s, "12") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
@ -409,8 +405,6 @@ static int DetectDceOpnumTestParse03(void)
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
memset(s, 0, sizeof(Signature));
result = (DetectDceOpnumSetup(NULL, s, "12-24") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
@ -438,8 +432,6 @@ static int DetectDceOpnumTestParse04(void)
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
memset(s, 0, sizeof(Signature));
result = (DetectDceOpnumSetup(NULL, s, "12-24,24,62-72,623-635,62,25,213-235") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
@ -504,8 +496,6 @@ static int DetectDceOpnumTestParse05(void)
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
memset(s, 0, sizeof(Signature));
result = (DetectDceOpnumSetup(NULL, s, "1,2,3,4,5,6,7") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
@ -570,8 +560,6 @@ static int DetectDceOpnumTestParse06(void)
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
memset(s, 0, sizeof(Signature));
result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {
@ -618,8 +606,6 @@ static int DetectDceOpnumTestParse07(void)
DetectDceOpnumRange *dor = NULL;
SigMatch *temp = NULL;
memset(s, 0, sizeof(Signature));
result = (DetectDceOpnumSetup(NULL, s, "1-2,3-4,5-6,7-8,9") == 0);
if (s->sm_lists[DETECT_SM_LIST_AMATCH] != NULL) {

@ -105,20 +105,16 @@ static int DetectDceStubDataSetup(DetectEngineCtx *de_ctx, Signature *s, char *a
static int DetectDceStubDataTestParse01(void)
{
Signature s;
int result = 0;
memset(&s, 0, sizeof(Signature));
result = (DetectDceStubDataSetup(NULL, &s, NULL) == 0);
if (s.sm_lists[DETECT_SM_LIST_AMATCH] == NULL) {
result = 1;
} else {
result = 0;
}
return result;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags = DE_QUIET;
Signature *s = DetectEngineAppendSig(de_ctx,
"alert tcp any any -> any any (dce_stub_data; content:\"1\"; sid:1;)");
FAIL_IF_NULL(s);
FAIL_IF_NOT_NULL(s->sm_lists[DETECT_SM_LIST_AMATCH]);
FAIL_IF_NULL(s->sm_lists[DETECT_SM_LIST_DMATCH]);
DetectEngineCtxFree(de_ctx);
PASS;
}
/**
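Review bot: `de_ctx->flags = DE_QUIET;` in the rewritten DetectDceStubDataTestParse01 overwrites the whole flag word, while the converted DcePayloadParseTest44 in this same commit uses `de_ctx->flags |= DE_QUIET;`. Plain assignment would discard any flag that DetectEngineCtxInit() set on the context, so `de_ctx->flags |= DE_QUIET;` is the safer and more consistent form. Separately, if the FAIL_IF_* macros return from the function on failure (their definition is not shown on this page), a failed assertion skips `DetectEngineCtxFree(de_ctx)`. That is tolerable in a unit test, but a short comment saying so would spare the next reader the question.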

@ -9796,125 +9796,88 @@ end:
static int DcePayloadParseTest44(void)
{
DetectEngineCtx *de_ctx = NULL;
int result = 1;
Signature *s = NULL;
SigMatch *sm = NULL;
DetectContentData *data = NULL;
DetectIsdataatData *isd = NULL;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(msg:\"Testing bytejump_body\"; "
"content:\"one\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:\"one\"; within:4; distance:8; "
"pkt_data; "
"content:\"two\"; "
"sid:1;)");
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
if (s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH] == NULL) {
result = 0;
goto end;
}
if (s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH] == NULL) {
result = 0;
goto end;
}
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any ("
"content:\"one\"; "
"dce_iface:12345678-1234-1234-1234-123456789012; "
"dce_opnum:10; dce_stub_data; "
"isdataat:10,relative; "
"content:\"one\"; within:4; distance:8; "
"pkt_data; "
"content:\"two\"; "
"sid:1;)");
FAIL_IF_NULL(s);
FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_DMATCH]);
FAIL_IF_NULL(s->init_data->smlists_tail[DETECT_SM_LIST_PMATCH]);
/* isdataat:10,relative; */
sm = s->init_data->smlists[DETECT_SM_LIST_DMATCH];
if (sm->type != DETECT_ISDATAAT) {
result = 0;
goto end;
}
FAIL_IF(sm->type != DETECT_ISDATAAT);
isd = (DetectIsdataatData *)sm->ctx;
if ( isd->flags & ISDATAAT_RAWBYTES ||
!(isd->flags & ISDATAAT_RELATIVE)) {
result = 0;
goto end;
}
FAIL_IF(isd->flags & ISDATAAT_RAWBYTES);
FAIL_IF_NOT(isd->flags & ISDATAAT_RELATIVE);
FAIL_IF_NULL(sm->next);
sm = sm->next;
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
}
data = (DetectContentData *)sm->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE ||
!(data->flags & DETECT_CONTENT_WITHIN) ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
data->flags & DETECT_CONTENT_NEGATED ) {
result = 0;
printf("two failed\n");
goto end;
}
result &= (strncmp((char *)data->content, "one", 3) == 0);
if (result == 0)
goto end;
result &= (sm->next == NULL);
/* content:\"one\"; within:4; distance:8; */
FAIL_IF(sm->type != DETECT_CONTENT);
data = (DetectContentData *)sm->ctx;
FAIL_IF (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE ||
!(data->flags & DETECT_CONTENT_WITHIN) ||
!(data->flags & DETECT_CONTENT_DISTANCE) ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
data->flags & DETECT_CONTENT_NEGATED );
FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
FAIL_IF_NOT(sm->next == NULL);
/* first content:\"one\"; */
sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH];
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
}
FAIL_IF(sm->type != DETECT_CONTENT);
data = (DetectContentData *)sm->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN ||
data->flags & DETECT_CONTENT_DISTANCE ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_RELATIVE_NEXT ||
data->flags & DETECT_CONTENT_NEGATED ) {
printf("three failed\n");
result = 0;
goto end;
}
result &= (strncmp((char *)data->content, "one", 3) == 0);
if (result == 0)
goto end;
FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
FAIL_IF(data->flags & DETECT_CONTENT_WITHIN);
FAIL_IF(data->flags & DETECT_CONTENT_DISTANCE);
FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
FAIL_IF(data->flags & DETECT_CONTENT_NEGATED );
FAIL_IF_NOT(strncmp((char *)data->content, "one", 3) == 0);
FAIL_IF_NULL(sm->next);
sm = sm->next;
if (sm->type != DETECT_CONTENT) {
result = 0;
goto end;
}
FAIL_IF(sm->type != DETECT_CONTENT);
data = (DetectContentData *)sm->ctx;
if (data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN ||
data->flags & DETECT_CONTENT_DISTANCE ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED ) {
printf("two failed\n");
result = 0;
goto end;
}
result &= (strncmp((char *)data->content, "two", 3) == 0);
if (result == 0)
goto end;
FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES ||
data->flags & DETECT_CONTENT_NOCASE ||
data->flags & DETECT_CONTENT_WITHIN ||
data->flags & DETECT_CONTENT_DISTANCE ||
data->flags & DETECT_CONTENT_FAST_PATTERN ||
data->flags & DETECT_CONTENT_NEGATED );
result &= (sm->next == NULL);
FAIL_IF_NOT(strncmp((char *)data->content, "two", 3) == 0);
FAIL_IF_NOT(sm->next == NULL);
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
PASS;
}
/**
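Review bot: Two content checks in DcePayloadParseTest44 still pass one OR-ed expression to FAIL_IF (the `within:4; distance:8` content in the DMATCH list and the final `"two"` content in the PMATCH list), whereas the first PMATCH content was split into one FAIL_IF per flag. With the combined form a failure presumably reports only the whole expression, so the reader cannot tell which flag was wrong; splitting these the same way keeps the test useful when keyword-to-buffer binding regresses. The `strncmp(..., 3)` comparisons also accept any content that merely begins with the expected bytes, so adding `FAIL_IF(data->content_len != 3);` next to each would pin the length as well. A sketch of the split for the first of the two blocks follows.

```c
data = (DetectContentData *)sm->ctx;
FAIL_IF(data->flags & DETECT_CONTENT_RAWBYTES);
FAIL_IF(data->flags & DETECT_CONTENT_NOCASE);
FAIL_IF_NOT(data->flags & DETECT_CONTENT_WITHIN);
FAIL_IF_NOT(data->flags & DETECT_CONTENT_DISTANCE);
FAIL_IF(data->flags & DETECT_CONTENT_FAST_PATTERN);
FAIL_IF(data->flags & DETECT_CONTENT_RELATIVE_NEXT);
FAIL_IF(data->flags & DETECT_CONTENT_NEGATED);
/* … unchanged: content and sm->next checks, PMATCH list checks … */
```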
