diff --git a/src/detect-hostbits.c b/src/detect-hostbits.c
index fd24123251..03ebfb2267 100644
--- a/src/detect-hostbits.c
+++ b/src/detect-hostbits.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2007-2020 Open Information Security Foundation
+/* Copyright (C) 2007-2022 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
@@ -642,94 +642,14 @@ static int HostBitsTestSig02(void)
 PASS;
 }
-#if 0
 /**
- * \test HostBitsTestSig03 is a test for a invalid flowbits option
+ * \test HostBitsTestSig03 is a test check idx value
 *
 * \retval 1 on succces
 * \retval 0 on failure
 */
 static int HostBitsTestSig03(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
- int result = 0;
-
- memset(&th_v, 0, sizeof(th_v));
- memset(p, 0, SIZE_OF_PACKET);
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload = buf;
- p->payload_len = buflen;
- p->proto = IPPROTO_TCP;
-
- de_ctx = DetectEngineCtxInit();
-
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Unknown cmd\"; flowbits:wrongcmd; content:\"GET \"; sid:1;)");
-
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- result = 1;
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
-end:
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- }
-
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
-
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
-
- SCFree(p);
- return result;
-}
-#endif
-
-/**
- * \test HostBitsTestSig04 is a test check idx value
- *
- * \retval 1 on succces
- * \retval 0 on failure
- */
-
-static int HostBitsTestSig04(void)
 {
 uint8_t *buf = (uint8_t *)
 "GET /one/ HTTP/1.1\r\n"
@@ -779,455 +699,6 @@ static int HostBitsTestSig04(void)
 PASS;
 }
-/**
- * \test HostBitsTestSig05 is a test check noalert flag
- *
- * \retval 1 on succces
- * \retval 0 on failure
- */
-
-static int HostBitsTestSig05(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
-
- memset(&th_v, 0, sizeof(th_v));
- memset(p, 0, SIZE_OF_PACKET);
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload = buf;
- p->payload_len = buflen;
- p->proto = IPPROTO_TCP;
-
- HostBitsTestSetup();
-
- de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,
- "alert ip any any -> any any (hostbits:noalert; content:\"GET \"; sid:1;)");
- FAIL_IF_NULL(s);
- FAIL_IF((s->flags & SIG_FLAG_NOALERT) != SIG_FLAG_NOALERT);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- FAIL_IF(PacketAlertCheck(p, 1));
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- HostBitsTestShutdown();
-
- SCFree(p);
- PASS;
-}
-
-#if 0
-/**
- * \test HostBitsTestSig06 is a test set flowbits option
- *
- * \retval 1 on succces
- * \retval 0 on failure
- */
-
-static int HostBitsTestSig06(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
- Flow f;
- GenericVar flowvar, *gv = NULL;
- int result = 0;
- int idx = 0;
-
- memset(p, 0, SIZE_OF_PACKET);
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(Flow));
- memset(&flowvar, 0, sizeof(GenericVar));
-
- FLOW_INITIALIZE(&f);
- p->flow = &f;
- p->flow->flowvar = &flowvar;
-
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload = buf;
- p->payload_len = buflen;
- p->proto = IPPROTO_TCP;
- p->flags |= PKT_HAS_FLOW;
- p->flowflags |= FLOW_PKT_TOSERVER;
-
- de_ctx = DetectEngineCtxInit();
-
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow; sid:10;)");
-
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
-
- gv = p->flow->flowvar;
-
- for ( ; gv != NULL; gv = gv->next) {
- if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
- result = 1;
- }
- }
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- if(gv) GenericVarFree(gv);
- FLOW_DESTROY(&f);
-
- SCFree(p);
- return result;
-end:
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- }
-
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
-
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- if(gv) GenericVarFree(gv);
- FLOW_DESTROY(&f);
- SCFree(p);
- return result;
-}
-
-/**
- * \test HostBitsTestSig07 is a test unset flowbits option
- *
- * \retval 1 on succces
- * \retval 0 on failure
- */
-
-static int HostBitsTestSig07(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
- Flow f;
- GenericVar flowvar, *gv = NULL;
- int result = 0;
- int idx = 0;
-
- memset(p, 0, SIZE_OF_PACKET);
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(Flow));
- memset(&flowvar, 0, sizeof(GenericVar));
-
- FLOW_INITIALIZE(&f);
- p->flow = &f;
- p->flow->flowvar = &flowvar;
-
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload = buf;
- p->payload_len = buflen;
- p->proto = IPPROTO_TCP;
-
- de_ctx = DetectEngineCtxInit();
-
- if (de_ctx == NULL) {
- goto end;
- }
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit set\"; flowbits:set,myflow2; sid:10;)");
- if (s == NULL) {
- goto end;
- }
-
- s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Flowbit unset\"; flowbits:unset,myflow2; sid:11;)");
- if (s == NULL) {
- goto end;
- }
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- idx = VariableNameGetIdx(de_ctx, "myflow", VAR_TYPE_HOST_BIT);
-
- gv = p->flow->flowvar;
-
- for ( ; gv != NULL; gv = gv->next) {
- if (gv->type == DETECT_HOSTBITS && gv->idx == idx) {
- result = 1;
- }
- }
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- if(gv) GenericVarFree(gv);
- FLOW_DESTROY(&f);
-
- SCFree(p);
- return result;
-end:
-
- if (de_ctx != NULL) {
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
- }
-
- if (det_ctx != NULL) {
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- }
-
- if (de_ctx != NULL) {
- DetectEngineCtxFree(de_ctx);
- }
-
- if(gv) GenericVarFree(gv);
- FLOW_DESTROY(&f);
-
- SCFree(p);
- return result;}
-#endif
-
-/**
- * \test set / isset
- *
- * \retval 1 on succces
- * \retval 0 on failure
- */
-static int HostBitsTestSig07(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
- Flow f;
- int result = 0;
-
- memset(p, 0, SIZE_OF_PACKET);
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(Flow));
-
- HostBitsTestSetup();
-
- FLOW_INITIALIZE(&f);
- p->flow = &f;
- p->flowflags = FLOW_PKT_TOSERVER;
-
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload = buf;
- p->payload_len = buflen;
- p->proto = IPPROTO_TCP;
-
- de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
-
- de_ctx->flags |= DE_QUIET;
-
- s = de_ctx->sig_list = SigInit(de_ctx,
- "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
- FAIL_IF_NULL(s);
-
- s = s->next = SigInit(de_ctx,
- "alert ip any any -> any any (hostbits:isset,myflow2; sid:11;)");
- FAIL_IF_NULL(s);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- SCLogInfo("p->host_src %p", p->host_src);
-
- if (HostHasHostBits(p->host_src) == 1) {
- if (PacketAlertCheck(p, 11)) {
- result = 1;
- }
- }
- FAIL_IF_NOT(result);
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- FLOW_DESTROY(&f);
-
- HostBitsTestShutdown();
- SCFree(p);
- PASS;
-}
-
-/**
- * \test set / toggle / toggle / isset
- *
- * \retval 1 on succces
- * \retval 0 on failure
- */
-static int HostBitsTestSig08(void)
-{
- uint8_t *buf = (uint8_t *)
- "GET /one/ HTTP/1.1\r\n"
- "Host: one.example.org\r\n"
- "\r\n";
- uint16_t buflen = strlen((char *)buf);
- Packet *p = SCMalloc(SIZE_OF_PACKET);
- if (unlikely(p == NULL))
- return 0;
- Signature *s = NULL;
- ThreadVars th_v;
- DetectEngineThreadCtx *det_ctx = NULL;
- DetectEngineCtx *de_ctx = NULL;
- Flow f;
-
- memset(p, 0, SIZE_OF_PACKET);
- memset(&th_v, 0, sizeof(th_v));
- memset(&f, 0, sizeof(Flow));
-
- HostBitsTestSetup();
-
- FLOW_INITIALIZE(&f);
- p->flow = &f;
-
- p->src.family = AF_INET;
- p->dst.family = AF_INET;
- p->payload = buf;
- p->payload_len = buflen;
- p->proto = IPPROTO_TCP;
-
- de_ctx = DetectEngineCtxInit();
- FAIL_IF_NULL(de_ctx);
-
- de_ctx->flags |= DE_QUIET;
-
- s = DetectEngineAppendSig(de_ctx,
- "alert ip any any -> any any (hostbits:set,myflow2; sid:10;)");
- FAIL_IF_NULL(s);
- s = DetectEngineAppendSig(de_ctx,
- "alert ip any any -> any any (hostbits:toggle,myflow2; sid:11;)");
- FAIL_IF_NULL(s);
- s = DetectEngineAppendSig(de_ctx,
- "alert ip any any -> any any (hostbits:toggle,myflow2; sid:12;)");
- FAIL_IF_NULL(s);
- s = DetectEngineAppendSig(de_ctx,
- "alert ip any any -> any any (hostbits:isset,myflow2; sid:13;)");
- FAIL_IF_NULL(s);
-
- SCSigRegisterSignatureOrderingFuncs(de_ctx);
- SCSigOrderSignatures(de_ctx);
- SCSigSignatureOrderingModuleCleanup(de_ctx);
-
- SigGroupBuild(de_ctx);
- DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
-
- SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
-
- SCLogInfo("p->host_src %p", p->host_src);
-
- if (HostHasHostBits(p->host_src) == 1) {
- if (PacketAlertCheck(p, 10)) {
- SCLogInfo("sid 10 matched");
- }
- if (PacketAlertCheck(p, 11)) {
- SCLogInfo("sid 11 matched");
- }
- if (PacketAlertCheck(p, 12)) {
- SCLogInfo("sid 12 matched");
- }
- if (PacketAlertCheck(p, 13)) {
- SCLogInfo("sid 13 matched");
- } else {
- FAIL;
- }
- }
-
- SigGroupCleanup(de_ctx);
- SigCleanSignatures(de_ctx);
-
- DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
- DetectEngineCtxFree(de_ctx);
-
- FLOW_DESTROY(&f);
-
- HostBitsTestShutdown();
-
- SCFree(p);
- PASS;
-}
-
 /**
 * \brief this function registers unit tests for HostBits
 */
@@ -1236,15 +707,6 @@ void HostBitsRegisterTests(void)
 UtRegisterTest("HostBitsTestParse01", HostBitsTestParse01);
 UtRegisterTest("HostBitsTestSig01", HostBitsTestSig01);
 UtRegisterTest("HostBitsTestSig02", HostBitsTestSig02);
-#if 0
- UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03, 0);
-#endif
- UtRegisterTest("HostBitsTestSig04", HostBitsTestSig04);
- UtRegisterTest("HostBitsTestSig05", HostBitsTestSig05);
-#if 0
- UtRegisterTest("HostBitsTestSig06", HostBitsTestSig06, 1);
-#endif
- UtRegisterTest("HostBitsTestSig07", HostBitsTestSig07);
- UtRegisterTest("HostBitsTestSig08", HostBitsTestSig08);
+ UtRegisterTest("HostBitsTestSig03", HostBitsTestSig03);
 }
 #endif /* UNITTESTS */
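Review bot: The registration list in HostBitsRegisterTests now runs only Parse01, Sig01, Sig02 and the renamed Sig03, so three tests that were live (not under `#if 0`) stop running: HostBitsTestSig05, HostBitsTestSig07 and HostBitsTestSig08. Going by the removed bodies in the earlier hunk, they asserted that `hostbits:noalert` sets SIG_FLAG_NOALERT and raises no alert, that `isset` matches after `set`, and that `isset` still matches after set/toggle/toggle. Nothing visible in this diff replaces those assertions, so a regression in hostbits state handling could silently change which rules fire. If the coverage has moved elsewhere, record that above the registrations with a comment such as `/* noalert, set/isset and toggle behaviour is covered by <external test suite>; only parse and idx tests remain here */`; otherwise keep those three tests and their registrations.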