suricata
detect-engine-address-ipv4.c
1/* Copyright (C) 2007-2010 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Victor Julien <victor@inliniac.net>
22 *
23 * IPV4 Address part of the detection engine.
24 */
25
26#include "suricata-common.h"
27
28#include "decode.h"
29#include "detect.h"
30#include "flow-var.h"
31
32#include "util-cidr.h"
33#include "util-unittest.h"
34
38#include "detect-engine-port.h"
39
40#include "util-error.h"
41#include "util-debug.h"
42
43/**
44 * \brief Compares 2 addresses(address ranges) and returns the relationship
45 * between the 2 addresses.
46 *
47 * \param a Pointer to the first address instance to be compared.
48 * \param b Pointer to the second address instance to be compared.
49 *
50 * \retval ADDRESS_EQ If the 2 address ranges a and b, are equal.
51 * \retval ADDRESS_ES b encapsulates a. b_ip1[...a_ip1...a_ip2...]b_ip2.
52 * \retval ADDRESS_EB a encapsulates b. a_ip1[...b_ip1....b_ip2...]a_ip2.
53 * \retval ADDRESS_LE a_ip1(...b_ip1==a_ip2...)b_ip2
54 * \retval ADDRESS_LT a_ip1(...b_ip1...a_ip2...)b_ip2
55 * \retval ADDRESS_GE b_ip1(...a_ip1==b_ip2...)a_ip2
56 * \retval ADDRESS_GT a_ip1 > b_ip2, i.e. the address range for 'a' starts only
57 * after the end of the address range for 'b'
58 */
/* Signature restored from the page's cross-reference index; the rendered
 * listing drops the line that carried it. */
int DetectAddressCmpIPv4(DetectAddress *a, DetectAddress *b)
{
    /* Convert both range bounds to host byte order so the comparisons
     * below are plain numeric comparisons. */
    const uint32_t a_lo = SCNtohl(a->ip.addr_data32[0]);
    const uint32_t a_hi = SCNtohl(a->ip2.addr_data32[0]);
    const uint32_t b_lo = SCNtohl(b->ip.addr_data32[0]);
    const uint32_t b_hi = SCNtohl(b->ip2.addr_data32[0]);

    /* Identical ranges. */
    if (a_lo == b_lo && a_hi == b_hi) {
        SCLogDebug("ADDRESS_EQ");
        return ADDRESS_EQ;
    }

    /* a sits entirely inside b. */
    if (a_lo >= b_lo && a_lo <= b_hi && a_hi <= b_hi) {
        SCLogDebug("ADDRESS_ES");
        return ADDRESS_ES;
    }

    /* b sits entirely inside a. */
    if (a_lo <= b_lo && a_hi >= b_hi) {
        SCLogDebug("ADDRESS_EB");
        return ADDRESS_EB;
    }

    /* a starts and ends before b does: LE when the two ranges share at
     * least one address (a_hi reaches b_lo or beyond), LT when they are
     * disjoint. */
    if (a_lo < b_lo && a_hi < b_hi) {
        if (a_hi >= b_lo) {
            SCLogDebug("ADDRESS_LE");
            return ADDRESS_LE;
        }
        SCLogDebug("ADDRESS_LT");
        return ADDRESS_LT;
    }

    /* a starts inside b and runs past its end. */
    if (a_lo > b_lo && a_lo <= b_hi && a_hi > b_hi) {
        SCLogDebug("ADDRESS_GE");
        return ADDRESS_GE;
    }

    /* a starts after b has ended. */
    if (a_lo > b_hi) {
        SCLogDebug("ADDRESS_GT");
        return ADDRESS_GT;
    }

    /* Defensive fall-through: none of the relations above matched. */
    SCLogDebug("Internal Error: should be unreachable");
    return ADDRESS_ER;
}
94
95/**
96 * \brief Cut groups and merge sigs
97 *
98 * a = 1.2.3.4, b = 1.2.3.4-1.2.3.5
99 * must result in: a == 1.2.3.4, b == 1.2.3.5, c == NULL
100 *
101 * a = 1.2.3.4, b = 1.2.3.3-1.2.3.5
102 * must result in: a == 1.2.3.3, b == 1.2.3.4, c == 1.2.3.5
103 *
104 * a = 1.2.3.0/24 b = 1.2.3.128-1.2.4.10
105 * must result in: a == 1.2.3.0/24, b == 1.2.4.0-1.2.4.10, c == NULL
106 *
107 * a = 1.2.3.4, b = 1.2.3.0/24
108 * must result in: a == 1.2.3.0-1.2.3.3, b == 1.2.3.4, c == 1.2.3.5-1.2.3.255
109 *
110 * \retval 0 On success.
111 * \retval -1 On failure.
112 */
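/* Signature restored from the page's cross-reference index; the rendered
 * listing drops the line that carried it.
 *
 * Splits two overlapping IPv4 ranges into two or three non-overlapping
 * ranges. 'a' and 'b' are rewritten in place; when a third range is needed
 * it is allocated and handed back through 'c', otherwise *c is NULL.
 * 'de_ctx' is not referenced in the body shown.
 *
 * Returns 0 on success and -1 when the ranges do not overlap in a way this
 * function handles (anything other than ES/EB/LE/GE) or when an allocation
 * fails. All new bounds are computed and the third range is allocated
 * before 'a' or 'b' is written, so a failed allocation no longer leaves the
 * caller with two half-rewritten ranges and a -1 return. */
int DetectAddressCutIPv4(DetectEngineCtx *de_ctx, DetectAddress *a, DetectAddress *b, DetectAddress **c)
{
    /* Original bounds in host byte order. */
    const uint32_t a_ip1 = SCNtohl(a->ip.addr_data32[0]);
    const uint32_t a_ip2 = SCNtohl(a->ip2.addr_data32[0]);
    const uint32_t b_ip1 = SCNtohl(b->ip.addr_data32[0]);
    const uint32_t b_ip2 = SCNtohl(b->ip2.addr_data32[0]);

    /* New bounds (host byte order), committed only once nothing can fail. */
    uint32_t new_a1 = 0, new_a2 = 0;
    uint32_t new_b1 = 0, new_b2 = 0;
    uint32_t new_c1 = 0, new_c2 = 0;
    int need_c = 0;

    DetectAddress *tmp = NULL;
    DetectAddress *tmp_c = NULL;
    int r = 0;

    /* default to NULL */
    *c = NULL;

    r = DetectAddressCmpIPv4(a, b);
    if (r != ADDRESS_ES && r != ADDRESS_EB && r != ADDRESS_LE && r != ADDRESS_GE) {
        SCLogDebug("we shouldn't be here");
        goto error;
    }

    /* Scratch instance kept from the original: in the body shown it is only
     * allocated and released, so dropping it would change when the function
     * fails on allocation. */
    tmp = DetectAddressInit();
    if (tmp == NULL)
        goto error;

    if (r == ADDRESS_LE) {
        /* [aaa[abab)bbb]
         * part a: a_ip1     <-> b_ip1 - 1
         * part b: b_ip1     <-> a_ip2
         * part c: a_ip2 + 1 <-> b_ip2 */
        SCLogDebug("DetectAddressCutIPv4: r == ADDRESS_LE");

        new_a1 = a_ip1;     new_a2 = b_ip1 - 1;
        new_b1 = b_ip1;     new_b2 = a_ip2;
        new_c1 = a_ip2 + 1; new_c2 = b_ip2;
        need_c = 1;

    } else if (r == ADDRESS_GE) {
        /* [bbb[baba]aaa]
         * part a: b_ip1     <-> a_ip1 - 1
         * part b: a_ip1     <-> b_ip2
         * part c: b_ip2 + 1 <-> a_ip2 */
        SCLogDebug("DetectAddressCutIPv4: r == ADDRESS_GE");

        new_a1 = b_ip1;     new_a2 = a_ip1 - 1;
        new_b1 = a_ip1;     new_b2 = b_ip2;
        new_c1 = b_ip2 + 1; new_c2 = a_ip2;
        need_c = 1;

    } else if (r == ADDRESS_ES) {
        /* a lies inside b: two parts when they share a start or an end,
         * three parts ([bbb[aaa]bbb] -> [aaa[bbb]ccc]) otherwise. */
        SCLogDebug("DetectAddressCutIPv4: r == ADDRESS_ES");

        if (a_ip1 == b_ip1) {
            SCLogDebug("DetectAddressCutIPv4: 1");

            new_a1 = a_ip1;     new_a2 = a_ip2;
            new_b1 = a_ip2 + 1; new_b2 = b_ip2;
        } else if (a_ip2 == b_ip2) {
            SCLogDebug("DetectAddressCutIPv4: 2");

            new_a1 = b_ip1;     new_a2 = a_ip1 - 1;
            new_b1 = a_ip1;     new_b2 = a_ip2;
        } else {
            SCLogDebug("3");

            new_a1 = b_ip1;     new_a2 = a_ip1 - 1;
            new_b1 = a_ip1;     new_b2 = a_ip2;
            new_c1 = a_ip2 + 1; new_c2 = b_ip2;
            need_c = 1;
        }

    } else if (r == ADDRESS_EB) {
        /* b lies inside a: two parts when they share a start or an end,
         * three parts ([aaa[bbb]aaa] -> [aaa[bbb]ccc]) otherwise. */
        SCLogDebug("DetectAddressCutIPv4: r == ADDRESS_EB");

        if (a_ip1 == b_ip1) {
            SCLogDebug("DetectAddressCutIPv4: 1");

            new_a1 = b_ip1;     new_a2 = b_ip2;
            new_b1 = b_ip2 + 1; new_b2 = a_ip2;
        } else if (a_ip2 == b_ip2) {
            SCLogDebug("DetectAddressCutIPv4: 2");

            new_a1 = a_ip1;     new_a2 = b_ip1 - 1;
            new_b1 = b_ip1;     new_b2 = b_ip2;
        } else {
            SCLogDebug("DetectAddressCutIPv4: 3");

            new_a1 = a_ip1;     new_a2 = b_ip1 - 1;
            new_b1 = b_ip1;     new_b2 = b_ip2;
            new_c1 = b_ip2 + 1; new_c2 = a_ip2;
            need_c = 1;
        }
    }

    /* Allocate the third range before touching a or b. */
    if (need_c) {
        tmp_c = DetectAddressInit();
        if (tmp_c == NULL)
            goto error;

        tmp_c->ip.family = AF_INET;
        tmp_c->ip.addr_data32[0] = htonl(new_c1);
        tmp_c->ip2.addr_data32[0] = htonl(new_c2);
    }

    /* Commit: nothing below can fail. */
    a->ip.addr_data32[0] = htonl(new_a1);
    a->ip2.addr_data32[0] = htonl(new_a2);

    b->ip.addr_data32[0] = htonl(new_b1);
    b->ip2.addr_data32[0] = htonl(new_b2);

    *c = tmp_c;

    /* NOTE(review): the rendered listing drops the statement guarded by
     * "if (tmp != NULL)" on both exit paths; releasing tmp with
     * DetectAddressFree() is the reconstruction - confirm against the
     * upstream file. */
    if (tmp != NULL)
        DetectAddressFree(tmp);

    return 0;

error:
    if (tmp != NULL)
        DetectAddressFree(tmp);
    return -1;
}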
304
305/**
306 * \brief Check if the address group list covers the complete IPv4 IP space.
307 *
308 * \param ag Pointer to a DetectAddress list head, which has to be checked to
309 * see if the address ranges in it, cover the entire IPv4 IP space.
310 *
311 * \retval 1 Yes, it covers the entire IPv4 address range.
312 * \retval 0 No, it doesn't cover the entire IPv4 address range.
313 */
/* Signature restored from the page's cross-reference index; the rendered
 * listing drops the line that carried it. */
int DetectAddressIsCompleteIPSpaceIPv4(DetectAddress *ag)
{
    uint32_t expected_start = 0;
    DetectAddress *cur = ag;

    /* An empty list covers nothing. */
    if (cur == NULL)
        return 0;

    /* A list whose first range does not begin at 0.0.0.0 cannot cover the
     * whole space. */
    if (SCNtohl(cur->ip.addr_data32[0]) != 0x00000000)
        return 0;

    /* First range already runs 0.0.0.0 - 255.255.255.255. */
    if (SCNtohl(cur->ip2.addr_data32[0]) == 0xFFFFFFFF)
        return 1;

    /* Network-order address the next range has to start at for the list to
     * be gap-free. The +1 cannot wrap: the end was just checked against
     * 0xFFFFFFFF. */
    expected_start = htonl(SCNtohl(cur->ip2.addr_data32[0]) + 1);
    cur = cur->next;

    while (cur != NULL) {
        /* Any gap or overlap between consecutive ranges means the list is
         * not a contiguous cover. */
        if (cur->ip.addr_data32[0] != expected_start)
            return 0;

        /* Contiguous so far and this range reaches the top of the space. */
        if (SCNtohl(cur->ip2.addr_data32[0]) == 0xFFFFFFFF)
            return 1;

        expected_start = htonl(SCNtohl(cur->ip2.addr_data32[0]) + 1);
        cur = cur->next;
    }

    /* Ran out of ranges before reaching 255.255.255.255. */
    return 0;
}
346
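/**
 * \brief Replaces an address range with its complement within the IPv4
 *        address space.
 *
 *        The complement excludes both end points of the original range:
 *
 *        If a = 0.0.0.0-1.2.3.4,
 *            then a = 1.2.3.5-255.255.255.255 and b = NULL
 *        If a = 1.2.3.4-255.255.255.255,
 *            then a = 0.0.0.0-1.2.3.3 and b = NULL
 *        If a = 1.2.3.4-192.168.1.1,
 *            then a = 0.0.0.0-1.2.3.3 and b = 192.168.1.2-255.255.255.255
 *
 *        A range that already spans 0.0.0.0-255.255.255.255 has an empty
 *        complement and is rejected with -1.
 *
 * \param a Pointer to an address range (DetectAddress) instance whose
 *          complement is written back into a and, when needed, b.
 * \param b Pointer to a DetectAddress pointer; set to a newly allocated
 *          instance when the complement consists of two ranges, and to NULL
 *          otherwise.
 *
 * \retval  0 On success.
 * \retval -1 On failure; a is left unmodified.
 */
/* Signature restored from the page's cross-reference index; the rendered
 * listing drops the line that carried it. */
int DetectAddressCutNotIPv4(DetectAddress *a, DetectAddress **b)
{
    const uint32_t a_ip1 = SCNtohl(a->ip.addr_data32[0]);
    const uint32_t a_ip2 = SCNtohl(a->ip2.addr_data32[0]);
    const int starts_at_zero = (a_ip1 == 0x00000000);
    const int ends_at_max = (a_ip2 == 0xFFFFFFFF);
    DetectAddress *tmp_b = NULL;

    /* default to NULL */
    *b = NULL;

    /* The whole address space has no complement. */
    if (starts_at_zero && ends_at_max)
        return -1;

    /* A range strictly inside the space leaves one piece on each side; the
     * upper piece needs a new instance. Allocate it before a is rewritten
     * so an allocation failure does not leave a half-converted. */
    if (!starts_at_zero && !ends_at_max) {
        tmp_b = DetectAddressInit();
        if (tmp_b == NULL)
            return -1;

        tmp_b->ip.family = AF_INET;
        tmp_b->ip.addr_data32[0] = htonl(a_ip2 + 1);
        tmp_b->ip2.addr_data32[0] = htonl(0xFFFFFFFF);
        *b = tmp_b;
    }

    if (starts_at_zero) {
        /* Only the part above the range remains. */
        a->ip.addr_data32[0] = htonl(a_ip2 + 1);
        a->ip2.addr_data32[0] = htonl(0xFFFFFFFF);
    } else {
        /* The part below the range; a_ip1 is non-zero, so a_ip1 - 1 cannot
         * wrap. */
        a->ip.addr_data32[0] = htonl(0x00000000);
        a->ip2.addr_data32[0] = htonl(a_ip1 - 1);
    }

    return 0;
}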
404
405/********************************Unittests*************************************/
406
407#ifdef UNITTESTS
408
409static int DetectAddressIPv4TestAddressCmp01(void)
410{
411 struct in_addr in;
412
414 FAIL_IF_NULL(a);
415
417 FAIL_IF_NULL(b);
418
419 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
420 a->ip.addr_data32[0] = in.s_addr;
421 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
422 a->ip2.addr_data32[0] = in.s_addr;
423 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
424 b->ip.addr_data32[0] = in.s_addr;
425 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
426 b->ip2.addr_data32[0] = in.s_addr;
428
429 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
430 a->ip.addr_data32[0] = in.s_addr;
431 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
432 a->ip2.addr_data32[0] = in.s_addr;
433 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
434 b->ip.addr_data32[0] = in.s_addr;
435 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
436 b->ip2.addr_data32[0] = in.s_addr;
438
439 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
440 a->ip.addr_data32[0] = in.s_addr;
441 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
442 a->ip2.addr_data32[0] = in.s_addr;
443 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
444 b->ip.addr_data32[0] = in.s_addr;
445 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
446 b->ip2.addr_data32[0] = in.s_addr;
448
449 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
450 a->ip.addr_data32[0] = in.s_addr;
451 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
452 a->ip2.addr_data32[0] = in.s_addr;
453 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
454 b->ip.addr_data32[0] = in.s_addr;
455 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
456 b->ip2.addr_data32[0] = in.s_addr;
458
459 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
460 a->ip.addr_data32[0] = in.s_addr;
461 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
462 a->ip2.addr_data32[0] = in.s_addr;
463 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
464 b->ip.addr_data32[0] = in.s_addr;
465 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
466 b->ip2.addr_data32[0] = in.s_addr;
468
469 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
470 a->ip.addr_data32[0] = in.s_addr;
471 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
472 a->ip2.addr_data32[0] = in.s_addr;
473 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
474 b->ip.addr_data32[0] = in.s_addr;
475 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
476 b->ip2.addr_data32[0] = in.s_addr;
478
479 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
480 a->ip.addr_data32[0] = in.s_addr;
481 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
482 a->ip2.addr_data32[0] = in.s_addr;
483 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
484 b->ip.addr_data32[0] = in.s_addr;
485 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
486 b->ip2.addr_data32[0] = in.s_addr;
488
489 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
490 a->ip.addr_data32[0] = in.s_addr;
491 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
492 a->ip2.addr_data32[0] = in.s_addr;
493 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
494 b->ip.addr_data32[0] = in.s_addr;
495 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
496 b->ip2.addr_data32[0] = in.s_addr;
498
499 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
500 a->ip.addr_data32[0] = in.s_addr;
501 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
502 a->ip2.addr_data32[0] = in.s_addr;
503 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
504 b->ip.addr_data32[0] = in.s_addr;
505 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
506 b->ip2.addr_data32[0] = in.s_addr;
508
509 FAIL_IF(inet_pton(AF_INET, "1.2.3.5", &in) < 0);
510 a->ip.addr_data32[0] = in.s_addr;
511 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
512 a->ip2.addr_data32[0] = in.s_addr;
513 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
514 b->ip.addr_data32[0] = in.s_addr;
515 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
516 b->ip2.addr_data32[0] = in.s_addr;
518
519 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
520 a->ip.addr_data32[0] = in.s_addr;
521 FAIL_IF(inet_pton(AF_INET, "128.128.128.128", &in) < 0);
522 a->ip2.addr_data32[0] = in.s_addr;
523 FAIL_IF(inet_pton(AF_INET, "128.128.128.128", &in) < 0);
524 b->ip.addr_data32[0] = in.s_addr;
525 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
526 b->ip2.addr_data32[0] = in.s_addr;
528
529 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
530 a->ip.addr_data32[0] = in.s_addr;
531 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
532 a->ip2.addr_data32[0] = in.s_addr;
533 FAIL_IF(inet_pton(AF_INET, "128.128.128.128", &in) < 0);
534 b->ip.addr_data32[0] = in.s_addr;
535 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
536 b->ip2.addr_data32[0] = in.s_addr;
538
539 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
540 a->ip.addr_data32[0] = in.s_addr;
541 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
542 a->ip2.addr_data32[0] = in.s_addr;
543 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
544 b->ip.addr_data32[0] = in.s_addr;
545 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
546 b->ip2.addr_data32[0] = in.s_addr;
548
549 FAIL_IF(inet_pton(AF_INET, "170.170.170.169", &in) < 0);
550 a->ip.addr_data32[0] = in.s_addr;
551 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
552 a->ip2.addr_data32[0] = in.s_addr;
553 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
554 b->ip.addr_data32[0] = in.s_addr;
555 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
556 b->ip2.addr_data32[0] = in.s_addr;
558
559 FAIL_IF(inet_pton(AF_INET, "170.170.170.169", &in) < 0);
560 a->ip.addr_data32[0] = in.s_addr;
561 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
562 a->ip2.addr_data32[0] = in.s_addr;
563 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
564 b->ip.addr_data32[0] = in.s_addr;
565 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
566 b->ip2.addr_data32[0] = in.s_addr;
568
569 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
570 a->ip.addr_data32[0] = in.s_addr;
571 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
572 a->ip2.addr_data32[0] = in.s_addr;
573 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
574 b->ip.addr_data32[0] = in.s_addr;
575 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
576 b->ip2.addr_data32[0] = in.s_addr;
578
579 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
580 a->ip.addr_data32[0] = in.s_addr;
581 FAIL_IF(inet_pton(AF_INET, "185.185.185.185", &in) < 0);
582 a->ip2.addr_data32[0] = in.s_addr;
583 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
584 b->ip.addr_data32[0] = in.s_addr;
585 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
586 b->ip2.addr_data32[0] = in.s_addr;
587 /* we could get a LE */
589
590 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
591 a->ip.addr_data32[0] = in.s_addr;
592 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
593 a->ip2.addr_data32[0] = in.s_addr;
594 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
595 b->ip.addr_data32[0] = in.s_addr;
596 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
597 b->ip2.addr_data32[0] = in.s_addr;
598 /* we could get a LE */
600
601 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
602 a->ip.addr_data32[0] = in.s_addr;
603 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
604 a->ip2.addr_data32[0] = in.s_addr;
605 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
606 b->ip.addr_data32[0] = in.s_addr;
607 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
608 b->ip2.addr_data32[0] = in.s_addr;
610
611 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
612 a->ip.addr_data32[0] = in.s_addr;
613 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
614 a->ip2.addr_data32[0] = in.s_addr;
615 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
616 b->ip.addr_data32[0] = in.s_addr;
617 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
618 b->ip2.addr_data32[0] = in.s_addr;
620
621 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
622 a->ip.addr_data32[0] = in.s_addr;
623 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
624 a->ip2.addr_data32[0] = in.s_addr;
625 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
626 b->ip.addr_data32[0] = in.s_addr;
627 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
628 b->ip2.addr_data32[0] = in.s_addr;
630
631 FAIL_IF(inet_pton(AF_INET, "128.128.128.128", &in) < 0);
632 a->ip.addr_data32[0] = in.s_addr;
633 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
634 a->ip2.addr_data32[0] = in.s_addr;
635 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
636 b->ip.addr_data32[0] = in.s_addr;
637 FAIL_IF(inet_pton(AF_INET, "128.128.128.128", &in) < 0);
638 b->ip2.addr_data32[0] = in.s_addr;
640
641 FAIL_IF(inet_pton(AF_INET, "128.128.128.128", &in) < 0);
642 a->ip.addr_data32[0] = in.s_addr;
643 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
644 a->ip2.addr_data32[0] = in.s_addr;
645 FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
646 b->ip.addr_data32[0] = in.s_addr;
647 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
648 b->ip2.addr_data32[0] = in.s_addr;
650
651 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
652 a->ip.addr_data32[0] = in.s_addr;
653 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
654 a->ip2.addr_data32[0] = in.s_addr;
655 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
656 b->ip.addr_data32[0] = in.s_addr;
657 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
658 b->ip2.addr_data32[0] = in.s_addr;
660
661 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
662 a->ip.addr_data32[0] = in.s_addr;
663 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
664 a->ip2.addr_data32[0] = in.s_addr;
665 FAIL_IF(inet_pton(AF_INET, "170.170.170.169", &in) < 0);
666 b->ip.addr_data32[0] = in.s_addr;
667 FAIL_IF(inet_pton(AF_INET, "180.180.180.180", &in) < 0);
668 b->ip2.addr_data32[0] = in.s_addr;
670
671 FAIL_IF(inet_pton(AF_INET, "170.170.170.169", &in) < 0);
672 a->ip.addr_data32[0] = in.s_addr;
673 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
674 a->ip2.addr_data32[0] = in.s_addr;
675 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
676 b->ip.addr_data32[0] = in.s_addr;
677 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
678 b->ip2.addr_data32[0] = in.s_addr;
680
681 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
682 a->ip.addr_data32[0] = in.s_addr;
683 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
684 a->ip2.addr_data32[0] = in.s_addr;
685 FAIL_IF(inet_pton(AF_INET, "170.170.169.170", &in) < 0);
686 b->ip.addr_data32[0] = in.s_addr;
687 FAIL_IF(inet_pton(AF_INET, "192.168.1.1", &in) < 0);
688 b->ip2.addr_data32[0] = in.s_addr;
690
691 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
692 a->ip.addr_data32[0] = in.s_addr;
693 FAIL_IF(inet_pton(AF_INET, "200.200.200.200", &in) < 0);
694 a->ip2.addr_data32[0] = in.s_addr;
695 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
696 b->ip.addr_data32[0] = in.s_addr;
697 FAIL_IF(inet_pton(AF_INET, "185.185.185.185", &in) < 0);
698 b->ip2.addr_data32[0] = in.s_addr;
700
701 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
702 a->ip.addr_data32[0] = in.s_addr;
703 FAIL_IF(inet_pton(AF_INET, "200.200.200.200", &in) < 0);
704 a->ip2.addr_data32[0] = in.s_addr;
705 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
706 b->ip.addr_data32[0] = in.s_addr;
707 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
708 b->ip2.addr_data32[0] = in.s_addr;
710
711 FAIL_IF(inet_pton(AF_INET, "182.168.1.2", &in) < 0);
712 a->ip.addr_data32[0] = in.s_addr;
713 FAIL_IF(inet_pton(AF_INET, "200.200.200.200", &in) < 0);
714 a->ip2.addr_data32[0] = in.s_addr;
715 FAIL_IF(inet_pton(AF_INET, "170.170.170.170", &in) < 0);
716 b->ip.addr_data32[0] = in.s_addr;
717 FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
718 b->ip2.addr_data32[0] = in.s_addr;
720
723 PASS;
724}
725
726static int DetectAddressIPv4IsCompleteIPSpace02(void)
727{
728 struct in_addr in;
729
731 FAIL_IF_NULL(a);
732
733 FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
734 a->ip.addr_data32[0] = in.s_addr;
735 FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
736 a->ip2.addr_data32[0] = in.s_addr;
738
739 FAIL_IF(inet_pton(AF_INET, "0.0.0.1", &in) < 0);
740 a->ip.addr_data32[0] = in.s_addr;
741 FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
742 a->ip2.addr_data32[0] = in.s_addr;
744
746
747 a = DetectAddressInit();
748 FAIL_IF_NULL(a);
749
750 FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
751 a->ip.addr_data32[0] = in.s_addr;
752 FAIL_IF(inet_pton(AF_INET, "255.255.255.254", &in) < 0);
753 a->ip2.addr_data32[0] = in.s_addr;
755
757
758 PASS;
759}
760
761static int DetectAddressIPv4IsCompleteIPSpace03(void)
762{
763 struct in_addr in;
764
766 FAIL_IF_NULL(a);
767 DetectAddress *temp = a;
768
769 FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
770 a->ip.addr_data32[0] = in.s_addr;
771 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
772 a->ip2.addr_data32[0] = in.s_addr;
774
775 temp->next = DetectAddressInit();
776 FAIL_IF_NULL(temp->next);
777 temp = temp->next;
778
779 FAIL_IF(inet_pton(AF_INET, "1.2.3.5", &in) < 0);
780 temp->ip.addr_data32[0] = in.s_addr;
781 FAIL_IF(inet_pton(AF_INET, "126.36.62.61", &in) < 0);
782 temp->ip2.addr_data32[0] = in.s_addr;
784
785 temp->next = DetectAddressInit();
786 FAIL_IF_NULL(temp->next);
787 temp = temp->next;
788
789 FAIL_IF(inet_pton(AF_INET, "126.36.62.62", &in) < 0);
790 temp->ip.addr_data32[0] = in.s_addr;
791 FAIL_IF(inet_pton(AF_INET, "222.52.21.62", &in) < 0);
792 temp->ip2.addr_data32[0] = in.s_addr;
794
795 temp->next = DetectAddressInit();
796 FAIL_IF_NULL(temp->next);
797 temp = temp->next;
798
799 FAIL_IF(inet_pton(AF_INET, "222.52.21.63", &in) < 0);
800 temp->ip.addr_data32[0] = in.s_addr;
801 FAIL_IF(inet_pton(AF_INET, "255.255.255.254", &in) < 0);
802 temp->ip2.addr_data32[0] = in.s_addr;
804
805 temp->next = DetectAddressInit();
806 FAIL_IF_NULL(temp->next);
807 temp = temp->next;
808
809 FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
810 temp->ip.addr_data32[0] = in.s_addr;
811 FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
812 temp->ip2.addr_data32[0] = in.s_addr;
814
816
817 PASS;
818}
819
820static int DetectAddressIPv4IsCompleteIPSpace04(void)
821{
822 struct in_addr in;
823
825 FAIL_IF_NULL(a);
826 DetectAddress *temp = a;
827
828 FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
829 a->ip.addr_data32[0] = in.s_addr;
830 FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
831 a->ip2.addr_data32[0] = in.s_addr;
833
834 temp->next = DetectAddressInit();
835 FAIL_IF_NULL(temp->next);
836 temp = temp->next;
837
838 FAIL_IF(inet_pton(AF_INET, "1.2.3.5", &in) < 0);
839 temp->ip.addr_data32[0] = in.s_addr;
840 FAIL_IF(inet_pton(AF_INET, "126.36.62.61", &in) < 0);
841 temp->ip2.addr_data32[0] = in.s_addr;
843
844 temp->next = DetectAddressInit();
845 FAIL_IF_NULL(temp->next);
846 temp = temp->next;
847
848 FAIL_IF(inet_pton(AF_INET, "126.36.62.62", &in) < 0);
849 temp->ip.addr_data32[0] = in.s_addr;
850 FAIL_IF(inet_pton(AF_INET, "222.52.21.62", &in) < 0);
851 temp->ip2.addr_data32[0] = in.s_addr;
853
854 temp->next = DetectAddressInit();
855 FAIL_IF_NULL(temp->next);
856 temp = temp->next;
857
858 FAIL_IF(inet_pton(AF_INET, "222.52.21.64", &in) < 0);
859 temp->ip.addr_data32[0] = in.s_addr;
860 FAIL_IF(inet_pton(AF_INET, "255.255.255.254", &in) < 0);
861 temp->ip2.addr_data32[0] = in.s_addr;
863
864 temp->next = DetectAddressInit();
865 FAIL_IF_NULL(temp->next);
866 temp = temp->next;
867
868 FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
869 temp->ip.addr_data32[0] = in.s_addr;
870 FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
871 temp->ip2.addr_data32[0] = in.s_addr;
873
875
876 PASS;
877}
878
879static int DetectAddressIPv4CutNot05(void)
880{
881 DetectAddress *b = NULL;
882 struct in_addr in;
883
885 FAIL_IF_NULL(a);
886
887 FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
888 a->ip.addr_data32[0] = in.s_addr;
889 FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
890 a->ip2.addr_data32[0] = in.s_addr;
892
895 PASS;
896}
897
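/* Complement of 0.0.0.0-1.2.3.4 must be 1.2.3.5-255.255.255.255. */
static int DetectAddressIPv4CutNot06(void)
{
    DetectAddress *b = NULL;
    struct in_addr in;

    /* Reconstructed: the rendered listing drops the line that creates 'a'. */
    DetectAddress *a = DetectAddressInit();
    FAIL_IF_NULL(a);

    FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
    a->ip.addr_data32[0] = in.s_addr;
    FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
    a->ip2.addr_data32[0] = in.s_addr;
    /* Reconstructed: the listing drops the call under test - confirm the
     * exact assertion against the upstream file. */
    FAIL_IF(DetectAddressCutNotIPv4(a, &b) == -1);

    FAIL_IF(inet_pton(AF_INET, "1.2.3.5", &in) < 0);
    FAIL_IF_NOT(a->ip.addr_data32[0] == in.s_addr);
    FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
    /* Was '=': the assignment overwrote the result with the expected value
     * and the check passed for any non-zero address, so the upper bound of
     * the complement was never verified. */
    FAIL_IF_NOT(a->ip2.addr_data32[0] == in.s_addr);

    /* Reconstructed cleanup: the listing drops the lines before PASS. */
    DetectAddressFree(a);
    if (b != NULL)
        DetectAddressFree(b);
    PASS;
}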
921
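/* Complement of 1.2.3.4-255.255.255.255 must be 0.0.0.0-1.2.3.3. */
static int DetectAddressIPv4CutNot07(void)
{
    DetectAddress *b = NULL;
    struct in_addr in;

    /* Reconstructed: the rendered listing drops the line that creates 'a'. */
    DetectAddress *a = DetectAddressInit();
    FAIL_IF_NULL(a);

    FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
    a->ip.addr_data32[0] = in.s_addr;
    FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
    a->ip2.addr_data32[0] = in.s_addr;
    /* Reconstructed: the listing drops the call under test - confirm the
     * exact assertion against the upstream file. */
    FAIL_IF(DetectAddressCutNotIPv4(a, &b) == -1);

    FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
    FAIL_IF_NOT(a->ip.addr_data32[0] == in.s_addr);
    FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
    /* Was '=': the assignment overwrote the result with the expected value
     * and the check passed for any non-zero address, so the upper bound of
     * the complement was never verified. */
    FAIL_IF_NOT(a->ip2.addr_data32[0] == in.s_addr);

    /* Reconstructed cleanup: the listing drops the lines before PASS. */
    DetectAddressFree(a);
    if (b != NULL)
        DetectAddressFree(b);
    PASS;
}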
945
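/* Complement of the single address 1.2.3.4 must be 0.0.0.0-1.2.3.3 in a
 * and 1.2.3.5-255.255.255.255 in b. */
static int DetectAddressIPv4CutNot08(void)
{
    DetectAddress *b = NULL;
    struct in_addr in;

    /* Reconstructed: the rendered listing drops the line that creates 'a'. */
    DetectAddress *a = DetectAddressInit();
    FAIL_IF_NULL(a);

    FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
    a->ip.addr_data32[0] = in.s_addr;
    FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
    a->ip2.addr_data32[0] = in.s_addr;
    /* Reconstructed: the listing drops the call under test - confirm the
     * exact assertion against the upstream file. */
    FAIL_IF(DetectAddressCutNotIPv4(a, &b) == -1);

    FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
    FAIL_IF_NOT(a->ip.addr_data32[0] == in.s_addr);
    FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
    /* Was '=': an assignment here made the check pass for any non-zero
     * address instead of comparing against the expected bound. */
    FAIL_IF_NOT(a->ip2.addr_data32[0] == in.s_addr);

    FAIL_IF_NULL(b);
    FAIL_IF(inet_pton(AF_INET, "1.2.3.5", &in) < 0);
    FAIL_IF_NOT(b->ip.addr_data32[0] == in.s_addr);
    FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
    /* Was '=' as well; same fix. */
    FAIL_IF_NOT(b->ip2.addr_data32[0] == in.s_addr);

    /* Reconstructed cleanup: the listing drops the lines before PASS. */
    DetectAddressFree(a);
    if (b != NULL)
        DetectAddressFree(b);
    PASS;
}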
975
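/* Complement of 1.2.3.4-192.168.1.2 must be 0.0.0.0-1.2.3.3 in a and
 * 192.168.1.3-255.255.255.255 in b. */
static int DetectAddressIPv4CutNot09(void)
{
    DetectAddress *b = NULL;
    struct in_addr in;

    /* Reconstructed: the rendered listing drops the line that creates 'a'. */
    DetectAddress *a = DetectAddressInit();
    FAIL_IF_NULL(a);

    FAIL_IF(inet_pton(AF_INET, "1.2.3.4", &in) < 0);
    a->ip.addr_data32[0] = in.s_addr;
    FAIL_IF(inet_pton(AF_INET, "192.168.1.2", &in) < 0);
    a->ip2.addr_data32[0] = in.s_addr;
    /* Reconstructed: the listing drops the call under test - confirm the
     * exact assertion against the upstream file. */
    FAIL_IF(DetectAddressCutNotIPv4(a, &b) == -1);

    FAIL_IF(inet_pton(AF_INET, "0.0.0.0", &in) < 0);
    FAIL_IF_NOT(a->ip.addr_data32[0] == in.s_addr);
    FAIL_IF(inet_pton(AF_INET, "1.2.3.3", &in) < 0);
    /* Was '=': an assignment here made the check pass for any non-zero
     * address instead of comparing against the expected bound. */
    FAIL_IF_NOT(a->ip2.addr_data32[0] == in.s_addr);

    FAIL_IF_NULL(b);
    FAIL_IF(inet_pton(AF_INET, "192.168.1.3", &in) < 0);
    FAIL_IF_NOT(b->ip.addr_data32[0] == in.s_addr);
    FAIL_IF(inet_pton(AF_INET, "255.255.255.255", &in) < 0);
    /* Was '=' as well; same fix. */
    FAIL_IF_NOT(b->ip2.addr_data32[0] == in.s_addr);

    /* Reconstructed cleanup: the listing drops the lines before PASS. */
    DetectAddressFree(a);
    if (b != NULL)
        DetectAddressFree(b);
    PASS;
}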
1005
1006#endif
1007
/* Signature restored from the page's cross-reference index; the rendered
 * listing drops the line that carried it.
 *
 * Registers this file's unit tests with the test runner. Compiles to an
 * empty function when UNITTESTS is not defined. */
void DetectAddressIPv4Tests(void)
{
#ifdef UNITTESTS
    /* Name / function pairs, registered in the order listed. */
    static const struct {
        const char *name;
        int (*fn)(void);
    } ipv4_tests[] = {
        { "DetectAddressIPv4TestAddressCmp01", DetectAddressIPv4TestAddressCmp01 },
        { "DetectAddressIPv4IsCompleteIPSpace02", DetectAddressIPv4IsCompleteIPSpace02 },
        { "DetectAddressIPv4IsCompleteIPSpace03", DetectAddressIPv4IsCompleteIPSpace03 },
        { "DetectAddressIPv4IsCompleteIPSpace04", DetectAddressIPv4IsCompleteIPSpace04 },
        { "DetectAddressIPv4CutNot05", DetectAddressIPv4CutNot05 },
        { "DetectAddressIPv4CutNot06", DetectAddressIPv4CutNot06 },
        { "DetectAddressIPv4CutNot07", DetectAddressIPv4CutNot07 },
        { "DetectAddressIPv4CutNot08", DetectAddressIPv4CutNot08 },
        { "DetectAddressIPv4CutNot09", DetectAddressIPv4CutNot09 },
    };

    for (size_t i = 0; i < sizeof(ipv4_tests) / sizeof(ipv4_tests[0]); i++) {
        UtRegisterTest(ipv4_tests[i].name, ipv4_tests[i].fn);
    }
#endif
}
int DetectAddressCutIPv4(DetectEngineCtx *de_ctx, DetectAddress *a, DetectAddress *b, DetectAddress **c)
Cut groups and merge sigs.
int DetectAddressIsCompleteIPSpaceIPv4(DetectAddress *ag)
Check if the address group list covers the complete IPv4 IP space.
int DetectAddressCutNotIPv4(DetectAddress *a, DetectAddress **b)
Cuts and returns an address range, which is the complement of the address range that is supplied as t...
int DetectAddressCmpIPv4(DetectAddress *a, DetectAddress *b)
Compares 2 addresses(address ranges) and returns the relationship between the 2 addresses.
void DetectAddressIPv4Tests(void)
DetectAddress * DetectAddressInit(void)
Creates and returns a new instance of a DetectAddress.
void DetectAddressFree(DetectAddress *ag)
Frees a DetectAddress instance.
@ ADDRESS_ER
Definition detect.h:152
@ ADDRESS_GT
Definition detect.h:159
@ ADDRESS_EB
Definition detect.h:157
@ ADDRESS_EQ
Definition detect.h:155
@ ADDRESS_ES
Definition detect.h:156
@ ADDRESS_GE
Definition detect.h:158
@ ADDRESS_LE
Definition detect.h:154
@ ADDRESS_LT
Definition detect.h:153
DetectEngineCtx * de_ctx
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
#define PASS
Pass the test.
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
char family
Definition decode.h:113
address structure for use in the detection engine.
Definition detect.h:168
Address ip2
Definition detect.h:171
struct DetectAddress_ * next
Definition detect.h:179
Address ip
Definition detect.h:170
main detection engine ctx
Definition detect.h:932
#define SCNtohl(x)
#define SCLogDebug(...)
Definition util-debug.h:275