suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2010 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18/**
19 * \file
20 *
21 * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22 */
23
24#include "suricata-common.h"
25#include "suricata.h"
26
27#include "decode.h"
28
29#include "detect.h"
30#include "detect-engine.h"
31#include "detect-parse.h"
32#include "detect-pcre.h"
33#include "detect-isdataat.h"
34#include "detect-bytetest.h"
35#include "detect-bytejump.h"
36#include "detect-byte-extract.h"
37#include "detect-content.h"
38#include "detect-engine-content-inspection.h"
39#include "detect-engine-dcepayload.h"
40#include "detect-engine-build.h"
41#include "app-layer-parser.h"
42
43#include "stream-tcp.h"
44
45#include "app-layer.h"
46#include "flow-util.h"
47#include "util-debug.h"
48
49#include "util-unittest.h"
50#include "util-unittest-helper.h"
51
52#include "detect-dce-iface.h"
53
54static int g_dce_stub_data_buffer_id = 0;
55
56
57/**************************************Unittests*******************************/
58
59#ifdef UNITTESTS
60#include "detect-engine-alert.h"
61
62/**
63 * \test Test the working of byte_test endianness.
64 */
65static int DcePayloadTest15(void)
66{
67 int result = 0;
68
69 uint8_t request1[] = {
70 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
71 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
72 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
73 0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
74 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
75 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
76 0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
77 0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
78 0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
79 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
80 0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
81 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
82 0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
83 };
84 uint32_t request1_len = sizeof(request1);
85
86 TcpSession ssn;
87 Packet *p = NULL;
88 ThreadVars tv;
89 DetectEngineCtx *de_ctx = NULL;
90 DetectEngineThreadCtx *det_ctx = NULL;
91 Flow f;
92 int r;
93
94 const char *sig1 = "alert tcp any any -> any any "
95 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
96 "byte_test:2,=,14080,0,relative,dce; sid:1;)";
97 const char *sig2 = "alert tcp any any -> any any "
98 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
99 "byte_test:2,=,46,5,relative,dce; sid:2;)";
100
101 Signature *s;
102 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
103
104 memset(&tv, 0, sizeof(ThreadVars));
105 memset(&f, 0, sizeof(Flow));
106 memset(&ssn, 0, sizeof(TcpSession));
107
108 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
109 p->flow = &f;
110 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
111 p->flowflags |= FLOW_PKT_TOSERVER;
112 p->flowflags |= FLOW_PKT_ESTABLISHED;
113
114 FLOW_INITIALIZE(&f);
115 f.protoctx = (void *)&ssn;
116 f.proto = IPPROTO_TCP;
117 f.flags |= FLOW_IPV4;
118 f.alproto = ALPROTO_DCERPC;
119
120 StreamTcpInitConfig(true);
121
122 de_ctx = DetectEngineCtxInit();
123 if (de_ctx == NULL)
124 goto end;
125 de_ctx->flags |= DE_QUIET;
126
127 de_ctx->sig_list = SigInit(de_ctx, sig1);
128 s = de_ctx->sig_list;
129 if (s == NULL)
130 goto end;
131 s->next = SigInit(de_ctx, sig2);
132 if (s->next == NULL)
133 goto end;
134
135 SigGroupBuild(de_ctx);
136 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
137
138 /* request 1 */
139 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
140 STREAM_TOSERVER, request1, request1_len);
141 if (r != 0) {
142 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
143 result = 0;
144 goto end;
145 }
146 /* detection phase */
147 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
148 if (!(PacketAlertCheck(p, 1))) {
149 printf("sid 1 didn't match but should have for packet: ");
150 goto end;
151 }
152 if (!(PacketAlertCheck(p, 2))) {
153 printf("sid 2 didn't match but should have for packet: ");
154 goto end;
155 }
156
157 result = 1;
158
159end:
160 if (alp_tctx != NULL)
161 AppLayerParserThreadCtxFree(alp_tctx);
162 if (de_ctx != NULL) {
163 SigGroupCleanup(de_ctx);
164 SigCleanSignatures(de_ctx);
165
166 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
167 DetectEngineCtxFree(de_ctx);
168 }
169
170 StreamTcpFreeConfig(true);
171
172 UTHFreePackets(&p, 1);
173 return result;
174}
175
176/**
177 * \test Test the working of byte_test endianness.
178 */
179static int DcePayloadTest16(void)
180{
181 int result = 0;
182
183 uint8_t request1[] = {
184 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
185 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
186 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
187 0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
188 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
189 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
190 0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
191 0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
192 0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
193 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
194 0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
195 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
196 0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
197 };
198 uint32_t request1_len = sizeof(request1);
199
200 TcpSession ssn;
201 Packet *p = NULL;
202 ThreadVars tv;
203 DetectEngineCtx *de_ctx = NULL;
204 DetectEngineThreadCtx *det_ctx = NULL;
205 Flow f;
206 int r;
207
208 const char *sig1 = "alert tcp any any -> any any "
209 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
210 "byte_test:2,=,55,0,relative; sid:1;)";
211 const char *sig2 = "alert tcp any any -> any any "
212 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
213 "byte_test:2,=,11776,5,relative; sid:2;)";
214
215 Signature *s;
216 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
217
218 memset(&tv, 0, sizeof(ThreadVars));
219 memset(&f, 0, sizeof(Flow));
220 memset(&ssn, 0, sizeof(TcpSession));
221
222 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
223 p->flow = &f;
224 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
225 p->flowflags |= FLOW_PKT_TOSERVER;
226 p->flowflags |= FLOW_PKT_ESTABLISHED;
227
228 FLOW_INITIALIZE(&f);
229 f.protoctx = (void *)&ssn;
230 f.proto = IPPROTO_TCP;
231 f.flags |= FLOW_IPV4;
232 f.alproto = ALPROTO_DCERPC;
233
234 StreamTcpInitConfig(true);
235
236 de_ctx = DetectEngineCtxInit();
237 if (de_ctx == NULL)
238 goto end;
239 de_ctx->flags |= DE_QUIET;
240
241 de_ctx->sig_list = SigInit(de_ctx, sig1);
242 s = de_ctx->sig_list;
243 if (s == NULL)
244 goto end;
245 s->next = SigInit(de_ctx, sig2);
246 if (s->next == NULL)
247 goto end;
248
249 SigGroupBuild(de_ctx);
250 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
251
252 /* request 1 */
253 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
254 STREAM_TOSERVER, request1, request1_len);
255 if (r != 0) {
256 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
257 result = 0;
258 goto end;
259 }
260 /* detection phase */
261 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
262 if (!(PacketAlertCheck(p, 1))) {
263 printf("sid 1 didn't match but should have for packet: ");
264 goto end;
265 }
266 if (!(PacketAlertCheck(p, 2))) {
267 printf("sid 2 didn't match but should have for packet: ");
268 goto end;
269 }
270
271 result = 1;
272
273end:
274 if (alp_tctx != NULL)
275 AppLayerParserThreadCtxFree(alp_tctx);
276 if (de_ctx != NULL) {
277 SigGroupCleanup(de_ctx);
278 SigCleanSignatures(de_ctx);
279
280 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
281 DetectEngineCtxFree(de_ctx);
282 }
283
284 StreamTcpFreeConfig(true);
285
286 UTHFreePackets(&p, 1);
287 return result;
288}
289
290/**
291 * \test Test the working of byte_test endianness.
292 */
293static int DcePayloadTest17(void)
294{
295 int result = 0;
296
297 uint8_t request1[] = {
298 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
299 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
300 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
301 0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
302 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
303 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
304 0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
305 0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
306 0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
307 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
308 0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
309 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
310 0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
311 };
312 uint32_t request1_len = sizeof(request1);
313
314 TcpSession ssn;
315 Packet *p = NULL;
316 ThreadVars tv;
317 DetectEngineCtx *de_ctx = NULL;
318 DetectEngineThreadCtx *det_ctx = NULL;
319 Flow f;
320 int r;
321
322 const char *sig1 = "alert tcp any any -> any any "
323 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
324 "byte_test:2,=,55,0,relative,big; sid:1;)";
325 const char *sig2 = "alert tcp any any -> any any "
326 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
327 "byte_test:2,=,46,5,relative,little; sid:2;)";
328
329 Signature *s;
330 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
331
332 memset(&tv, 0, sizeof(ThreadVars));
333 memset(&f, 0, sizeof(Flow));
334 memset(&ssn, 0, sizeof(TcpSession));
335
336 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
337 p->flow = &f;
338 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
339 p->flowflags |= FLOW_PKT_TOSERVER;
340 p->flowflags |= FLOW_PKT_ESTABLISHED;
341
342 FLOW_INITIALIZE(&f);
343 f.protoctx = (void *)&ssn;
344 f.proto = IPPROTO_TCP;
345 f.flags |= FLOW_IPV4;
346 f.alproto = ALPROTO_DCERPC;
347
348 StreamTcpInitConfig(true);
349
350 de_ctx = DetectEngineCtxInit();
351 if (de_ctx == NULL)
352 goto end;
353 de_ctx->flags |= DE_QUIET;
354
355 de_ctx->sig_list = SigInit(de_ctx, sig1);
356 s = de_ctx->sig_list;
357 if (s == NULL)
358 goto end;
359 s->next = SigInit(de_ctx, sig2);
360 if (s->next == NULL)
361 goto end;
362
363 SigGroupBuild(de_ctx);
364 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
365
366 /* request 1 */
367 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
368 STREAM_TOSERVER, request1, request1_len);
369 if (r != 0) {
370 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
371 result = 0;
372 goto end;
373 }
374 /* detection phase */
375 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
376 if (!(PacketAlertCheck(p, 1))) {
377 printf("sid 1 didn't match but should have for packet: ");
378 goto end;
379 }
380 if (!(PacketAlertCheck(p, 2))) {
381 printf("sid 2 didn't match but should have for packet: ");
382 goto end;
383 }
384
385 result = 1;
386
387end:
388 if (alp_tctx != NULL)
389 AppLayerParserThreadCtxFree(alp_tctx);
390 if (de_ctx != NULL) {
391 SigGroupCleanup(de_ctx);
392 SigCleanSignatures(de_ctx);
393
394 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
395 DetectEngineCtxFree(de_ctx);
396 }
397
398 StreamTcpFreeConfig(true);
399
400 UTHFreePackets(&p, 1);
401 return result;
402}
403
404/**
405 * \test Test the working of byte_jump endianness.
406 */
407static int DcePayloadTest18(void)
408{
409 int result = 0;
410
411 uint8_t request1[] = {
412 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
413 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
414 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
415 0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
416 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
417 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
418 0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
419 0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
420 0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
421 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
422 0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
423 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
424 0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
425 };
426 uint32_t request1_len = sizeof(request1);
427
428 TcpSession ssn;
429 Packet *p = NULL;
430 ThreadVars tv;
431 DetectEngineCtx *de_ctx = NULL;
432 DetectEngineThreadCtx *det_ctx = NULL;
433 Flow f;
434 int r;
435
436 const char *sig1 = "alert tcp any any -> any any "
437 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
438 "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
439 const char *sig2 = "alert tcp any any -> any any "
440 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
441 "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
442
443 Signature *s;
444 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
445
446 memset(&tv, 0, sizeof(ThreadVars));
447 memset(&f, 0, sizeof(Flow));
448 memset(&ssn, 0, sizeof(TcpSession));
449
450 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
451 p->flow = &f;
452 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
453 p->flowflags |= FLOW_PKT_TOSERVER;
454 p->flowflags |= FLOW_PKT_ESTABLISHED;
455
456 FLOW_INITIALIZE(&f);
457 f.protoctx = (void *)&ssn;
458 f.proto = IPPROTO_TCP;
459 f.flags |= FLOW_IPV4;
460 f.alproto = ALPROTO_DCERPC;
461
462 StreamTcpInitConfig(true);
463
464 de_ctx = DetectEngineCtxInit();
465 if (de_ctx == NULL)
466 goto end;
467 de_ctx->flags |= DE_QUIET;
468
469 de_ctx->sig_list = SigInit(de_ctx, sig1);
470 s = de_ctx->sig_list;
471 if (s == NULL)
472 goto end;
473 s->next = SigInit(de_ctx, sig2);
474 if (s->next == NULL)
475 goto end;
476
477 SigGroupBuild(de_ctx);
478 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
479
480 /* request 1 */
481 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
482 STREAM_TOSERVER, request1, request1_len);
483 if (r != 0) {
484 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
485 result = 0;
486 goto end;
487 }
488 /* detection phase */
489 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
490 if (!(PacketAlertCheck(p, 1))) {
491 printf("sid 1 didn't match but should have for packet: ");
492 goto end;
493 }
494 if (!(PacketAlertCheck(p, 2))) {
495 printf("sid 2 didn't match but should have for packet: ");
496 goto end;
497 }
498
499 result = 1;
500
501end:
502 if (alp_tctx != NULL)
503 AppLayerParserThreadCtxFree(alp_tctx);
504 if (de_ctx != NULL) {
505 SigGroupCleanup(de_ctx);
506 SigCleanSignatures(de_ctx);
507
508 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
509 DetectEngineCtxFree(de_ctx);
510 }
511
512 StreamTcpFreeConfig(true);
513
514 UTHFreePackets(&p, 1);
515 return result;
516}
517
518/**
519 * \test Test the working of byte_jump endianness.
520 */
521static int DcePayloadTest19(void)
522{
523 int result = 0;
524
525 uint8_t request1[] = {
526 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
527 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
528 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
529 0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
530 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
531 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
532 0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
533 0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
534 0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
535 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
536 0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
537 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
538 0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
539 };
540 uint32_t request1_len = sizeof(request1);
541
542 TcpSession ssn;
543 Packet *p = NULL;
544 ThreadVars tv;
545 DetectEngineCtx *de_ctx = NULL;
546 DetectEngineThreadCtx *det_ctx = NULL;
547 Flow f;
548 int r;
549
550 const char *sig1 = "alert tcp any any -> any any "
551 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
552 "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
553 const char *sig2 = "alert tcp any any -> any any "
554 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
555 "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
556
557 Signature *s;
558 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
559
560 memset(&tv, 0, sizeof(ThreadVars));
561 memset(&f, 0, sizeof(Flow));
562 memset(&ssn, 0, sizeof(TcpSession));
563
564 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
565 p->flow = &f;
566 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
567 p->flowflags |= FLOW_PKT_TOSERVER;
568 p->flowflags |= FLOW_PKT_ESTABLISHED;
569
570 FLOW_INITIALIZE(&f);
571 f.protoctx = (void *)&ssn;
572 f.proto = IPPROTO_TCP;
573 f.flags |= FLOW_IPV4;
574 f.alproto = ALPROTO_DCERPC;
575
576 StreamTcpInitConfig(true);
577
578 de_ctx = DetectEngineCtxInit();
579 if (de_ctx == NULL)
580 goto end;
581 de_ctx->flags |= DE_QUIET;
582
583 de_ctx->sig_list = SigInit(de_ctx, sig1);
584 s = de_ctx->sig_list;
585 if (s == NULL)
586 goto end;
587 s->next = SigInit(de_ctx, sig2);
588 if (s->next == NULL)
589 goto end;
590
591 SigGroupBuild(de_ctx);
592 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
593
594 /* request 1 */
595 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
596 STREAM_TOSERVER, request1, request1_len);
597 if (r != 0) {
598 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
599 result = 0;
600 goto end;
601 }
602 /* detection phase */
603 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
604 if (!(PacketAlertCheck(p, 1))) {
605 printf("sid 1 didn't match but should have for packet: ");
606 goto end;
607 }
608 if (!(PacketAlertCheck(p, 2))) {
609 printf("sid 2 didn't match but should have for packet: ");
610 goto end;
611 }
612
613 result = 1;
614
615end:
616 if (alp_tctx != NULL)
617 AppLayerParserThreadCtxFree(alp_tctx);
618 if (de_ctx != NULL) {
619 SigGroupCleanup(de_ctx);
620 SigCleanSignatures(de_ctx);
621
622 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
623 DetectEngineCtxFree(de_ctx);
624 }
625
626 StreamTcpFreeConfig(true);
627
628 UTHFreePackets(&p, 1);
629 return result;
630}
631
632/**
633 * \test Test the working of byte_jump endianness.
634 */
635static int DcePayloadTest20(void)
636{
637 int result = 0;
638
639 uint8_t request1[] = {
640 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
641 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
642 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
643 0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
644 0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
645 0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
646 0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
647 0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
648 0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
649 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
650 0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
651 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
652 0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
653 };
654 uint32_t request1_len = sizeof(request1);
655
656 TcpSession ssn;
657 Packet *p = NULL;
658 ThreadVars tv;
659 DetectEngineCtx *de_ctx = NULL;
660 DetectEngineThreadCtx *det_ctx = NULL;
661 Flow f;
662 int r;
663
664 const char *sig1 = "alert tcp any any -> any any "
665 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
666 "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
667 const char *sig2 = "alert tcp any any -> any any "
668 "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
669 "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
670
671 Signature *s;
672 AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
673
674 memset(&tv, 0, sizeof(ThreadVars));
675 memset(&f, 0, sizeof(Flow));
676 memset(&ssn, 0, sizeof(TcpSession));
677
678 p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
679 p->flow = &f;
680 p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
681 p->flowflags |= FLOW_PKT_TOSERVER;
682 p->flowflags |= FLOW_PKT_ESTABLISHED;
683
684 FLOW_INITIALIZE(&f);
685 f.protoctx = (void *)&ssn;
686 f.proto = IPPROTO_TCP;
687 f.flags |= FLOW_IPV4;
688 f.alproto = ALPROTO_DCERPC;
689
690 StreamTcpInitConfig(true);
691
692 de_ctx = DetectEngineCtxInit();
693 if (de_ctx == NULL)
694 goto end;
695 de_ctx->flags |= DE_QUIET;
696
697 de_ctx->sig_list = SigInit(de_ctx, sig1);
698 s = de_ctx->sig_list;
699 if (s == NULL)
700 goto end;
701 s->next = SigInit(de_ctx, sig2);
702 if (s->next == NULL)
703 goto end;
704
705 SigGroupBuild(de_ctx);
706 DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
707
708 /* request 1 */
709 r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DCERPC,
710 STREAM_TOSERVER, request1, request1_len);
711 if (r != 0) {
712 printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
713 result = 0;
714 goto end;
715 }
716 /* detection phase */
717 SigMatchSignatures(&tv, de_ctx, det_ctx, p);
718 if (!(PacketAlertCheck(p, 1))) {
719 printf("sid 1 didn't match but should have for packet: ");
720 goto end;
721 }
722 if (!(PacketAlertCheck(p, 2))) {
723 printf("sid 2 didn't match but should have for packet: ");
724 goto end;
725 }
726
727 result = 1;
728
729end:
730 if (alp_tctx != NULL)
731 AppLayerParserThreadCtxFree(alp_tctx);
732 if (de_ctx != NULL) {
733 SigGroupCleanup(de_ctx);
734 SigCleanSignatures(de_ctx);
735
736 DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
737 DetectEngineCtxFree(de_ctx);
738 }
739
740 StreamTcpFreeConfig(true);
741
742 UTHFreePackets(&p, 1);
743 return result;
744}
745
746#endif /* UNITTESTS */
747
748void DcePayloadRegisterTests(void)
749{
750 g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
751
752#ifdef UNITTESTS
753 UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
754 UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
755 UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
756 UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
757 UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
758 UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
759#endif /* UNITTESTS */
760}
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition app-layer-parser.c:297
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition app-layer-parser.c:324
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition app-layer-parser.c:1291
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition app-layer-protos.h:44
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition decode.h:1266
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition decode.h:1262
detect-content.h
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:56
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition detect-engine-build.c:2275
detect-engine-content-inspection.h
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition detect-engine-dcepayload.c:748
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition detect-engine.c:1277
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
SigInit
Signature * SigInit(DetectEngineCtx *de_ctx, const char *sigstr)
Parses a signature and adds it to the Detection Engine Context.
Definition detect-parse.c:3095
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition flow-util.h:38
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition flow.h:233
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition flow.h:235
FLOW_IPV4
#define FLOW_IPV4
Definition flow.h:100
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition fuzz_applayerparserparse.c:23
tv
ThreadVars * tv
Definition fuzz_decodepcapfile.c:32
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition stream-tcp.c:859
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition stream-tcp.c:488
AppLayerParserThreadCtx_
Definition app-layer-parser.c:60
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectEngineThreadCtx_
Definition detect.h:1244
Flow_
Flow data structure.
Definition flow.h:356
Flow_::proto
uint8_t proto
Definition flow.h:378
Flow_::flags
uint32_t flags
Definition flow.h:421
Flow_::alproto
AppProto alproto
application level protocol
Definition flow.h:450
Flow_::protoctx
void * protoctx
Definition flow.h:441
Packet_
Definition decode.h:501
Packet_::flowflags
uint8_t flowflags
Definition decode.h:532
Packet_::flow
struct Flow_ * flow
Definition decode.h:546
Packet_::flags
uint32_t flags
Definition decode.h:544
Signature_
Signature container.
Definition detect.h:668
Signature_::next
struct Signature_ * next
Definition detect.h:750
TcpSession_
Definition stream-tcp-private.h:283
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition util-unittest-helper.c:456
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition util-unittest-helper.c:365