1/* Copyright (C) 2017-2022 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18#include "../util-unittest.h"
19
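/* Parser-level helpers. TEST_OK parses `str` with DetectU64Parse and checks the
 * resulting mode and bounds: `lo` is compared against arg1, and `hi` against
 * arg2 in range mode only (callers pass 0 for `hi` in the single-bound modes,
 * where arg2 carries no parsed value). The parsed object is released before
 * the verdict so a failing case does not leak it. TEST_FAIL expects the parse
 * to be rejected (NULL). Both are redefined below for the rule-level tests. */
#define TEST_OK(str, m, lo, hi)                                                   \
    do {                                                                          \
        DetectU64Data *bsz = DetectU64Parse((str));                               \
        FAIL_IF_NULL(bsz);                                                        \
        int bsz_ok = (bsz->mode == (m)) && (bsz->arg1 == (lo));                   \
        if ((m) == DETECT_UINT_RA) {                                              \
            bsz_ok = bsz_ok && (bsz->arg2 == (hi));                               \
        }                                                                         \
        DetectBsizeFree(NULL, bsz);                                               \
        FAIL_IF_NOT(bsz_ok);                                                      \
        SCLogDebug("str %s OK", (str));                                           \
    } while (0)
#define TEST_FAIL(str)                                                            \
    do {                                                                          \
        DetectU64Data *bsz = DetectU64Parse((str));                               \
        FAIL_IF_NOT_NULL(bsz);                                                    \
    } while (0)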
33
/* Equality mode (no operator): whitespace around the number is tolerated,
 * non-numeric input is rejected, and a value that does not fit in 64 bits is
 * rejected rather than truncated. */
static int DetectBsizeTest01(void)
{
    TEST_OK("50", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50 ", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50 ", DETECT_UINT_EQ, 50, 0);

    TEST_FAIL("AA");
    TEST_FAIL("5A");
    TEST_FAIL("A5");
    // bigger than UINT64_MAX (21 digits; UINT64_MAX has 20)
    TEST_FAIL("100000000000000000001");
    /* a value above 32 bits is still accepted: the keyword is 64-bit wide */
    TEST_OK(" 1000000001 ", DETECT_UINT_EQ, 1000000001, 0);
    PASS;
}
50
/* Greater-than mode: whitespace before, between and after the operator and
 * the number is tolerated; a doubled or mixed operator and trailing garbage
 * after the number are rejected. */
static int DetectBsizeTest02(void)
{
    TEST_OK(">50", DETECT_UINT_GT, 50, 0);
    TEST_OK("> 50", DETECT_UINT_GT, 50, 0);
    TEST_OK("> 50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" >50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" >50 ", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50 ", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50 ", DETECT_UINT_GT, 50, 0);

    TEST_FAIL(">>50");
    TEST_FAIL("<>50");
    TEST_FAIL(" > 50A");
    PASS;
}
68
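/* Less-than mode: whitespace before, between and after the operator and the
 * number is tolerated; a doubled operator and trailing garbage after the
 * number are rejected. */
static int DetectBsizeTest03(void)
{
    TEST_OK("<50", DETECT_UINT_LT, 50, 0);
    TEST_OK("< 50", DETECT_UINT_LT, 50, 0);
    TEST_OK("< 50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" <50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" <50 ", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50 ", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50 ", DETECT_UINT_LT, 50, 0);

    TEST_FAIL(">>50");
    /* the doubled less-than operator must be rejected on this mode's own
     * parse path, not only the doubled greater-than covered above */
    TEST_FAIL("<<50");
    TEST_FAIL(" < 50A");
    PASS;
}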
85
/* Range mode: the lower bound must be below the upper one (`100<>50` is
 * rejected), a malformed range separator is rejected, and a range cannot be
 * combined with another operator. */
static int DetectBsizeTest04(void)
{
    TEST_OK("50<>100", DETECT_UINT_RA, 50, 100);

    TEST_FAIL("50<$50");
    TEST_FAIL("100<>50");
    TEST_FAIL(">50<>100");
    PASS;
}
95
/* Drop the parser-level helpers so the rule-level TEST_OK/TEST_FAIL below can
 * be defined under the same names. */
#undef TEST_OK
#undef TEST_FAIL
98
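/* Rule-level helpers. Each one builds a fresh detection engine context and
 * tries to load `rule` into it: TEST_OK expects the signature to be accepted,
 * TEST_FAIL expects it to be rejected. The context (which owns any appended
 * signature) is freed before the verdict is checked, so a failing case does
 * not leak it the way an early FAIL_IF return would. */
#define TEST_OK(rule)                                                             \
    do {                                                                          \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                          \
        FAIL_IF_NULL(de_ctx);                                                     \
        SCLogNotice("rule: %s", (rule));                                          \
        const int sig_accepted = (DetectEngineAppendSig(de_ctx, (rule)) != NULL); \
        DetectEngineCtxFree(de_ctx);                                              \
        FAIL_IF_NOT(sig_accepted);                                                \
    } while (0)

#define TEST_FAIL(rule)                                                           \
    do {                                                                          \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                          \
        FAIL_IF_NULL(de_ctx);                                                     \
        SCLogNotice("rule: %s", (rule));                                          \
        const int sig_accepted = (DetectEngineAppendSig(de_ctx, (rule)) != NULL); \
        DetectEngineCtxFree(de_ctx);                                              \
        FAIL_IF(sig_accepted);                                                    \
    } while (0)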
118
/* Rule-level checks for the bsize keyword. The accepted rules use bsize on a
 * buffer whose content/offset constraints can fit within the declared size;
 * the rejected ones use it without a buffer, with a malformed value, or with
 * content/offset/depth/distance/within constraints that appear not to fit the
 * declared size (the engine's cross-check of bsize against those constraints
 * is what these cases exercise — verify against the keyword implementation). */
static int DetectBsizeSigTest01(void)
{
    TEST_OK("alert http any any -> any any (http_request_line; bsize:10; sid:1;)");
    TEST_OK("alert http any any -> any any (file_data; bsize:>1000; sid:2;)");

    /* bsize validation with buffer */
    TEST_OK("alert http any any -> any any (http.uri; content:\"/index.php\"; bsize:>1024; "
            "sid:6;)");
    TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<20; "
            " sid:9;)");
    TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:15<>25; "
            "sid:10;)");
    TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:10<>15; "
            "sid:13;)");

    /* no buffer selected, content modifier instead of a sticky buffer, and a
     * malformed value */
    TEST_FAIL("alert tcp any any -> any any (content:\"abc\"; bsize:10; sid:3;)");
    TEST_FAIL("alert http any any -> any any (content:\"GET\"; http_method; bsize:10; sid:4;)");
    TEST_FAIL("alert http any any -> any any (http_request_line; content:\"GET\"; bsize:<10>; "
              "sid:5;)");

    /* declared size too small for the content (14 bytes) and its position */
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:2; "
              "sid:11;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<13; "
              "sid:12;)");
    TEST_FAIL(
            "alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:1; "
            "sid:7;)");
    TEST_FAIL(
            "alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:4; "
            "sid:8;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefghi123456\"; offset:12; "
              "bsize:3; sid:14;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:3; depth:3; "
              "bsize:3; sid:15;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"gh\"; "
              "bsize:1; sid:16;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:3; bsize:3; "
              "sid:17;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:65535; bsize:3; "
              "sid:18;)");
    TEST_FAIL("alert http any any -> any any (http.user_agent; content:\"Suricata-UA\"; bsize:11; "
              "content:!\"abc\"; distance:2; within:3; sid: 19;)");
    PASS;
}
163
/* Undefine the rule-level helpers so the names do not leak past this test
 * block into the including translation unit. */
#undef TEST_OK
#undef TEST_FAIL
166
/* Register the bsize unit tests with the unittest runner, parser-level tests
 * first and the rule-level test last, in the same order as before. */
static void DetectBsizeRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectBsizeTest01 EQ", DetectBsizeTest01 },
        { "DetectBsizeTest02 GT", DetectBsizeTest02 },
        { "DetectBsizeTest03 LT", DetectBsizeTest03 },
        { "DetectBsizeTest04 RA", DetectBsizeTest04 },
        { "DetectBsizeSigTest01", DetectBsizeSigTest01 },
    };

    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        UtRegisterTest(tests[i].name, tests[i].fn);
    }
}