suricata
detect-parse.c
Go to the documentation of this file.
1/* Copyright (C) 2007-2022 Open Information Security Foundation
2 *
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
5 * Software Foundation.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15 * 02110-1301, USA.
16 */
17
18#include "../detect.h"
19#include "../detect-parse.h"
20#include "../detect-engine-port.h"
21#include "../util-unittest.h"
22#include "util-debug.h"
23#include "util-error.h"
24
25/**
26 * \test DetectParseTest01 is a regression test against a memory leak
27 * in the case of multiple signatures with different revisions
28 * Leak happened in function DetectEngineSignatureIsDuplicate
29 */
30
31static int DetectParseTest01 (void)
32{
33 DetectEngineCtx * de_ctx = DetectEngineCtxInit();
34 FAIL_IF(DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 1 version 0\"; content:\"dummy1\"; sid:1;)") == NULL);
35 DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 2 version 0\"; content:\"dummy2\"; sid:2;)");
36 DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 1 version 1\"; content:\"dummy1.1\"; sid:1; rev:1;)");
37 DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 2 version 2\"; content:\"dummy2.1\"; sid:2; rev:1;)");
38 FAIL_IF(de_ctx->sig_list->next == NULL);
39 DetectEngineCtxFree(de_ctx);
40
41 PASS;
42}
43
44/**
45 * \test DetectParseTestNoOpt is a regression test to make sure that we reject
46 * any signature where a NOOPT rule option is given a value. This can hide rule
47 * errors which make other options disappear, eg: foo: bar: baz; where "foo" is
48 * the NOOPT option, we will end up with a signature which is missing "bar".
49 */
50
51static int DetectParseTestNoOpt(void)
52{
53 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
54 FAIL_IF(DetectEngineAppendSig(de_ctx,
55 "alert http any any -> any any (msg:\"sid 1 version 0\"; "
56 "content:\"dummy1\"; endswith: reference: ref; sid:1;)") != NULL);
57 DetectEngineCtxFree(de_ctx);
58
59 PASS;
60}
61
62static int SigParseTestNegationNoWhitespace(void)
63{
64 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
65 FAIL_IF_NULL(de_ctx);
66 Signature *s = DetectEngineAppendSig(de_ctx,
67 "alert http any [30:50,!45] -> any [30:50,!45] (msg:\"sid 2 version 0\"; "
68 "content:\"dummy2\"; sid:2;)");
69 FAIL_IF_NULL(s);
70 FAIL_IF_NULL(s->sp);
71 FAIL_IF_NULL(s->dp);
72 FAIL_IF_NOT(s->sp->port == 30);
73 FAIL_IF_NOT(s->sp->port2 == 44);
74 FAIL_IF_NULL(s->sp->next);
75 FAIL_IF_NOT(s->sp->next->port == 46);
76 FAIL_IF_NOT(s->sp->next->port2 == 50);
77 FAIL_IF_NOT_NULL(s->sp->next->next);
78 DetectEngineCtxFree(de_ctx);
79 PASS;
80}
81
82// // Tests proper Signature is parsed from portstring length < 16 ie [30:50, !45]
83static int SigParseTestWhitespaceLessThan14(void)
84{
85 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
86 FAIL_IF_NULL(de_ctx);
87 Signature *s = DetectEngineAppendSig(de_ctx,
88 "alert http any [30:50, !45] -> any [30:50,!45] (msg:\"sid 2 version 0\"; "
89 "content:\"dummy2\"; sid:2;)");
90 FAIL_IF_NULL(s);
91 FAIL_IF_NULL(s->sp);
92 FAIL_IF_NULL(s->dp);
93 FAIL_IF_NOT(s->sp->port == 30);
94 FAIL_IF_NOT(s->sp->port2 == 44);
95 FAIL_IF_NULL(s->sp->next);
96 FAIL_IF_NOT(s->sp->next->port == 46);
97 FAIL_IF_NOT(s->sp->next->port2 == 50);
98 FAIL_IF_NOT_NULL(s->sp->next->next);
99 DetectEngineCtxFree(de_ctx);
100 PASS;
101}
102
103static int SigParseTestWhitespace14Spaces(void)
104{
105 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
106 FAIL_IF_NULL(de_ctx);
107 Signature *s = DetectEngineAppendSig(de_ctx,
108 "alert http any [30:50, !45] -> any [30:50,!45] (msg:\"sid 2 "
109 "version 0\"; content:\"dummy2\"; sid:2;)");
110 FAIL_IF_NULL(s);
111 FAIL_IF_NULL(s->sp);
112 FAIL_IF_NULL(s->dp);
113 FAIL_IF_NOT(s->sp->port == 30);
114 FAIL_IF_NOT(s->sp->port2 == 44);
115 FAIL_IF_NULL(s->sp->next);
116 FAIL_IF_NOT(s->sp->next->port == 46);
117 FAIL_IF_NOT(s->sp->next->port2 == 50);
118 FAIL_IF_NOT_NULL(s->sp->next->next);
119 DetectEngineCtxFree(de_ctx);
120 PASS;
121}
122
123static int SigParseTestWhitespaceMoreThan14(void)
124{
125 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
126 FAIL_IF_NULL(de_ctx);
127 Signature *s = DetectEngineAppendSig(de_ctx,
128 "alert http any [30:50, !45] -> any [30:50,!45] "
129 "(msg:\"sid 2 version 0\"; content:\"dummy2\"; sid:2;)");
130 FAIL_IF_NULL(s);
131 FAIL_IF_NULL(s->sp);
132 FAIL_IF_NULL(s->dp);
133 FAIL_IF_NOT(s->sp->port == 30);
134 FAIL_IF_NOT(s->sp->port2 == 44);
135 FAIL_IF_NULL(s->sp->next);
136 FAIL_IF_NOT(s->sp->next->port == 46);
137 FAIL_IF_NOT(s->sp->next->port2 == 50);
138 FAIL_IF_NOT_NULL(s->sp->next->next);
139 DetectEngineCtxFree(de_ctx);
140 PASS;
141}
142
143/**
144 * \brief this function registers unit tests for DetectParse
145 */
146void DetectParseRegisterTests(void)
147{
148 UtRegisterTest("DetectParseTest01", DetectParseTest01);
149 UtRegisterTest("DetectParseTestNoOpt", DetectParseTestNoOpt);
150 UtRegisterTest("SigParseTestNegationNoWhitespace", SigParseTestNegationNoWhitespace);
151 UtRegisterTest("SigParseTestWhitespaceLessThan14", SigParseTestWhitespaceLessThan14);
152 UtRegisterTest("SigParseTestWhitespace14Spaces", SigParseTestWhitespace14Spaces);
153 UtRegisterTest("SigParseTestWhitespaceMoreThan14", SigParseTestWhitespaceMoreThan14);
154}
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectParseRegisterTests
void DetectParseRegisterTests(void)
this function registers unit tests for DetectParse
Definition detect-parse.c:146
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition util-unittest.h:96
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::sig_list
Signature * sig_list
Definition detect.h:941
DetectPort_::port
uint16_t port
Definition detect.h:221
DetectPort_::port2
uint16_t port2
Definition detect.h:222
DetectPort_::next
struct DetectPort_ * next
Definition detect.h:234
Signature_
Signature container.
Definition detect.h:668
Signature_::sp
DetectPort * sp
Definition detect.h:719
Signature_::dp
DetectPort * dp
Definition detect.h:719
Signature_::next
struct Signature_ * next
Definition detect.h:750