suricata
detect-ttl.c
Go to the documentation of this file.
1
2/* Copyright (C) 2007-2018 Open Information Security Foundation
3 *
4 * You can copy, redistribute or modify this Program under the terms of
5 * the GNU General Public License version 2 as published by the Free
6 * Software Foundation.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License
14 * version 2 along with this program; if not, write to the Free Software
15 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
16 * 02110-1301, USA.
17 */
18
19#include "../util-unittest.h"
20#include "../util-unittest-helper.h"
21#include "detect-engine.h"
22#include "detect-engine-alert.h"
23#include "detect-engine-build.h"
24
25/**
26 * \test DetectTtlParseTest01 is a test for setting up an valid ttl value.
27 */
28
29static int DetectTtlParseTest01 (void)
30{
31 DetectU8Data *ttld = DetectU8Parse("10");
32 FAIL_IF_NULL(ttld);
33 FAIL_IF_NOT(ttld->arg1 == 10);
34 FAIL_IF_NOT(ttld->mode == DETECT_UINT_EQ);
35 DetectTtlFree(NULL, ttld);
36 PASS;
37}
38
39/**
40 * \test DetectTtlParseTest02 is a test for setting up an valid ttl value with
41 * "<" operator.
42 */
43
44static int DetectTtlParseTest02 (void)
45{
46 DetectU8Data *ttld = DetectU8Parse("<10");
47 FAIL_IF_NULL(ttld);
48 FAIL_IF_NOT(ttld->arg1 == 10);
49 FAIL_IF_NOT(ttld->mode == DETECT_UINT_LT);
50 DetectTtlFree(NULL, ttld);
51 PASS;
52}
53
54/**
55 * \test DetectTtlParseTest03 is a test for setting up an valid ttl values with
56 * "-" operator.
57 */
58
59static int DetectTtlParseTest03 (void)
60{
61 DetectU8Data *ttld = DetectU8Parse("1-3");
62 FAIL_IF_NULL(ttld);
63 FAIL_IF_NOT(ttld->arg1 == 1);
64 FAIL_IF_NOT(ttld->arg2 == 3);
65 FAIL_IF_NOT(ttld->mode == DETECT_UINT_RA);
66 DetectTtlFree(NULL, ttld);
67 PASS;
68}
69
70/**
71 * \test DetectTtlParseTest04 is a test for setting up an valid ttl value with
72 * ">" operator and include spaces arround the given values.
73 */
74
75static int DetectTtlParseTest04 (void)
76{
77 DetectU8Data *ttld = DetectU8Parse(" > 10 ");
78 FAIL_IF_NULL(ttld);
79 FAIL_IF_NOT(ttld->arg1 == 10);
80 FAIL_IF_NOT(ttld->mode == DETECT_UINT_GT);
81 DetectTtlFree(NULL, ttld);
82 PASS;
83}
84
85/**
86 * \test DetectTtlParseTest05 is a test for setting up an valid ttl values with
87 * "-" operator and include spaces arround the given values.
88 */
89
90static int DetectTtlParseTest05 (void)
91{
92 DetectU8Data *ttld = DetectU8Parse(" 1 - 3 ");
93 FAIL_IF_NULL(ttld);
94 FAIL_IF_NOT(ttld->arg1 == 1);
95 FAIL_IF_NOT(ttld->arg2 == 3);
96 FAIL_IF_NOT(ttld->mode == DETECT_UINT_RA);
97 DetectTtlFree(NULL, ttld);
98 PASS;
99}
100
101/**
102 * \test DetectTtlParseTest06 is a test for setting up an valid ttl values with
103 * invalid "=" operator and include spaces arround the given values.
104 */
105
106static int DetectTtlParseTest06 (void)
107{
108 DetectU8Data *ttld = DetectU8Parse(" 1 = 2 ");
109 FAIL_IF_NOT_NULL(ttld);
110 PASS;
111}
112
113/**
114 * \test DetectTtlParseTest07 is a test for setting up an valid ttl values with
115 * invalid "<>" operator and include spaces arround the given values.
116 */
117
118static int DetectTtlParseTest07 (void)
119{
120 DetectU8Data *ttld = DetectU8Parse(" 1<>2 ");
121 FAIL_IF_NOT_NULL(ttld);
122 PASS;
123}
124
125/**
126 * \test DetectTtlSetupTest01 is a test for setting up an valid ttl values with
127 * valid "-" operator and include spaces arround the given values. In the
128 * test the values are setup with initializing the detection engine context
129 * setting up the signature itself.
130 */
131
132static int DetectTtlSetupTest01(void)
133{
134 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
135 FAIL_IF_NULL(de_ctx);
136 de_ctx->flags |= DE_QUIET;
137
138 Signature *s = DetectEngineAppendSig(
139 de_ctx, "alert ip any any -> any any (msg:\"with in ttl limit\"; ttl:1 - 3; sid:1;)");
140 FAIL_IF_NULL(s);
141 SigGroupBuild(de_ctx);
142 FAIL_IF_NULL(s->sm_arrays[DETECT_SM_LIST_MATCH]);
143 FAIL_IF_NULL(s->sm_arrays[DETECT_SM_LIST_MATCH]->ctx);
144 DetectU8Data *ttld = (DetectU8Data *)s->sm_arrays[DETECT_SM_LIST_MATCH]->ctx;
145
146 FAIL_IF_NOT(ttld->arg1 == 1);
147 FAIL_IF_NOT(ttld->arg2 == 3);
148 FAIL_IF_NOT(ttld->mode == DETECT_UINT_RA);
149 DetectEngineCtxFree(de_ctx);
150 PASS;
151}
152
153/**
154 * \test DetectTtlTestSig01 is a test for checking the working of ttl keyword
155 * by setting up the signature and later testing its working by matching
156 * the received packet against the sig.
157 */
158
159static int DetectTtlTestSig1(void)
160{
161 Packet *p = PacketGetFromAlloc();
162 FAIL_IF_NULL(p);
163 Signature *s = NULL;
164 ThreadVars th_v;
165 DetectEngineThreadCtx *det_ctx;
166 IPV4Hdr ip4h;
167
168 memset(&th_v, 0, sizeof(th_v));
169 memset(&ip4h, 0, sizeof(ip4h));
170
171 p->src.family = AF_INET;
172 p->dst.family = AF_INET;
173 p->proto = IPPROTO_TCP;
174 ip4h.ip_ttl = 15;
175 UTHSetIPV4Hdr(p, &ip4h);
176
177 DetectEngineCtx *de_ctx = DetectEngineCtxInit();
178 FAIL_IF_NULL(de_ctx);
179 de_ctx->flags |= DE_QUIET;
180
181 s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"with in ttl limit\"; ttl: >16; sid:1;)");
182 FAIL_IF_NULL(s);
183
184 s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Less than 17\"; ttl: <17; sid:2;)");
185 FAIL_IF_NULL(s);
186
187 s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Greater than 5\"; ttl:15; sid:3;)");
188 FAIL_IF_NULL(s);
189
190 s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Equals tcp\"; ttl: 1-30; sid:4;)");
191 FAIL_IF_NULL(s);
192
193 SigGroupBuild(de_ctx);
194 DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
195
196 SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
197 FAIL_IF(PacketAlertCheck(p, 1));
198 FAIL_IF_NOT(PacketAlertCheck(p, 2));
199 FAIL_IF_NOT(PacketAlertCheck(p, 3));
200 FAIL_IF_NOT(PacketAlertCheck(p, 4));
201
202 DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
203 DetectEngineCtxFree(de_ctx);
204
205 SCFree(p);
206 PASS;
207}
208
209/**
210 * \brief this function registers unit tests for DetectTtl
211 */
212void DetectTtlRegisterTests(void)
213{
214 UtRegisterTest("DetectTtlParseTest01", DetectTtlParseTest01);
215 UtRegisterTest("DetectTtlParseTest02", DetectTtlParseTest02);
216 UtRegisterTest("DetectTtlParseTest03", DetectTtlParseTest03);
217 UtRegisterTest("DetectTtlParseTest04", DetectTtlParseTest04);
218 UtRegisterTest("DetectTtlParseTest05", DetectTtlParseTest05);
219 UtRegisterTest("DetectTtlParseTest06", DetectTtlParseTest06);
220 UtRegisterTest("DetectTtlParseTest07", DetectTtlParseTest07);
221 UtRegisterTest("DetectTtlSetupTest01", DetectTtlSetupTest01);
222 UtRegisterTest("DetectTtlTestSig1", DetectTtlTestSig1);
223}
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition detect-engine-alert.c:142
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition detect-engine-build.c:2204
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition detect-engine.c:2602
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition detect-engine.c:2641
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition detect-parse.c:3437
DetectU8Parse
DetectUintData_u8 * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition detect-engine-uint.c:85
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition detect-engine-uint.h:37
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition detect-engine-uint.h:35
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition detect-engine-uint.h:32
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition detect-engine-uint.h:34
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition detect-engine-uint.h:43
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition detect-engine.c:3372
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition detect-engine.c:3608
DetectTtlFree
void DetectTtlFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectU8Data
Definition detect-ttl.c:132
DetectTtlRegisterTests
void DetectTtlRegisterTests(void)
this function registers unit tests for DetectTtl
Definition detect-ttl.c:212
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition detect.c:2420
DE_QUIET
#define DE_QUIET
Definition detect.h:330
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition detect.h:117
de_ctx
DetectEngineCtx * de_ctx
Definition fuzz_siginit.c:18
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition util-unittest.h:89
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition util-unittest.c:103
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition util-unittest.h:82
PASS
#define PASS
Pass the test.
Definition util-unittest.h:105
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition util-unittest.h:71
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition util-unittest.h:96
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition decode.c:258
Address_::family
char family
Definition decode.h:113
DetectEngineCtx_
main detection engine ctx
Definition detect.h:932
DetectEngineCtx_::flags
uint8_t flags
Definition detect.h:934
DetectEngineThreadCtx_
Definition detect.h:1244
IPV4Hdr_
Definition decode-ipv4.h:72
IPV4Hdr_::ip_ttl
uint8_t ip_ttl
Definition decode-ipv4.h:78
Packet_
Definition decode.h:501
Packet_::src
Address src
Definition decode.h:505
Packet_::dst
Address dst
Definition decode.h:506
Packet_::proto
uint8_t proto
Definition decode.h:523
SigMatchData_::ctx
SigMatchCtx * ctx
Definition detect.h:368
Signature_
Signature container.
Definition detect.h:668
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition detect.h:731
ThreadVars_
Per thread variable structure.
Definition threadvars.h:58
SCFree
#define SCFree(p)
Definition util-mem.h:61
UTHSetIPV4Hdr
void UTHSetIPV4Hdr(Packet *p, IPV4Hdr *ip4h)
Definition util-unittest-helper.c:126