suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 #include "detect-engine-build.h"
41 #include "app-layer-parser.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "flow-util.h"
47 #include "util-debug.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 #include "detect-dce-iface.h"
53 
54 static int g_dce_stub_data_buffer_id = 0;
55 
56 
57 /**************************************Unittests*******************************/
58 
59 #ifdef UNITTESTS
60 #include "detect-engine-alert.h"
61 
62 /**
63  * \test Test the working of byte_test endianness.
64  */
65 static int DcePayloadTest15(void)
66 {
67  uint8_t request1[] = {
68  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
69  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
70  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
71  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
72  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
73  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
74  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
75  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
76  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
77  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
78  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
79  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
80  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
81  };
82  uint32_t request1_len = sizeof(request1);
83  const char *sig1 = "alert tcp any any -> any any "
84  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
85  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
86  const char *sig2 = "alert tcp any any -> any any "
87  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
88  "byte_test:2,=,46,5,relative,dce; sid:2;)";
89 
90  TcpSession ssn;
91  ThreadVars tv;
92  DetectEngineThreadCtx *det_ctx = NULL;
93  Flow f;
94 
95  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
96 
97  memset(&tv, 0, sizeof(ThreadVars));
98  StatsThreadInit(&tv.stats);
99  memset(&f, 0, sizeof(Flow));
100  memset(&ssn, 0, sizeof(TcpSession));
101 
102  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
103  p->flow = &f;
104  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
105  p->flowflags |= FLOW_PKT_TOSERVER;
106  p->flowflags |= FLOW_PKT_ESTABLISHED;
107 
108  FLOW_INITIALIZE(&f);
109  f.protoctx = (void *)&ssn;
110  f.proto = IPPROTO_TCP;
111  f.flags |= FLOW_IPV4;
112  f.alproto = ALPROTO_DCERPC;
113 
114  StreamTcpInitConfig(true);
115 
116  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
117  FAIL_IF_NULL(de_ctx);
118  de_ctx->flags |= DE_QUIET;
119 
120  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
121  FAIL_IF_NULL(s);
122  s = DetectEngineAppendSig(de_ctx, sig2);
123  FAIL_IF_NULL(s);
124 
125  SigGroupBuild(de_ctx);
126  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
127 
128  /* request 1 */
129  int r = AppLayerParserParse(
130  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
131  FAIL_IF(r != 0);
132  /* detection phase */
133  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
134  FAIL_IF_NOT(PacketAlertCheck(p, 1));
135  FAIL_IF_NOT(PacketAlertCheck(p, 2));
136 
137  FLOW_DESTROY(&f);
138  UTHFreePackets(&p, 1);
139  AppLayerParserThreadCtxFree(alp_tctx);
140  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
141  DetectEngineCtxFree(de_ctx);
142  StreamTcpFreeConfig(true);
143  StatsThreadCleanup(&tv.stats);
144  PASS;
145 }
146 
147 /**
148  * \test Test the working of byte_test endianness.
149  */
150 static int DcePayloadTest16(void)
151 {
152  uint8_t request1[] = {
153  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
154  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
155  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
156  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
157  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
158  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
159  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
160  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
161  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
162  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
163  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
164  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
165  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
166  };
167  uint32_t request1_len = sizeof(request1);
168  const char *sig1 = "alert tcp any any -> any any "
169  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
170  "byte_test:2,=,55,0,relative; sid:1;)";
171  const char *sig2 = "alert tcp any any -> any any "
172  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
173  "byte_test:2,=,11776,5,relative; sid:2;)";
174 
175  TcpSession ssn;
176  ThreadVars tv;
177  DetectEngineThreadCtx *det_ctx = NULL;
178  Flow f;
179 
180  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
181  memset(&tv, 0, sizeof(ThreadVars));
182  StatsThreadInit(&tv.stats);
183  memset(&f, 0, sizeof(Flow));
184  memset(&ssn, 0, sizeof(TcpSession));
185 
186  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
187  p->flow = &f;
188  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
189  p->flowflags |= FLOW_PKT_TOSERVER;
190  p->flowflags |= FLOW_PKT_ESTABLISHED;
191 
192  FLOW_INITIALIZE(&f);
193  f.protoctx = (void *)&ssn;
194  f.proto = IPPROTO_TCP;
195  f.flags |= FLOW_IPV4;
196  f.alproto = ALPROTO_DCERPC;
197 
198  StreamTcpInitConfig(true);
199 
200  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
201  FAIL_IF_NULL(de_ctx);
202  de_ctx->flags |= DE_QUIET;
203 
204  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
205  FAIL_IF_NULL(s);
206  s = DetectEngineAppendSig(de_ctx, sig2);
207  FAIL_IF_NULL(s);
208 
209  SigGroupBuild(de_ctx);
210  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
211 
212  /* request 1 */
213  int r = AppLayerParserParse(
214  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
215  FAIL_IF(r != 0);
216  /* detection phase */
217  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
218  FAIL_IF_NOT(PacketAlertCheck(p, 1));
219  FAIL_IF_NOT(PacketAlertCheck(p, 2));
220 
221  FLOW_DESTROY(&f);
222  UTHFreePackets(&p, 1);
223  AppLayerParserThreadCtxFree(alp_tctx);
224  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
225  DetectEngineCtxFree(de_ctx);
226  StreamTcpFreeConfig(true);
227  StatsThreadCleanup(&tv.stats);
228  PASS;
229 }
230 
231 /**
232  * \test Test the working of byte_test endianness.
233  */
234 static int DcePayloadTest17(void)
235 {
236  uint8_t request1[] = {
237  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
238  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
239  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
240  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
241  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
242  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
243  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
244  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
245  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
246  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
247  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
248  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
249  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
250  };
251  uint32_t request1_len = sizeof(request1);
252  const char *sig1 = "alert tcp any any -> any any "
253  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
254  "byte_test:2,=,55,0,relative,big; sid:1;)";
255  const char *sig2 = "alert tcp any any -> any any "
256  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
257  "byte_test:2,=,46,5,relative,little; sid:2;)";
258 
259  TcpSession ssn;
260  ThreadVars tv;
261  DetectEngineThreadCtx *det_ctx = NULL;
262  Flow f;
263 
264  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
265  memset(&tv, 0, sizeof(ThreadVars));
266  StatsThreadInit(&tv.stats);
267  memset(&f, 0, sizeof(Flow));
268  memset(&ssn, 0, sizeof(TcpSession));
269 
270  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
271  p->flow = &f;
272  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
273  p->flowflags |= FLOW_PKT_TOSERVER;
274  p->flowflags |= FLOW_PKT_ESTABLISHED;
275 
276  FLOW_INITIALIZE(&f);
277  f.protoctx = (void *)&ssn;
278  f.proto = IPPROTO_TCP;
279  f.flags |= FLOW_IPV4;
280  f.alproto = ALPROTO_DCERPC;
281 
282  StreamTcpInitConfig(true);
283 
284  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
285  FAIL_IF_NULL(de_ctx);
286  de_ctx->flags |= DE_QUIET;
287 
288  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
289  FAIL_IF_NULL(s);
290  s = DetectEngineAppendSig(de_ctx, sig2);
291  FAIL_IF_NULL(s);
292 
293  SigGroupBuild(de_ctx);
294  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
295 
296  /* request 1 */
297  int r = AppLayerParserParse(
298  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
299  FAIL_IF(r != 0);
300  /* detection phase */
301  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
302  FAIL_IF_NOT(PacketAlertCheck(p, 1));
303  FAIL_IF_NOT(PacketAlertCheck(p, 2));
304 
305  FLOW_DESTROY(&f);
306  UTHFreePackets(&p, 1);
307  AppLayerParserThreadCtxFree(alp_tctx);
308  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
309  DetectEngineCtxFree(de_ctx);
310  StreamTcpFreeConfig(true);
311  StatsThreadCleanup(&tv.stats);
312  PASS;
313 }
314 
315 /**
316  * \test Test the working of byte_jump endianness.
317  */
318 static int DcePayloadTest18(void)
319 {
320  uint8_t request1[] = {
321  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
322  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
323  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
324  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
325  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
326  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
327  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
328  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
329  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
330  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
331  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
332  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
333  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
334  };
335  uint32_t request1_len = sizeof(request1);
336  const char *sig1 = "alert tcp any any -> any any "
337  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
338  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
339  const char *sig2 = "alert tcp any any -> any any "
340  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
341  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
342  TcpSession ssn;
343  ThreadVars tv;
344  DetectEngineThreadCtx *det_ctx = NULL;
345  Flow f;
346 
347  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
348  memset(&tv, 0, sizeof(ThreadVars));
349  StatsThreadInit(&tv.stats);
350  memset(&f, 0, sizeof(Flow));
351  memset(&ssn, 0, sizeof(TcpSession));
352 
353  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
354  p->flow = &f;
355  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
356  p->flowflags |= FLOW_PKT_TOSERVER;
357  p->flowflags |= FLOW_PKT_ESTABLISHED;
358 
359  FLOW_INITIALIZE(&f);
360  f.protoctx = (void *)&ssn;
361  f.proto = IPPROTO_TCP;
362  f.flags |= FLOW_IPV4;
363  f.alproto = ALPROTO_DCERPC;
364 
365  StreamTcpInitConfig(true);
366 
367  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
368  FAIL_IF_NULL(de_ctx);
369  de_ctx->flags |= DE_QUIET;
370 
371  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
372  FAIL_IF_NULL(s);
373  s = DetectEngineAppendSig(de_ctx, sig2);
374  FAIL_IF_NULL(s);
375 
376  SigGroupBuild(de_ctx);
377  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
378 
379  /* request 1 */
380  int r = AppLayerParserParse(
381  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
382  FAIL_IF(r != 0);
383  /* detection phase */
384  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
385  FAIL_IF_NOT(PacketAlertCheck(p, 1));
386  FAIL_IF_NOT(PacketAlertCheck(p, 2));
387 
388  FLOW_DESTROY(&f);
389  UTHFreePackets(&p, 1);
390  AppLayerParserThreadCtxFree(alp_tctx);
391  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
392  DetectEngineCtxFree(de_ctx);
393  StreamTcpFreeConfig(true);
394  StatsThreadCleanup(&tv.stats);
395  PASS;
396 }
397 
398 /**
399  * \test Test the working of byte_jump endianness.
400  */
401 static int DcePayloadTest19(void)
402 {
403  uint8_t request1[] = {
404  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
405  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
406  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
407  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
408  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
409  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
410  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
411  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
412  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
413  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
414  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
415  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
416  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
417  };
418  uint32_t request1_len = sizeof(request1);
419  const char *sig1 = "alert tcp any any -> any any "
420  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
421  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
422  const char *sig2 = "alert tcp any any -> any any "
423  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
424  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
425  TcpSession ssn;
426  ThreadVars tv;
427  DetectEngineThreadCtx *det_ctx = NULL;
428  Flow f;
429 
430  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
431  memset(&tv, 0, sizeof(ThreadVars));
432  StatsThreadInit(&tv.stats);
433  memset(&f, 0, sizeof(Flow));
434  memset(&ssn, 0, sizeof(TcpSession));
435 
436  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
437  p->flow = &f;
438  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
439  p->flowflags |= FLOW_PKT_TOSERVER;
440  p->flowflags |= FLOW_PKT_ESTABLISHED;
441 
442  FLOW_INITIALIZE(&f);
443  f.protoctx = (void *)&ssn;
444  f.proto = IPPROTO_TCP;
445  f.flags |= FLOW_IPV4;
446  f.alproto = ALPROTO_DCERPC;
447 
448  StreamTcpInitConfig(true);
449 
450  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
451  FAIL_IF_NULL(de_ctx);
452  de_ctx->flags |= DE_QUIET;
453 
454  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
455  FAIL_IF_NULL(s);
456  s = DetectEngineAppendSig(de_ctx, sig2);
457  FAIL_IF_NULL(s);
458 
459  SigGroupBuild(de_ctx);
460  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
461 
462  /* request 1 */
463  int r = AppLayerParserParse(
464  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
465  FAIL_IF(r != 0);
466  /* detection phase */
467  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
468  FAIL_IF_NOT(PacketAlertCheck(p, 1));
469  FAIL_IF_NOT(PacketAlertCheck(p, 2));
470 
471  FLOW_DESTROY(&f);
472  UTHFreePackets(&p, 1);
473  AppLayerParserThreadCtxFree(alp_tctx);
474  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
475  DetectEngineCtxFree(de_ctx);
476  StreamTcpFreeConfig(true);
477  StatsThreadCleanup(&tv.stats);
478  PASS;
479 }
480 
481 /**
482  * \test Test the working of byte_jump endianness.
483  */
484 static int DcePayloadTest20(void)
485 {
486  uint8_t request1[] = {
487  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
488  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
489  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
490  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
491  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
492  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
493  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
494  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
495  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
496  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
497  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
498  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
499  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
500  };
501  uint32_t request1_len = sizeof(request1);
502  const char *sig1 = "alert tcp any any -> any any "
503  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
504  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
505  const char *sig2 = "alert tcp any any -> any any "
506  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
507  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
508  TcpSession ssn;
509  ThreadVars tv;
510  DetectEngineThreadCtx *det_ctx = NULL;
511  Flow f;
512 
513  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
514  memset(&tv, 0, sizeof(ThreadVars));
515  StatsThreadInit(&tv.stats);
516  memset(&f, 0, sizeof(Flow));
517  memset(&ssn, 0, sizeof(TcpSession));
518 
519  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
520  p->flow = &f;
521  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
522  p->flowflags |= FLOW_PKT_TOSERVER;
523  p->flowflags |= FLOW_PKT_ESTABLISHED;
524 
525  FLOW_INITIALIZE(&f);
526  f.protoctx = (void *)&ssn;
527  f.proto = IPPROTO_TCP;
528  f.flags |= FLOW_IPV4;
529  f.alproto = ALPROTO_DCERPC;
530 
531  StreamTcpInitConfig(true);
532 
533  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
534  FAIL_IF_NULL(de_ctx);
535  de_ctx->flags |= DE_QUIET;
536 
537  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
538  FAIL_IF_NULL(s);
539  s = DetectEngineAppendSig(de_ctx, sig2);
540  FAIL_IF_NULL(s);
541 
542  SigGroupBuild(de_ctx);
543  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
544 
545  /* request 1 */
546  int r = AppLayerParserParse(
547  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
548  FAIL_IF(r != 0);
549  /* detection phase */
550  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
551  FAIL_IF_NOT(PacketAlertCheck(p, 1));
552  FAIL_IF_NOT(PacketAlertCheck(p, 2));
553 
554  FLOW_DESTROY(&f);
555  UTHFreePackets(&p, 1);
556  AppLayerParserThreadCtxFree(alp_tctx);
557  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
558  DetectEngineCtxFree(de_ctx);
559  StreamTcpFreeConfig(true);
560  StatsThreadCleanup(&tv.stats);
561  PASS;
562 }
563 
564 #endif /* UNITTESTS */
565 
566 void DcePayloadRegisterTests(void)
567 {
568  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
569 
570 #ifdef UNITTESTS
571  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
572  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
573  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
574  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
575  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
576  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
577 #endif /* UNITTESTS */
578 }
detect-content.h
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
detect-isdataat.h
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:566
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2634
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2418
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3447
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:496
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectEngineThreadCtx_
Definition: detect.h:1245
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3364
app-layer-parser.h
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-bytejump.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2194
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1258
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:867
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1277
suricata-common.h
detect-byte-extract.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
Flow_::flags
uint32_t flags
Definition: flow.h:413
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2595
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:935
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
detect-engine-dcepayload.h
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1354
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456