suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 #include "detect-engine-build.h"
41 #include "app-layer-parser.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "flow-util.h"
47 #include "util-debug.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 static int g_dce_stub_data_buffer_id = 0;
53 
54 
55 /**************************************Unittests*******************************/
56 
57 #ifdef UNITTESTS
58 #include "detect-engine-alert.h"
59 
60 /**
61  * \test Test the working of byte_test endianness.
62  */
63 static int DcePayloadTest15(void)
64 {
65  uint8_t request1[] = {
66  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
67  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
68  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
69  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
70  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
71  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
72  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
73  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
74  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
75  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
76  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
77  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
78  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
79  };
80  uint32_t request1_len = sizeof(request1);
81  const char *sig1 = "alert tcp any any -> any any "
82  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
83  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
84  const char *sig2 = "alert tcp any any -> any any "
85  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
86  "byte_test:2,=,46,5,relative,dce; sid:2;)";
87 
88  TcpSession ssn;
89  ThreadVars tv;
90  DetectEngineThreadCtx *det_ctx = NULL;
91  Flow f;
92 
93  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
94 
95  memset(&tv, 0, sizeof(ThreadVars));
96  StatsThreadInit(&tv.stats);
97  memset(&f, 0, sizeof(Flow));
98  memset(&ssn, 0, sizeof(TcpSession));
99 
100  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
101  p->flow = &f;
102  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
103  p->flowflags |= FLOW_PKT_TOSERVER;
104  p->flowflags |= FLOW_PKT_ESTABLISHED;
105 
106  FLOW_INITIALIZE(&f);
107  f.protoctx = (void *)&ssn;
108  f.proto = IPPROTO_TCP;
109  f.flags |= FLOW_IPV4;
110  f.alproto = ALPROTO_DCERPC;
111 
112  StreamTcpInitConfig(true);
113 
114  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
115  FAIL_IF_NULL(de_ctx);
116  de_ctx->flags |= DE_QUIET;
117 
118  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
119  FAIL_IF_NULL(s);
120  s = DetectEngineAppendSig(de_ctx, sig2);
121  FAIL_IF_NULL(s);
122 
123  SigGroupBuild(de_ctx);
124  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
125 
126  /* request 1 */
127  int r = AppLayerParserParse(
128  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
129  FAIL_IF(r != 0);
130  /* detection phase */
131  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
132  FAIL_IF_NOT(PacketAlertCheck(p, 1));
133  FAIL_IF_NOT(PacketAlertCheck(p, 2));
134 
135  FLOW_DESTROY(&f);
136  UTHFreePackets(&p, 1);
137  AppLayerParserThreadCtxFree(alp_tctx);
138  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
139  DetectEngineCtxFree(de_ctx);
140  StreamTcpFreeConfig(true);
141  StatsThreadCleanup(&tv.stats);
142  PASS;
143 }
144 
145 /**
146  * \test Test the working of byte_test endianness.
147  */
148 static int DcePayloadTest16(void)
149 {
150  uint8_t request1[] = {
151  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
152  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
153  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
154  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
155  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
156  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
157  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
158  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
159  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
160  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
161  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
162  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
163  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
164  };
165  uint32_t request1_len = sizeof(request1);
166  const char *sig1 = "alert tcp any any -> any any "
167  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
168  "byte_test:2,=,55,0,relative; sid:1;)";
169  const char *sig2 = "alert tcp any any -> any any "
170  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
171  "byte_test:2,=,11776,5,relative; sid:2;)";
172 
173  TcpSession ssn;
174  ThreadVars tv;
175  DetectEngineThreadCtx *det_ctx = NULL;
176  Flow f;
177 
178  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
179  memset(&tv, 0, sizeof(ThreadVars));
180  StatsThreadInit(&tv.stats);
181  memset(&f, 0, sizeof(Flow));
182  memset(&ssn, 0, sizeof(TcpSession));
183 
184  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
185  p->flow = &f;
186  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
187  p->flowflags |= FLOW_PKT_TOSERVER;
188  p->flowflags |= FLOW_PKT_ESTABLISHED;
189 
190  FLOW_INITIALIZE(&f);
191  f.protoctx = (void *)&ssn;
192  f.proto = IPPROTO_TCP;
193  f.flags |= FLOW_IPV4;
194  f.alproto = ALPROTO_DCERPC;
195 
196  StreamTcpInitConfig(true);
197 
198  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
199  FAIL_IF_NULL(de_ctx);
200  de_ctx->flags |= DE_QUIET;
201 
202  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
203  FAIL_IF_NULL(s);
204  s = DetectEngineAppendSig(de_ctx, sig2);
205  FAIL_IF_NULL(s);
206 
207  SigGroupBuild(de_ctx);
208  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
209 
210  /* request 1 */
211  int r = AppLayerParserParse(
212  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
213  FAIL_IF(r != 0);
214  /* detection phase */
215  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
216  FAIL_IF_NOT(PacketAlertCheck(p, 1));
217  FAIL_IF_NOT(PacketAlertCheck(p, 2));
218 
219  FLOW_DESTROY(&f);
220  UTHFreePackets(&p, 1);
221  AppLayerParserThreadCtxFree(alp_tctx);
222  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
223  DetectEngineCtxFree(de_ctx);
224  StreamTcpFreeConfig(true);
225  StatsThreadCleanup(&tv.stats);
226  PASS;
227 }
228 
229 /**
230  * \test Test the working of byte_test endianness.
231  */
232 static int DcePayloadTest17(void)
233 {
234  uint8_t request1[] = {
235  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
236  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
237  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
238  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
239  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
240  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
241  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
242  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
243  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
244  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
245  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
246  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
247  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
248  };
249  uint32_t request1_len = sizeof(request1);
250  const char *sig1 = "alert tcp any any -> any any "
251  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
252  "byte_test:2,=,55,0,relative,big; sid:1;)";
253  const char *sig2 = "alert tcp any any -> any any "
254  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
255  "byte_test:2,=,46,5,relative,little; sid:2;)";
256 
257  TcpSession ssn;
258  ThreadVars tv;
259  DetectEngineThreadCtx *det_ctx = NULL;
260  Flow f;
261 
262  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
263  memset(&tv, 0, sizeof(ThreadVars));
264  StatsThreadInit(&tv.stats);
265  memset(&f, 0, sizeof(Flow));
266  memset(&ssn, 0, sizeof(TcpSession));
267 
268  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
269  p->flow = &f;
270  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
271  p->flowflags |= FLOW_PKT_TOSERVER;
272  p->flowflags |= FLOW_PKT_ESTABLISHED;
273 
274  FLOW_INITIALIZE(&f);
275  f.protoctx = (void *)&ssn;
276  f.proto = IPPROTO_TCP;
277  f.flags |= FLOW_IPV4;
278  f.alproto = ALPROTO_DCERPC;
279 
280  StreamTcpInitConfig(true);
281 
282  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
283  FAIL_IF_NULL(de_ctx);
284  de_ctx->flags |= DE_QUIET;
285 
286  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
287  FAIL_IF_NULL(s);
288  s = DetectEngineAppendSig(de_ctx, sig2);
289  FAIL_IF_NULL(s);
290 
291  SigGroupBuild(de_ctx);
292  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
293 
294  /* request 1 */
295  int r = AppLayerParserParse(
296  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
297  FAIL_IF(r != 0);
298  /* detection phase */
299  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
300  FAIL_IF_NOT(PacketAlertCheck(p, 1));
301  FAIL_IF_NOT(PacketAlertCheck(p, 2));
302 
303  FLOW_DESTROY(&f);
304  UTHFreePackets(&p, 1);
305  AppLayerParserThreadCtxFree(alp_tctx);
306  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
307  DetectEngineCtxFree(de_ctx);
308  StreamTcpFreeConfig(true);
309  StatsThreadCleanup(&tv.stats);
310  PASS;
311 }
312 
313 /**
314  * \test Test the working of byte_jump endianness.
315  */
316 static int DcePayloadTest18(void)
317 {
318  uint8_t request1[] = {
319  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
320  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
321  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
322  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
323  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
324  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
325  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
326  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
327  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
328  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
329  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
330  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
331  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
332  };
333  uint32_t request1_len = sizeof(request1);
334  const char *sig1 = "alert tcp any any -> any any "
335  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
336  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
337  const char *sig2 = "alert tcp any any -> any any "
338  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
339  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
340  TcpSession ssn;
341  ThreadVars tv;
342  DetectEngineThreadCtx *det_ctx = NULL;
343  Flow f;
344 
345  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
346  memset(&tv, 0, sizeof(ThreadVars));
347  StatsThreadInit(&tv.stats);
348  memset(&f, 0, sizeof(Flow));
349  memset(&ssn, 0, sizeof(TcpSession));
350 
351  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
352  p->flow = &f;
353  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
354  p->flowflags |= FLOW_PKT_TOSERVER;
355  p->flowflags |= FLOW_PKT_ESTABLISHED;
356 
357  FLOW_INITIALIZE(&f);
358  f.protoctx = (void *)&ssn;
359  f.proto = IPPROTO_TCP;
360  f.flags |= FLOW_IPV4;
361  f.alproto = ALPROTO_DCERPC;
362 
363  StreamTcpInitConfig(true);
364 
365  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
366  FAIL_IF_NULL(de_ctx);
367  de_ctx->flags |= DE_QUIET;
368 
369  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
370  FAIL_IF_NULL(s);
371  s = DetectEngineAppendSig(de_ctx, sig2);
372  FAIL_IF_NULL(s);
373 
374  SigGroupBuild(de_ctx);
375  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
376 
377  /* request 1 */
378  int r = AppLayerParserParse(
379  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
380  FAIL_IF(r != 0);
381  /* detection phase */
382  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
383  FAIL_IF_NOT(PacketAlertCheck(p, 1));
384  FAIL_IF_NOT(PacketAlertCheck(p, 2));
385 
386  FLOW_DESTROY(&f);
387  UTHFreePackets(&p, 1);
388  AppLayerParserThreadCtxFree(alp_tctx);
389  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
390  DetectEngineCtxFree(de_ctx);
391  StreamTcpFreeConfig(true);
392  StatsThreadCleanup(&tv.stats);
393  PASS;
394 }
395 
396 /**
397  * \test Test the working of byte_jump endianness.
398  */
399 static int DcePayloadTest19(void)
400 {
401  uint8_t request1[] = {
402  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
403  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
404  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
405  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
406  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
407  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
408  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
409  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
410  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
411  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
412  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
413  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
414  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
415  };
416  uint32_t request1_len = sizeof(request1);
417  const char *sig1 = "alert tcp any any -> any any "
418  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
419  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
420  const char *sig2 = "alert tcp any any -> any any "
421  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
422  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
423  TcpSession ssn;
424  ThreadVars tv;
425  DetectEngineThreadCtx *det_ctx = NULL;
426  Flow f;
427 
428  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
429  memset(&tv, 0, sizeof(ThreadVars));
430  StatsThreadInit(&tv.stats);
431  memset(&f, 0, sizeof(Flow));
432  memset(&ssn, 0, sizeof(TcpSession));
433 
434  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
435  p->flow = &f;
436  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
437  p->flowflags |= FLOW_PKT_TOSERVER;
438  p->flowflags |= FLOW_PKT_ESTABLISHED;
439 
440  FLOW_INITIALIZE(&f);
441  f.protoctx = (void *)&ssn;
442  f.proto = IPPROTO_TCP;
443  f.flags |= FLOW_IPV4;
444  f.alproto = ALPROTO_DCERPC;
445 
446  StreamTcpInitConfig(true);
447 
448  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
449  FAIL_IF_NULL(de_ctx);
450  de_ctx->flags |= DE_QUIET;
451 
452  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
453  FAIL_IF_NULL(s);
454  s = DetectEngineAppendSig(de_ctx, sig2);
455  FAIL_IF_NULL(s);
456 
457  SigGroupBuild(de_ctx);
458  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
459 
460  /* request 1 */
461  int r = AppLayerParserParse(
462  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
463  FAIL_IF(r != 0);
464  /* detection phase */
465  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
466  FAIL_IF_NOT(PacketAlertCheck(p, 1));
467  FAIL_IF_NOT(PacketAlertCheck(p, 2));
468 
469  FLOW_DESTROY(&f);
470  UTHFreePackets(&p, 1);
471  AppLayerParserThreadCtxFree(alp_tctx);
472  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
473  DetectEngineCtxFree(de_ctx);
474  StreamTcpFreeConfig(true);
475  StatsThreadCleanup(&tv.stats);
476  PASS;
477 }
478 
479 /**
480  * \test Test the working of byte_jump endianness.
481  */
482 static int DcePayloadTest20(void)
483 {
484  uint8_t request1[] = {
485  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
486  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
487  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
488  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
489  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
490  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
491  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
492  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
493  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
494  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
495  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
496  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
497  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
498  };
499  uint32_t request1_len = sizeof(request1);
500  const char *sig1 = "alert tcp any any -> any any "
501  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
502  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
503  const char *sig2 = "alert tcp any any -> any any "
504  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
505  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
506  TcpSession ssn;
507  ThreadVars tv;
508  DetectEngineThreadCtx *det_ctx = NULL;
509  Flow f;
510 
511  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
512  memset(&tv, 0, sizeof(ThreadVars));
513  StatsThreadInit(&tv.stats);
514  memset(&f, 0, sizeof(Flow));
515  memset(&ssn, 0, sizeof(TcpSession));
516 
517  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
518  p->flow = &f;
519  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
520  p->flowflags |= FLOW_PKT_TOSERVER;
521  p->flowflags |= FLOW_PKT_ESTABLISHED;
522 
523  FLOW_INITIALIZE(&f);
524  f.protoctx = (void *)&ssn;
525  f.proto = IPPROTO_TCP;
526  f.flags |= FLOW_IPV4;
527  f.alproto = ALPROTO_DCERPC;
528 
529  StreamTcpInitConfig(true);
530 
531  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
532  FAIL_IF_NULL(de_ctx);
533  de_ctx->flags |= DE_QUIET;
534 
535  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
536  FAIL_IF_NULL(s);
537  s = DetectEngineAppendSig(de_ctx, sig2);
538  FAIL_IF_NULL(s);
539 
540  SigGroupBuild(de_ctx);
541  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
542 
543  /* request 1 */
544  int r = AppLayerParserParse(
545  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
546  FAIL_IF(r != 0);
547  /* detection phase */
548  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
549  FAIL_IF_NOT(PacketAlertCheck(p, 1));
550  FAIL_IF_NOT(PacketAlertCheck(p, 2));
551 
552  FLOW_DESTROY(&f);
553  UTHFreePackets(&p, 1);
554  AppLayerParserThreadCtxFree(alp_tctx);
555  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
556  DetectEngineCtxFree(de_ctx);
557  StreamTcpFreeConfig(true);
558  StatsThreadCleanup(&tv.stats);
559  PASS;
560 }
561 
562 #endif /* UNITTESTS */
563 
564 void DcePayloadRegisterTests(void)
565 {
566  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
567 
568 #ifdef UNITTESTS
569  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
570  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
571  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
572  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
573  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
574  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
575 #endif /* UNITTESTS */
576 }
detect-content.h
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
Flow_::flags
uint64_t flags
Definition: flow.h:396
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1293
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
detect-isdataat.h
Flow_::proto
uint8_t proto
Definition: flow.h:369
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:143
Packet_::flags
uint32_t flags
Definition: decode.h:551
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:564
Flow_
Flow data structure.
Definition: flow.h:347
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:937
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2652
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:224
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2435
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3478
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:536
Flow_::protoctx
void * protoctx
Definition: flow.h:426
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:99
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:498
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
DetectEngineThreadCtx_
Definition: detect.h:1252
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:24
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3386
app-layer-parser.h
Packet_
Definition: decode.h:505
detect-engine-build.h
detect-bytejump.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2274
StatsThreadInit
void StatsThreadInit(StatsThreadContext *stats)
Definition: counters.c:1331
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:553
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:869
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1315
suricata-common.h
detect-byte-extract.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3625
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:33
detect-parse.h
Signature_
Signature container.
Definition: detect.h:672
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:226
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2613
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:939
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:443
detect-engine-dcepayload.h
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
StatsThreadCleanup
void StatsThreadCleanup(StatsThreadContext *stats)
Definition: counters.c:1427
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1289
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456