suricata
detect-engine-dcepayload.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2010 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Anoop Saldanha <anoopsaldanha@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 #include "suricata.h"
26 
27 #include "decode.h"
28 
29 #include "detect.h"
30 #include "detect-engine.h"
31 #include "detect-parse.h"
32 #include "detect-pcre.h"
33 #include "detect-isdataat.h"
34 #include "detect-bytetest.h"
35 #include "detect-bytejump.h"
36 #include "detect-byte-extract.h"
37 #include "detect-content.h"
38 #include "detect-engine-content-inspection.h"
39 #include "detect-engine-dcepayload.h"
40 #include "detect-engine-build.h"
41 #include "app-layer-parser.h"
42 
43 #include "stream-tcp.h"
44 
45 #include "app-layer.h"
46 #include "flow-util.h"
47 #include "util-debug.h"
48 
49 #include "util-unittest.h"
50 #include "util-unittest-helper.h"
51 
52 #include "detect-dce-iface.h"
53 
54 static int g_dce_stub_data_buffer_id = 0;
55 
56 
57 /**************************************Unittests*******************************/
58 
59 #ifdef UNITTESTS
60 #include "detect-engine-alert.h"
61 
62 /**
63  * \test Test the working of byte_test endianness.
64  */
65 static int DcePayloadTest15(void)
66 {
67  uint8_t request1[] = {
68  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
69  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
70  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
71  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
72  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
73  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
74  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
75  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
76  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
77  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
78  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
79  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
80  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
81  };
82  uint32_t request1_len = sizeof(request1);
83  const char *sig1 = "alert tcp any any -> any any "
84  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
85  "byte_test:2,=,14080,0,relative,dce; sid:1;)";
86  const char *sig2 = "alert tcp any any -> any any "
87  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
88  "byte_test:2,=,46,5,relative,dce; sid:2;)";
89 
90  TcpSession ssn;
91  ThreadVars tv;
92  DetectEngineThreadCtx *det_ctx = NULL;
93  Flow f;
94 
95  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
96 
97  memset(&tv, 0, sizeof(ThreadVars));
98  memset(&f, 0, sizeof(Flow));
99  memset(&ssn, 0, sizeof(TcpSession));
100 
101  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
102  p->flow = &f;
103  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
104  p->flowflags |= FLOW_PKT_TOSERVER;
105  p->flowflags |= FLOW_PKT_ESTABLISHED;
106 
107  FLOW_INITIALIZE(&f);
108  f.protoctx = (void *)&ssn;
109  f.proto = IPPROTO_TCP;
110  f.flags |= FLOW_IPV4;
111  f.alproto = ALPROTO_DCERPC;
112 
113  StreamTcpInitConfig(true);
114 
115  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
116  FAIL_IF_NULL(de_ctx);
117  de_ctx->flags |= DE_QUIET;
118 
119  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
120  FAIL_IF_NULL(s);
121  s = DetectEngineAppendSig(de_ctx, sig2);
122  FAIL_IF_NULL(s);
123 
124  SigGroupBuild(de_ctx);
125  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
126 
127  /* request 1 */
128  int r = AppLayerParserParse(
129  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
130  FAIL_IF(r != 0);
131  /* detection phase */
132  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
133  FAIL_IF_NOT(PacketAlertCheck(p, 1));
134  FAIL_IF_NOT(PacketAlertCheck(p, 2));
135 
136  FLOW_DESTROY(&f);
137  UTHFreePackets(&p, 1);
138  AppLayerParserThreadCtxFree(alp_tctx);
139  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
140  DetectEngineCtxFree(de_ctx);
141  StreamTcpFreeConfig(true);
142  StatsThreadCleanup(&tv);
143  PASS;
144 }
145 
146 /**
147  * \test Test the working of byte_test endianness.
148  */
149 static int DcePayloadTest16(void)
150 {
151  uint8_t request1[] = {
152  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
153  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
154  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
155  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
156  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
157  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
158  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
159  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
160  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
161  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
162  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
163  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
164  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
165  };
166  uint32_t request1_len = sizeof(request1);
167  const char *sig1 = "alert tcp any any -> any any "
168  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
169  "byte_test:2,=,55,0,relative; sid:1;)";
170  const char *sig2 = "alert tcp any any -> any any "
171  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
172  "byte_test:2,=,11776,5,relative; sid:2;)";
173 
174  TcpSession ssn;
175  ThreadVars tv;
176  DetectEngineThreadCtx *det_ctx = NULL;
177  Flow f;
178 
179  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
180  memset(&tv, 0, sizeof(ThreadVars));
181  memset(&f, 0, sizeof(Flow));
182  memset(&ssn, 0, sizeof(TcpSession));
183 
184  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
185  p->flow = &f;
186  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
187  p->flowflags |= FLOW_PKT_TOSERVER;
188  p->flowflags |= FLOW_PKT_ESTABLISHED;
189 
190  FLOW_INITIALIZE(&f);
191  f.protoctx = (void *)&ssn;
192  f.proto = IPPROTO_TCP;
193  f.flags |= FLOW_IPV4;
194  f.alproto = ALPROTO_DCERPC;
195 
196  StreamTcpInitConfig(true);
197 
198  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
199  FAIL_IF_NULL(de_ctx);
200  de_ctx->flags |= DE_QUIET;
201 
202  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
203  FAIL_IF_NULL(s);
204  s = DetectEngineAppendSig(de_ctx, sig2);
205  FAIL_IF_NULL(s);
206 
207  SigGroupBuild(de_ctx);
208  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
209 
210  /* request 1 */
211  int r = AppLayerParserParse(
212  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
213  FAIL_IF(r != 0);
214  /* detection phase */
215  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
216  FAIL_IF_NOT(PacketAlertCheck(p, 1));
217  FAIL_IF_NOT(PacketAlertCheck(p, 2));
218 
219  FLOW_DESTROY(&f);
220  UTHFreePackets(&p, 1);
221  AppLayerParserThreadCtxFree(alp_tctx);
222  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
223  DetectEngineCtxFree(de_ctx);
224  StreamTcpFreeConfig(true);
225  StatsThreadCleanup(&tv);
226  PASS;
227 }
228 
229 /**
230  * \test Test the working of byte_test endianness.
231  */
232 static int DcePayloadTest17(void)
233 {
234  uint8_t request1[] = {
235  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
236  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
237  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
238  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
239  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
240  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x37, 0x00,
241  0x31, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
242  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
243  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
244  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
245  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
246  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
247  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
248  };
249  uint32_t request1_len = sizeof(request1);
250  const char *sig1 = "alert tcp any any -> any any "
251  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
252  "byte_test:2,=,55,0,relative,big; sid:1;)";
253  const char *sig2 = "alert tcp any any -> any any "
254  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
255  "byte_test:2,=,46,5,relative,little; sid:2;)";
256 
257  TcpSession ssn;
258  ThreadVars tv;
259  DetectEngineThreadCtx *det_ctx = NULL;
260  Flow f;
261 
262  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
263  memset(&tv, 0, sizeof(ThreadVars));
264  memset(&f, 0, sizeof(Flow));
265  memset(&ssn, 0, sizeof(TcpSession));
266 
267  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
268  p->flow = &f;
269  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
270  p->flowflags |= FLOW_PKT_TOSERVER;
271  p->flowflags |= FLOW_PKT_ESTABLISHED;
272 
273  FLOW_INITIALIZE(&f);
274  f.protoctx = (void *)&ssn;
275  f.proto = IPPROTO_TCP;
276  f.flags |= FLOW_IPV4;
277  f.alproto = ALPROTO_DCERPC;
278 
279  StreamTcpInitConfig(true);
280 
281  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
282  FAIL_IF_NULL(de_ctx);
283  de_ctx->flags |= DE_QUIET;
284 
285  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
286  FAIL_IF_NULL(s);
287  s = DetectEngineAppendSig(de_ctx, sig2);
288  FAIL_IF_NULL(s);
289 
290  SigGroupBuild(de_ctx);
291  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
292 
293  /* request 1 */
294  int r = AppLayerParserParse(
295  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
296  FAIL_IF(r != 0);
297  /* detection phase */
298  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
299  FAIL_IF_NOT(PacketAlertCheck(p, 1));
300  FAIL_IF_NOT(PacketAlertCheck(p, 2));
301 
302  FLOW_DESTROY(&f);
303  UTHFreePackets(&p, 1);
304  AppLayerParserThreadCtxFree(alp_tctx);
305  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
306  DetectEngineCtxFree(de_ctx);
307  StreamTcpFreeConfig(true);
308  StatsThreadCleanup(&tv);
309  PASS;
310 }
311 
312 /**
313  * \test Test the working of byte_jump endianness.
314  */
315 static int DcePayloadTest18(void)
316 {
317  uint8_t request1[] = {
318  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
319  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
320  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
321  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
322  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
323  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x03, 0x00, 0x03,
324  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
325  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
326  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
327  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
328  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
329  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
330  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
331  };
332  uint32_t request1_len = sizeof(request1);
333  const char *sig1 = "alert tcp any any -> any any "
334  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
335  "byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)";
336  const char *sig2 = "alert tcp any any -> any any "
337  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
338  "byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)";
339  TcpSession ssn;
340  ThreadVars tv;
341  DetectEngineThreadCtx *det_ctx = NULL;
342  Flow f;
343 
344  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
345  memset(&tv, 0, sizeof(ThreadVars));
346  memset(&f, 0, sizeof(Flow));
347  memset(&ssn, 0, sizeof(TcpSession));
348 
349  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
350  p->flow = &f;
351  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
352  p->flowflags |= FLOW_PKT_TOSERVER;
353  p->flowflags |= FLOW_PKT_ESTABLISHED;
354 
355  FLOW_INITIALIZE(&f);
356  f.protoctx = (void *)&ssn;
357  f.proto = IPPROTO_TCP;
358  f.flags |= FLOW_IPV4;
359  f.alproto = ALPROTO_DCERPC;
360 
361  StreamTcpInitConfig(true);
362 
363  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
364  FAIL_IF_NULL(de_ctx);
365  de_ctx->flags |= DE_QUIET;
366 
367  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
368  FAIL_IF_NULL(s);
369  s = DetectEngineAppendSig(de_ctx, sig2);
370  FAIL_IF_NULL(s);
371 
372  SigGroupBuild(de_ctx);
373  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
374 
375  /* request 1 */
376  int r = AppLayerParserParse(
377  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
378  FAIL_IF(r != 0);
379  /* detection phase */
380  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
381  FAIL_IF_NOT(PacketAlertCheck(p, 1));
382  FAIL_IF_NOT(PacketAlertCheck(p, 2));
383 
384  FLOW_DESTROY(&f);
385  UTHFreePackets(&p, 1);
386  AppLayerParserThreadCtxFree(alp_tctx);
387  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
388  DetectEngineCtxFree(de_ctx);
389  StreamTcpFreeConfig(true);
390  StatsThreadCleanup(&tv);
391  PASS;
392 }
393 
394 /**
395  * \test Test the working of byte_jump endianness.
396  */
397 static int DcePayloadTest19(void)
398 {
399  uint8_t request1[] = {
400  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
401  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
402  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
403  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
404  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
405  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x00,
406  0x03, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
407  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
408  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
409  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
410  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
411  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
412  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
413  };
414  uint32_t request1_len = sizeof(request1);
415  const char *sig1 = "alert tcp any any -> any any "
416  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
417  "byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)";
418  const char *sig2 = "alert tcp any any -> any any "
419  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
420  "byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)";
421  TcpSession ssn;
422  ThreadVars tv;
423  DetectEngineThreadCtx *det_ctx = NULL;
424  Flow f;
425 
426  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
427  memset(&tv, 0, sizeof(ThreadVars));
428  memset(&f, 0, sizeof(Flow));
429  memset(&ssn, 0, sizeof(TcpSession));
430 
431  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
432  p->flow = &f;
433  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
434  p->flowflags |= FLOW_PKT_TOSERVER;
435  p->flowflags |= FLOW_PKT_ESTABLISHED;
436 
437  FLOW_INITIALIZE(&f);
438  f.protoctx = (void *)&ssn;
439  f.proto = IPPROTO_TCP;
440  f.flags |= FLOW_IPV4;
441  f.alproto = ALPROTO_DCERPC;
442 
443  StreamTcpInitConfig(true);
444 
445  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
446  FAIL_IF_NULL(de_ctx);
447  de_ctx->flags |= DE_QUIET;
448 
449  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
450  FAIL_IF_NULL(s);
451  s = DetectEngineAppendSig(de_ctx, sig2);
452  FAIL_IF_NULL(s);
453 
454  SigGroupBuild(de_ctx);
455  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
456 
457  /* request 1 */
458  int r = AppLayerParserParse(
459  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
460  FAIL_IF(r != 0);
461  /* detection phase */
462  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
463  FAIL_IF_NOT(PacketAlertCheck(p, 1));
464  FAIL_IF_NOT(PacketAlertCheck(p, 2));
465 
466  FLOW_DESTROY(&f);
467  UTHFreePackets(&p, 1);
468  AppLayerParserThreadCtxFree(alp_tctx);
469  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
470  DetectEngineCtxFree(de_ctx);
471  StreamTcpFreeConfig(true);
472  StatsThreadCleanup(&tv);
473  PASS;
474 }
475 
476 /**
477  * \test Test the working of byte_jump endianness.
478  */
479 static int DcePayloadTest20(void)
480 {
481  uint8_t request1[] = {
482  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00,
483  0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
484  0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1a, 0x00,
485  0x76, 0x7e, 0x32, 0x00, 0x0f, 0x00, 0x00, 0x00,
486  0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00,
487  0x5c, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x03, 0x03,
488  0x00, 0x00, 0x2e, 0x00, 0x37, 0x00, 0x31, 0x00,
489  0x2e, 0x00, 0x38, 0x00, 0x34, 0x00, 0x2e, 0x00,
490  0x36, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x00,
491  0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
492  0x84, 0xf9, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00,
493  0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
494  0x14, 0xfa, 0x7f, 0x01, 0x00, 0x00, 0x00, 0x00
495  };
496  uint32_t request1_len = sizeof(request1);
497  const char *sig1 = "alert tcp any any -> any any "
498  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
499  "byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)";
500  const char *sig2 = "alert tcp any any -> any any "
501  "(dce_stub_data; content:\"|5c 00 5c 00 31|\"; distance:0; "
502  "byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)";
503  TcpSession ssn;
504  ThreadVars tv;
505  DetectEngineThreadCtx *det_ctx = NULL;
506  Flow f;
507 
508  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
509  memset(&tv, 0, sizeof(ThreadVars));
510  memset(&f, 0, sizeof(Flow));
511  memset(&ssn, 0, sizeof(TcpSession));
512 
513  Packet *p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
514  p->flow = &f;
515  p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
516  p->flowflags |= FLOW_PKT_TOSERVER;
517  p->flowflags |= FLOW_PKT_ESTABLISHED;
518 
519  FLOW_INITIALIZE(&f);
520  f.protoctx = (void *)&ssn;
521  f.proto = IPPROTO_TCP;
522  f.flags |= FLOW_IPV4;
523  f.alproto = ALPROTO_DCERPC;
524 
525  StreamTcpInitConfig(true);
526 
527  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
528  FAIL_IF_NULL(de_ctx);
529  de_ctx->flags |= DE_QUIET;
530 
531  Signature *s = DetectEngineAppendSig(de_ctx, sig1);
532  FAIL_IF_NULL(s);
533  s = DetectEngineAppendSig(de_ctx, sig2);
534  FAIL_IF_NULL(s);
535 
536  SigGroupBuild(de_ctx);
537  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
538 
539  /* request 1 */
540  int r = AppLayerParserParse(
541  NULL, alp_tctx, &f, ALPROTO_DCERPC, STREAM_TOSERVER, request1, request1_len);
542  FAIL_IF(r != 0);
543  /* detection phase */
544  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
545  FAIL_IF_NOT(PacketAlertCheck(p, 1));
546  FAIL_IF_NOT(PacketAlertCheck(p, 2));
547 
548  FLOW_DESTROY(&f);
549  UTHFreePackets(&p, 1);
550  AppLayerParserThreadCtxFree(alp_tctx);
551  DetectEngineThreadCtxDeinit(&tv, (void *)det_ctx);
552  DetectEngineCtxFree(de_ctx);
553  StreamTcpFreeConfig(true);
554  StatsThreadCleanup(&tv);
555  PASS;
556 }
557 
558 #endif /* UNITTESTS */
559 
560 void DcePayloadRegisterTests(void)
561 {
562  g_dce_stub_data_buffer_id = DetectBufferTypeGetByName("dce_stub_data");
563 
564 #ifdef UNITTESTS
565  UtRegisterTest("DcePayloadTest15", DcePayloadTest15);
566  UtRegisterTest("DcePayloadTest16", DcePayloadTest16);
567  UtRegisterTest("DcePayloadTest17", DcePayloadTest17);
568  UtRegisterTest("DcePayloadTest18", DcePayloadTest18);
569  UtRegisterTest("DcePayloadTest19", DcePayloadTest19);
570  UtRegisterTest("DcePayloadTest20", DcePayloadTest20);
571 #endif /* UNITTESTS */
572 }
detect-content.h
detect-engine.h
detect-dce-iface.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1268
ALPROTO_DCERPC
@ ALPROTO_DCERPC
Definition: app-layer-protos.h:44
flow-util.h
stream-tcp.h
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
detect-isdataat.h
Flow_::proto
uint8_t proto
Definition: flow.h:370
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:142
Packet_::flags
uint32_t flags
Definition: decode.h:544
DcePayloadRegisterTests
void DcePayloadRegisterTests(void)
Definition: detect-engine-dcepayload.c:560
Flow_
Flow data structure.
Definition: flow.h:348
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:932
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2633
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:324
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:225
DE_QUIET
#define DE_QUIET
Definition: detect.h:330
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:365
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:2416
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:3439
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:532
Flow_::protoctx
void * protoctx
Definition: flow.h:433
detect-pcre.h
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:100
util-unittest.h
util-unittest-helper.h
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectBufferTypeGetByName
int DetectBufferTypeGetByName(const char *name)
Definition: detect-engine.c:1278
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:488
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
decode.h
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:18
DetectEngineThreadCtx_
Definition: detect.h:1244
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:23
detect.h
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3360
app-layer-parser.h
Packet_
Definition: decode.h:501
detect-engine-build.h
detect-bytejump.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2185
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:297
detect-engine-content-inspection.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:546
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:859
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1291
suricata-common.h
detect-byte-extract.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3592
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
Flow_::flags
uint32_t flags
Definition: flow.h:413
detect-parse.h
Signature_
Signature container.
Definition: detect.h:668
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:227
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2594
suricata.h
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:934
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:60
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:442
detect-engine-dcepayload.h
StatsThreadCleanup
void StatsThreadCleanup(ThreadVars *tv)
Definition: counters.c:1324
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:119
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1264
app-layer.h
detect-bytetest.h
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:456