suricata
detect-template-buffer.c
Go to the documentation of this file.
1 /* Copyright (C) 2015-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "../util-unittest.h"
19 #include "../util-unittest-helper.h"
20 #include "../app-layer-parser.h"
21 #include "../detect-engine.h"
22 #include "../detect-parse.h"
23 #include "../flow-util.h"
24 #include "../stream-tcp.h"
25 #include "../detect-engine-build.h"
26 
27 static int DetectTemplateBufferTest(void)
28 {
29  AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
30  FAIL_IF_NULL(alp_tctx);
31 
32  Flow f;
33  Packet *p;
34  TcpSession tcp;
35  ThreadVars tv;
36  Signature *s;
37 
38  uint8_t request[] = "Hello World!";
39 
40  /* Setup flow. */
41  memset(&f, 0, sizeof(Flow));
42  memset(&tcp, 0, sizeof(TcpSession));
43  memset(&tv, 0, sizeof(ThreadVars));
44  p = UTHBuildPacket(request, sizeof(request), IPPROTO_TCP);
45  FLOW_INITIALIZE(&f);
46  f.alproto = ALPROTO_TEMPLATE;
47  f.protoctx = (void *)&tcp;
48  f.proto = IPPROTO_TCP;
49  f.flags |= FLOW_IPV4;
50  p->flow = &f;
51  p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
52  p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
53  StreamTcpInitConfig(true);
54 
55  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
56  FAIL_IF_NULL(de_ctx);
57 
58  /* This rule should match. */
59  s = DetectEngineAppendSig(de_ctx,
60  "alert tcp any any -> any any ("
61  "msg:\"TEMPLATE Test Rule\"; "
62  "template_buffer; content:\"World!\"; "
63  "sid:1; rev:1;)");
64  FAIL_IF_NULL(s);
65 
66  /* This rule should not match. */
67  s = DetectEngineAppendSig(de_ctx,
68  "alert tcp any any -> any any ("
69  "msg:\"TEMPLATE Test Rule\"; "
70  "template_buffer; content:\"W0rld!\"; "
71  "sid:2; rev:1;)");
72  FAIL_IF_NULL(s);
73 
74  SigGroupBuild(de_ctx);
75 
76  DetectEngineThreadCtx *det_ctx = NULL;
77  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
78  FAIL_IF_NULL(det_ctx);
79 
80  AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TEMPLATE,
81  STREAM_TOSERVER, request, sizeof(request));
82 
83  /* Check that we have app-layer state. */
84  FAIL_IF_NULL(f.alstate);
85 
86  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
87  FAIL_IF(!PacketAlertCheck(p, 1));
88  FAIL_IF(PacketAlertCheck(p, 2));
89 
90  /* Cleanup. */
91  AppLayerParserThreadCtxFree(alp_tctx);
92  DetectEngineThreadCtxDeinit(&tv, det_ctx);
93  DetectEngineCtxFree(de_ctx);
94  StreamTcpFreeConfig(true);
95  FLOW_DESTROY(&f);
96  UTHFreePacket(p);
97 
98  PASS;
99 }
100 
101 static void DetectTemplateBufferRegisterTests(void)
102 {
103  UtRegisterTest("DetectTemplateBufferTest", DetectTemplateBufferTest);
104 }
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1022
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:373
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
Packet_::flags
uint32_t flags
Definition: decode.h:474
Flow_
Flow data structure.
Definition: flow.h:351
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:312
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:223
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
Definition: util-unittest-helper.c:340
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1897
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:468
Flow_::protoctx
void * protoctx
Definition: flow.h:441
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:97
StreamTcpInitConfig
void StreamTcpInitConfig(bool)
To initialize the stream global configuration data.
Definition: stream-tcp.c:463
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:38
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1095
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:22
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
Packet_
Definition: decode.h:437
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2149
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:291
Packet_::flow
struct Flow_ * flow
Definition: decode.h:476
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:3244
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
StreamTcpFreeConfig
void StreamTcpFreeConfig(bool quiet)
Definition: stream-tcp.c:794
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1292
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3454
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:448
Flow_::alstate
void * alstate
Definition: flow.h:476
Flow_::flags
uint32_t flags
Definition: flow.h:421
Signature_
Signature container.
Definition: detect.h:596
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:60
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:225
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:65
TcpSession_
Definition: stream-tcp-private.h:283
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:450
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1019