suricata
detect-bsize.c
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "../util-unittest.h"
19 
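/*
 * Parser-level helpers for the bsize option string.
 *
 * TEST_OK(str, m, lo, hi): DetectBsizeParse(str) must return a non-NULL
 * object whose mode equals m; the object is then released with
 * DetectBsizeFree().
 *
 * NOTE(review): lo and hi are accepted but never compared with the parsed
 * object, so only the operator is verified. A parser regression that keeps
 * the mode but stores a wrong bound would still pass, while changing what a
 * rule using bsize matches. Consider asserting the bounds too; if the bound
 * members of DetectBsizeData share the names lo/hi, rename the macro
 * parameters first so they are not substituted into the member access
 * (confirm against the struct definition).
 *
 * Both macros are wrapped in do { } while (0) so that an invocation followed
 * by ';' is exactly one statement, also inside an unbraced if/else.
 */
#define TEST_OK(str, m, lo, hi) do { \
    DetectBsizeData *bsz = DetectBsizeParse((str)); \
    FAIL_IF_NULL(bsz); \
    FAIL_IF_NOT(bsz->mode == (m)); \
    DetectBsizeFree(bsz); \
    SCLogDebug("str %s OK", (str)); \
} while (0)

/*
 * TEST_FAIL(str): DetectBsizeParse(str) must return NULL.
 * The macro contains no DetectBsizeFree() call, so an unexpectedly accepted
 * string leaves its object unreleased when the assertion trips.
 */
#define TEST_FAIL(str) do { \
    DetectBsizeData *bsz = DetectBsizeParse((str)); \
    FAIL_IF_NOT_NULL(bsz); \
} while (0)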
31 
/**
 * \test Exact-size form: a bare decimal value, with or without surrounding
 *       blanks, must parse as DETECT_BSIZE_EQ, and strings that contain
 *       letters must be rejected by the parser.
 *
 * NOTE(review): some accepted inputs are identical as listed; presumably
 * they were meant to vary the amount of whitespace. Confirm against the
 * repository copy.
 */
static int DetectBsizeTest01(void)
{
    static const char *const accepted[] = {
        "50", " 50", " 50", " 50 ", " 50 ",
    };
    static const char *const rejected[] = {
        "AA", "5A", "A5",
    };

    for (size_t i = 0; i < sizeof(accepted) / sizeof(accepted[0]); i++) {
        TEST_OK(accepted[i], DETECT_BSIZE_EQ, 50, 0);
    }

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
45 
/**
 * \test Greater-than form: '>' followed by a decimal value, with blanks
 *       allowed around the operator and the number as listed, must parse as
 *       DETECT_BSIZE_GT. A doubled operator, the range operator without a
 *       lower bound, and a value with a trailing letter must be rejected.
 *
 * NOTE(review): some accepted inputs are identical as listed; presumably
 * they were meant to vary the amount of whitespace. Confirm against the
 * repository copy.
 */
static int DetectBsizeTest02(void)
{
    static const char *const accepted[] = {
        ">50", "> 50", "> 50",
        " >50", " > 50", " > 50",
        " >50 ", " > 50 ", " > 50 ",
    };
    static const char *const rejected[] = {
        ">>50", "<>50", " > 50A",
    };

    for (size_t i = 0; i < sizeof(accepted) / sizeof(accepted[0]); i++) {
        TEST_OK(accepted[i], DETECT_BSIZE_GT, 50, 0);
    }

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
63 
/**
 * \test Less-than form: '<' followed by a decimal value, with blanks allowed
 *       around the operator and the number as listed, must parse as
 *       DETECT_BSIZE_LT. A doubled '>' operator and a value with a trailing
 *       letter must be rejected.
 *
 * NOTE(review): the doubled-operator case here is ">>50", the same string
 * the greater-than test uses; a doubled '<' is not exercised by this
 * function. Some accepted inputs are also identical as listed and presumably
 * were meant to vary the amount of whitespace. Confirm both against the
 * repository copy.
 */
static int DetectBsizeTest03(void)
{
    static const char *const accepted[] = {
        "<50", "< 50", "< 50",
        " <50", " < 50", " < 50",
        " <50 ", " < 50 ", " < 50 ",
    };
    static const char *const rejected[] = {
        ">>50", " < 50A",
    };

    for (size_t i = 0; i < sizeof(accepted) / sizeof(accepted[0]); i++) {
        TEST_OK(accepted[i], DETECT_BSIZE_LT, 50, 0);
    }

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
80 
/**
 * \test Range form: "lower<>upper" must parse as DETECT_BSIZE_RA. The parser
 *       must reject a malformed operator, a range whose first value is
 *       larger than its second, and a range prefixed with another operator.
 */
static int DetectBsizeTest04(void)
{
    static const char *const rejected[] = {
        "50<$50",   /* malformed operator */
        "100<>50",  /* first value larger than the second */
        ">50<>100", /* extra operator before the range */
    };

    TEST_OK("50<>100", DETECT_BSIZE_RA, 50, 100);

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
90 
91 #undef TEST_OK
92 #undef TEST_FAIL
93 
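/*
 * Rule-level helpers: each one builds a fresh detection engine context,
 * tries to append one complete rule, and frees the context again.
 *
 * TEST_OK(rule): DetectEngineAppendSig() must return a signature.
 * TEST_FAIL(rule): DetectEngineAppendSig() must return NULL, i.e. the rule
 * must be refused at load time.
 *
 * In both macros DetectEngineCtxFree() comes after the assertion on the
 * signature, so it is only reached when that assertion holds.
 *
 * Wrapped in do { } while (0) so that an invocation followed by ';' is
 * exactly one statement, also inside an unbraced if/else.
 */
#define TEST_OK(rule) do { \
    DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
    FAIL_IF_NULL(de_ctx); \
    Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
    FAIL_IF_NULL(s); \
    DetectEngineCtxFree(de_ctx); \
} while (0)

#define TEST_FAIL(rule) do { \
    DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
    FAIL_IF_NULL(de_ctx); \
    Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
    FAIL_IF_NOT_NULL(s); \
    DetectEngineCtxFree(de_ctx); \
} while (0)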
111 
/**
 * \test Whole-rule loading with bsize. Rules that put bsize after
 *       http_request_line or file_data must load. Rules that use it after a
 *       plain content match, after content followed by http_method, or with
 *       the malformed value "<10>" must be refused.
 *
 * NOTE(review): the refused rules with sid 3 and 4 presumably fail because
 * bsize is not preceded by a sticky buffer. Confirm against the keyword's
 * setup code. Pinning load-time refusal matters because a rule that loads
 * with a misapplied size check would give a false sense of coverage.
 */
static int DetectBsizeSigTest01(void)
{
    static const char *const loadable[] = {
        "alert http any any -> any any (http_request_line; bsize:10; sid:1;)",
        "alert http any any -> any any (file_data; bsize:>1000; sid:2;)",
    };
    static const char *const refused[] = {
        "alert tcp any any -> any any (content:\"abc\"; bsize:10; sid:3;)",
        "alert http any any -> any any (content:\"GET\"; http_method; bsize:10; sid:4;)",
        "alert http any any -> any any (http_request_line; content:\"GET\"; bsize:<10>; sid:5;)",
    };

    for (size_t i = 0; i < sizeof(loadable) / sizeof(loadable[0]); i++) {
        TEST_OK(loadable[i]);
    }

    for (size_t i = 0; i < sizeof(refused) / sizeof(refused[0]); i++) {
        TEST_FAIL(refused[i]);
    }
    PASS;
}
122 
123 #undef TEST_OK
124 #undef TEST_FAIL
125 
/**
 * \brief Register every bsize unit test in this file with the unit test
 *        framework, parser tests first and the rule-loading test last.
 */
static void DetectBsizeRegisterTests(void)
{
    static const struct {
        const char *label;
        int (*fn)(void);
    } cases[] = {
        { "DetectBsizeTest01 EQ", DetectBsizeTest01 },
        { "DetectBsizeTest02 GT", DetectBsizeTest02 },
        { "DetectBsizeTest03 LT", DetectBsizeTest03 },
        { "DetectBsizeTest04 RA", DetectBsizeTest04 },
        { "DetectBsizeSigTest01", DetectBsizeSigTest01 },
    };

    /* Registration order is the table order. */
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        UtRegisterTest(cases[i].label, cases[i].fn);
    }
}