suricata
detect-bsize.c
1 /* Copyright (C) 2017 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "../util-unittest.h"
19 
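/*
 * Parser-level helpers for the bsize option string.
 *
 * TEST_OK(str, m, lo, hi): parse `str` with DetectBsizeParse(), require a
 * non-NULL result whose mode equals `m`, then release the result with
 * DetectBsizeFree().
 *
 * TEST_FAIL(str): parse `str` and require that the parser returns NULL.
 *
 * Both are wrapped in do { ... } while (0) so an invocation followed by ';'
 * is a single statement and stays safe inside an unbraced if/else.
 *
 * NOTE(review): `lo` and `hi` are accepted but never used in the expansion;
 * only the mode is asserted. A parser change that stored a wrong bound would
 * still pass every TEST_OK below, so the size a rule actually matches on is
 * not covered here. Asserting the parsed bounds would close that gap; the
 * macro parameters may need renaming first so they cannot collide with
 * member names during expansion -- confirm against DetectBsizeData.
 */
#define TEST_OK(str, m, lo, hi)                                 \
    do {                                                        \
        DetectBsizeData *bsz = DetectBsizeParse((str));         \
        FAIL_IF_NULL(bsz);                                      \
        FAIL_IF_NOT(bsz->mode == (m));                          \
        DetectBsizeFree(NULL, bsz);                             \
        SCLogDebug("str %s OK", (str));                         \
    } while (0)

#define TEST_FAIL(str)                                          \
    do {                                                        \
        DetectBsizeData *bsz = DetectBsizeParse((str));         \
        FAIL_IF_NOT_NULL(bsz);                                  \
    } while (0)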
31 
/**
 * Exact-size form: a bare number, with or without surrounding spaces, must
 * parse with mode DETECT_BSIZE_EQ. Non-numeric and partly numeric strings
 * must be rejected, as must the 11-digit value "10000000001", while the
 * 10-digit " 1000000001 " must still be accepted.
 *
 * NOTE(review): some accepted inputs repeat exactly as they appear in this
 * listing; distinct whitespace variants may have been collapsed by the page
 * rendering -- compare with the repository copy.
 */
static int DetectBsizeTest01(void)
{
    static const char *const accepted[] = {
        "50", " 50", " 50", " 50 ", " 50 ",
    };
    static const char *const rejected[] = {
        "AA", "5A", "A5", "10000000001",
    };

    for (size_t i = 0; i < sizeof(accepted) / sizeof(accepted[0]); i++) {
        TEST_OK(accepted[i], DETECT_BSIZE_EQ, 50, 0);
    }

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }

    /* Large but still accepted value, checked after the rejections. */
    TEST_OK(" 1000000001 ", DETECT_BSIZE_EQ, 1000000001, 0);
    PASS;
}
47 
/**
 * Greater-than form: '>' followed by a number, with optional spaces around
 * either token, must parse with mode DETECT_BSIZE_GT. A doubled or mixed
 * operator and trailing non-digit text must be rejected.
 *
 * NOTE(review): repeated inputs are reproduced as shown in this listing;
 * they may originally have differed only in whitespace.
 */
static int DetectBsizeTest02(void)
{
    static const char *const accepted[] = {
        ">50", "> 50", "> 50",
        " >50", " > 50", " > 50",
        " >50 ", " > 50 ", " > 50 ",
    };
    static const char *const rejected[] = {
        ">>50", "<>50", " > 50A",
    };

    for (size_t i = 0; i < sizeof(accepted) / sizeof(accepted[0]); i++) {
        TEST_OK(accepted[i], DETECT_BSIZE_GT, 50, 0);
    }

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
65 
/**
 * Less-than form: '<' followed by a number, with optional spaces around
 * either token, must parse with mode DETECT_BSIZE_LT. Malformed operators
 * and trailing non-digit text must be rejected.
 *
 * NOTE(review): the rejected operator case here is ">>50", the same string
 * used in the greater-than test; a "<<50" case would exercise the '<' path
 * directly -- confirm whether that was intended.
 */
static int DetectBsizeTest03(void)
{
    static const char *const accepted[] = {
        "<50", "< 50", "< 50",
        " <50", " < 50", " < 50",
        " <50 ", " < 50 ", " < 50 ",
    };
    static const char *const rejected[] = {
        ">>50", " < 50A",
    };

    for (size_t i = 0; i < sizeof(accepted) / sizeof(accepted[0]); i++) {
        TEST_OK(accepted[i], DETECT_BSIZE_LT, 50, 0);
    }

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
82 
/**
 * Range form: "50<>100" must parse with mode DETECT_BSIZE_RA. A broken
 * operator ("50<$50"), a reversed range ("100<>50") and a range with a
 * leading comparison operator (">50<>100") must all be rejected.
 */
static int DetectBsizeTest04(void)
{
    static const char *const rejected[] = {
        "50<$50", "100<>50", ">50<>100",
    };

    TEST_OK("50<>100", DETECT_BSIZE_RA, 50, 100);

    for (size_t i = 0; i < sizeof(rejected) / sizeof(rejected[0]); i++) {
        TEST_FAIL(rejected[i]);
    }
    PASS;
}
92 
93 #undef TEST_OK
94 #undef TEST_FAIL
95 
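/*
 * Signature-level helpers: each builds a fresh detection engine context,
 * appends one rule with DetectEngineAppendSig(), checks the outcome and
 * frees the context.
 *
 * TEST_OK(rule):   the rule must load (non-NULL Signature).
 * TEST_FAIL(rule): the rule must be refused (NULL Signature).
 *
 * Both are wrapped in do { ... } while (0) so an invocation followed by ';'
 * is a single statement and stays safe inside an unbraced if/else.
 *
 * NOTE(review): the FAIL_IF_* checks come before DetectEngineCtxFree(), so
 * whether de_ctx is released when a check fails depends on how those macros
 * leave the function -- confirm against util-unittest.h.
 */
#define TEST_OK(rule)                                                   \
    do {                                                                \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                \
        FAIL_IF_NULL(de_ctx);                                           \
        Signature *s = DetectEngineAppendSig(de_ctx, (rule));           \
        FAIL_IF_NULL(s);                                                \
        DetectEngineCtxFree(de_ctx);                                    \
    } while (0)

#define TEST_FAIL(rule)                                                 \
    do {                                                                \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                \
        FAIL_IF_NULL(de_ctx);                                           \
        Signature *s = DetectEngineAppendSig(de_ctx, (rule));           \
        FAIL_IF_NOT_NULL(s);                                            \
        DetectEngineCtxFree(de_ctx);                                    \
    } while (0)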
113 
/**
 * Rule-level checks for the bsize keyword.
 *
 * Must load: bsize directly after http_request_line, and bsize after
 * file_data.
 *
 * Must be refused: bsize after a plain content match in a tcp rule, bsize
 * after a content match followed by http_method, and the malformed value
 * "<10>". The first two presumably fail because bsize has no buffer
 * selected before it -- confirm against the keyword's setup code.
 */
static int DetectBsizeSigTest01(void)
{
    static const char *const loadable[] = {
        "alert http any any -> any any (http_request_line; bsize:10; sid:1;)",
        "alert http any any -> any any (file_data; bsize:>1000; sid:2;)",
    };
    static const char *const refused[] = {
        "alert tcp any any -> any any (content:\"abc\"; bsize:10; sid:3;)",
        "alert http any any -> any any (content:\"GET\"; http_method; bsize:10; sid:4;)",
        "alert http any any -> any any (http_request_line; content:\"GET\"; bsize:<10>; sid:5;)",
    };

    for (size_t i = 0; i < sizeof(loadable) / sizeof(loadable[0]); i++) {
        TEST_OK(loadable[i]);
    }

    for (size_t i = 0; i < sizeof(refused) / sizeof(refused[0]); i++) {
        TEST_FAIL(refused[i]);
    }
    PASS;
}
124 
125 #undef TEST_OK
126 #undef TEST_FAIL
127 
/**
 * Register every bsize unit test with the unit-test framework: the four
 * parser tests first (EQ, GT, LT, RA), then the signature-level test.
 */
static void DetectBsizeRegisterTests(void)
{
    static const struct {
        const char *label;
        int (*fn)(void);
    } cases[] = {
        { "DetectBsizeTest01 EQ", DetectBsizeTest01 },
        { "DetectBsizeTest02 GT", DetectBsizeTest02 },
        { "DetectBsizeTest03 LT", DetectBsizeTest03 },
        { "DetectBsizeTest04 RA", DetectBsizeTest04 },
        { "DetectBsizeSigTest01", DetectBsizeSigTest01 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        UtRegisterTest(cases[i].label, cases[i].fn);
    }
}