1 /* Copyright (C) 2017-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "../util-unittest.h"
19 
/* Parser-level helpers: drive DetectBsizeParse() directly on a keyword string.
 *
 * TEST_OK(str, m, lo, hi): `str` must parse, and the resulting comparison
 *   mode must be `m`. The parsed value is released with DetectBsizeFree().
 *   NOTE(review): `lo` and `hi` are accepted so that the call sites read
 *   naturally, but they are never compared against the parsed bounds, so a
 *   parser that returned the right mode with wrong limits would still pass.
 *   Confirm the DetectU64Data field names before adding assertions on them.
 * TEST_FAIL(str): `str` must be rejected, i.e. the parser must return NULL.
 *   (A value that is unexpectedly parsed is not freed on that failure path;
 *   the test has already failed at that point.)
 *
 * Both expand to a single statement; the FAIL_IF_* helpers bail out of the
 * enclosing test function at the first check that does not hold.
 */
#define TEST_OK(str, m, lo, hi)                                                \
    do {                                                                       \
        DetectU64Data *parsed = DetectBsizeParse((str));                       \
        FAIL_IF_NULL(parsed);                                                  \
        FAIL_IF_NOT(parsed->mode == (m));                                      \
        DetectBsizeFree(NULL, parsed);                                         \
        SCLogDebug("str %s OK", (str));                                        \
    } while (0)

#define TEST_FAIL(str)                                                         \
    do {                                                                       \
        DetectU64Data *parsed = DetectBsizeParse((str));                       \
        FAIL_IF_NOT_NULL(parsed);                                              \
    } while (0)
33 
/** \brief Parser test for the bare "N" form: the mode must be DETECT_UINT_EQ.
 *
 *  Whitespace before and after the number is tolerated. Input that is not a
 *  pure decimal number, or that does not fit in 64 bits, must be rejected.
 *
 *  NOTE(review): the 2nd/3rd and 4th/5th TEST_OK lines read as duplicates
 *  here; the rendered page most likely collapsed a run of spaces, so check
 *  the repository source before treating them as redundant.
 */
static int DetectBsizeTest01(void)
{
    TEST_OK("50", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50 ", DETECT_UINT_EQ, 50, 0);
    TEST_OK(" 50 ", DETECT_UINT_EQ, 50, 0);

    /* letters only, and a digit mixed with a letter in either order */
    TEST_FAIL("AA");
    TEST_FAIL("5A");
    TEST_FAIL("A5");
    // bigger than UINT64_MAX: 21 digits, UINT64_MAX (18446744073709551615) has 20
    TEST_FAIL("100000000000000000001");
    /* a ten-digit value with surrounding whitespace must still parse as EQ */
    TEST_OK(" 1000000001 ", DETECT_UINT_EQ, 1000000001, 0);
    PASS;
}
50 
/** \brief Parser test for the ">N" form: the mode must be DETECT_UINT_GT.
 *
 *  Whitespace is allowed before the operator, between operator and number,
 *  and after the number. A doubled or mixed operator, and trailing garbage
 *  after the number, must be rejected.
 *
 *  NOTE(review): several adjacent TEST_OK lines below are identical as
 *  rendered; a run of spaces was probably collapsed by the page. Verify
 *  against the repository source before removing any of them.
 */
static int DetectBsizeTest02(void)
{
    TEST_OK(">50", DETECT_UINT_GT, 50, 0);
    TEST_OK("> 50", DETECT_UINT_GT, 50, 0);
    TEST_OK("> 50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" >50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50", DETECT_UINT_GT, 50, 0);
    TEST_OK(" >50 ", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50 ", DETECT_UINT_GT, 50, 0);
    TEST_OK(" > 50 ", DETECT_UINT_GT, 50, 0);

    /* doubled operator, range marker in front of a plain value, trailing letter */
    TEST_FAIL(">>50");
    TEST_FAIL("<>50");
    TEST_FAIL(" > 50A");
    PASS;
}
68 
/** \brief Parser test for the "<N" form: the mode must be DETECT_UINT_LT.
 *
 *  Mirrors DetectBsizeTest02 for the less-than operator: the same whitespace
 *  placements must be accepted and trailing garbage rejected.
 *
 *  NOTE(review): the ">>50" rejection is carried over from the GT test; the
 *  analogous "<<50" is not exercised here. Also, several adjacent TEST_OK
 *  lines are identical as rendered (spaces likely collapsed by the page) -
 *  verify against the repository source before deduplicating.
 */
static int DetectBsizeTest03(void)
{
    TEST_OK("<50", DETECT_UINT_LT, 50, 0);
    TEST_OK("< 50", DETECT_UINT_LT, 50, 0);
    TEST_OK("< 50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" <50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50", DETECT_UINT_LT, 50, 0);
    TEST_OK(" <50 ", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50 ", DETECT_UINT_LT, 50, 0);
    TEST_OK(" < 50 ", DETECT_UINT_LT, 50, 0);

    /* doubled operator and trailing letter after the number */
    TEST_FAIL(">>50");
    TEST_FAIL(" < 50A");
    PASS;
}
85 
/** \brief Parser test for the "lo<>hi" range form: the mode must be
 *         DETECT_UINT_RA.
 *
 *  Only a well-formed range with the lower bound first is accepted. The
 *  rejected inputs cover a corrupted range marker, reversed bounds, and an
 *  operator combined with a range.
 *
 *  NOTE(review): equal bounds ("50<>50") are not covered; pin the expected
 *  verdict once it is confirmed against the parser.
 */
static int DetectBsizeTest04(void)
{
    TEST_OK("50<>100", DETECT_UINT_RA, 50, 100);

    static const char *const rejected[] = {
        "50<$50",   /* stray character where the second half of "<>" belongs */
        "100<>50",  /* lower bound larger than upper bound */
        ">50<>100", /* comparison operator in front of a range */
    };
    for (unsigned idx = 0; idx < sizeof(rejected) / sizeof(rejected[0]); idx++) {
        TEST_FAIL(rejected[idx]);
    }
    PASS;
}
95 
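#undef TEST_OK
#undef TEST_FAIL

/* Signature-level helpers: load one rule into a freshly initialised
 * detection engine context and check whether the engine accepts it.
 *
 * TEST_OK(rule): DetectEngineAppendSig() must return a signature.
 * TEST_FAIL(rule): DetectEngineAppendSig() must return NULL, i.e. the
 *   keyword parser or the bsize/content consistency validation refused it.
 *
 * The verdict is recorded first and the context is released before the
 * FAIL_IF_NOT check runs, so a failing case does not leak de_ctx (a leak
 * report on a failing test would only obscure the real failure under a
 * leak-checking build). The signature is never freed on its own here, in
 * line with the success path, so it is taken to be owned by de_ctx.
 */
#define TEST_OK(rule)                                                          \
    do {                                                                       \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                       \
        FAIL_IF_NULL(de_ctx);                                                  \
        SCLogNotice("rule: %s", (rule));                                       \
        Signature *s = DetectEngineAppendSig(de_ctx, (rule));                  \
        int accepted = (s != NULL);                                            \
        DetectEngineCtxFree(de_ctx);                                           \
        FAIL_IF_NOT(accepted);                                                 \
    } while (0)

#define TEST_FAIL(rule)                                                        \
    do {                                                                       \
        DetectEngineCtx *de_ctx = DetectEngineCtxInit();                       \
        FAIL_IF_NULL(de_ctx);                                                  \
        SCLogNotice("rule: %s", (rule));                                       \
        Signature *s = DetectEngineAppendSig(de_ctx, (rule));                  \
        int rejected = (s == NULL);                                            \
        DetectEngineCtxFree(de_ctx);                                           \
        FAIL_IF_NOT(rejected);                                                 \
    } while (0)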
118 
/** \brief Rule-loading tests for bsize.
 *
 *  The first group must load. The second group must be refused at load
 *  time: either the keyword is placed where it cannot apply (no sticky
 *  buffer, a legacy content modifier, a malformed value) or the bytes
 *  implied by content/offset/depth/distance/within can never fit inside
 *  the declared bsize. Refusing such rules at load time matters because a
 *  rule that can never match would otherwise load silently and simply
 *  never fire, which is a detection gap rather than an error.
 *
 *  The length/bound arithmetic in the comments below is the reviewer's
 *  reading of each rule; the assertion itself is only accept/reject.
 */
static int DetectBsizeSigTest01(void)
{
    /* bsize alone on a sticky buffer: exact and greater-than forms */
    TEST_OK("alert http any any -> any any (http_request_line; bsize:10; sid:1;)");
    TEST_OK("alert http any any -> any any (file_data; bsize:>1000; sid:2;)");

    /* bsize validation with buffer: content lengths that are compatible
     * with the declared size (10 bytes vs >1024, 14 bytes vs <20, 14 bytes
     * inside 15<>25 and 10<>15) */
    TEST_OK("alert http any any -> any any (http.uri; content:\"/index.php\"; bsize:>1024; "
            "sid:6;)");
    TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<20; "
            " sid:9;)");
    TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:15<>25; "
            "sid:10;)");
    TEST_OK("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:10<>15; "
            "sid:13;)");

    /* no buffer selected (plain tcp payload), legacy content modifier
     * (http_method) instead of a sticky buffer, and a malformed value */
    TEST_FAIL("alert tcp any any -> any any (content:\"abc\"; bsize:10; sid:3;)");
    TEST_FAIL("alert http any any -> any any (content:\"GET\"; http_method; bsize:10; sid:4;)");
    TEST_FAIL("alert http any any -> any any (http_request_line; content:\"GET\"; bsize:<10>; "
              "sid:5;)");

    /* content longer than the buffer can be: 14 bytes vs bsize:2 / bsize:<13,
     * two contents totalling 7 or 8 bytes vs bsize:1 / bsize:4 */
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:2; "
              "sid:11;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<13; "
              "sid:12;)");
    TEST_FAIL(
            "alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:1; "
            "sid:7;)");
    TEST_FAIL(
            "alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:4; "
            "sid:8;)");
    /* offset/depth push the match window past bsize:3 (offset:12 + 15 bytes,
     * offset:3 + depth:3, offset:3 + 3 bytes, and an offset of 65535) */
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdefghi123456\"; offset:12; "
              "bsize:3; sid:14;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:3; depth:3; "
              "bsize:3; sid:15;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"gh\"; "
              "bsize:1; sid:16;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:3; bsize:3; "
              "sid:17;)");
    TEST_FAIL("alert http any any -> any any (http.uri; content:\"abc\"; offset:65535; bsize:3; "
              "sid:18;)");
    /* the 11-byte UA fills bsize:11 exactly; a second content placed at
     * distance:2/within:3 after it can never be inside the buffer, and the
     * negation does not rescue the rule */
    TEST_FAIL("alert http any any -> any any (http.user_agent; content:\"Suricata-UA\"; bsize:11; "
              "content:!\"abc\"; distance:2; within:3; sid: 19;)");
    PASS;
}
163 
164 #undef TEST_OK
165 #undef TEST_FAIL
166 
/** \brief Register the bsize unit tests with the unit-test runner.
 *
 *  Kept as a table so that adding a test is a one-row change. The name
 *  passed to UtRegisterTest() is the identifier the runner uses for the
 *  test; the parser tests carry their comparison mode as a suffix.
 */
static void DetectBsizeRegisterTests(void)
{
    static const struct {
        const char *name;
        int (*fn)(void);
    } tests[] = {
        { "DetectBsizeTest01 EQ", DetectBsizeTest01 },
        { "DetectBsizeTest02 GT", DetectBsizeTest02 },
        { "DetectBsizeTest03 LT", DetectBsizeTest03 },
        { "DetectBsizeTest04 RA", DetectBsizeTest04 },
        { "DetectBsizeSigTest01", DetectBsizeSigTest01 },
    };

    for (unsigned idx = 0; idx < sizeof(tests) / sizeof(tests[0]); idx++) {
        UtRegisterTest(tests[idx].name, tests[idx].fn);
    }
}