suricata
detect-bsize.c
Go to the documentation of this file.
1
/* Copyright (C) 2017-2022 Open Information Security Foundation
2
*
3
* You can copy, redistribute or modify this Program under the terms of
4
* the GNU General Public License version 2 as published by the Free
5
* Software Foundation.
6
*
7
* This program is distributed in the hope that it will be useful,
8
* but WITHOUT ANY WARRANTY; without even the implied warranty of
9
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10
* GNU General Public License for more details.
11
*
12
* You should have received a copy of the GNU General Public License
13
* version 2 along with this program; if not, write to the Free Software
14
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15
* 02110-1301, USA.
16
*/
17
18
#include "../util-unittest.h"
19
20
#define TEST_OK(str, m, lo, hi) \
21
{ \
22
DetectU64Data *bsz = DetectU64Parse((str)); \
23
FAIL_IF_NULL(bsz); \
24
FAIL_IF_NOT(bsz->mode == (m)); \
25
DetectBsizeFree(NULL, bsz); \
26
SCLogDebug("str %s OK", (str)); \
27
}
28
#define TEST_FAIL(str) \
29
{ \
30
DetectU64Data *bsz = DetectU64Parse((str)); \
31
FAIL_IF_NOT_NULL(bsz); \
32
}
33
34
static
int
DetectBsizeTest01(
void
)
35
{
36
TEST_OK
(
"50"
,
DETECT_UINT_EQ
, 50, 0);
37
TEST_OK
(
" 50"
,
DETECT_UINT_EQ
, 50, 0);
38
TEST_OK
(
" 50"
,
DETECT_UINT_EQ
, 50, 0);
39
TEST_OK
(
" 50 "
,
DETECT_UINT_EQ
, 50, 0);
40
TEST_OK
(
" 50 "
,
DETECT_UINT_EQ
, 50, 0);
41
42
TEST_FAIL
(
"AA"
);
43
TEST_FAIL
(
"5A"
);
44
TEST_FAIL
(
"A5"
);
45
// bigger than UINT64_MAX
46
TEST_FAIL
(
"100000000000000000001"
);
47
TEST_OK
(
" 1000000001 "
,
DETECT_UINT_EQ
, 1000000001, 0);
48
PASS
;
49
}
50
51
static
int
DetectBsizeTest02(
void
)
52
{
53
TEST_OK
(
">50"
,
DETECT_UINT_GT
, 50, 0);
54
TEST_OK
(
"> 50"
,
DETECT_UINT_GT
, 50, 0);
55
TEST_OK
(
"> 50"
,
DETECT_UINT_GT
, 50, 0);
56
TEST_OK
(
" >50"
,
DETECT_UINT_GT
, 50, 0);
57
TEST_OK
(
" > 50"
,
DETECT_UINT_GT
, 50, 0);
58
TEST_OK
(
" > 50"
,
DETECT_UINT_GT
, 50, 0);
59
TEST_OK
(
" >50 "
,
DETECT_UINT_GT
, 50, 0);
60
TEST_OK
(
" > 50 "
,
DETECT_UINT_GT
, 50, 0);
61
TEST_OK
(
" > 50 "
,
DETECT_UINT_GT
, 50, 0);
62
63
TEST_FAIL
(
">>50"
);
64
TEST_FAIL
(
"<>50"
);
65
TEST_FAIL
(
" > 50A"
);
66
PASS
;
67
}
68
69
static
int
DetectBsizeTest03(
void
)
70
{
71
TEST_OK
(
"<50"
,
DETECT_UINT_LT
, 50, 0);
72
TEST_OK
(
"< 50"
,
DETECT_UINT_LT
, 50, 0);
73
TEST_OK
(
"< 50"
,
DETECT_UINT_LT
, 50, 0);
74
TEST_OK
(
" <50"
,
DETECT_UINT_LT
, 50, 0);
75
TEST_OK
(
" < 50"
,
DETECT_UINT_LT
, 50, 0);
76
TEST_OK
(
" < 50"
,
DETECT_UINT_LT
, 50, 0);
77
TEST_OK
(
" <50 "
,
DETECT_UINT_LT
, 50, 0);
78
TEST_OK
(
" < 50 "
,
DETECT_UINT_LT
, 50, 0);
79
TEST_OK
(
" < 50 "
,
DETECT_UINT_LT
, 50, 0);
80
81
TEST_FAIL
(
">>50"
);
82
TEST_FAIL
(
" < 50A"
);
83
PASS
;
84
}
85
86
static
int
DetectBsizeTest04(
void
)
87
{
88
TEST_OK
(
"50<>100"
,
DETECT_UINT_RA
, 50, 100);
89
90
TEST_FAIL
(
"50<$50"
);
91
TEST_FAIL
(
"100<>50"
);
92
TEST_FAIL
(
">50<>100"
);
93
PASS
;
94
}
95
96
#undef TEST_OK
97
#undef TEST_FAIL
98
99
#define TEST_OK(rule) \
100
{ \
101
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
102
FAIL_IF_NULL(de_ctx); \
103
SCLogNotice("rule: %s", rule); \
104
Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
105
FAIL_IF_NULL(s); \
106
DetectEngineCtxFree(de_ctx); \
107
}
108
109
#define TEST_FAIL(rule) \
110
{ \
111
DetectEngineCtx *de_ctx = DetectEngineCtxInit(); \
112
FAIL_IF_NULL(de_ctx); \
113
SCLogNotice("rule: %s", rule); \
114
Signature *s = DetectEngineAppendSig(de_ctx, (rule)); \
115
FAIL_IF_NOT_NULL(s); \
116
DetectEngineCtxFree(de_ctx); \
117
}
118
119
static
int
DetectBsizeSigTest01(
void
)
120
{
121
TEST_OK
(
"alert http any any -> any any (http_request_line; bsize:10; sid:1;)"
);
122
TEST_OK
(
"alert http any any -> any any (file_data; bsize:>1000; sid:2;)"
);
123
124
/* bsize validation with buffer */
125
TEST_OK
(
"alert http any any -> any any (http.uri; content:\"/index.php\"; bsize:>1024; "
126
"sid:6;)"
);
127
TEST_OK
(
"alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<20; "
128
" sid:9;)"
);
129
TEST_OK
(
"alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:15<>25; "
130
"sid:10;)"
);
131
TEST_OK
(
"alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:10<>15; "
132
"sid:13;)"
);
133
134
TEST_FAIL
(
"alert tcp any any -> any any (content:\"abc\"; bsize:10; sid:3;)"
);
135
TEST_FAIL
(
"alert http any any -> any any (content:\"GET\"; http_method; bsize:10; sid:4;)"
);
136
TEST_FAIL
(
"alert http any any -> any any (http_request_line; content:\"GET\"; bsize:<10>; "
137
"sid:5;)"
);
138
139
TEST_FAIL
(
"alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:2; "
140
"sid:11;)"
);
141
TEST_FAIL
(
"alert http any any -> any any (http.uri; content:\"abcdefgh123456\"; bsize:<13; "
142
"sid:12;)"
);
143
TEST_FAIL
(
144
"alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:1; "
145
"sid:7;)"
);
146
TEST_FAIL
(
147
"alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"g\"; bsize:4; "
148
"sid:8;)"
);
149
TEST_FAIL
(
"alert http any any -> any any (http.uri; content:\"abcdefghi123456\"; offset:12; "
150
"bsize:3; sid:14;)"
);
151
TEST_FAIL
(
"alert http any any -> any any (http.uri; content:\"abc\"; offset:3; depth:3; "
152
"bsize:3; sid:15;)"
);
153
TEST_FAIL
(
"alert http any any -> any any (http.uri; content:\"abcdef\"; content: \"gh\"; "
154
"bsize:1; sid:16;)"
);
155
TEST_FAIL
(
"alert http any any -> any any (http.uri; content:\"abc\"; offset:3; bsize:3; "
156
"sid:17;)"
);
157
TEST_FAIL
(
"alert http any any -> any any (http.uri; content:\"abc\"; offset:65535; bsize:3; "
158
"sid:18;)"
);
159
TEST_FAIL
(
"alert http any any -> any any (http.user_agent; content:\"Suricata-UA\"; bsize:11; "
160
"content:!\"abc\"; distance:2; within:3; sid: 19;)"
);
161
PASS
;
162
}
163
164
#undef TEST_OK
165
#undef TEST_FAIL
166
167
static
void
DetectBsizeRegisterTests(
void
)
168
{
169
UtRegisterTest
(
"DetectBsizeTest01 EQ"
, DetectBsizeTest01);
170
UtRegisterTest
(
"DetectBsizeTest02 GT"
, DetectBsizeTest02);
171
UtRegisterTest
(
"DetectBsizeTest03 LT"
, DetectBsizeTest03);
172
UtRegisterTest
(
"DetectBsizeTest04 RA"
, DetectBsizeTest04);
173
174
UtRegisterTest
(
"DetectBsizeSigTest01"
, DetectBsizeSigTest01);
175
}
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition:
util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition:
detect-engine-uint.h:37
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition:
detect-engine-uint.h:35
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition:
detect-engine-uint.h:32
PASS
#define PASS
Pass the test.
Definition:
util-unittest.h:105
TEST_FAIL
#define TEST_FAIL(str)
Definition:
detect-bsize.c:109
TEST_OK
#define TEST_OK(str, m, lo, hi)
Definition:
detect-bsize.c:99
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition:
detect-engine-uint.h:34
src
tests
detect-bsize.c
Generated on Sat Jul 26 2025 23:30:30 for suricata by
1.8.18
1.8.18 1.8.18