detect-file-data.c
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Giuseppe Longo <giuseppelng@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  */
25 
26 #ifdef UNITTESTS
27 
28 #include "../stream-tcp.h"
29 #include "../detect.h"
30 #include "../detect-isdataat.h"
31 
/**
 * \test file_data is accepted on an smtp rule that names no flow direction:
 *       DetectEngineAppendSig() must return a Signature. Despite the
 *       "Engine" in the name, only the parse/append result is checked here.
 */
32 static int DetectEngineSMTPFiledataTest02(void)
33 {
 /* NOTE(review): listing lines 34-35 are absent from this rendering, so de_ctx
  * is used below without a visible declaration. Presumably they create it with
  * DetectEngineCtxInit() and FAIL_IF_NULL() it -- confirm against the source. */
 /* DE_QUIET: presumably silences engine logging while the test runs. */
36  de_ctx->flags |= DE_QUIET;
37 
 /* A NULL return means the rule parser refused the signature. */
38  Signature *s = DetectEngineAppendSig(de_ctx, "alert smtp any any -> any any "
39  "(msg:\"file_data smtp test\"; "
40  "file_data; content:\"message\"; sid:1;)");
41  FAIL_IF_NULL(s);
42 
 /* NOTE(review): listing lines 43-44 are absent; presumably the
  * DetectEngineCtxFree(de_ctx) teardown that releases the engine context. */
45  PASS;
46 }
47 
/**
 * \test file_data on an smtp rule with no flow keyword: the rule parses and
 *       the content that follows file_data is attached to the file_data
 *       buffer list (g_file_data_buffer_id).
 */
48 static int DetectFiledataParseTest01(void)
49 {
 /* NOTE(review): listing lines 50-51 are absent from this rendering; de_ctx is
  * used below without a visible declaration. Presumably DetectEngineCtxInit()
  * plus a NULL check -- confirm against the source. */
52  de_ctx->flags |= DE_QUIET;
53  Signature *s =
54  DetectEngineAppendSig(de_ctx, "alert smtp any any -> any any "
55  "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
56  FAIL_IF_NULL(s);
 /* content:"abc" must have been routed into the file_data sticky-buffer list.
  * NOTE(review): listing lines 57 and 59 are absent; presumably an assertion
  * that the default match list stayed empty, and DetectEngineCtxFree(de_ctx). */
58  FAIL_IF_NULL(s->sm_lists[g_file_data_buffer_id]);
60  PASS;
61 }
62 
/**
 * \test file_data on a plain tcp rule (no app-layer protocol, no flow keyword):
 *       the rule parses and its content lands in the file_data buffer list.
 */
63 static int DetectFiledataParseTest02(void)
64 {
 /* NOTE(review): listing lines 65-66 are absent from this rendering; de_ctx is
  * used below without a visible declaration. Presumably DetectEngineCtxInit()
  * plus a NULL check -- confirm against the source. */
67  de_ctx->flags |= DE_QUIET;
68  Signature *s =
69  DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
70  "(msg:\"test\"; file_data; content:\"abc\"; sid:1;)");
71  FAIL_IF_NULL(s);
 /* Same list check as the smtp variant above.
  * NOTE(review): listing lines 72 and 74 are absent; presumably the default
  * match list assertion and DetectEngineCtxFree(de_ctx). */
73  FAIL_IF_NULL(s->sm_lists[g_file_data_buffer_id]);
75  PASS;
76 }
77 
/**
 * \test file_data on a tcp rule to port 25 with flow:to_server,established
 *       is accepted -- the direction agrees with the one Test04 shows the
 *       engine requires for smtp file data.
 */
78 static int DetectFiledataParseTest03(void)
79 {
 /* NOTE(review): listing lines 80-81 and 83 are absent from this rendering.
  * 80-81 presumably create de_ctx (DetectEngineCtxInit() + NULL check); 83 is
  * presumably `Signature *s = DetectEngineAppendSig(de_ctx,` -- the two string
  * lines below are its rule argument and `s` is used at the FAIL_IF_NULL. */
82  de_ctx->flags |= DE_QUIET;
84  "alert tcp any any -> any 25 "
85  "(msg:\"test\"; flow:to_server,established; file_data; content:\"abc\"; sid:1;)");
86  FAIL_IF_NULL(s);
 /* NOTE(review): listing lines 87 and 89 are absent; presumably further
  * assertions on the parsed signature and DetectEngineCtxFree(de_ctx). */
88  FAIL_IF_NULL(s->sm_lists[g_file_data_buffer_id]);
90  PASS;
91 }
92 
93 /**
94  * \test file_data is rejected on an smtp rule that carries flow:to_client
95  *       (the rule must fail to parse; the header previously said to_server).
 */
96 static int DetectFiledataParseTest04(void)
97 {
 /* NOTE(review): listing lines 98-99 and 101 are absent from this rendering.
  * 98-99 presumably create de_ctx; 101 is presumably
  * `Signature *s = DetectEngineAppendSig(de_ctx,` for the rule below. */
100  de_ctx->flags |= DE_QUIET;
102  "alert smtp any any -> any any "
103  "(msg:\"test\"; flow:to_client,established; file_data; content:\"abc\"; sid:1;)");
 /* The rule must be refused at load time (NULL), not loaded in a form that
  * can never match -- presumably because smtp file data only flows to_server.
  * NOTE(review): listing line 105 is absent; presumably DetectEngineCtxFree(). */
104  FAIL_IF_NOT_NULL(s);
106  PASS;
107 }
108 
109 /**
110  * \test file_data is rejected on an http rule that carries flow:to_server
111  *       (the rule must fail to parse).
 */
112 static int DetectFiledataParseTest05(void)
113 {
 /* NOTE(review): listing lines 114-115 and 117 are absent from this rendering.
  * 114-115 presumably create de_ctx; 117 is presumably
  * `Signature *s = DetectEngineAppendSig(de_ctx,` for the rule below. */
116  de_ctx->flags |= DE_QUIET;
118  "alert http any any -> any any "
119  "(msg:\"test\"; flow:to_server,established; file_data; content:\"abc\"; sid:1;)");
 /* Mirror of Test04 for http: the to_server rule must be refused (NULL) so the
  * direction mistake surfaces at load time rather than as a silent non-match.
  * NOTE(review): listing line 121 is absent; presumably DetectEngineCtxFree(). */
120  FAIL_IF_NOT_NULL(s);
122  PASS;
123 }
124 
/**
 * \test file_data; content; isdataat:!4,relative -- both the content and the
 *       isdataat that follows it must be chained, in order, in the file_data
 *       buffer's match list rather than the default list.
 */
125 static int DetectFiledataIsdataatParseTest1(void)
126 {
 /* NOTE(review): listing lines 127-128 and 131 are absent from this rendering.
  * 127-128 presumably create de_ctx; 131 is presumably
  * `Signature *s = DetectEngineAppendSig(de_ctx,` for the rule below. */
129  de_ctx->flags |= DE_QUIET;
130 
132  "alert tcp any any -> any any ("
133  "file_data; content:\"one\"; "
134  "isdataat:!4,relative; sid:1;)");
135  FAIL_IF_NULL(s);
136 
 /* Walk the file_data list from the parse-time (init_data) view of the rule. */
137  SigMatch *sm = s->init_data->smlists[g_file_data_buffer_id];
138  FAIL_IF_NULL(sm);
 /* NOTE(review): listing line 139 is absent; presumably a type check on the
  * first entry (the content). */
140  sm = sm->next;
141  FAIL_IF_NULL(sm);
 /* NOTE(review): listing lines 142 and 144-147 are absent; presumably a type
  * check on the second entry (the isdataat) and checks of its ctx flags, e.g.
  * relative set and negated set for the `!` -- confirm against the source. */
143 
 /* NOTE(review): listing line 149 is absent; presumably DetectEngineCtxFree(). */
148 
150  PASS;
151 }
152 
/**
 * \test file_data directly followed by isdataat:!4,relative (no content in
 *       between): the isdataat must still land in the file_data buffer list,
 *       checked via the list tail.
 */
153 static int DetectFiledataIsdataatParseTest2(void)
154 {
 /* NOTE(review): listing lines 155-156 and 159 are absent from this rendering.
  * 155-156 presumably create de_ctx; 159 is presumably
  * `Signature *s = DetectEngineAppendSig(de_ctx,` for the rule below. */
157  de_ctx->flags |= DE_QUIET;
158 
160  "alert tcp any any -> any any ("
161  "file_data; "
162  "isdataat:!4,relative; sid:1;)");
163  FAIL_IF_NULL(s);
164 
 /* Last entry of the file_data list: with no content present this should be
  * the isdataat itself. */
165  SigMatch *sm = s->init_data->smlists_tail[g_file_data_buffer_id];
166  FAIL_IF_NULL(sm);
 /* NOTE(review): listing lines 167 and 169-172 are absent; presumably a type
  * check on sm and checks of the isdataat ctx flags -- confirm against the
  * source. Line 174 is presumably DetectEngineCtxFree(de_ctx). */
168 
173 
175  PASS;
176 }
177 
/**
 * Registers every test above with the unit-test runner under a display name
 * equal to its function identifier.
 * NOTE(review): the signature line (listing line 178) is absent from this
 * rendering; presumably `void DetectFiledataRegisterTests(void)`.
 */
179 {
180  UtRegisterTest("DetectEngineSMTPFiledataTest02",
181  DetectEngineSMTPFiledataTest02);
182 
183  UtRegisterTest("DetectFiledataParseTest01", DetectFiledataParseTest01);
184  UtRegisterTest("DetectFiledataParseTest02", DetectFiledataParseTest02);
185  UtRegisterTest("DetectFiledataParseTest03", DetectFiledataParseTest03);
186  UtRegisterTest("DetectFiledataParseTest04", DetectFiledataParseTest04);
187  UtRegisterTest("DetectFiledataParseTest05", DetectFiledataParseTest05);
188 
189  UtRegisterTest("DetectFiledataIsdataatParseTest1",
190  DetectFiledataIsdataatParseTest1);
191  UtRegisterTest("DetectFiledataIsdataatParseTest2",
192  DetectFiledataIsdataatParseTest2);
193 }
194 
195 #endif