suricata
detect-parse.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2022 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "../detect.h"
19 #include "../detect-parse.h"
20 #include "../detect-engine-port.h"
21 #include "../util-unittest.h"
22 #include "util-debug.h"
23 #include "util-error.h"
24 
25 /**
26  * \test DetectParseTest01 is a regression test against a memory leak
27  * in the case of multiple signatures with different revisions
28  * Leak happened in function DetectEngineSignatureIsDuplicate
29  */
30 
31 static int DetectParseTest01 (void)
32 {
33  DetectEngineCtx * de_ctx = DetectEngineCtxInit();
34  FAIL_IF(DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 1 version 0\"; content:\"dummy1\"; sid:1;)") == NULL);
35  DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 2 version 0\"; content:\"dummy2\"; sid:2;)");
36  DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 1 version 1\"; content:\"dummy1.1\"; sid:1; rev:1;)");
37  DetectEngineAppendSig(de_ctx, "alert http any any -> any any (msg:\"sid 2 version 2\"; content:\"dummy2.1\"; sid:2; rev:1;)");
38  FAIL_IF(de_ctx->sig_list->next == NULL);
39  DetectEngineCtxFree(de_ctx);
40 
41  PASS;
42 }
43 
44 /**
45  * \test DetectParseTestNoOpt is a regression test to make sure that we reject
46  * any signature where a NOOPT rule option is given a value. This can hide rule
47  * errors which make other options disappear, eg: foo: bar: baz; where "foo" is
48  * the NOOPT option, we will end up with a signature which is missing "bar".
49  */
50 
51 static int DetectParseTestNoOpt(void)
52 {
53  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
54  FAIL_IF(DetectEngineAppendSig(de_ctx,
55  "alert http any any -> any any (msg:\"sid 1 version 0\"; "
56  "content:\"dummy1\"; endswith: reference: ref; sid:1;)") != NULL);
57  DetectEngineCtxFree(de_ctx);
58 
59  PASS;
60 }
61 
62 static int SigParseTestNegationNoWhitespace(void)
63 {
64  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
65  FAIL_IF_NULL(de_ctx);
66  Signature *s = DetectEngineAppendSig(de_ctx,
67  "alert http any [30:50,!45] -> any [30:50,!45] (msg:\"sid 2 version 0\"; "
68  "content:\"dummy2\"; sid:2;)");
69  FAIL_IF_NULL(s);
70  FAIL_IF_NULL(s->sp);
71  FAIL_IF_NULL(s->dp);
72  FAIL_IF_NOT(s->sp->port == 30);
73  FAIL_IF_NOT(s->sp->port2 == 44);
74  FAIL_IF_NULL(s->sp->next);
75  FAIL_IF_NOT(s->sp->next->port == 46);
76  FAIL_IF_NOT(s->sp->next->port2 == 50);
77  FAIL_IF_NOT_NULL(s->sp->next->next);
78  DetectEngineCtxFree(de_ctx);
79  PASS;
80 }
81 
82 // // Tests proper Signature is parsed from portstring length < 16 ie [30:50, !45]
83 static int SigParseTestWhitespaceLessThan14(void)
84 {
85  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
86  FAIL_IF_NULL(de_ctx);
87  Signature *s = DetectEngineAppendSig(de_ctx,
88  "alert http any [30:50, !45] -> any [30:50,!45] (msg:\"sid 2 version 0\"; "
89  "content:\"dummy2\"; sid:2;)");
90  FAIL_IF_NULL(s);
91  FAIL_IF_NULL(s->sp);
92  FAIL_IF_NULL(s->dp);
93  FAIL_IF_NOT(s->sp->port == 30);
94  FAIL_IF_NOT(s->sp->port2 == 44);
95  FAIL_IF_NULL(s->sp->next);
96  FAIL_IF_NOT(s->sp->next->port == 46);
97  FAIL_IF_NOT(s->sp->next->port2 == 50);
98  FAIL_IF_NOT_NULL(s->sp->next->next);
99  DetectEngineCtxFree(de_ctx);
100  PASS;
101 }
102 
103 static int SigParseTestWhitespace14Spaces(void)
104 {
105  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
106  FAIL_IF_NULL(de_ctx);
107  Signature *s = DetectEngineAppendSig(de_ctx,
108  "alert http any [30:50, !45] -> any [30:50,!45] (msg:\"sid 2 "
109  "version 0\"; content:\"dummy2\"; sid:2;)");
110  FAIL_IF_NULL(s);
111  FAIL_IF_NULL(s->sp);
112  FAIL_IF_NULL(s->dp);
113  FAIL_IF_NOT(s->sp->port == 30);
114  FAIL_IF_NOT(s->sp->port2 == 44);
115  FAIL_IF_NULL(s->sp->next);
116  FAIL_IF_NOT(s->sp->next->port == 46);
117  FAIL_IF_NOT(s->sp->next->port2 == 50);
118  FAIL_IF_NOT_NULL(s->sp->next->next);
119  DetectEngineCtxFree(de_ctx);
120  PASS;
121 }
122 
123 static int SigParseTestWhitespaceMoreThan14(void)
124 {
125  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
126  FAIL_IF_NULL(de_ctx);
127  Signature *s = DetectEngineAppendSig(de_ctx,
128  "alert http any [30:50, !45] -> any [30:50,!45] "
129  "(msg:\"sid 2 version 0\"; content:\"dummy2\"; sid:2;)");
130  FAIL_IF_NULL(s);
131  FAIL_IF_NULL(s->sp);
132  FAIL_IF_NULL(s->dp);
133  FAIL_IF_NOT(s->sp->port == 30);
134  FAIL_IF_NOT(s->sp->port2 == 44);
135  FAIL_IF_NULL(s->sp->next);
136  FAIL_IF_NOT(s->sp->next->port == 46);
137  FAIL_IF_NOT(s->sp->next->port2 == 50);
138  FAIL_IF_NOT_NULL(s->sp->next->next);
139  DetectEngineCtxFree(de_ctx);
140  PASS;
141 }
142 
143 /**
144  * \brief this function registers unit tests for DetectParse
145  */
146 void DetectParseRegisterTests(void)
147 {
148  UtRegisterTest("DetectParseTest01", DetectParseTest01);
149  UtRegisterTest("DetectParseTestNoOpt", DetectParseTestNoOpt);
150  UtRegisterTest("SigParseTestNegationNoWhitespace", SigParseTestNegationNoWhitespace);
151  UtRegisterTest("SigParseTestWhitespaceLessThan14", SigParseTestWhitespaceLessThan14);
152  UtRegisterTest("SigParseTestWhitespace14Spaces", SigParseTestWhitespace14Spaces);
153  UtRegisterTest("SigParseTestWhitespaceMoreThan14", SigParseTestWhitespaceMoreThan14);
154 }
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
DetectParseRegisterTests
void DetectParseRegisterTests(void)
this function registers unit tests for DetectParse
Definition: detect-parse.c:146
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DetectPort_::port
uint16_t port
Definition: detect.h:218
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:839
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2533
DetectPort_::next
struct DetectPort_ * next
Definition: detect.h:231
DetectPort_::port2
uint16_t port2
Definition: detect.h:219
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
Signature_::next
struct Signature_ * next
Definition: detect.h:668
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
util-debug.h
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
util-error.h
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
Signature_::sp
DetectPort * sp
Definition: detect.h:637
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2620
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectEngineCtx_::sig_list
Signature * sig_list
Definition: detect.h:847
Signature_::dp
DetectPort * dp
Definition: detect.h:637
Signature_
Signature container.
Definition: detect.h:596
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2494