detect-snmp-community.c

Go to the documentation of this file.

/* Copyright (C) 2019 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */
 
#include "util-unittest.h"
#include "util-unittest-helper.h"
#include "app-layer-parser.h"
#include "detect-engine.h"
#include "detect-parse.h"
#include "flow-util.h"
#include "stream-tcp.h"
#include "detect-engine-build.h"
#include "detect-engine-alert.h"
 
static int DetectSNMPCommunityTest(void)
{
    AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
    DetectEngineThreadCtx *det_ctx = NULL;
    DetectEngineCtx *de_ctx = NULL;
    Flow f;
    Packet *p;
    TcpSession tcp;
    ThreadVars tv;
    Signature *s;
 
    uint8_t request[] = {
        0x30, 0x27, 0x02, 0x01, 0x01, 0x04, 0x0b, 0x5b,
        0x52, 0x30, 0x5f, 0x43, 0x40, 0x63, 0x74, 0x69,
        0x21, 0x5d, 0xa1, 0x15, 0x02, 0x04, 0x2b, 0x13,
        0x3f, 0x85, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00,
        0x30, 0x07, 0x30, 0x05, 0x06, 0x01, 0x01, 0x05,
        0x00
    };
 
    /* Setup flow. */
    memset(&f, 0, sizeof(Flow));
    memset(&tcp, 0, sizeof(TcpSession));
    memset(&tv, 0, sizeof(ThreadVars));
    p = UTHBuildPacket(request, sizeof(request), IPPROTO_UDP);
    FLOW_INITIALIZE(&f);
    f.alproto = ALPROTO_SNMP;
    f.protoctx = (void *)&tcp;
    f.proto = IPPROTO_UDP;
    f.protomap = FlowGetProtoMapping(f.proto);
    f.flags |= FLOW_IPV4;
    p->flow = &f;
    p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
    p->flowflags |= FLOW_PKT_TOSERVER | FLOW_PKT_ESTABLISHED;
    StreamTcpInitConfig(true);
 
    de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);
 
    /* This rule should match. */
    s = DetectEngineAppendSig(de_ctx,
        "alert snmp any any -> any any ("
        "msg:\"SNMP Test Rule\"; "
        "snmp.community; content:\"[R0_C@cti!]\"; "
        "sid:1; rev:1;)");
    FAIL_IF_NULL(s);
 
    /* This rule should not match. */
    s = DetectEngineAppendSig(de_ctx,
        "alert snmp any any -> any any ("
        "msg:\"SNMP Test Rule\"; "
        "snmp.community; content:\"private\"; "
        "sid:2; rev:1;)");
    FAIL_IF_NULL(s);
 
    SigGroupBuild(de_ctx);
    DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
 
    int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_SNMP,
                        STREAM_TOSERVER, request, sizeof(request));
    FAIL_IF(r != 0);
 
    /* Check that we have app-layer state. */
    FAIL_IF_NULL(f.alstate);
 
    SigMatchSignatures(&tv, de_ctx, det_ctx, p);
    FAIL_IF(!PacketAlertCheck(p, 1));
    FAIL_IF(PacketAlertCheck(p, 2));
 
    /* Cleanup. */
    AppLayerParserThreadCtxFree(alp_tctx);
    DetectEngineThreadCtxDeinit(&tv, det_ctx);
    SigGroupCleanup(de_ctx);
    DetectEngineCtxFree(de_ctx);
    StreamTcpFreeConfig(true);
    FLOW_DESTROY(&f);
    UTHFreePacket(p);
 
    PASS;
}
 
static void DetectSNMPCommunityRegisterTests(void)
{
    UtRegisterTest("DetectSNMPCommunityTest",
        DetectSNMPCommunityTest);
}