detect-template-buffer.c
1 /* Copyright (C) 2015-2018 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 #include "../util-unittest.h"
19 #include "../util-unittest-helper.h"
20 #include "../app-layer-parser.h"
21 #include "../detect-engine.h"
22 #include "../detect-parse.h"
23 #include "../flow-util.h"
24 #include "../stream-tcp.h"
25 
/**
 * \brief Unit test for the "template_buffer" detection keyword.
 *
 * Builds one TCP packet whose payload is "Hello World!", hands the same
 * bytes to the app-layer parser as TOSERVER data, runs two rules against
 * the packet and expects the rule with sid 1 (content "World!") to alert.
 * The comment on the second rule says sid 2 (content "W0rld!") must not
 * alert; the assertion for that case is not visible in this rendering.
 *
 * NOTE(review): this rendering of the file omits a number of statements
 * (the gutter numbering jumps after 27, 44, 49, 57, 64, 72, 78, 82, 86
 * and 89).  The comments below describe only what is visible and mark
 * what is inferred; confirm against the repository before relying on them.
 *
 * The result is produced by the PASS / FAIL_IF* macros from
 * util-unittest.h; their exact return values are not shown here.
 */
26 static int DetectTemplateBufferTest(void)
27 {
30 
31  Flow f;
32  Packet *p;
33  TcpSession tcp;
34  ThreadVars tv;
35  Signature *s;
36 
    /* sizeof(request) is 13: the terminating NUL is part of the payload
     * handed to UTHBuildPacket and AppLayerParserParse below. */
37  uint8_t request[] = "Hello World!";
38 
39  /* Setup flow. */
40  memset(&f, 0, sizeof(Flow));
41  memset(&tcp, 0, sizeof(TcpSession));
42  memset(&tv, 0, sizeof(ThreadVars));
    /* NOTE(review): p is dereferenced a few lines down without a NULL
     * check; a FAIL_IF_NULL(p) here would turn an allocation failure into
     * a clean test failure instead of a crash. */
43  p = UTHBuildPacket(request, sizeof(request), IPPROTO_TCP);
44  FLOW_INITIALIZE(&f);
    /* Give the flow the zeroed TcpSession as its protocol context and
     * mark it as TCP over IPv4, then attach it to the packet. */
46  f.protoctx = (void *)&tcp;
47  f.proto = IPPROTO_TCP;
48  f.flags |= FLOW_IPV4;
49  p->flow = &f;
53 
    /* NOTE(review): the statements that create de_ctx (used below) are
     * not shown in this rendering; presumably DetectEngineCtxInit() plus
     * a NULL check, as in the page's symbol index -- confirm. */
56 
57  /* This rule should match. */
    /* NOTE(review): the call that consumes these string arguments is not
     * shown; given the FAIL_IF_NULL(s) that follows it is presumably
     * s = DetectEngineAppendSig(de_ctx, ...) -- confirm. */
59  "alert tcp any any -> any any ("
60  "msg:\"TEMPLATE Test Rule\"; "
61  "template_buffer; content:\"World!\"; "
62  "sid:1; rev:1;)");
63  FAIL_IF_NULL(s);
64 
65  /* This rule should not match. */
    /* Same shape as the first rule; only the content differs ("W0rld!"). */
67  "alert tcp any any -> any any ("
68  "msg:\"TEMPLATE Test Rule\"; "
69  "template_buffer; content:\"W0rld!\"; "
70  "sid:2; rev:1;)");
71  FAIL_IF_NULL(s);
72 
    /* NOTE(review): the signature-group build that normally precedes
     * thread-context initialisation is not shown here -- confirm. */
74 
75  DetectEngineThreadCtx *det_ctx = NULL;
    /* The TmEcode returned by DetectEngineThreadCtxInit is ignored; the
     * NULL check on det_ctx is what detects an initialisation failure. */
76  DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
77  FAIL_IF_NULL(det_ctx);
78 
    /* NOTE(review): the start of the AppLayerParserParse() call is not
     * shown; only its trailing arguments (direction, input, length)
     * are visible.  The input length again includes the NUL byte. */
80  STREAM_TOSERVER, request, sizeof(request));
81 
82  /* Check that we have app-layer state. */
    /* NOTE(review): the assertion belonging to the comment above is not
     * shown in this rendering (presumably a check on f.alstate). */
84 
    /* Run detection on the packet and require that sid 1 alerted. */
85  SigMatchSignatures(&tv, de_ctx, det_ctx, p);
86  FAIL_IF(!PacketAlertCheck(p, 1));
    /* NOTE(review): the negative check for sid 2 announced by the
     * "should not match" comment is not visible here. */
88 
89  /* Cleanup. */
    /* NOTE(review): the lines releasing det_ctx / de_ctx (and any parser
     * thread context) are not shown; only the flow and packet teardown
     * is visible.  Note also that the FAIL_IF* macros above leave the
     * test before reaching this cleanup, so resources are not released
     * on the failure path -- the usual trade-off in these unit tests. */
94  FLOW_DESTROY(&f);
95  UTHFreePacket(p);
96 
97  PASS;
98 }
99 
/**
 * \brief Register the unit tests of the "template_buffer" keyword.
 *
 * Registers DetectTemplateBufferTest with the unit-test runner under the
 * name "DetectTemplateBufferTest" via UtRegisterTest().
 */
static void DetectTemplateBufferRegisterTests(void)
{
    static const char *const test_name = "DetectTemplateBufferTest";

    UtRegisterTest(test_name, DetectTemplateBufferTest);
}
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
PKT_HAS_FLOW
#define PKT_HAS_FLOW
Definition: decode.h:1087
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
Flow_::proto
uint8_t proto
Definition: flow.h:361
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:138
Packet_::flags
uint32_t flags
Definition: decode.h:446
Flow_
Flow data structure.
Definition: flow.h:343
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:766
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2089
AppLayerParserThreadCtxFree
void AppLayerParserThreadCtxFree(AppLayerParserThreadCtx *tctx)
Destroys the app layer parser thread context obtained using AppLayerParserThreadCtxAlloc().
Definition: app-layer-parser.c:279
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:218
UTHBuildPacket
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that builds packets with default IP and port fields.
Definition: util-unittest-helper.c:336
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:442
Flow_::protoctx
void * protoctx
Definition: flow.h:416
FLOW_IPV4
#define FLOW_IPV4
Definition: flow.h:94
FLOW_INITIALIZE
#define FLOW_INITIALIZE(f)
Definition: flow-util.h:39
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1009
STREAM_TOSERVER
#define STREAM_TOSERVER
Definition: stream.h:31
alp_tctx
AppLayerParserThreadCtx * alp_tctx
Definition: fuzz_applayerparserparse.c:19
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
TRUE
#define TRUE
Definition: suricata-common.h:33
SigMatchSignatures
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1668
Packet_
Definition: decode.h:411
StreamTcpFreeConfig
void StreamTcpFreeConfig(char quiet)
Definition: stream-tcp.c:669
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:1876
AppLayerParserThreadCtxAlloc
AppLayerParserThreadCtx * AppLayerParserThreadCtxAlloc(void)
Gets a new app layer protocol's parser thread context.
Definition: app-layer-parser.c:253
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *de_ctx, const char *sigstr)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2326
Packet_::flow
struct Flow_ * flow
Definition: decode.h:448
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
Definition: detect-engine.c:2793
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:71
AppLayerParserParse
int AppLayerParserParse(ThreadVars *tv, AppLayerParserThreadCtx *alp_tctx, Flow *f, AppProto alproto, uint8_t flags, const uint8_t *input, uint32_t input_len)
Definition: app-layer-parser.c:1171
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3001
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:29
UTHFreePacket
void UTHFreePacket(Packet *p)
UTHFreePacket: function to release the allocated data from UTHBuildPacket and the packet itself.
Definition: util-unittest-helper.c:484
Flow_::alstate
void * alstate
Definition: flow.h:454
Flow_::flags
uint32_t flags
Definition: flow.h:396
Signature_
Signature container.
Definition: detect.h:527
StreamTcpInitConfig
void StreamTcpInitConfig(char)
To initialize the stream global configuration data.
Definition: stream-tcp.c:365
ALPROTO_TEMPLATE
@ ALPROTO_TEMPLATE
Definition: app-layer-protos.h:55
FLOW_PKT_ESTABLISHED
#define FLOW_PKT_ESTABLISHED
Definition: flow.h:220
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2044
AppLayerParserThreadCtx_
Definition: app-layer-parser.c:85
TcpSession_
Definition: stream-tcp-private.h:260
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:425
FLOW_DESTROY
#define FLOW_DESTROY(f)
Definition: flow-util.h:121
PKT_STREAM_EST
#define PKT_STREAM_EST
Definition: decode.h:1085