suricata
detect-ttl.c
Go to the documentation of this file.
1 
2 /* Copyright (C) 2007-2018 Open Information Security Foundation
3  *
4  * You can copy, redistribute or modify this Program under the terms of
5  * the GNU General Public License version 2 as published by the Free
6  * Software Foundation.
7  *
8  * This program is distributed in the hope that it will be useful,
9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11  * GNU General Public License for more details.
12  *
13  * You should have received a copy of the GNU General Public License
14  * version 2 along with this program; if not, write to the Free Software
15  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
16  * 02110-1301, USA.
17  */
18 
19 #include "../util-unittest.h"
20 #include "../util-unittest-helper.h"
21 #include "detect-engine.h"
22 #include "detect-engine-alert.h"
23 #include "detect-engine-build.h"
24 
25 /**
26  * \test DetectTtlParseTest01 is a test for setting up an valid ttl value.
27  */
28 
29 static int DetectTtlParseTest01 (void)
30 {
31  DetectU8Data *ttld = DetectU8Parse("10");
32  FAIL_IF_NULL(ttld);
33  FAIL_IF_NOT(ttld->arg1 == 10);
34  FAIL_IF_NOT(ttld->mode == DETECT_UINT_EQ);
35  DetectTtlFree(NULL, ttld);
36  PASS;
37 }
38 
39 /**
40  * \test DetectTtlParseTest02 is a test for setting up an valid ttl value with
41  * "<" operator.
42  */
43 
44 static int DetectTtlParseTest02 (void)
45 {
46  DetectU8Data *ttld = DetectU8Parse("<10");
47  FAIL_IF_NULL(ttld);
48  FAIL_IF_NOT(ttld->arg1 == 10);
49  FAIL_IF_NOT(ttld->mode == DETECT_UINT_LT);
50  DetectTtlFree(NULL, ttld);
51  PASS;
52 }
53 
54 /**
55  * \test DetectTtlParseTest03 is a test for setting up an valid ttl values with
56  * "-" operator.
57  */
58 
59 static int DetectTtlParseTest03 (void)
60 {
61  DetectU8Data *ttld = DetectU8Parse("1-3");
62  FAIL_IF_NULL(ttld);
63  FAIL_IF_NOT(ttld->arg1 == 1);
64  FAIL_IF_NOT(ttld->arg2 == 3);
65  FAIL_IF_NOT(ttld->mode == DETECT_UINT_RA);
66  DetectTtlFree(NULL, ttld);
67  PASS;
68 }
69 
70 /**
71  * \test DetectTtlParseTest04 is a test for setting up an valid ttl value with
72  * ">" operator and include spaces arround the given values.
73  */
74 
75 static int DetectTtlParseTest04 (void)
76 {
77  DetectU8Data *ttld = DetectU8Parse(" > 10 ");
78  FAIL_IF_NULL(ttld);
79  FAIL_IF_NOT(ttld->arg1 == 10);
80  FAIL_IF_NOT(ttld->mode == DETECT_UINT_GT);
81  DetectTtlFree(NULL, ttld);
82  PASS;
83 }
84 
85 /**
86  * \test DetectTtlParseTest05 is a test for setting up an valid ttl values with
87  * "-" operator and include spaces arround the given values.
88  */
89 
90 static int DetectTtlParseTest05 (void)
91 {
92  DetectU8Data *ttld = DetectU8Parse(" 1 - 3 ");
93  FAIL_IF_NULL(ttld);
94  FAIL_IF_NOT(ttld->arg1 == 1);
95  FAIL_IF_NOT(ttld->arg2 == 3);
96  FAIL_IF_NOT(ttld->mode == DETECT_UINT_RA);
97  DetectTtlFree(NULL, ttld);
98  PASS;
99 }
100 
101 /**
102  * \test DetectTtlParseTest06 is a test for setting up an valid ttl values with
103  * invalid "=" operator and include spaces arround the given values.
104  */
105 
106 static int DetectTtlParseTest06 (void)
107 {
108  DetectU8Data *ttld = DetectU8Parse(" 1 = 2 ");
109  FAIL_IF_NOT_NULL(ttld);
110  PASS;
111 }
112 
113 /**
114  * \test DetectTtlParseTest07 is a test for setting up an valid ttl values with
115  * invalid "<>" operator and include spaces arround the given values.
116  */
117 
118 static int DetectTtlParseTest07 (void)
119 {
120  DetectU8Data *ttld = DetectU8Parse(" 1<>2 ");
121  FAIL_IF_NOT_NULL(ttld);
122  PASS;
123 }
124 
125 /**
126  * \test DetectTtlSetupTest01 is a test for setting up an valid ttl values with
127  * valid "-" operator and include spaces arround the given values. In the
128  * test the values are setup with initializing the detection engine context
129  * setting up the signature itself.
130  */
131 
132 static int DetectTtlSetupTest01(void)
133 {
134  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
135  FAIL_IF_NULL(de_ctx);
136  de_ctx->flags |= DE_QUIET;
137 
138  Signature *s = DetectEngineAppendSig(
139  de_ctx, "alert ip any any -> any any (msg:\"with in ttl limit\"; ttl:1 - 3; sid:1;)");
140  FAIL_IF_NULL(s);
141  SigGroupBuild(de_ctx);
142  FAIL_IF_NULL(s->sm_arrays[DETECT_SM_LIST_MATCH]);
143  FAIL_IF_NULL(s->sm_arrays[DETECT_SM_LIST_MATCH]->ctx);
144  DetectU8Data *ttld = (DetectU8Data *)s->sm_arrays[DETECT_SM_LIST_MATCH]->ctx;
145 
146  FAIL_IF_NOT(ttld->arg1 == 1);
147  FAIL_IF_NOT(ttld->arg2 == 3);
148  FAIL_IF_NOT(ttld->mode == DETECT_UINT_RA);
149  DetectEngineCtxFree(de_ctx);
150  PASS;
151 }
152 
153 /**
154  * \test DetectTtlTestSig01 is a test for checking the working of ttl keyword
155  * by setting up the signature and later testing its working by matching
156  * the received packet against the sig.
157  */
158 
159 static int DetectTtlTestSig1(void)
160 {
161  Packet *p = PacketGetFromAlloc();
162  FAIL_IF_NULL(p);
163  Signature *s = NULL;
164  ThreadVars th_v;
165  DetectEngineThreadCtx *det_ctx;
166  IPV4Hdr ip4h;
167 
168  memset(&th_v, 0, sizeof(th_v));
169  memset(&ip4h, 0, sizeof(ip4h));
170 
171  p->src.family = AF_INET;
172  p->dst.family = AF_INET;
173  p->proto = IPPROTO_TCP;
174  ip4h.ip_ttl = 15;
175  UTHSetIPV4Hdr(p, &ip4h);
176 
177  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
178  FAIL_IF_NULL(de_ctx);
179  de_ctx->flags |= DE_QUIET;
180 
181  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"with in ttl limit\"; ttl: >16; sid:1;)");
182  FAIL_IF_NULL(s);
183 
184  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Less than 17\"; ttl: <17; sid:2;)");
185  FAIL_IF_NULL(s);
186 
187  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Greater than 5\"; ttl:15; sid:3;)");
188  FAIL_IF_NULL(s);
189 
190  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Equals tcp\"; ttl: 1-30; sid:4;)");
191  FAIL_IF_NULL(s);
192 
193  SigGroupBuild(de_ctx);
194  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
195 
196  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
197  FAIL_IF(PacketAlertCheck(p, 1));
198  FAIL_IF_NOT(PacketAlertCheck(p, 2));
199  FAIL_IF_NOT(PacketAlertCheck(p, 3));
200  FAIL_IF_NOT(PacketAlertCheck(p, 4));
201 
202  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
203  DetectEngineCtxFree(de_ctx);
204 
205  SCFree(p);
206  PASS;
207 }
208 
209 /**
210  * \brief this function registers unit tests for DetectTtl
211  */
212 void DetectTtlRegisterTests(void)
213 {
214  UtRegisterTest("DetectTtlParseTest01", DetectTtlParseTest01);
215  UtRegisterTest("DetectTtlParseTest02", DetectTtlParseTest02);
216  UtRegisterTest("DetectTtlParseTest03", DetectTtlParseTest03);
217  UtRegisterTest("DetectTtlParseTest04", DetectTtlParseTest04);
218  UtRegisterTest("DetectTtlParseTest05", DetectTtlParseTest05);
219  UtRegisterTest("DetectTtlParseTest06", DetectTtlParseTest06);
220  UtRegisterTest("DetectTtlParseTest07", DetectTtlParseTest07);
221  UtRegisterTest("DetectTtlSetupTest01", DetectTtlSetupTest01);
222  UtRegisterTest("DetectTtlTestSig1", DetectTtlTestSig1);
223 }
Packet_::proto
uint8_t proto
Definition: decode.h:495
detect-engine.h
FAIL_IF_NULL
#define FAIL_IF_NULL(expr)
Fail a test if expression evaluates to NULL.
Definition: util-unittest.h:89
IPV4Hdr_::ip_ttl
uint8_t ip_ttl
Definition: decode-ipv4.h:78
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
DETECT_UINT_LT
#define DETECT_UINT_LT
Definition: detect-engine-uint.h:37
PacketAlertCheck
int PacketAlertCheck(Packet *p, uint32_t sid)
Check if a certain sid alerted, this is used in the test functions.
Definition: detect-engine-alert.c:141
SigMatchData_::ctx
SigMatchCtx * ctx
Definition: detect.h:361
UTHSetIPV4Hdr
void UTHSetIPV4Hdr(Packet *p, IPV4Hdr *ip4h)
Definition: util-unittest-helper.c:126
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:841
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:2611
DETECT_UINT_EQ
#define DETECT_UINT_EQ
Definition: detect-engine-uint.h:35
DE_QUIET
#define DE_QUIET
Definition: detect.h:323
SigMatchSignatures
void SigMatchSignatures(ThreadVars *tv, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1938
Signature_::sm_arrays
SigMatchData * sm_arrays[DETECT_SM_LIST_MAX]
Definition: detect.h:654
DETECT_UINT_GT
#define DETECT_UINT_GT
Definition: detect-engine-uint.h:32
DetectEngineAppendSig
Signature * DetectEngineAppendSig(DetectEngineCtx *, const char *)
Parse and append a Signature into the Detection Engine Context signature list.
Definition: detect-parse.c:2587
FAIL_IF_NOT
#define FAIL_IF_NOT(expr)
Fail a test if expression evaluates to false.
Definition: util-unittest.h:82
DetectU8Parse
DetectUintData_u8 * DetectU8Parse(const char *u8str)
This function is used to parse u8 options passed via some u8 keyword.
Definition: detect-engine-uint.c:85
FAIL_IF_NOT_NULL
#define FAIL_IF_NOT_NULL(expr)
Fail a test if expression evaluates to non-NULL.
Definition: util-unittest.h:96
PASS
#define PASS
Pass the test.
Definition: util-unittest.h:105
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1093
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
DetectEngineThreadCtxInit
TmEcode DetectEngineThreadCtxInit(ThreadVars *tv, void *initdata, void **data)
initialize thread specific detection engine context
Definition: detect-engine.c:3347
DetectU8Data
DetectUintData_u8 DetectU8Data
Definition: detect-engine-uint.h:43
DETECT_SM_LIST_MATCH
@ DETECT_SM_LIST_MATCH
Definition: detect.h:114
Packet_
Definition: decode.h:473
detect-engine-build.h
detect-engine-alert.h
SigGroupBuild
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
Definition: detect-engine-build.c:2144
IPV4Hdr_
Definition: decode-ipv4.h:72
DetectTtlRegisterTests
void DetectTtlRegisterTests(void)
this function registers unit tests for DetectTtl
Definition: detect-ttl.c:212
FAIL_IF
#define FAIL_IF(expr)
Fail a test if expression evaluates to true.
Definition: util-unittest.h:71
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3574
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DetectTtlFree
void DetectTtlFree(DetectEngineCtx *, void *)
this function will free memory associated with DetectU8Data
Definition: detect-ttl.c:132
Signature_
Signature container.
Definition: detect.h:601
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:2572
Address_::family
char family
Definition: decode.h:109
Packet_::dst
Address dst
Definition: decode.h:478
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:843
Packet_::src
Address src
Definition: decode.h:477
DETECT_UINT_RA
#define DETECT_UINT_RA
Definition: detect-engine-uint.h:34