1 
2 /* Copyright (C) 2007-2018 Open Information Security Foundation
3  *
4  * You can copy, redistribute or modify this Program under the terms of
5  * the GNU General Public License version 2 as published by the Free
6  * Software Foundation.
7  *
8  * This program is distributed in the hope that it will be useful,
9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11  * GNU General Public License for more details.
12  *
13  * You should have received a copy of the GNU General Public License
14  * version 2 along with this program; if not, write to the Free Software
15  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
16  * 02110-1301, USA.
17  */
18 
19 #include "../detect-engine.h"
20 #include "../util-unittest.h"
21 
/**
 * \test DetectTtlParseTest01 checks that a bare number such as "10" is
 *       accepted and stored as an equality match on that TTL.
 */
static int DetectTtlParseTest01 (void)
{
    DetectTtlData *parsed = DetectTtlParse("10");
    FAIL_IF_NULL(parsed);
    /* no operator in front of the value means "equal to" */
    FAIL_IF(parsed->mode != DETECT_TTL_EQ);
    FAIL_IF(parsed->ttl1 != 10);
    DetectTtlFree(parsed);
    PASS;
}
35 
/**
 * \test DetectTtlParseTest02 checks that a leading "<" selects the
 *       less-than mode: "<10" must give DETECT_TTL_LT with ttl1 == 10.
 */
static int DetectTtlParseTest02 (void)
{
    DetectTtlData *parsed = DetectTtlParse("<10");
    FAIL_IF_NULL(parsed);
    FAIL_IF(parsed->mode != DETECT_TTL_LT);
    FAIL_IF(parsed->ttl1 != 10);
    DetectTtlFree(parsed);
    PASS;
}
50 
/**
 * \test DetectTtlParseTest03 checks that "1-2" is parsed as a range:
 *       mode DETECT_TTL_RA with the two endpoints in ttl1 and ttl2.
 */
static int DetectTtlParseTest03 (void)
{
    DetectTtlData *range = DetectTtlParse("1-2");
    FAIL_IF_NULL(range);
    /* the "-" between two numbers selects range mode */
    FAIL_IF(range->mode != DETECT_TTL_RA);
    FAIL_IF(range->ttl1 != 1 || range->ttl2 != 2);
    DetectTtlFree(range);
    PASS;
}
66 
/**
 * \test DetectTtlParseTest04 checks that a ">" operator is recognised even
 *       when the option string carries whitespace around operator and value.
 */
static int DetectTtlParseTest04 (void)
{
    /* " > 10 " must be treated exactly like ">10" */
    DetectTtlData *parsed = DetectTtlParse(" > 10 ");
    FAIL_IF_NULL(parsed);
    FAIL_IF(parsed->mode != DETECT_TTL_GT);
    FAIL_IF(parsed->ttl1 != 10);
    DetectTtlFree(parsed);
    PASS;
}
81 
/**
 * \test DetectTtlParseTest05 checks that a "-" range is recognised when the
 *       option string carries whitespace around the operator and both values.
 */
static int DetectTtlParseTest05 (void)
{
    /* " 1 - 2 " must be treated exactly like "1-2" */
    DetectTtlData *range = DetectTtlParse(" 1 - 2 ");
    FAIL_IF_NULL(range);
    FAIL_IF(range->mode != DETECT_TTL_RA);
    FAIL_IF(range->ttl1 != 1 || range->ttl2 != 2);
    DetectTtlFree(range);
    PASS;
}
97 
/**
 * \test DetectTtlParseTest06 checks that "=" is rejected as an operator:
 *       DetectTtlParse(" 1 = 2 ") must return NULL.
 */
static int DetectTtlParseTest06 (void)
{
    /* "=" is not a supported ttl operator, so parsing must fail */
    DetectTtlData *rejected = DetectTtlParse(" 1 = 2 ");
    FAIL_IF_NOT_NULL(rejected);
    PASS;
}
109 
/**
 * \test DetectTtlParseTest07 checks that "<>" is rejected as an operator:
 *       DetectTtlParse(" 1<>2 ") must return NULL.
 *
 * NOTE(review): none of the parse tests cover a value outside the uint8_t
 * TTL range (e.g. "256") or a reversed range ("2-1"); worth adding once the
 * parser's behaviour for those inputs has been confirmed.
 */
static int DetectTtlParseTest07 (void)
{
    /* "<>" is not a supported ttl operator, so parsing must fail */
    DetectTtlData *rejected = DetectTtlParse(" 1<>2 ");
    FAIL_IF_NOT_NULL(rejected);
    PASS;
}
121 
 122 /**
 123  * \test DetectTtlSetupTest01 runs "ttl:1 - 2" through the real detection
 124  * engine rather than the bare parser: the rule is appended to a fresh
 125  * engine context, the signature groups are built, and the DetectTtlData
 126  * attached to the signature must hold range mode with endpoints 1 and 2.
 127  */
 128 
 129 static int DetectTtlSetupTest01(void)
 130 {
 132  FAIL_IF_NULL(de_ctx);
 133  de_ctx->flags |= DE_QUIET; /* presumably silences engine output for the test run */
 134 
 135  Signature *s = DetectEngineAppendSig(de_ctx,
 136  "alert ip any any -> any any (msg:\"with in ttl limit\"; ttl:1 - 2; sid:1;)");
 137  FAIL_IF_NULL(s); /* on failure de_ctx is not freed; acceptable for a unit test */
 138  SigGroupBuild(de_ctx);
 142 
 143  FAIL_IF_NOT(ttld->ttl1 == 1); /* ttld: the keyword data pulled off the signature above */
 144  FAIL_IF_NOT(ttld->ttl2 == 2);
 145  FAIL_IF_NOT(ttld->mode == DETECT_TTL_RA); /* spaces around "-" must not change the mode */
 146  DetectEngineCtxFree(de_ctx);
 147  PASS;
 148 }
149 
 150 /**
 151  * \test DetectTtlTestSig1 exercises the ttl keyword end to end: four rules
 152  * with different operators are loaded into an engine context and a single
 153  * IPv4 packet with TTL 15 is run through SigMatchSignatures(). The rule
 154  * whose condition TTL 15 does not satisfy (sid 1, ">16") must not alert.
 155  */
 156 static int DetectTtlTestSig1(void)
 157 {
 158  Packet *p = PacketGetFromAlloc(); /* heap packet; released with SCFree below */
 159  FAIL_IF_NULL(p);
 160  Signature *s = NULL;
 161  ThreadVars th_v;
 162  DetectEngineThreadCtx *det_ctx;
 163  IPV4Hdr ip4h;
 164 
 165  memset(&th_v, 0, sizeof(th_v));
 166  memset(&ip4h, 0, sizeof(ip4h));
 167 
 168  p->src.family = AF_INET;
 169  p->dst.family = AF_INET;
 170  p->proto = IPPROTO_TCP; /* no TCP header is attached; the rules are "alert ip" */
 171  ip4h.ip_ttl = 15; /* the only header field the test cares about */
 172  p->ip4h = &ip4h; /* points at a stack object; p is freed before this function returns */
 173 
 175  FAIL_IF_NULL(de_ctx);
 176  de_ctx->flags |= DE_QUIET; /* presumably silences engine output for the test run */
 177 
 178  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"with in ttl limit\"; ttl: >16; sid:1;)"); /* must NOT match TTL 15 */
 179  FAIL_IF_NULL(s);
 180 
 181  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Less than 17\"; ttl: <17; sid:2;)");
 182  FAIL_IF_NULL(s);
 183 
 184  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Greater than 5\"; ttl:15; sid:3;)"); /* msg is stale: this is an equality match on 15 */
 185  FAIL_IF_NULL(s);
 186 
 187  s = DetectEngineAppendSig(de_ctx,"alert ip any any -> any any (msg:\"Equals tcp\"; ttl: 1-30; sid:4;)");
 188  FAIL_IF_NULL(s);
 189 
 190  SigGroupBuild(de_ctx);
 191  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); /* NOTE(review): TmEcode result is ignored; det_ctx would be unset if this failed */
 192 
 193  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
 194  FAIL_IF(PacketAlertCheck(p, 1)); /* sid 1 requires TTL > 16, so it must stay silent */
 198 
 199  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
 200  DetectEngineCtxFree(de_ctx);
 201 
 202  SCFree(p); /* NOTE(review): raw free of a PacketGetFromAlloc() packet; confirm no per-packet state needs a dedicated release */
 203  PASS;
 204 }
205 
 206 /**
 207  * \brief Registers the ttl keyword unit tests (parser, engine setup and
 208  *        signature matching) with the unit test runner via UtRegisterTest.
 209  */
 210 {
 211  UtRegisterTest("DetectTtlParseTest01", DetectTtlParseTest01);
 212  UtRegisterTest("DetectTtlParseTest02", DetectTtlParseTest02);
 213  UtRegisterTest("DetectTtlParseTest03", DetectTtlParseTest03);
 214  UtRegisterTest("DetectTtlParseTest04", DetectTtlParseTest04);
 215  UtRegisterTest("DetectTtlParseTest05", DetectTtlParseTest05);
 216  UtRegisterTest("DetectTtlParseTest06", DetectTtlParseTest06);
 217  UtRegisterTest("DetectTtlParseTest07", DetectTtlParseTest07);
 218  UtRegisterTest("DetectTtlSetupTest01", DetectTtlSetupTest01);
 219  UtRegisterTest("DetectTtlTestSig1", DetectTtlTestSig1); /* registered name matches the function, not the "Sig01" used elsewhere */
 220 }