suricata
util-action.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Pablo Rincon <pablo.rincon.crespo@gmail.com>
22  */
23 
24 #include "suricata-common.h"
25 
26 #include "action-globals.h"
27 #include "conf.h"
28 #include "conf-yaml-loader.h"
29 
30 #include "detect.h"
31 #include "detect-engine.h"
32 #include "detect-engine-sigorder.h"
33 
34 #include "util-unittest.h"
35 #include "util-action.h"
36 #include "util-unittest-helper.h"
37 #include "util-debug.h"
38 
39 /* Default order: */
40 uint8_t action_order_sigs[4] = {ACTION_PASS, ACTION_DROP, ACTION_REJECT, ACTION_ALERT};
41 /* This order can be changed from config */
42 
43 /**
44  * \brief Return the priority associated to an action (to order sigs
45  * as specified at config)
46  * action_order_sigs has this priority by index val
47  * so action_order_sigs[0] has to be inspected first.
48  * This function is called from detect-engine-sigorder
49  * \param action can be one of ACTION_PASS, ACTION_DROP,
50  * ACTION_REJECT or ACTION_ALERT
51  * \retval uint8_t the priority (order of this actions)
52  */
53 uint8_t ActionOrderVal(uint8_t action)
54 {
55  /* reject_both and reject_dst have the same prio as reject */
56  if( (action & ACTION_REJECT) ||
57  (action & ACTION_REJECT_BOTH) ||
58  (action & ACTION_REJECT_DST)) {
59  action = ACTION_REJECT;
60  }
61  uint8_t i = 0;
62  for (; i < 4; i++) {
63  if (action_order_sigs[i] == action)
64  return i;
65  }
66  /* Unknown action, set just a low prio (high val) */
67  return 10;
68 }
69 
70 /**
71  * \brief Return the ACTION_* bit from their ascii value
72  * \param action can be one of "pass", "drop",
73  * "reject" or "alert"
74  * \retval uint8_t can be one of ACTION_PASS, ACTION_DROP,
75  * ACTION_REJECT or ACTION_ALERT
76  */
77 static uint8_t ActionAsciiToFlag(const char *action)
78 {
79  if (strcmp(action,"pass") == 0)
80  return ACTION_PASS;
81  if (strcmp(action,"drop") == 0)
82  return ACTION_DROP;
83  if (strcmp(action,"reject") == 0)
84  return ACTION_REJECT;
85  if (strcmp(action,"alert") == 0)
86  return ACTION_ALERT;
87 
88  return 0;
89 }
90 
91 /**
92  * \brief Load the action order from config. If none is provided,
93  * it will be default to ACTION_PASS, ACTION_DROP,
94  * ACTION_REJECT, ACTION_ALERT (pass has the highest prio)
95  *
96  * \retval 0 on success; -1 on fatal error;
97  */
98 int ActionInitConfig()
99 {
100  uint8_t actions_used = 0;
101  uint8_t action_flag = 0;
102  uint8_t actions_config[4] = {0, 0, 0, 0};
103  int order = 0;
104 
105  ConfNode *action_order;
106  ConfNode *action = NULL;
107 
108  /* Let's load the order of actions from the general config */
109  action_order = ConfGetNode("action-order");
110  if (action_order == NULL) {
111  /* No configuration, use defaults. */
112  return 0;
113  }
114  else {
115  TAILQ_FOREACH(action, &action_order->head, next) {
116  SCLogDebug("Loading action order : %s", action->val);
117  action_flag = ActionAsciiToFlag(action->val);
118  if (action_flag == 0) {
119  SCLogError(SC_ERR_ACTION_ORDER, "action-order, invalid action: \"%s\". Please, use"
120  " \"pass\",\"drop\",\"alert\",\"reject\". You have"
121  " to specify all of them, without quotes and without"
122  " capital letters", action->val);
123  goto error;
124  }
125 
126  if (actions_used & action_flag) {
127  SCLogError(SC_ERR_ACTION_ORDER, "action-order, action already set: \"%s\". Please,"
128  " use \"pass\",\"drop\",\"alert\",\"reject\". You"
129  " have to specify all of them, without quotes and"
130  " without capital letters", action->val);
131  goto error;
132  }
133 
134  if (order >= 4) {
135  SCLogError(SC_ERR_ACTION_ORDER, "action-order, you have already specified all the "
136  "possible actions plus \"%s\". Please, use \"pass\","
137  "\"drop\",\"alert\",\"reject\". You have to specify"
138  " all of them, without quotes and without capital"
139  " letters", action->val);
140  goto error;
141  }
142  actions_used |= action_flag;
143  actions_config[order++] = action_flag;
144  }
145  }
146  if (order < 4) {
147  SCLogError(SC_ERR_ACTION_ORDER, "action-order, the config didn't specify all of the "
148  "actions. Please, use \"pass\",\"drop\",\"alert\","
149  "\"reject\". You have to specify all of them, without"
150  " quotes and without capital letters");
151  goto error;
152  }
153 
154  /* Now, it's a valid config. Override the default preset */
155  for (order = 0; order < 4; order++) {
156  action_order_sigs[order] = actions_config[order];
157  }
158 
159  return 0;
160 
161  error:
162  return -1;
163 }
164 
165 #ifdef UNITTESTS
166 
167 /**
168  * \test Check that we invalidate duplicated actions
169  * (It should default to pass, drop, reject, alert)
170  */
171 static int UtilActionTest01(void)
172 {
173  int res = 1;
174  char config[] = "\
175 %YAML 1.1\n\
176 ---\n\
177 action-order:\n\
178  - alert\n\
179  - drop\n\
180  - reject\n\
181  - alert\n";
182 
183  ConfCreateContextBackup();
184  ConfInit();
185  ConfYamlLoadString(config, strlen(config));
186 
187  ActionInitConfig();
188  if (action_order_sigs[0] != ACTION_PASS ||
189  action_order_sigs[1] != ACTION_DROP ||
190  action_order_sigs[2] != ACTION_REJECT ||
191  action_order_sigs[3] != ACTION_ALERT)
192  {
193  res = 0;
194  }
195  ConfRestoreContextBackup();
196 
197  /* Restore default values */
198  action_order_sigs[0] = ACTION_PASS;
199  action_order_sigs[1] = ACTION_DROP;
200  action_order_sigs[2] = ACTION_REJECT;
201  action_order_sigs[3] = ACTION_ALERT;
202  return res;
203 }
204 
205 /**
206  * \test Check that we invalidate with unknown keywords
207  * (It should default to pass, drop, reject, alert)
208  */
209 static int UtilActionTest02(void)
210 {
211  int res = 1;
212  char config[] = "\
213 %YAML 1.1\n\
214 ---\n\
215 action-order:\n\
216  - alert\n\
217  - drop\n\
218  - reject\n\
219  - ftw\n";
220 
221  ConfCreateContextBackup();
222  ConfInit();
223  ConfYamlLoadString(config, strlen(config));
224 
225  ActionInitConfig();
226  if (action_order_sigs[0] != ACTION_PASS ||
227  action_order_sigs[1] != ACTION_DROP ||
228  action_order_sigs[2] != ACTION_REJECT ||
229  action_order_sigs[3] != ACTION_ALERT)
230  {
231  res = 0;
232  }
233  ConfRestoreContextBackup();
234 
235  /* Restore default values */
236  action_order_sigs[0] = ACTION_PASS;
237  action_order_sigs[1] = ACTION_DROP;
238  action_order_sigs[2] = ACTION_REJECT;
239  action_order_sigs[3] = ACTION_ALERT;
240  return res;
241 }
242 
243 /**
244  * \test Check that we invalidate if any action is missing
245  * (It should default to pass, drop, reject, alert)
246  */
247 static int UtilActionTest03(void)
248 {
249  int res = 1;
250  char config[] = "\
251 %YAML 1.1\n\
252 ---\n\
253 action-order:\n\
254  - alert\n\
255  - drop\n\
256  - reject\n";
257 
258  ConfCreateContextBackup();
259  ConfInit();
260  ConfYamlLoadString(config, strlen(config));
261 
262  ActionInitConfig();
263  if (action_order_sigs[0] != ACTION_PASS ||
264  action_order_sigs[1] != ACTION_DROP ||
265  action_order_sigs[2] != ACTION_REJECT ||
266  action_order_sigs[3] != ACTION_ALERT)
267  {
268  res = 0;
269  }
270  ConfRestoreContextBackup();
271 
272  /* Restore default values */
273  action_order_sigs[0] = ACTION_PASS;
274  action_order_sigs[1] = ACTION_DROP;
275  action_order_sigs[2] = ACTION_REJECT;
276  action_order_sigs[3] = ACTION_ALERT;
277  return res;
278 }
279 
280 /**
281  * \test Check that we invalidate if any action is missing
282  * (It should default to pass, drop, reject, alert)
283  */
284 static int UtilActionTest04(void)
285 {
286  int res = 1;
287  char config[] = "\
288 %YAML 1.1\n\
289 ---\n\
290 action-order:\n";
291 
292  ConfCreateContextBackup();
293  ConfInit();
294  ConfYamlLoadString(config, strlen(config));
295 
296  ActionInitConfig();
297  if (action_order_sigs[0] != ACTION_PASS ||
298  action_order_sigs[1] != ACTION_DROP ||
299  action_order_sigs[2] != ACTION_REJECT ||
300  action_order_sigs[3] != ACTION_ALERT)
301  {
302  res = 0;
303  }
304  ConfRestoreContextBackup();
305 
306  /* Restore default values */
307  action_order_sigs[0] = ACTION_PASS;
308  action_order_sigs[1] = ACTION_DROP;
309  action_order_sigs[2] = ACTION_REJECT;
310  action_order_sigs[3] = ACTION_ALERT;
311  return res;
312 }
313 
314 /**
315  * \test Check that we invalidate with unknown keywords
316  * and/or more than the expected
317  * (It should default to pass, drop, reject, alert)
318  */
319 static int UtilActionTest05(void)
320 {
321  int res = 1;
322  char config[] = "\
323 %YAML 1.1\n\
324 ---\n\
325 action-order:\n\
326  - alert\n\
327  - drop\n\
328  - reject\n\
329  - pass\n\
330  - whatever\n";
331 
332  ConfCreateContextBackup();
333  ConfInit();
334  ConfYamlLoadString(config, strlen(config));
335 
336  ActionInitConfig();
337  if (action_order_sigs[0] != ACTION_PASS ||
338  action_order_sigs[1] != ACTION_DROP ||
339  action_order_sigs[2] != ACTION_REJECT ||
340  action_order_sigs[3] != ACTION_ALERT)
341  {
342  res = 0;
343  }
344  ConfRestoreContextBackup();
345 
346  /* Restore default values */
347  action_order_sigs[0] = ACTION_PASS;
348  action_order_sigs[1] = ACTION_DROP;
349  action_order_sigs[2] = ACTION_REJECT;
350  action_order_sigs[3] = ACTION_ALERT;
351  return res;
352 }
353 
354 /**
355  * \test Check that we load a valid config
356  */
357 static int UtilActionTest06(void)
358 {
359  int res = 1;
360  char config[] = "\
361 %YAML 1.1\n\
362 ---\n\
363 action-order:\n\
364  - alert\n\
365  - drop\n\
366  - reject\n\
367  - pass\n";
368 
369  ConfCreateContextBackup();
370  ConfInit();
371  ConfYamlLoadString(config, strlen(config));
372 
373  ActionInitConfig();
374  if (action_order_sigs[0] != ACTION_ALERT ||
375  action_order_sigs[1] != ACTION_DROP ||
376  action_order_sigs[2] != ACTION_REJECT ||
377  action_order_sigs[3] != ACTION_PASS)
378  {
379  res = 0;
380  }
381  ConfRestoreContextBackup();
382 
383  /* Restore default values */
384  action_order_sigs[0] = ACTION_PASS;
385  action_order_sigs[1] = ACTION_DROP;
386  action_order_sigs[2] = ACTION_REJECT;
387  action_order_sigs[3] = ACTION_ALERT;
388  return res;
389 }
390 
391 /**
392  * \test Check that we load a valid config
393  */
394 static int UtilActionTest07(void)
395 {
396  int res = 1;
397  char config[] = "\
398 %YAML 1.1\n\
399 ---\n\
400 action-order:\n\
401  - pass\n\
402  - alert\n\
403  - drop\n\
404  - reject\n";
405 
406  ConfCreateContextBackup();
407  ConfInit();
408  ConfYamlLoadString(config, strlen(config));
409 
410  ActionInitConfig();
411  if (action_order_sigs[0] != ACTION_PASS ||
412  action_order_sigs[1] != ACTION_ALERT ||
413  action_order_sigs[2] != ACTION_DROP ||
414  action_order_sigs[3] != ACTION_REJECT)
415  {
416  res = 0;
417  }
418  ConfRestoreContextBackup();
419 
420  /* Restore default values */
421  action_order_sigs[0] = ACTION_PASS;
422  action_order_sigs[1] = ACTION_DROP;
423  action_order_sigs[2] = ACTION_REJECT;
424  action_order_sigs[3] = ACTION_ALERT;
425  return res;
426 }
427 
428 /**
429  * \test Check that we handle the "pass" action
430  * correctly at the IP Only engine in the default case
431  */
432 static int UtilActionTest08(void)
433 {
434  int res = 0;
435  uint8_t *buf = (uint8_t *)"Hi all!";
436  uint16_t buflen = strlen((char *)buf);
437  Packet *p[3];
438  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
439  "192.168.1.5", "192.168.1.1",
440  41424, 80);
441  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
442  "192.168.1.1", "192.168.1.5",
443  80, 41424);
444  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
445  "192.168.1.5", "192.168.1.1",
446  41424, 80);
447 
448  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
449  goto end;
450 
451  const char *sigs[3];
452  sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
453  sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)";
454  sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)";
455 
456  uint32_t sid[3] = {1, 2, 3};
457 
458  uint32_t results[3][3] = {
459  {1, 0, 1},
460  {0, 0, 0},
461  {1, 0, 1} };
462  /* This means that with the second packet, the results will be
463  * all ({0,0,0}) since, we should match the "pass" rule first
464  */
465 
466  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
467  if (de_ctx == NULL)
468  goto cleanup;
469  de_ctx->flags |= DE_QUIET;
470 
471  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
472  goto cleanup;
473 
474  SCSigRegisterSignatureOrderingFuncs(de_ctx);
475  SCSigOrderSignatures(de_ctx);
476 
477  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
478 
479 cleanup:
480  UTHFreePackets(p, 3);
481 
482  if (de_ctx != NULL) {
483  SigGroupCleanup(de_ctx);
484  SigCleanSignatures(de_ctx);
485  DetectEngineCtxFree(de_ctx);
486  }
487 
488 end:
489  return res;
490 }
491 
492 /**
493  * \test Check that we handle the "pass" action
494  * correctly at the IP Only engine with more
495  * prio to drop
496  */
497 static int UtilActionTest09(void)
498 {
499  int res = 1;
500  uint8_t *buf = (uint8_t *)"Hi all!";
501  uint16_t buflen = strlen((char *)buf);
502  Packet *p[3];
503 
504  action_order_sigs[0] = ACTION_DROP;
505  action_order_sigs[1] = ACTION_PASS;
506  action_order_sigs[2] = ACTION_REJECT;
507  action_order_sigs[3] = ACTION_ALERT;
508 
509  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
510  "192.168.1.5", "192.168.1.1",
511  41424, 80);
512  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
513  "192.168.1.1", "192.168.1.5",
514  80, 41424);
515  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
516  "192.168.1.5", "192.168.1.1",
517  41424, 80);
518 
519  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
520  goto end;
521 
522  const char *sigs[3];
523  sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
524  sigs[1]= "pass ip 192.168.1.1 80 -> any any (msg:\"sig 2\"; sid:2;)";
525  sigs[2]= "drop ip any any -> any any (msg:\"sig 3\"; sid:3;)";
526 
527  uint32_t sid[3] = {1, 2, 3};
528 
529  uint32_t results[3][3] = {
530  {1, 0, 1},
531  {0, 0, 1},
532  {1, 0, 1} };
533  /* This means that with the second packet, the results will be
534  * all ({0,0,1}) since, we should match the "drop" rule first.
535  * Later the "pass" rule will avoid the "alert" rule match
536  */
537 
538  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
539  if (de_ctx == NULL)
540  goto cleanup;
541  de_ctx->flags |= DE_QUIET;
542 
543  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
544  goto cleanup;
545 
546  SCSigRegisterSignatureOrderingFuncs(de_ctx);
547  SCSigOrderSignatures(de_ctx);
548 
549  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
550 
551 cleanup:
552  UTHFreePackets(p, 3);
553 
554  if (de_ctx != NULL) {
555  SigGroupCleanup(de_ctx);
556  SigCleanSignatures(de_ctx);
557  DetectEngineCtxFree(de_ctx);
558  }
559 
560 end:
561  /* Restore default values */
562  action_order_sigs[0] = ACTION_PASS;
563  action_order_sigs[1] = ACTION_DROP;
564  action_order_sigs[2] = ACTION_REJECT;
565  action_order_sigs[3] = ACTION_ALERT;
566  return res;
567 }
568 
569 /**
570  * \test Check that we handle the "pass" action
571  * correctly at the detection engine in the default case
572  */
573 static int UtilActionTest10(void)
574 {
575  int res = 0;
576  uint8_t *buf = (uint8_t *)"Hi all!";
577  uint16_t buflen = strlen((char *)buf);
578  uint8_t *buf2 = (uint8_t *)"wo!";
579  uint16_t buflen2 = strlen((char *)buf2);
580  Packet *p[3];
581  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
582  "192.168.1.5", "192.168.1.1",
583  41424, 80);
584  p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP,
585  "192.168.1.1", "192.168.1.5",
586  80, 41424);
587  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
588  "192.168.1.5", "192.168.1.1",
589  41424, 80);
590 
591  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
592  goto end;
593 
594  const char *sigs[3];
595  sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
596  sigs[1]= "pass ip any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
597  sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
598 
599  uint32_t sid[3] = {1, 2, 3};
600 
601  uint32_t results[3][3] = {
602  {1, 0, 1},
603  {0, 0, 0},
604  {1, 0, 1} };
605  /* This means that with the second packet, the results will be
606  * all ({0,0,0}) since, we should match the "pass" rule first
607  */
608 
609  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
610  if (de_ctx == NULL)
611  goto cleanup;
612  de_ctx->flags |= DE_QUIET;
613 
614  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
615  goto cleanup;
616 
617  SCSigRegisterSignatureOrderingFuncs(de_ctx);
618  SCSigOrderSignatures(de_ctx);
619 
620  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
621 
622 cleanup:
623  UTHFreePackets(p, 3);
624 
625  if (de_ctx != NULL) {
626  SigGroupCleanup(de_ctx);
627  SigCleanSignatures(de_ctx);
628  DetectEngineCtxFree(de_ctx);
629  }
630 
631 end:
632  return res;
633 }
634 
635 /**
636  * \test Check that we handle the "pass" action
637  * correctly at the detection engine with more
638  * prio to drop
639  */
640 static int UtilActionTest11(void)
641 {
642  int res = 1;
643  uint8_t *buf = (uint8_t *)"Hi all!";
644  uint16_t buflen = strlen((char *)buf);
645  uint8_t *buf2 = (uint8_t *)"Hi all wo!";
646  uint16_t buflen2 = strlen((char *)buf2);
647  Packet *p[3];
648 
649  action_order_sigs[0] = ACTION_DROP;
650  action_order_sigs[1] = ACTION_PASS;
651  action_order_sigs[2] = ACTION_REJECT;
652  action_order_sigs[3] = ACTION_ALERT;
653 
654  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
655  "192.168.1.5", "192.168.1.1",
656  41424, 80);
657  p[1] = UTHBuildPacketReal((uint8_t *)buf2, buflen2, IPPROTO_TCP,
658  "192.168.1.1", "192.168.1.5",
659  80, 41424);
660  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
661  "192.168.1.5", "192.168.1.1",
662  41424, 80);
663 
664  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
665  goto end;
666 
667  const char *sigs[3];
668  sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
669  sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"wo\"; sid:2;)";
670  sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
671 
672  uint32_t sid[3] = {1, 2, 3};
673 
674  uint32_t results[3][3] = {
675  {1, 0, 1},
676  {0, 0, 1},
677  {1, 0, 1} };
678  /* This means that with the second packet, the results will be
679  * all ({0,0,1}) since, we should match the "drop" rule first.
680  * Later the "pass" rule will avoid the "alert" rule match
681  */
682 
683  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
684  if (de_ctx == NULL)
685  goto cleanup;
686  de_ctx->flags |= DE_QUIET;
687 
688  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
689  goto cleanup;
690 
691  SCSigRegisterSignatureOrderingFuncs(de_ctx);
692  SCSigOrderSignatures(de_ctx);
693 
694  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
695 
696 cleanup:
697  UTHFreePackets(p, 3);
698 
699  if (de_ctx != NULL) {
700  SigGroupCleanup(de_ctx);
701  SigCleanSignatures(de_ctx);
702  DetectEngineCtxFree(de_ctx);
703  }
704 
705 end:
706  /* Restore default values */
707  action_order_sigs[0] = ACTION_PASS;
708  action_order_sigs[1] = ACTION_DROP;
709  action_order_sigs[2] = ACTION_REJECT;
710  action_order_sigs[3] = ACTION_ALERT;
711  return res;
712 }
713 
714 /**
715  * \test Check that we handle the "pass" action
716  * correctly at the detection engine in the default case
717  */
718 static int UtilActionTest12(void)
719 {
720  int res = 0;
721  uint8_t *buf = (uint8_t *)"Hi all!";
722  uint16_t buflen = strlen((char *)buf);
723  Packet *p[3];
724  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
725  "192.168.1.5", "192.168.1.1",
726  41424, 80);
727  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
728  "192.168.1.1", "192.168.1.5",
729  80, 41424);
730  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
731  "192.168.1.5", "192.168.1.1",
732  41424, 80);
733 
734  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
735  goto end;
736 
737  const char *sigs[3];
738  sigs[0]= "alert ip any any -> any any (msg:\"sig 1\"; sid:1;)";
739  sigs[1]= "pass ip any any -> any any (msg:\"Testing normal 2\"; sid:2;)";
740  sigs[2]= "alert ip any any -> any any (msg:\"sig 3\"; sid:3;)";
741 
742  uint32_t sid[3] = {1, 2, 3};
743 
744  uint32_t results[3][3] = {
745  {0, 0, 0},
746  {0, 0, 0},
747  {0, 0, 0} };
748  /* All should match the 3 sigs, but the action pass has prio */
749 
750  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
751  if (de_ctx == NULL)
752  goto cleanup;
753  de_ctx->flags |= DE_QUIET;
754 
755  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
756  goto cleanup;
757 
758  SCSigRegisterSignatureOrderingFuncs(de_ctx);
759  SCSigOrderSignatures(de_ctx);
760 
761  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
762 
763 cleanup:
764  UTHFreePackets(p, 3);
765 
766  if (de_ctx != NULL) {
767  SigGroupCleanup(de_ctx);
768  SigCleanSignatures(de_ctx);
769  DetectEngineCtxFree(de_ctx);
770  }
771 
772 end:
773  return res;
774 }
775 
776 /**
777  * \test Check that we handle the "pass" action
778  * correctly at the detection engine with more
779  * prio to drop
780  */
781 static int UtilActionTest13(void)
782 {
783  int res = 1;
784  uint8_t *buf = (uint8_t *)"Hi all!";
785  uint16_t buflen = strlen((char *)buf);
786  Packet *p[3];
787 
788  action_order_sigs[0] = ACTION_DROP;
789  action_order_sigs[1] = ACTION_PASS;
790  action_order_sigs[2] = ACTION_REJECT;
791  action_order_sigs[3] = ACTION_ALERT;
792 
793  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
794  "192.168.1.5", "192.168.1.1",
795  41424, 80);
796  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
797  "192.168.1.1", "192.168.1.5",
798  80, 41424);
799  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
800  "192.168.1.5", "192.168.1.1",
801  41424, 80);
802 
803  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
804  goto end;
805 
806  const char *sigs[3];
807  sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
808  sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
809  sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
810 
811  uint32_t sid[3] = {1, 2, 3};
812 
813  uint32_t results[3][3] = {
814  {0, 0, 1},
815  {0, 0, 1},
816  {0, 0, 1} };
817  /* All the patckets should match the 3 sigs. As drop has more
818  * priority than pass, it should alert on each packet */
819 
820  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
821  if (de_ctx == NULL)
822  goto cleanup;
823  de_ctx->flags |= DE_QUIET;
824 
825  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
826  goto cleanup;
827 
828  SCSigRegisterSignatureOrderingFuncs(de_ctx);
829  SCSigOrderSignatures(de_ctx);
830 
831  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
832 
833 cleanup:
834  UTHFreePackets(p, 3);
835 
836  if (de_ctx != NULL) {
837  SigGroupCleanup(de_ctx);
838  SigCleanSignatures(de_ctx);
839  DetectEngineCtxFree(de_ctx);
840  }
841 
842 end:
843  /* Restore default values */
844  action_order_sigs[0] = ACTION_PASS;
845  action_order_sigs[1] = ACTION_DROP;
846  action_order_sigs[2] = ACTION_REJECT;
847  action_order_sigs[3] = ACTION_ALERT;
848  return res;
849 }
850 
851 /**
852  * \test Check that we handle the "pass" action
853  * correctly at the detection engine with more
854  * prio to drop and alert
855  */
856 static int UtilActionTest14(void)
857 {
858  int res = 1;
859  uint8_t *buf = (uint8_t *)"Hi all!";
860  uint16_t buflen = strlen((char *)buf);
861  Packet *p[3];
862 
863  action_order_sigs[0] = ACTION_DROP;
864  action_order_sigs[1] = ACTION_ALERT;
865  action_order_sigs[2] = ACTION_REJECT;
866  action_order_sigs[3] = ACTION_PASS;
867 
868  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
869  "192.168.1.5", "192.168.1.1",
870  41424, 80);
871  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
872  "192.168.1.1", "192.168.1.5",
873  80, 41424);
874  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
875  "192.168.1.5", "192.168.1.1",
876  41424, 80);
877 
878  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
879  goto end;
880 
881  const char *sigs[3];
882  sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; content:\"Hi all\"; sid:1;)";
883  sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
884  sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; content:\"Hi all\"; sid:3;)";
885 
886  uint32_t sid[3] = {1, 2, 3};
887 
888  uint32_t results[3][3] = {
889  {1, 0, 1},
890  {1, 0, 1},
891  {1, 0, 1} };
892  /* All the patckets should match the 3 sigs. As drop
893  * and alert have more priority than pass, both should
894  * alert on each packet */
895 
896  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
897  if (de_ctx == NULL)
898  goto cleanup;
899  de_ctx->flags |= DE_QUIET;
900 
901  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
902  goto cleanup;
903 
904  SCSigRegisterSignatureOrderingFuncs(de_ctx);
905  SCSigOrderSignatures(de_ctx);
906 
907  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
908 
909 cleanup:
910  UTHFreePackets(p, 3);
911 
912  if (de_ctx != NULL) {
913  SigGroupCleanup(de_ctx);
914  SigCleanSignatures(de_ctx);
915  DetectEngineCtxFree(de_ctx);
916  }
917 
918 end:
919  /* Restore default values */
920  action_order_sigs[0] = ACTION_PASS;
921  action_order_sigs[1] = ACTION_DROP;
922  action_order_sigs[2] = ACTION_REJECT;
923  action_order_sigs[3] = ACTION_ALERT;
924  return res;
925 }
926 
927 /**
928  * \test Check mixed sigs (iponly and normal)
929  */
930 static int UtilActionTest15(void)
931 {
932  int res = 1;
933  uint8_t *buf = (uint8_t *)"Hi all!";
934  uint16_t buflen = strlen((char *)buf);
935  Packet *p[3];
936 
937  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
938  "192.168.1.5", "192.168.1.1",
939  41424, 80);
940  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
941  "192.168.1.1", "192.168.1.5",
942  80, 41424);
943  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
944  "192.168.1.5", "192.168.1.1",
945  41424, 80);
946 
947  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
948  goto end;
949 
950  const char *sigs[3];
951  sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
952  sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
953  sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
954 
955  uint32_t sid[3] = {1, 2, 3};
956 
957  uint32_t results[3][3] = {
958  {0, 0, 0},
959  {0, 0, 0},
960  {0, 0, 0} };
961  /* All the patckets should match the 3 sigs. As drop
962  * and alert have more priority than pass, both should
963  * alert on each packet */
964 
965  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
966  if (de_ctx == NULL)
967  goto cleanup;
968  de_ctx->flags |= DE_QUIET;
969 
970  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
971  goto cleanup;
972 
973  SCSigRegisterSignatureOrderingFuncs(de_ctx);
974  SCSigOrderSignatures(de_ctx);
975 
976  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
977 
978 cleanup:
979  UTHFreePackets(p, 3);
980 
981  if (de_ctx != NULL) {
982  SigGroupCleanup(de_ctx);
983  SigCleanSignatures(de_ctx);
984  DetectEngineCtxFree(de_ctx);
985  }
986 
987 end:
988  return res;
989 }
990 
991 /**
992  * \test Check mixed sigs (iponly and normal)
993  */
994 static int UtilActionTest16(void)
995 {
996  int res = 1;
997  uint8_t *buf = (uint8_t *)"Hi all!";
998  uint16_t buflen = strlen((char *)buf);
999  Packet *p[3];
1000 
1001  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1002  "192.168.1.5", "192.168.1.1",
1003  41424, 80);
1004  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1005  "192.168.1.1", "192.168.1.5",
1006  80, 41424);
1007  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1008  "192.168.1.5", "192.168.1.1",
1009  41424, 80);
1010 
1011  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1012  goto end;
1013 
1014  const char *sigs[3];
1015  sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1016  sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1017  sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1018 
1019  uint32_t sid[3] = {1, 2, 3};
1020 
1021  uint32_t results[3][3] = {
1022  {0, 0, 0},
1023  {0, 0, 0},
1024  {0, 0, 0} };
1025  /* All the patckets should match the 3 sigs. As drop
1026  * and alert have more priority than pass, both should
1027  * alert on each packet */
1028 
1029  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1030  if (de_ctx == NULL)
1031  goto cleanup;
1032  de_ctx->flags |= DE_QUIET;
1033 
1034  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1035  goto cleanup;
1036 
1037  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1038  SCSigOrderSignatures(de_ctx);
1039 
1040  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1041 
1042 cleanup:
1043  UTHFreePackets(p, 3);
1044 
1045  if (de_ctx != NULL) {
1046  SigGroupCleanup(de_ctx);
1047  SigCleanSignatures(de_ctx);
1048  DetectEngineCtxFree(de_ctx);
1049  }
1050 
1051 end:
1052  return res;
1053 }
1054 
1055 /**
1056  * \test Check mixed sigs (iponly and normal)
1057  */
1058 static int UtilActionTest17(void)
1059 {
1060  int res = 1;
1061  uint8_t *buf = (uint8_t *)"Hi all!";
1062  uint16_t buflen = strlen((char *)buf);
1063  Packet *p[3];
1064 
1065  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1066  "192.168.1.5", "192.168.1.1",
1067  41424, 80);
1068  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1069  "192.168.1.1", "192.168.1.5",
1070  80, 41424);
1071  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1072  "192.168.1.5", "192.168.1.1",
1073  41424, 80);
1074 
1075  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1076  goto end;
1077 
1078  const char *sigs[3];
1079  sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1080  sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1081  sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1082 
1083  uint32_t sid[3] = {1, 2, 3};
1084 
1085  uint32_t results[3][3] = {
1086  {0, 0, 0},
1087  {0, 0, 0},
1088  {0, 0, 0} };
1089  /* All the patckets should match the 3 sigs. As drop
1090  * and alert have more priority than pass, both should
1091  * alert on each packet */
1092 
1093  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1094  if (de_ctx == NULL)
1095  goto cleanup;
1096  de_ctx->flags |= DE_QUIET;
1097 
1098  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1099  goto cleanup;
1100 
1101  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1102  SCSigOrderSignatures(de_ctx);
1103 
1104  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1105 
1106 cleanup:
1107  UTHFreePackets(p, 3);
1108 
1109  if (de_ctx != NULL) {
1110  SigGroupCleanup(de_ctx);
1111  SigCleanSignatures(de_ctx);
1112  DetectEngineCtxFree(de_ctx);
1113  }
1114 
1115 end:
1116  return res;
1117 }
1118 
1119 /**
1120  * \test Check mixed sigs (iponly and normal) with more prio for drop
1121  */
1122 static int UtilActionTest18(void)
1123 {
1124  int res = 1;
1125  uint8_t *buf = (uint8_t *)"Hi all!";
1126  uint16_t buflen = strlen((char *)buf);
1127  Packet *p[3];
1128 
1129  action_order_sigs[0] = ACTION_DROP;
1130  action_order_sigs[1] = ACTION_PASS;
1131  action_order_sigs[2] = ACTION_REJECT;
1132  action_order_sigs[3] = ACTION_ALERT;
1133 
1134  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1135  "192.168.1.5", "192.168.1.1",
1136  41424, 80);
1137  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1138  "192.168.1.1", "192.168.1.5",
1139  80, 41424);
1140  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1141  "192.168.1.5", "192.168.1.1",
1142  41424, 80);
1143 
1144  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1145  goto end;
1146 
1147  const char *sigs[3];
1148  sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1149  sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1150  sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1151 
1152  uint32_t sid[3] = {1, 2, 3};
1153 
1154  uint32_t results[3][3] = {
1155  {0, 0, 1},
1156  {0, 0, 1},
1157  {0, 0, 1} };
1158  /* All the patckets should match the 3 sigs. As drop
1159  * and alert have more priority than pass, both should
1160  * alert on each packet */
1161 
1162  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1163  if (de_ctx == NULL)
1164  goto cleanup;
1165  de_ctx->flags |= DE_QUIET;
1166 
1167  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1168  goto cleanup;
1169 
1170  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1171  SCSigOrderSignatures(de_ctx);
1172 
1173  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1174 
1175 cleanup:
1176  UTHFreePackets(p, 3);
1177 
1178  if (de_ctx != NULL) {
1179  SigGroupCleanup(de_ctx);
1180  SigCleanSignatures(de_ctx);
1181  DetectEngineCtxFree(de_ctx);
1182  }
1183 
1184 end:
1185  /* Restore default values */
1186  action_order_sigs[0] = ACTION_PASS;
1187  action_order_sigs[1] = ACTION_DROP;
1188  action_order_sigs[2] = ACTION_REJECT;
1189  action_order_sigs[3] = ACTION_ALERT;
1190 
1191  return res;
1192 }
1193 
1194 /**
1195  * \test Check mixed sigs (iponly and normal) with more prio for drop
1196  */
1197 static int UtilActionTest19(void)
1198 {
1199  int res = 1;
1200  uint8_t *buf = (uint8_t *)"Hi all!";
1201  uint16_t buflen = strlen((char *)buf);
1202  Packet *p[3];
1203 
1204  action_order_sigs[0] = ACTION_DROP;
1205  action_order_sigs[1] = ACTION_PASS;
1206  action_order_sigs[2] = ACTION_REJECT;
1207  action_order_sigs[3] = ACTION_ALERT;
1208 
1209  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1210  "192.168.1.5", "192.168.1.1",
1211  41424, 80);
1212  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1213  "192.168.1.1", "192.168.1.5",
1214  80, 41424);
1215  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1216  "192.168.1.5", "192.168.1.1",
1217  41424, 80);
1218 
1219  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1220  goto end;
1221 
1222  const char *sigs[3];
1223  sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1224  sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1225  sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1226 
1227  uint32_t sid[3] = {1, 2, 3};
1228 
1229  uint32_t results[3][3] = {
1230  {1, 0, 0},
1231  {1, 0, 0},
1232  {1, 0, 0} };
1233  /* All the patckets should match the 3 sigs. As drop
1234  * and alert have more priority than pass, both should
1235  * alert on each packet */
1236 
1237  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1238  if (de_ctx == NULL)
1239  goto cleanup;
1240  de_ctx->flags |= DE_QUIET;
1241 
1242  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1243  goto cleanup;
1244 
1245  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1246  SCSigOrderSignatures(de_ctx);
1247 
1248  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1249 
1250 cleanup:
1251  UTHFreePackets(p, 3);
1252 
1253  if (de_ctx != NULL) {
1254  SigGroupCleanup(de_ctx);
1255  SigCleanSignatures(de_ctx);
1256  DetectEngineCtxFree(de_ctx);
1257  }
1258 
1259 end:
1260  /* Restore default values */
1261  action_order_sigs[0] = ACTION_PASS;
1262  action_order_sigs[1] = ACTION_DROP;
1263  action_order_sigs[2] = ACTION_REJECT;
1264  action_order_sigs[3] = ACTION_ALERT;
1265 
1266  return res;
1267 }
1268 
1269 /**
1270  * \test Check mixed sigs (iponly and normal) with more prio for drop
1271  */
1272 static int UtilActionTest20(void)
1273 {
1274  int res = 1;
1275  uint8_t *buf = (uint8_t *)"Hi all!";
1276  uint16_t buflen = strlen((char *)buf);
1277  Packet *p[3];
1278 
1279  action_order_sigs[0] = ACTION_DROP;
1280  action_order_sigs[1] = ACTION_PASS;
1281  action_order_sigs[2] = ACTION_REJECT;
1282  action_order_sigs[3] = ACTION_ALERT;
1283 
1284  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1285  "192.168.1.5", "192.168.1.1",
1286  41424, 80);
1287  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1288  "192.168.1.1", "192.168.1.5",
1289  80, 41424);
1290  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1291  "192.168.1.5", "192.168.1.1",
1292  41424, 80);
1293 
1294  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1295  goto end;
1296 
1297  const char *sigs[3];
1298  sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1299  sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1300  sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1301 
1302  uint32_t sid[3] = {1, 2, 3};
1303 
1304  uint32_t results[3][3] = {
1305  {0, 1, 0},
1306  {0, 1, 0},
1307  {0, 1, 0} };
1308  /* All the patckets should match the 3 sigs. As drop
1309  * and alert have more priority than pass, both should
1310  * alert on each packet */
1311 
1312  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1313  if (de_ctx == NULL)
1314  goto cleanup;
1315  de_ctx->flags |= DE_QUIET;
1316 
1317  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1318  goto cleanup;
1319 
1320  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1321  SCSigOrderSignatures(de_ctx);
1322 
1323  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1324 
1325 cleanup:
1326  UTHFreePackets(p, 3);
1327 
1328  if (de_ctx != NULL) {
1329  SigGroupCleanup(de_ctx);
1330  SigCleanSignatures(de_ctx);
1331  DetectEngineCtxFree(de_ctx);
1332  }
1333 
1334 end:
1335  return res;
1336 }
1337 
1338 /**
1339  * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
1340  */
1341 static int UtilActionTest21(void)
1342 {
1343  int res = 1;
1344  uint8_t *buf = (uint8_t *)"Hi all!";
1345  uint16_t buflen = strlen((char *)buf);
1346  Packet *p[3];
1347 
1348  action_order_sigs[0] = ACTION_DROP;
1349  action_order_sigs[1] = ACTION_ALERT;
1350  action_order_sigs[2] = ACTION_REJECT;
1351  action_order_sigs[3] = ACTION_PASS;
1352 
1353  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1354  "192.168.1.5", "192.168.1.1",
1355  41424, 80);
1356  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1357  "192.168.1.1", "192.168.1.5",
1358  80, 41424);
1359  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1360  "192.168.1.5", "192.168.1.1",
1361  41424, 80);
1362 
1363  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1364  goto end;
1365 
1366  const char *sigs[3];
1367  sigs[0]= "alert tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1368  sigs[1]= "pass tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1369  sigs[2]= "drop tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1370 
1371  uint32_t sid[3] = {1, 2, 3};
1372 
1373  uint32_t results[3][3] = {
1374  {1, 0, 1},
1375  {1, 0, 1},
1376  {1, 0, 1} };
1377  /* All the patckets should match the 3 sigs. As drop
1378  * and alert have more priority than pass, both should
1379  * alert on each packet */
1380 
1381  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1382  if (de_ctx == NULL)
1383  goto cleanup;
1384  de_ctx->flags |= DE_QUIET;
1385 
1386  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1387  goto cleanup;
1388 
1389  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1390  SCSigOrderSignatures(de_ctx);
1391 
1392  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1393 
1394 cleanup:
1395  UTHFreePackets(p, 3);
1396 
1397  if (de_ctx != NULL) {
1398  SigGroupCleanup(de_ctx);
1399  SigCleanSignatures(de_ctx);
1400  DetectEngineCtxFree(de_ctx);
1401  }
1402 
1403 end:
1404  /* Restore default values */
1405  action_order_sigs[0] = ACTION_PASS;
1406  action_order_sigs[1] = ACTION_DROP;
1407  action_order_sigs[2] = ACTION_REJECT;
1408  action_order_sigs[3] = ACTION_ALERT;
1409 
1410  return res;
1411 }
1412 
1413 /**
1414  * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
1415  */
1416 static int UtilActionTest22(void)
1417 {
1418  int res = 1;
1419  uint8_t *buf = (uint8_t *)"Hi all!";
1420  uint16_t buflen = strlen((char *)buf);
1421  Packet *p[3];
1422 
1423  action_order_sigs[0] = ACTION_DROP;
1424  action_order_sigs[1] = ACTION_ALERT;
1425  action_order_sigs[2] = ACTION_REJECT;
1426  action_order_sigs[3] = ACTION_PASS;
1427 
1428  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1429  "192.168.1.5", "192.168.1.1",
1430  41424, 80);
1431  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1432  "192.168.1.1", "192.168.1.5",
1433  80, 41424);
1434  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1435  "192.168.1.5", "192.168.1.1",
1436  41424, 80);
1437 
1438  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1439  goto end;
1440 
1441  const char *sigs[3];
1442  sigs[0]= "drop tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1443  sigs[1]= "alert tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1444  sigs[2]= "pass tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1445 
1446  uint32_t sid[3] = {1, 2, 3};
1447 
1448  uint32_t results[3][3] = {
1449  {1, 1, 0},
1450  {1, 1, 0},
1451  {1, 1, 0} };
1452  /* All the patckets should match the 3 sigs. As drop
1453  * and alert have more priority than pass, both should
1454  * alert on each packet */
1455 
1456  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1457  if (de_ctx == NULL)
1458  goto cleanup;
1459  de_ctx->flags |= DE_QUIET;
1460 
1461  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1462  goto cleanup;
1463 
1464  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1465  SCSigOrderSignatures(de_ctx);
1466 
1467  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1468 
1469 cleanup:
1470  UTHFreePackets(p, 3);
1471 
1472  if (de_ctx != NULL) {
1473  SigGroupCleanup(de_ctx);
1474  SigCleanSignatures(de_ctx);
1475  DetectEngineCtxFree(de_ctx);
1476  }
1477 
1478 end:
1479  /* Restore default values */
1480  action_order_sigs[0] = ACTION_PASS;
1481  action_order_sigs[1] = ACTION_DROP;
1482  action_order_sigs[2] = ACTION_REJECT;
1483  action_order_sigs[3] = ACTION_ALERT;
1484 
1485  return res;
1486 }
1487 
1488 /**
1489  * \test Check mixed sigs (iponly and normal) with more prio for alert and drop
1490  */
1491 static int UtilActionTest23(void)
1492 {
1493  int res = 1;
1494  uint8_t *buf = (uint8_t *)"Hi all!";
1495  uint16_t buflen = strlen((char *)buf);
1496  Packet *p[3];
1497 
1498  action_order_sigs[0] = ACTION_DROP;
1499  action_order_sigs[1] = ACTION_ALERT;
1500  action_order_sigs[2] = ACTION_REJECT;
1501  action_order_sigs[3] = ACTION_PASS;
1502 
1503  p[0] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1504  "192.168.1.5", "192.168.1.1",
1505  41424, 80);
1506  p[1] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1507  "192.168.1.1", "192.168.1.5",
1508  80, 41424);
1509  p[2] = UTHBuildPacketReal((uint8_t *)buf, buflen, IPPROTO_TCP,
1510  "192.168.1.5", "192.168.1.1",
1511  41424, 80);
1512 
1513  if (p[0] == NULL || p[1] == NULL ||p[2] == NULL)
1514  goto end;
1515 
1516  const char *sigs[3];
1517  sigs[0]= "pass tcp any any -> any any (msg:\"sig 1\"; sid:1;)";
1518  sigs[1]= "drop tcp any any -> any any (msg:\"sig 2\"; content:\"Hi all\"; sid:2;)";
1519  sigs[2]= "alert tcp any any -> any any (msg:\"sig 3\"; sid:3;)";
1520 
1521  uint32_t sid[3] = {1, 2, 3};
1522 
1523  uint32_t results[3][3] = {
1524  {0, 1, 1},
1525  {0, 1, 1},
1526  {0, 1, 1} };
1527  /* All the patckets should match the 3 sigs. As drop
1528  * and alert have more priority than pass, both should
1529  * alert on each packet */
1530 
1531  DetectEngineCtx *de_ctx = DetectEngineCtxInit();
1532  if (de_ctx == NULL)
1533  goto cleanup;
1534  de_ctx->flags |= DE_QUIET;
1535 
1536  if (UTHAppendSigs(de_ctx, sigs, 3) == 0)
1537  goto cleanup;
1538 
1539  SCSigRegisterSignatureOrderingFuncs(de_ctx);
1540  SCSigOrderSignatures(de_ctx);
1541 
1542  res = UTHMatchPacketsWithResults(de_ctx, p, 3, sid, (uint32_t *) results, 3);
1543 
1544 cleanup:
1545  UTHFreePackets(p, 3);
1546 
1547  if (de_ctx != NULL) {
1548  SigGroupCleanup(de_ctx);
1549  SigCleanSignatures(de_ctx);
1550  DetectEngineCtxFree(de_ctx);
1551  }
1552 
1553  /* Restore default values */
1554  action_order_sigs[0] = ACTION_PASS;
1555  action_order_sigs[1] = ACTION_DROP;
1556  action_order_sigs[2] = ACTION_REJECT;
1557  action_order_sigs[3] = ACTION_ALERT;
1558 
1559 end:
1560  return res;
1561 }
1562 
1563 /**
1564  * \test Check that the expected defaults are loaded if the
1565  * action-order configuration is not present.
1566  */
1567 static int UtilActionTest24(void)
1568 {
1569  int res = 1;
1570  char config[] = "%YAML 1.1\n"
1571  "---\n";
1572 
1573  ConfCreateContextBackup();
1574  ConfInit();
1575  ConfYamlLoadString(config, strlen(config));
1576 
1577  if (ActionInitConfig() != 0) {
1578  res = 0;
1579  goto done;
1580  }
1581  if (action_order_sigs[0] != ACTION_PASS ||
1582  action_order_sigs[1] != ACTION_DROP ||
1583  action_order_sigs[2] != ACTION_REJECT ||
1584  action_order_sigs[3] != ACTION_ALERT) {
1585  res = 0;
1586  }
1587 
1588 done:
1589  ConfRestoreContextBackup();
1590  return res;
1591 }
1592 
1593 #endif
1594 
1595 /* Register unittests */
1596 void UtilActionRegisterTests(void)
1597 {
1598 #ifdef UNITTESTS
1599  /* Generic tests */
1600  UtRegisterTest("UtilActionTest01", UtilActionTest01);
1601  UtRegisterTest("UtilActionTest02", UtilActionTest02);
1602  UtRegisterTest("UtilActionTest02", UtilActionTest02);
1603  UtRegisterTest("UtilActionTest03", UtilActionTest03);
1604  UtRegisterTest("UtilActionTest04", UtilActionTest04);
1605  UtRegisterTest("UtilActionTest05", UtilActionTest05);
1606  UtRegisterTest("UtilActionTest06", UtilActionTest06);
1607  UtRegisterTest("UtilActionTest07", UtilActionTest07);
1608  UtRegisterTest("UtilActionTest08", UtilActionTest08);
1609  UtRegisterTest("UtilActionTest09", UtilActionTest09);
1610  UtRegisterTest("UtilActionTest10", UtilActionTest10);
1611  UtRegisterTest("UtilActionTest11", UtilActionTest11);
1612  UtRegisterTest("UtilActionTest12", UtilActionTest12);
1613  UtRegisterTest("UtilActionTest13", UtilActionTest13);
1614  UtRegisterTest("UtilActionTest14", UtilActionTest14);
1615  UtRegisterTest("UtilActionTest15", UtilActionTest15);
1616  UtRegisterTest("UtilActionTest16", UtilActionTest16);
1617  UtRegisterTest("UtilActionTest17", UtilActionTest17);
1618  UtRegisterTest("UtilActionTest18", UtilActionTest18);
1619  UtRegisterTest("UtilActionTest19", UtilActionTest19);
1620  UtRegisterTest("UtilActionTest20", UtilActionTest20);
1621  UtRegisterTest("UtilActionTest21", UtilActionTest21);
1622  UtRegisterTest("UtilActionTest22", UtilActionTest22);
1623  UtRegisterTest("UtilActionTest23", UtilActionTest23);
1624  UtRegisterTest("UtilActionTest24", UtilActionTest24);
1625 #endif
1626 }
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:335
TAILQ_FOREACH
#define TAILQ_FOREACH(var, head, field)
Definition: queue.h:350
next
struct HtpBodyChunk_ * next
Definition: app-layer-htp.h:493
UTHAppendSigs
int UTHAppendSigs(DetectEngineCtx *de_ctx, const char *sigs[], int numsigs)
UTHAppendSigs: Add sigs to the detection_engine checking for errors.
Definition: util-unittest-helper.c:652
ACTION_REJECT_DST
#define ACTION_REJECT_DST
Definition: action-globals.h:32
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:451
UtilActionRegisterTests
void UtilActionRegisterTests(void)
Definition: util-action.c:1596
ACTION_REJECT
#define ACTION_REJECT
Definition: action-globals.h:31
SigCleanSignatures
void SigCleanSignatures(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:39
ConfNode_::val
char * val
Definition: conf.h:34
SCSigOrderSignatures
void SCSigOrderSignatures(DetectEngineCtx *de_ctx)
Orders the signatures.
Definition: detect-engine-sigorder.c:723
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:723
SCSigRegisterSignatureOrderingFuncs
void SCSigRegisterSignatureOrderingFuncs(DetectEngineCtx *de_ctx)
Lets you register the Signature ordering functions. The order in which the functions are registered...
Definition: detect-engine-sigorder.c:783
DE_QUIET
#define DE_QUIET
Definition: detect.h:296
ConfCreateContextBackup
void ConfCreateContextBackup(void)
Creates a backup of the conf_hash hash_table used by the conf API.
Definition: conf.c:699
action_order_sigs
uint8_t action_order_sigs[4]
Definition: util-action.c:40
DetectEngineCtx_::flags
uint8_t flags
Definition: detect.h:724
ACTION_REJECT_BOTH
#define ACTION_REJECT_BOTH
Definition: action-globals.h:33
SCLogError
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
ConfInit
void ConfInit(void)
Initialize the configuration system.
Definition: conf.c:113
UTHMatchPacketsWithResults
int UTHMatchPacketsWithResults(DetectEngineCtx *de_ctx, Packet **p, int num_packets, uint32_t sids[], uint32_t *results, int numsigs)
Definition: util-unittest-helper.c:691
UtRegisterTest
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
Definition: util-unittest.c:103
UTHBuildPacketReal
Packet * UTHBuildPacketReal(uint8_t *payload, uint16_t payload_len, uint8_t ipproto, const char *src, const char *dst, uint16_t sport, uint16_t dport)
UTHBuildPacketReal is a function that create tcp/udp packets for unittests specifying ip and port sou...
Definition: util-unittest-helper.c:167
ConfRestoreContextBackup
void ConfRestoreContextBackup(void)
Restores the backup of the hash_table present in backup_conf_hash back to conf_hash.
Definition: conf.c:711
ActionInitConfig
int ActionInitConfig()
Load the action order from config. If none is provided, it will be default to ACTION_PASS, ACTION_DROP, ACTION_REJECT, ACTION_ALERT (pass has the highest prio)
Definition: util-action.c:98
SigGroupCleanup
int SigGroupCleanup(DetectEngineCtx *de_ctx)
Definition: detect-engine-build.c:1964
Packet_
Definition: decode.h:405
ACTION_ALERT
#define ACTION_ALERT
Definition: action-globals.h:29
ConfNode_
Definition: conf.h:32
res
PoolThreadReserved res
Definition: stream-tcp-private.h:60
ConfGetNode
ConfNode * ConfGetNode(const char *name)
Get a ConfNode by name.
Definition: conf.c:176
ACTION_PASS
#define ACTION_PASS
Definition: action-globals.h:34
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
ActionOrderVal
uint8_t ActionOrderVal(uint8_t action)
Return the priority associated to an action (to order sigs as specified at config) action_order_sigs ...
Definition: util-action.c:53
DetectEngineCtxFree
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
Definition: detect-engine.c:1685
UTHFreePackets
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
Definition: util-unittest-helper.c:393
DetectEngineCtxInit
DetectEngineCtx * DetectEngineCtxInit(void)
Definition: detect-engine.c:1640