diff options
Diffstat (limited to 'framework/src/suricata/src/detect-engine-tag.c')
-rw-r--r-- | framework/src/suricata/src/detect-engine-tag.c | 1519 |
1 files changed, 0 insertions, 1519 deletions
diff --git a/framework/src/suricata/src/detect-engine-tag.c b/framework/src/suricata/src/detect-engine-tag.c deleted file mode 100644 index 7c8caabb..00000000 --- a/framework/src/suricata/src/detect-engine-tag.c +++ /dev/null @@ -1,1519 +0,0 @@ -/* Copyright (C) 2007-2013 Open Information Security Foundation - * - * You can copy, redistribute or modify this Program under the terms of - * the GNU General Public License version 2 as published by the Free - * Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * version 2 along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA - * 02110-1301, USA. - */ - -/** - * \file detect-engine-tag.c - * - * \author Victor Julien <victor@inliniac.net> - * \author Pablo Rincon Crespo <pablo.rincon.crespo@gmail.com> - * - * Implements a global context to store data related to hosts flagged - * tag keyword - */ - -#include "suricata-common.h" -#include "detect-engine.h" -#include "util-hash.h" -#include "util-atomic.h" -#include "util-time.h" -#include "util-hashlist.h" -#include "detect-engine-tag.h" -#include "detect-tag.h" -#include "host.h" -#include "host-storage.h" -#include "flow-storage.h" - -#include "util-unittest.h" -#include "util-unittest-helper.h" -#include "flow-util.h" -#include "stream-tcp-private.h" - -SC_ATOMIC_DECLARE(unsigned int, num_tags); /**< Atomic counter, to know if we - have tagged hosts/sessions, - to avoid locking */ -static int host_tag_id = -1; /**< Host storage id for tags */ -static int flow_tag_id = -1; /**< Flow storage id for tags */ - -void TagInitCtx(void) -{ - SC_ATOMIC_INIT(num_tags); - - host_tag_id = HostStorageRegister("tag", sizeof(void *), NULL, DetectTagDataListFree); - if (host_tag_id == -1) { - SCLogError(SC_ERR_HOST_INIT, "Can't initiate host storage for tag"); - exit(EXIT_FAILURE); - } - flow_tag_id = FlowStorageRegister("tag", sizeof(void *), NULL, DetectTagDataListFree); - if (flow_tag_id == -1) { - SCLogError(SC_ERR_FLOW_INIT, "Can't initiate flow storage for tag"); - exit(EXIT_FAILURE); - } -} - -/** - * \brief Destroy tag context hash tables - * - * \param tag_ctx Tag Context - * - */ -void TagDestroyCtx(void) -{ -#ifdef DEBUG - BUG_ON(SC_ATOMIC_GET(num_tags) != 0); -#endif - SC_ATOMIC_DESTROY(num_tags); -} - -/** \brief Reset the tagging engine context - */ -void TagRestartCtx() -{ - TagDestroyCtx(); - TagInitCtx(); -} - -int TagHostHasTag(Host *host) -{ - return HostGetStorageById(host, host_tag_id) ? 1 : 0; -} - -static DetectTagDataEntry *DetectTagDataCopy(DetectTagDataEntry *dtd) -{ - DetectTagDataEntry *tde = SCMalloc(sizeof(DetectTagDataEntry)); - if (unlikely(tde == NULL)) { - return NULL; - } - memset(tde, 0, sizeof(DetectTagDataEntry)); - - tde->sid = dtd->sid; - tde->gid = dtd->gid; - tde->flags = dtd->flags; - tde->metric = dtd->metric; - tde->count = dtd->count; - - tde->first_ts = dtd->first_ts; - tde->last_ts = dtd->last_ts; - return tde; -} - -/** - * \brief This function is used to add a tag to a session (type session) - * or update it if it's already installed. The number of times to - * allow an update is limited by DETECT_TAG_MATCH_LIMIT. This way - * repetitive matches to the same rule are limited of setting tags, - * to avoid DOS attacks - * - * \param p pointer to the current packet - * \param tde pointer to the new DetectTagDataEntry - * - * \retval 0 if the tde was added succesfuly - * \retval 1 if an entry of this sid/gid already exist and was updated - */ -int TagFlowAdd(Packet *p, DetectTagDataEntry *tde) -{ - uint8_t updated = 0; - uint16_t tag_cnt = 0; - DetectTagDataEntry *iter = NULL; - - if (p->flow == NULL) - return 1; - - FLOWLOCK_WRLOCK(p->flow); - iter = FlowGetStorageById(p->flow, flow_tag_id); - if (iter != NULL) { - /* First iterate installed entries searching a duplicated sid/gid */ - for (; iter != NULL; iter = iter->next) { - tag_cnt++; - - if (iter->sid == tde->sid && iter->gid == tde->gid) { - iter->cnt_match++; - - /* If so, update data, unless the maximum MATCH limit is - * reached. This prevents possible DOS attacks */ - if (iter->cnt_match < DETECT_TAG_MATCH_LIMIT) { - /* Reset time and counters */ - iter->first_ts = iter->last_ts = tde->first_ts; - iter->packets = 0; - iter->bytes = 0; - } - updated = 1; - break; - } - } - } - - /* If there was no entry of this rule, prepend the new tde */ - if (updated == 0 && tag_cnt < DETECT_TAG_MAX_TAGS) { - DetectTagDataEntry *new_tde = DetectTagDataCopy(tde); - if (new_tde != NULL) { - new_tde->next = FlowGetStorageById(p->flow, flow_tag_id); - FlowSetStorageById(p->flow, flow_tag_id, new_tde); - SCLogDebug("adding tag with first_ts %u", new_tde->first_ts); - (void) SC_ATOMIC_ADD(num_tags, 1); - } - } else if (tag_cnt == DETECT_TAG_MAX_TAGS) { - SCLogDebug("Max tags for sessions reached (%"PRIu16")", tag_cnt); - } - - FLOWLOCK_UNLOCK(p->flow); - return updated; -} - -/** - * \brief Add a tag entry for a host. If it already exist, update it. - * - * \param tag_ctx Tag context for hosts - * \param tde Tag data - * \param p packet - * - * \retval 0 if it was added, 1 if it was updated - */ -int TagHashAddTag(DetectTagDataEntry *tde, Packet *p) -{ - SCEnter(); - - uint8_t updated = 0; - uint16_t num_tags = 0; - Host *host = NULL; - - /* Lookup host in the hash. If it doesn't exist yet it's - * created. */ - if (tde->flags & TAG_ENTRY_FLAG_DIR_SRC) { - host = HostGetHostFromHash(&p->src); - } else if (tde->flags & TAG_ENTRY_FLAG_DIR_DST) { - host = HostGetHostFromHash(&p->dst); - } - /* no host for us */ - if (host == NULL) { - SCLogDebug("host tag not added: no host"); - return -1; - } - - void *tag = HostGetStorageById(host, host_tag_id); - if (tag == NULL) { - /* get a new tde as the one we have is on the stack */ - DetectTagDataEntry *new_tde = DetectTagDataCopy(tde); - if (new_tde != NULL) { - HostSetStorageById(host, host_tag_id, new_tde); - (void) SC_ATOMIC_ADD(num_tags, 1); - SCLogDebug("host tag added"); - } - } else { - /* Append the tag to the list of this host */ - SCLogDebug("updating existing host"); - - /* First iterate installed entries searching a duplicated sid/gid */ - DetectTagDataEntry *iter = NULL; - - for (iter = tag; iter != NULL; iter = iter->next) { - num_tags++; - if (iter->sid == tde->sid && iter->gid == tde->gid) { - iter->cnt_match++; - /* If so, update data, unless the maximum MATCH limit is - * reached. This prevents possible DOS attacks */ - if (iter->cnt_match < DETECT_TAG_MATCH_LIMIT) { - /* Reset time and counters */ - iter->first_ts = iter->last_ts = tde->first_ts; - iter->packets = 0; - iter->bytes = 0; - } - updated = 1; - break; - } - } - - /* If there was no entry of this rule, append the new tde */ - if (updated == 0 && num_tags < DETECT_TAG_MAX_TAGS) { - /* get a new tde as the one we have is on the stack */ - DetectTagDataEntry *new_tde = DetectTagDataCopy(tde); - if (new_tde != NULL) { - (void) SC_ATOMIC_ADD(num_tags, 1); - - new_tde->next = tag; - HostSetStorageById(host, host_tag_id, new_tde); - } - } else if (num_tags == DETECT_TAG_MAX_TAGS) { - SCLogDebug("Max tags for sessions reached (%"PRIu16")", num_tags); - } - } - - HostRelease(host); - SCReturnInt(updated); -} - -static void TagHandlePacketFlow(Flow *f, Packet *p) -{ - if (FlowGetStorageById(f, flow_tag_id) == NULL) - return; - - DetectTagDataEntry *tde = NULL; - DetectTagDataEntry *prev = NULL; - DetectTagDataEntry *iter = FlowGetStorageById(f, flow_tag_id); - uint8_t flag_added = 0; - - while (iter != NULL) { - /* update counters */ - iter->last_ts = p->ts.tv_sec; - switch (iter->metric) { - case DETECT_TAG_METRIC_PACKET: - iter->packets++; - break; - case DETECT_TAG_METRIC_BYTES: - iter->bytes += GET_PKT_LEN(p); - break; - } - - /* If this packet triggered the rule with tag, we dont need - * to log it (the alert will log it) */ - if (!(iter->flags & TAG_ENTRY_FLAG_SKIPPED_FIRST)) { - iter->flags |= TAG_ENTRY_FLAG_SKIPPED_FIRST; - } else { - /* Update metrics; remove if tag expired; and set alerts */ - switch (iter->metric) { - case DETECT_TAG_METRIC_PACKET: - if (iter->packets > iter->count) { - SCLogDebug("flow tag expired: packets %u > %u", - iter->packets, iter->count); - /* tag expired */ - if (prev != NULL) { - tde = iter; - prev->next = iter->next; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } else { - FlowSetStorageById(p->flow, flow_tag_id, iter->next); - tde = iter; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } - } else if (flag_added == 0) { - /* It's matching the tag. Add it to be logged and - * update "flag_added" to add the packet once. */ - p->flags |= PKT_HAS_TAG; - flag_added++; - } - break; - case DETECT_TAG_METRIC_BYTES: - if (iter->bytes > iter->count) { - /* tag expired */ - SCLogDebug("flow tag expired: bytes %u > %u", - iter->bytes, iter->count); - if (prev != NULL) { - tde = iter; - prev->next = iter->next; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } else { - FlowSetStorageById(p->flow, flow_tag_id, iter->next); - tde = iter; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } - } else if (flag_added == 0) { - /* It's matching the tag. Add it to be logged and - * update "flag_added" to add the packet once. */ - p->flags |= PKT_HAS_TAG; - flag_added++; - } - break; - case DETECT_TAG_METRIC_SECONDS: - /* last_ts handles this metric, but also a generic time based - * expiration to prevent dead sessions/hosts */ - if (iter->last_ts - iter->first_ts > iter->count) { - SCLogDebug("flow tag expired: %u - %u = %u > %u", - iter->last_ts, iter->first_ts, - (iter->last_ts - iter->first_ts), iter->count); - /* tag expired */ - if (prev != NULL) { - tde = iter; - prev->next = iter->next; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } else { - FlowSetStorageById(p->flow, flow_tag_id, iter->next); - tde = iter; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } - } else if (flag_added == 0) { - /* It's matching the tag. Add it to be logged and - * update "flag_added" to add the packet once. */ - p->flags |= PKT_HAS_TAG; - flag_added++; - } - break; - } - - } - - prev = iter; - iter = iter->next; - } -} - -void TagHandlePacketHost(Host *host, Packet *p) -{ - DetectTagDataEntry *tde = NULL; - DetectTagDataEntry *prev = NULL; - DetectTagDataEntry *iter; - uint8_t flag_added = 0; - - iter = HostGetStorageById(host, host_tag_id); - prev = NULL; - while (iter != NULL) { - /* update counters */ - iter->last_ts = p->ts.tv_sec; - switch (iter->metric) { - case DETECT_TAG_METRIC_PACKET: - iter->packets++; - break; - case DETECT_TAG_METRIC_BYTES: - iter->bytes += GET_PKT_LEN(p); - break; - } - - /* If this packet triggered the rule with tag, we dont need - * to log it (the alert will log it) */ - if (!(iter->flags & TAG_ENTRY_FLAG_SKIPPED_FIRST)) { - iter->flags |= TAG_ENTRY_FLAG_SKIPPED_FIRST; - } else { - /* Update metrics; remove if tag expired; and set alerts */ - switch (iter->metric) { - case DETECT_TAG_METRIC_PACKET: - if (iter->packets > iter->count) { - SCLogDebug("host tag expired: packets %u > %u", iter->packets, iter->count); - /* tag expired */ - if (prev != NULL) { - tde = iter; - prev->next = iter->next; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } else { - tde = iter; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - HostSetStorageById(host, host_tag_id, iter); - continue; - } - } else if (flag_added == 0) { - /* It's matching the tag. Add it to be logged and - * update "flag_added" to add the packet once. */ - p->flags |= PKT_HAS_TAG; - flag_added++; - } - break; - case DETECT_TAG_METRIC_BYTES: - if (iter->bytes > iter->count) { - SCLogDebug("host tag expired: bytes %u > %u", iter->bytes, iter->count); - /* tag expired */ - if (prev != NULL) { - tde = iter; - prev->next = iter->next; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } else { - tde = iter; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - HostSetStorageById(host, host_tag_id, iter); - continue; - } - } else if (flag_added == 0) { - /* It's matching the tag. Add it to be logged and - * update "flag_added" to add the packet once. */ - p->flags |= PKT_HAS_TAG; - flag_added++; - } - break; - case DETECT_TAG_METRIC_SECONDS: - /* last_ts handles this metric, but also a generic time based - * expiration to prevent dead sessions/hosts */ - if (iter->last_ts - iter->first_ts > iter->count) { - SCLogDebug("host tag expired: %u - %u = %u > %u", - iter->last_ts, iter->first_ts, - (iter->last_ts - iter->first_ts), iter->count); - /* tag expired */ - if (prev != NULL) { - tde = iter; - prev->next = iter->next; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - continue; - } else { - tde = iter; - iter = iter->next; - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - HostSetStorageById(host, host_tag_id, iter); - continue; - } - } else if (flag_added == 0) { - /* It's matching the tag. Add it to be logged and - * update "flag_added" to add the packet once. */ - p->flags |= PKT_HAS_TAG; - flag_added++; - } - break; - } - - } - - prev = iter; - iter = iter->next; - } -} - -/** - * \brief Search tags for src and dst. Update entries of the tag, remove if necessary - * - * \param de_ctx Detect context - * \param det_ctx Detect thread context - * \param p packet - * - */ -void TagHandlePacket(DetectEngineCtx *de_ctx, - DetectEngineThreadCtx *det_ctx, Packet *p) -{ - SCEnter(); - - /* If there's no tag, get out of here */ - unsigned int current_tags = SC_ATOMIC_GET(num_tags); - if (current_tags == 0) - SCReturn; - - /* First update and get session tags */ - if (p->flow != NULL) { - FLOWLOCK_WRLOCK(p->flow); - TagHandlePacketFlow(p->flow, p); - FLOWLOCK_UNLOCK(p->flow); - } - - Host *src = HostLookupHostFromHash(&p->src); - if (src) { - if (TagHostHasTag(src)) { - TagHandlePacketHost(src,p); - } - HostRelease(src); - } - Host *dst = HostLookupHostFromHash(&p->dst); - if (dst) { - if (TagHostHasTag(dst)) { - TagHandlePacketHost(dst,p); - } - HostRelease(dst); - } - SCReturn; -} - -/** - * \brief Removes the entries exceding the max timeout value - * - * \param tag_ctx Tag context - * \param ts the current time - * - * \retval 1 no tags or tags removed -- host is free to go (from tag perspective) - * \retval 0 still active tags - */ -int TagTimeoutCheck(Host *host, struct timeval *tv) -{ - DetectTagDataEntry *tde = NULL; - DetectTagDataEntry *tmp = NULL; - DetectTagDataEntry *prev = NULL; - int retval = 1; - - tmp = HostGetStorageById(host, host_tag_id); - if (tmp == NULL) - return 1; - - prev = NULL; - while (tmp != NULL) { - if ((tv->tv_sec - tmp->last_ts) <= TAG_MAX_LAST_TIME_SEEN) { - prev = tmp; - tmp = tmp->next; - retval = 0; - continue; - } - - /* timed out */ - - if (prev != NULL) { - prev->next = tmp->next; - - tde = tmp; - tmp = tde->next; - - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - } else { - HostSetStorageById(host, host_tag_id, tmp->next); - - tde = tmp; - tmp = tde->next; - - SCFree(tde); - (void) SC_ATOMIC_SUB(num_tags, 1); - } - } - return retval; -} - -#ifdef UNITTESTS - -/** - * \test host tagging: packets - */ -int DetectTagTestPacket01 (void) -{ - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.9", - 41424, 80); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.11", - 41424, 80); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.11", - 41424, 80); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host,3,packets,src; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host,4,packets,dst; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - - int32_t results[7][5] = { - {1, 1, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - StorageInit(); - TagInitCtx(); - StorageFinalize(); - HostInitConfig(1); - - SCLogDebug("running tests"); - result = UTHGenericTest(p, 7, sigs, sid, (uint32_t *) results, 5); - SCLogDebug("running tests done"); - - Host *src = HostLookupHostFromHash(&p[1]->src); - if (src) { - void *tag = HostGetStorageById(src, host_tag_id); - if (tag != NULL) { - printf("tag should have been expired: "); - result = 0; - } - - HostRelease(src); - } - Host *dst = HostLookupHostFromHash(&p[1]->dst); - if (dst) { - void *tag = HostGetStorageById(dst, host_tag_id); - BUG_ON(tag == NULL); - - DetectTagDataEntry *iter = tag; - - /* check internal state */ - if (!(iter->gid == 1 && iter->sid == 2 && iter->packets == 4 && iter->count == 4)) { - printf("gid %u sid %u packets %u count %u: ", iter->gid, iter->sid, iter->packets, iter->count); - result = 0; - } - - HostRelease(dst); - } - BUG_ON(src == NULL || dst == NULL); - - UTHFreePackets(p, 7); - - HostShutdown(); - TagDestroyCtx(); - StorageCleanup(); - return result; -} - -/** - * \test host tagging: seconds - */ -int DetectTagTestPacket02 (void) -{ - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - StorageInit(); - TagInitCtx(); - StorageFinalize(); - HostInitConfig(1); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.9", - 41424, 80); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.11", - 41424, 80); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.11", - 41424, 80); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host,3,seconds,src; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host,8,seconds,dst; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - //de_ctx->flags |= DE_QUIET; - - int32_t results[7][5] = { - {1, 1, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int i = 0; - for (; i < num_packets; i++) { - SCLogDebug("packet %d", i); - TimeGet(&p[i]->ts); - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - - TimeSetIncrementTime(2); - SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); - - /* see if the PKT_HAS_TAG is set on the packet if needed */ - int expect; - if (i == 0 || i == 2 || i == 3 || i == 5 || i == 6) - expect = FALSE; - else - expect = TRUE; - if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) - goto cleanup; - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } -end: - HostShutdown(); - TagDestroyCtx(); - StorageCleanup(); - return result; -} - -/** - * \test host tagging: bytes - */ -static int DetectTagTestPacket03 (void) -{ - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - StorageInit(); - TagInitCtx(); - StorageFinalize(); - HostInitConfig(1); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.9", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.9", - 41424, 80); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.11", - 41424, 80); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.11", - 41424, 80); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:host, 150, bytes, src; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"Hi all\"; tag:host, 150, bytes, dst; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - int32_t results[7][5] = { - {1, 1, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int i = 0; - for (; i < num_packets; i++) { - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - - SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); - - /* see if the PKT_HAS_TAG is set on the packet if needed */ - int expect; - if (i == 0 || i == 3 || i == 5 || i == 6) - expect = FALSE; - else - expect = TRUE; - if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) - goto cleanup; - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } -end: - HostShutdown(); - TagDestroyCtx(); - StorageCleanup(); - return result; -} - -/** - * \test session tagging: packets - */ -static int DetectTagTestPacket04 (void) -{ - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - Flow *f = NULL; - TcpSession ssn; - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - StorageInit(); - TagInitCtx(); - StorageFinalize(); - HostInitConfig(1); - FlowInitConfig(1); - - f = FlowAlloc(); - BUG_ON(f == NULL); - FLOW_INITIALIZE(f); - f->protoctx = (void *)&ssn; - f->flags |= FLOW_IPV4; - if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) - goto end; - if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) - goto end; - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 80, 41424); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,4,packets; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - int32_t results[7][5] = { - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int i = 0; - for (; i < num_packets; i++) { - p[i]->flow = f; - p[i]->flow->protoctx = &ssn; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - - SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); - /* see if the PKT_HAS_TAG is set on the packet if needed */ - int expect; - if (i == 0 || i == 4 || i == 5 || i == 6) - expect = FALSE; - else - expect = TRUE; - if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) - goto cleanup; - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - /* clean up flow */ - uint8_t proto_map = FlowGetProtoMapping(f->proto); - FlowClearMemory(f, proto_map); - FLOW_DESTROY(f); -end: - FlowShutdown(); - HostShutdown(); - TagDestroyCtx(); - StorageCleanup(); - return result; -} - -/** - * \test session tagging: seconds - */ -static int DetectTagTestPacket05 (void) -{ - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - Flow *f = NULL; - TcpSession ssn; - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - StorageInit(); - TagInitCtx(); - StorageFinalize(); - HostInitConfig(1); - FlowInitConfig(1); - - f = FlowAlloc(); - BUG_ON(f == NULL); - FLOW_INITIALIZE(f); - f->protoctx = (void *)&ssn; - f->flags |= FLOW_IPV4; - if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) - goto end; - if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) - goto end; - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 80, 41424); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,8,seconds; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - int32_t results[7][5] = { - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int i = 0; - for (; i < num_packets; i++) { - p[i]->flow = f; - p[i]->flow->protoctx = &ssn; - - SCLogDebug("packet %d", i); - TimeGet(&p[i]->ts); - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - - TimeSetIncrementTime(2); - - SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); - /* see if the PKT_HAS_TAG is set on the packet if needed */ - int expect; - if (i == 0 || i == 5 || i == 6) - expect = FALSE; - else - expect = TRUE; - if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) - goto cleanup; - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - /* clean up flow */ - uint8_t proto_map = FlowGetProtoMapping(f->proto); - FlowClearMemory(f, proto_map); - FLOW_DESTROY(f); -end: - FlowShutdown(); - HostShutdown(); - TagDestroyCtx(); - StorageCleanup(); - return result; -} - -/** - * \test session tagging: bytes - */ -static int DetectTagTestPacket06 (void) -{ - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - Flow *f = NULL; - TcpSession ssn; - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - StorageInit(); - TagInitCtx(); - StorageFinalize(); - HostInitConfig(1); - FlowInitConfig(1); - - f = FlowAlloc(); - BUG_ON(f == NULL); - FLOW_INITIALIZE(f); - f->protoctx = (void *)&ssn; - f->flags |= FLOW_IPV4; - if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) - goto end; - if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) - goto end; - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[3] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 80, 41424); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,150,bytes; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - int32_t results[7][5] = { - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int i = 0; - for (; i < num_packets; i++) { - p[i]->flow = f; - p[i]->flow->protoctx = &ssn; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - - SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); - - /* see if the PKT_HAS_TAG is set on the packet if needed */ - int expect; - if (i == 0 || i == 3 || i == 4 || i == 5 || i == 6) - expect = FALSE; - else - expect = TRUE; - if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) - goto cleanup; - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - /* clean up flow */ - uint8_t proto_map = FlowGetProtoMapping(f->proto); - FlowClearMemory(f, proto_map); - FLOW_DESTROY(f); -end: - FlowShutdown(); - HostShutdown(); - TagDestroyCtx(); - StorageCleanup(); - return result; -} - -/** - * \test session tagging: bytes, where a 2nd match makes us tag more - */ -static int DetectTagTestPacket07 (void) -{ - int result = 0; - uint8_t *buf = (uint8_t *)"Hi all!"; - uint8_t *buf2 = (uint8_t *)"lalala!"; - uint16_t buf_len = strlen((char *)buf); - uint16_t buf_len2 = strlen((char *)buf2); - - Flow *f = NULL; - TcpSession ssn; - - memset(&f, 0, sizeof(f)); - memset(&ssn, 0, sizeof(ssn)); - - StorageInit(); - TagInitCtx(); - StorageFinalize(); - HostInitConfig(1); - FlowInitConfig(1); - - f = FlowAlloc(); - BUG_ON(f == NULL); - FLOW_INITIALIZE(f); - f->protoctx = (void *)&ssn; - f->flags |= FLOW_IPV4; - if (inet_pton(AF_INET, "192.168.1.5", f->src.addr_data32) != 1) - goto end; - if (inet_pton(AF_INET, "192.168.1.1", f->dst.addr_data32) != 1) - goto end; - - DecodeThreadVars dtv; - ThreadVars th_v; - DetectEngineThreadCtx *det_ctx = NULL; - memset(&dtv, 0, sizeof(DecodeThreadVars)); - memset(&th_v, 0, sizeof(th_v)); - - DetectEngineCtx *de_ctx = DetectEngineCtxInit(); - if (de_ctx == NULL) { - goto end; - } - de_ctx->flags |= DE_QUIET; - - Packet *p[7]; - p[0] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[1] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[2] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[3] = UTHBuildPacketReal(buf, buf_len, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 41424, 80); - p[4] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[5] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.1", "192.168.1.5", - 80, 41424); - p[6] = UTHBuildPacketReal(buf2, buf_len2, IPPROTO_TCP, - "192.168.1.5", "192.168.1.1", - 80, 41424); - - char *sigs[5]; - sigs[0]= "alert tcp any any -> any any (msg:\"Testing tag 1\"; content:\"Hi all\"; tag:session,150,bytes; sid:1;)"; - sigs[1]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"blahblah\"; sid:2;)"; - sigs[2]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:3;)"; - sigs[3]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:4;)"; - sigs[4]= "alert tcp any any -> any any (msg:\"Testing tag 2\"; content:\"no match\"; sid:5;)"; - - /* Please, Notice that tagged data goes with sig_id = 1 and tag sig generator = 2 */ - uint32_t sid[5] = {1,2,3,4,5}; - int numsigs = 5; - - if (UTHAppendSigs(de_ctx, sigs, numsigs) == 0) - goto cleanup; - - int32_t results[7][5] = { - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {1, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0}, - {0, 0, 0, 0, 0} - }; - - int num_packets = 7; - SigGroupBuild(de_ctx); - DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); - - int i = 0; - for (; i < num_packets; i++) { - p[i]->flow = f; - p[i]->flow->protoctx = &ssn; - SigMatchSignatures(&th_v, de_ctx, det_ctx, p[i]); - - if (UTHCheckPacketMatchResults(p[i], sid, (uint32_t *)&results[i][0], numsigs) == 0) - goto cleanup; - - SCLogDebug("packet %d flag %s", i, p[i]->flags & PKT_HAS_TAG ? "true" : "false"); -#if 1 - /* see if the PKT_HAS_TAG is set on the packet if needed */ - int expect; - if (i == 0 || i == 6) - expect = FALSE; - else - expect = TRUE; - if (((p[i]->flags & PKT_HAS_TAG) ? TRUE : FALSE) != expect) - goto cleanup; -#endif - } - - result = 1; - -cleanup: - UTHFreePackets(p, 7); - if (det_ctx != NULL) - DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); - - if (de_ctx != NULL) { - SigGroupCleanup(de_ctx); - SigCleanSignatures(de_ctx); - DetectEngineCtxFree(de_ctx); - } - - /* clean up flow */ - uint8_t proto_map = FlowGetProtoMapping(f->proto); - FlowClearMemory(f, proto_map); - FLOW_DESTROY(f); -end: - FlowShutdown(); - HostShutdown(); - TagDestroyCtx(); - StorageCleanup(); - return result; -} - -#endif /* UNITTESTS */ - -/** - * \brief this function registers unit tests for DetectTag - */ -void DetectEngineTagRegisterTests(void) -{ -#ifdef UNITTESTS - UtRegisterTest("DetectTagTestPacket01", DetectTagTestPacket01, 1); - UtRegisterTest("DetectTagTestPacket02", DetectTagTestPacket02, 1); - UtRegisterTest("DetectTagTestPacket03", DetectTagTestPacket03, 1); - UtRegisterTest("DetectTagTestPacket04", DetectTagTestPacket04, 1); - UtRegisterTest("DetectTagTestPacket05", DetectTagTestPacket05, 1); - UtRegisterTest("DetectTagTestPacket06", DetectTagTestPacket06, 1); - UtRegisterTest("DetectTagTestPacket07", DetectTagTestPacket07, 1); -#endif /* UNITTESTS */ -} - |