/src/suricata7/src/detect-ipproto.c
Line | Count | Source |
1 | | /* Copyright (C) 2007-2022 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Brian Rectanus <brectanu@gmail.com> |
22 | | * |
23 | | * Implements the ip_proto keyword |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | #include "decode.h" |
28 | | #include "detect.h" |
29 | | |
30 | | #include "detect-ipproto.h" |
31 | | |
32 | | #include "detect-parse.h" |
33 | | #include "detect-engine.h" |
34 | | #include "detect-engine-mpm.h" |
35 | | #include "detect-engine-build.h" |
36 | | |
37 | | #include "detect-engine-siggroup.h" |
38 | | #include "detect-engine-address.h" |
39 | | |
40 | | #include "util-byte.h" |
41 | | #include "util-proto-name.h" |
42 | | #include "util-unittest.h" |
43 | | #include "util-unittest-helper.h" |
44 | | |
45 | | #include "util-debug.h" |
46 | | |
47 | | /** |
48 | | * \brief Regex for parsing our options |
49 | | */ |
50 | 73 | #define PARSE_REGEX "^([!<>]?)\\s*([^\\s]+)$" |
51 | | |
52 | | static DetectParseRegex parse_regex; |
53 | | |
54 | | static int DetectIPProtoSetup(DetectEngineCtx *, Signature *, const char *); |
55 | | #ifdef UNITTESTS |
56 | | static void DetectIPProtoRegisterTests(void); |
57 | | #endif |
58 | | static void DetectIPProtoFree(DetectEngineCtx *, void *); |
59 | | |
60 | | void DetectIPProtoRegister(void) |
61 | 73 | { |
62 | 73 | sigmatch_table[DETECT_IPPROTO].name = "ip_proto"; |
63 | 73 | sigmatch_table[DETECT_IPPROTO].desc = "match on the IP protocol in the packet-header"; |
64 | 73 | sigmatch_table[DETECT_IPPROTO].url = "/rules/header-keywords.html#ip-proto"; |
65 | 73 | sigmatch_table[DETECT_IPPROTO].Match = NULL; |
66 | 73 | sigmatch_table[DETECT_IPPROTO].Setup = DetectIPProtoSetup; |
67 | 73 | sigmatch_table[DETECT_IPPROTO].Free = DetectIPProtoFree; |
68 | | #ifdef UNITTESTS |
69 | | sigmatch_table[DETECT_IPPROTO].RegisterTests = DetectIPProtoRegisterTests; |
70 | | #endif |
71 | 73 | sigmatch_table[DETECT_IPPROTO].flags = SIGMATCH_QUOTES_OPTIONAL; |
72 | | |
73 | 73 | DetectSetupParseRegexes(PARSE_REGEX, &parse_regex); |
74 | 73 | } |
75 | | |
76 | | /** |
77 | | * \internal |
78 | | * \brief Parse ip_proto options string. |
79 | | * |
80 | | * \param optstr Options string to parse |
81 | | * |
82 | | * \return New ip_proto data structure |
83 | | */ |
84 | | static DetectIPProtoData *DetectIPProtoParse(const char *optstr) |
85 | 21.1k | { |
86 | 21.1k | DetectIPProtoData *data = NULL; |
87 | 21.1k | char *args[2] = { NULL, NULL }; |
88 | 21.1k | int res = 0; |
89 | 21.1k | size_t pcre2_len; |
90 | 21.1k | int i; |
91 | 21.1k | const char *str_ptr; |
92 | | |
93 | | /* Execute the regex and populate args with captures. */ |
94 | 21.1k | pcre2_match_data *match = NULL; |
95 | 21.1k | int ret = DetectParsePcreExec(&parse_regex, &match, optstr, 0, 0); |
96 | 21.1k | if (ret != 3) { |
97 | 1.31k | SCLogError("pcre_exec parse error, ret" |
98 | 1.31k | "%" PRId32 ", string %s", |
99 | 1.31k | ret, optstr); |
100 | 1.31k | goto error; |
101 | 1.31k | } |
102 | | |
103 | 59.5k | for (i = 0; i < (ret - 1); i++) { |
104 | 39.6k | res = pcre2_substring_get_bynumber(match, i + 1, (PCRE2_UCHAR8 **)&str_ptr, &pcre2_len); |
105 | 39.6k | if (res < 0) { |
106 | 0 | SCLogError("pcre2_substring_get_bynumber failed"); |
107 | 0 | goto error; |
108 | 0 | } |
109 | 39.6k | args[i] = (char *)str_ptr; |
110 | 39.6k | } |
111 | | |
112 | | /* Initialize the data */ |
113 | 19.8k | data = SCMalloc(sizeof(DetectIPProtoData)); |
114 | 19.8k | if (unlikely(data == NULL)) |
115 | 0 | goto error; |
116 | 19.8k | data->op = DETECT_IPPROTO_OP_EQ; |
117 | 19.8k | data->proto = 0; |
118 | | |
119 | | /* Operator */ |
120 | 19.8k | if (*(args[0]) != '\0') { |
121 | 8.98k | data->op = *(args[0]); |
122 | 8.98k | } |
123 | | |
124 | | /* Protocol name/number */ |
125 | 19.8k | if (!isdigit((unsigned char)*(args[1]))) { |
126 | 1.67k | uint8_t proto; |
127 | 1.67k | if (!SCGetProtoByName(args[1], &proto)) { |
128 | 1.37k | SCLogError("Unknown protocol name: \"%s\"", str_ptr); |
129 | 1.37k | goto error; |
130 | 1.37k | } |
131 | 301 | data->proto = proto; |
132 | 301 | } |
133 | 18.1k | else { |
134 | 18.1k | if (StringParseUint8(&data->proto, 10, 0, args[1]) <= 0) { |
135 | 1.44k | SCLogError("Malformed protocol number: %s", str_ptr); |
136 | 1.44k | goto error; |
137 | 1.44k | } |
138 | 18.1k | } |
139 | | |
140 | 51.0k | for (i = 0; i < (ret - 1); i++){ |
141 | 34.0k | if (args[i] != NULL) |
142 | 34.0k | pcre2_substring_free((PCRE2_UCHAR8 *)args[i]); |
143 | 34.0k | } |
144 | | |
145 | 17.0k | pcre2_match_data_free(match); |
146 | 17.0k | return data; |
147 | | |
148 | 4.13k | error: |
149 | 4.13k | if (match) { |
150 | 4.13k | pcre2_match_data_free(match); |
151 | 4.13k | } |
152 | 9.76k | for (i = 0; i < (ret - 1) && i < 2; i++){ |
153 | 5.63k | if (args[i] != NULL) |
154 | 5.63k | pcre2_substring_free((PCRE2_UCHAR8 *)args[i]); |
155 | 5.63k | } |
156 | 4.13k | if (data != NULL) |
157 | 2.81k | SCFree(data); |
158 | | |
159 | 4.13k | return NULL; |
160 | 19.8k | } |
161 | | |
162 | | static int DetectIPProtoTypePresentForOP(Signature *s, uint8_t op) |
163 | 60.4k | { |
164 | 60.4k | SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; |
165 | 60.4k | DetectIPProtoData *data; |
166 | | |
167 | 476k | while (sm != NULL) { |
168 | 422k | if (sm->type == DETECT_IPPROTO) { |
169 | 278k | data = (DetectIPProtoData *)sm->ctx; |
170 | 278k | if (data->op == op) |
171 | 6.51k | return 1; |
172 | 278k | } |
173 | 416k | sm = sm->next; |
174 | 416k | } |
175 | | |
176 | 53.9k | return 0; |
177 | 60.4k | } |
178 | | |
179 | | /** |
180 | | * \internal |
181 | | * \brief Setup ip_proto keyword. |
182 | | * |
183 | | * \param de_ctx Detection engine context |
184 | | * \param s Signature |
185 | | * \param optstr Options string |
186 | | * |
187 | | * \return Non-zero on error |
188 | | */ |
189 | | static int DetectIPProtoSetup(DetectEngineCtx *de_ctx, Signature *s, const char *optstr) |
190 | 21.1k | { |
191 | 21.1k | SigMatch *sm = NULL; |
192 | 21.1k | int i; |
193 | | |
194 | 21.1k | DetectIPProtoData *data = DetectIPProtoParse(optstr); |
195 | 21.1k | if (data == NULL) { |
196 | 4.13k | return -1; |
197 | 4.13k | } |
198 | | |
199 | | /* Reset our "any" (or "ip") state: for ipv4, ipv6 and ip cases, the bitfield |
200 | | * s->proto.proto have all bit set to 1 to be able to match any protocols. ipproto |
201 | | * will refined the protocol list and thus it needs to reset the bitfield to zero |
202 | | * before setting the value specified by the ip_proto keyword. |
203 | | */ |
204 | 17.0k | if (s->proto.flags & (DETECT_PROTO_ANY | DETECT_PROTO_IPV6 | DETECT_PROTO_IPV4)) { |
205 | 10.3k | s->proto.flags &= ~DETECT_PROTO_ANY; |
206 | 10.3k | memset(s->proto.proto, 0x00, sizeof(s->proto.proto)); |
207 | 10.3k | s->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
208 | 10.3k | } else { |
209 | | /* The ipproto engine has a relationship with the protocol that is |
210 | | * set after the action and also the app protocol(that can also be |
211 | | * set through the app-layer-protocol. |
212 | | * An ip_proto keyword can be used only with alert ip, which if |
213 | | * not true we error out on the sig. And hence the init_flag to |
214 | | * indicate this. */ |
215 | 6.68k | if (!(s->init_data->init_flags & SIG_FLAG_INIT_FIRST_IPPROTO_SEEN)) { |
216 | 1.91k | SCLogError("Signature can use " |
217 | 1.91k | "ip_proto keyword only when we use alert ip, " |
218 | 1.91k | "in which case the _ANY flag is set on the sig " |
219 | 1.91k | "and the if condition should match."); |
220 | 1.91k | goto error; |
221 | 1.91k | } |
222 | 6.68k | } |
223 | | |
224 | 15.1k | int eq_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_EQ); |
225 | 15.1k | int gt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_GT); |
226 | 15.1k | int lt_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_LT); |
227 | 15.1k | int not_set = DetectIPProtoTypePresentForOP(s, DETECT_IPPROTO_OP_NOT); |
228 | | |
229 | 15.1k | switch (data->op) { |
230 | 6.65k | case DETECT_IPPROTO_OP_EQ: |
231 | 6.65k | if (eq_set || gt_set || lt_set || not_set) { |
232 | 839 | SCLogError("can't use a eq " |
233 | 839 | "ipproto without any operators attached to " |
234 | 839 | "them in the same sig"); |
235 | 839 | goto error; |
236 | 839 | } |
237 | 5.81k | s->proto.proto[data->proto / 8] |= 1 << (data->proto % 8); |
238 | 5.81k | break; |
239 | | |
240 | 1.31k | case DETECT_IPPROTO_OP_GT: |
241 | 1.31k | if (eq_set || gt_set) { |
242 | 34 | SCLogError("can't use a eq or gt " |
243 | 34 | "ipproto along with a greater than ipproto in the " |
244 | 34 | "same sig "); |
245 | 34 | goto error; |
246 | 34 | } |
247 | 1.28k | if (!lt_set && !not_set) { |
248 | 948 | s->proto.proto[data->proto / 8] = (uint8_t)(0xfe << (data->proto % 8)); |
249 | 27.8k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
250 | 26.9k | s->proto.proto[i] = 0xff; |
251 | 26.9k | } |
252 | 948 | } else if (lt_set && !not_set) { |
253 | 83 | SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; |
254 | 478 | while (temp_sm != NULL) { |
255 | 478 | if (temp_sm->type == DETECT_IPPROTO) { |
256 | 83 | break; |
257 | 83 | } |
258 | 395 | temp_sm = temp_sm->next; |
259 | 395 | } |
260 | 83 | if (temp_sm != NULL) { |
261 | 83 | DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx; |
262 | 83 | if (data_temp->proto <= data->proto) { |
263 | 8 | SCLogError("can't have " |
264 | 8 | "both gt and lt ipprotos, with the lt being " |
265 | 8 | "lower than gt value"); |
266 | 8 | goto error; |
267 | 75 | } else { |
268 | 362 | for (i = 0; i < (data->proto / 8); i++) { |
269 | 287 | s->proto.proto[i] = 0; |
270 | 287 | } |
271 | 75 | s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); |
272 | 2.11k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
273 | 2.03k | s->proto.proto[i] &= 0xff; |
274 | 2.03k | } |
275 | 75 | } |
276 | 83 | } |
277 | 249 | } else if (!lt_set && not_set) { |
278 | 762 | for (i = 0; i < (data->proto / 8); i++) { |
279 | 633 | s->proto.proto[i] = 0; |
280 | 633 | } |
281 | 129 | s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); |
282 | 3.49k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
283 | 3.36k | s->proto.proto[i] &= 0xff; |
284 | 3.36k | } |
285 | 129 | } else { |
286 | 120 | DetectIPProtoData *data_temp; |
287 | 120 | SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; |
288 | 889 | while (temp_sm != NULL) { |
289 | 889 | if (temp_sm->type == DETECT_IPPROTO && |
290 | 353 | ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_LT) { |
291 | 120 | break; |
292 | 120 | } |
293 | 769 | temp_sm = temp_sm->next; |
294 | 769 | } |
295 | 120 | if (temp_sm != NULL) { |
296 | 120 | data_temp = (DetectIPProtoData *)temp_sm->ctx; |
297 | 120 | if (data_temp->proto <= data->proto) { |
298 | 12 | SCLogError("can't have " |
299 | 12 | "both gt and lt ipprotos, with the lt being " |
300 | 12 | "lower than gt value"); |
301 | 12 | goto error; |
302 | 108 | } else { |
303 | 597 | for (i = 0; i < (data->proto / 8); i++) { |
304 | 489 | s->proto.proto[i] = 0; |
305 | 489 | } |
306 | 108 | s->proto.proto[data->proto / 8] &= 0xfe << (data->proto % 8); |
307 | 2.96k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
308 | 2.85k | s->proto.proto[i] &= 0xff; |
309 | 2.85k | } |
310 | 108 | } |
311 | 120 | } |
312 | 120 | } |
313 | 1.26k | break; |
314 | | |
315 | 1.30k | case DETECT_IPPROTO_OP_LT: |
316 | 1.30k | if (eq_set || lt_set) { |
317 | 7 | SCLogError("can't use a eq or lt " |
318 | 7 | "ipproto along with a less than ipproto in the " |
319 | 7 | "same sig "); |
320 | 7 | goto error; |
321 | 7 | } |
322 | 1.30k | if (!gt_set && !not_set) { |
323 | 7.56k | for (i = 0; i < (data->proto / 8); i++) { |
324 | 6.50k | s->proto.proto[i] = 0xff; |
325 | 6.50k | } |
326 | 1.05k | s->proto.proto[data->proto / 8] = (uint8_t)(~(0xff << (data->proto % 8))); |
327 | 1.05k | } else if (gt_set && !not_set) { |
328 | 64 | SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; |
329 | 594 | while (temp_sm != NULL) { |
330 | 594 | if (temp_sm->type == DETECT_IPPROTO) { |
331 | 64 | break; |
332 | 64 | } |
333 | 530 | temp_sm = temp_sm->next; |
334 | 530 | } |
335 | 64 | if (temp_sm != NULL) { |
336 | 64 | DetectIPProtoData *data_temp = (DetectIPProtoData *)temp_sm->ctx; |
337 | 64 | if (data_temp->proto >= data->proto) { |
338 | 11 | SCLogError("can't use a have " |
339 | 11 | "both gt and lt ipprotos, with the lt being " |
340 | 11 | "lower than gt value"); |
341 | 11 | goto error; |
342 | 53 | } else { |
343 | 534 | for (i = 0; i < (data->proto / 8); i++) { |
344 | 481 | s->proto.proto[i] &= 0xff; |
345 | 481 | } |
346 | 53 | s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); |
347 | 1.21k | for (i = (data->proto / 8) + 1; i < 256 / 8; i++) { |
348 | 1.16k | s->proto.proto[i] = 0; |
349 | 1.16k | } |
350 | 53 | } |
351 | 64 | } |
352 | 180 | } else if (!gt_set && not_set) { |
353 | 1.65k | for (i = 0; i < (data->proto / 8); i++) { |
354 | 1.54k | s->proto.proto[i] &= 0xFF; |
355 | 1.54k | } |
356 | 114 | s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); |
357 | 2.10k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
358 | 1.99k | s->proto.proto[i] = 0; |
359 | 1.99k | } |
360 | 114 | } else { |
361 | 66 | DetectIPProtoData *data_temp; |
362 | 66 | SigMatch *temp_sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; |
363 | 767 | while (temp_sm != NULL) { |
364 | 767 | if (temp_sm->type == DETECT_IPPROTO && |
365 | 218 | ((DetectIPProtoData *)temp_sm->ctx)->op == DETECT_IPPROTO_OP_GT) { |
366 | 66 | break; |
367 | 66 | } |
368 | 701 | temp_sm = temp_sm->next; |
369 | 701 | } |
370 | 66 | if (temp_sm != NULL) { |
371 | 66 | data_temp = (DetectIPProtoData *)temp_sm->ctx; |
372 | 66 | if (data_temp->proto >= data->proto) { |
373 | 12 | SCLogError("can't have " |
374 | 12 | "both gt and lt ipprotos, with the lt being " |
375 | 12 | "lower than gt value"); |
376 | 12 | goto error; |
377 | 54 | } else { |
378 | 638 | for (i = 0; i < (data->proto / 8); i++) { |
379 | 584 | s->proto.proto[i] &= 0xFF; |
380 | 584 | } |
381 | 54 | s->proto.proto[data->proto / 8] &= ~(0xff << (data->proto % 8)); |
382 | 1.14k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
383 | 1.09k | s->proto.proto[i] = 0; |
384 | 1.09k | } |
385 | 54 | } |
386 | 66 | } |
387 | 66 | } |
388 | 1.27k | break; |
389 | | |
390 | 5.83k | case DETECT_IPPROTO_OP_NOT: |
391 | 5.83k | if (eq_set) { |
392 | 245 | SCLogError("can't use a eq " |
393 | 245 | "ipproto along with a not ipproto in the " |
394 | 245 | "same sig "); |
395 | 245 | goto error; |
396 | 245 | } |
397 | 5.59k | if (!gt_set && !lt_set && !not_set) { |
398 | 4.30k | for (i = 0; i < (data->proto / 8); i++) { |
399 | 2.40k | s->proto.proto[i] = 0xff; |
400 | 2.40k | } |
401 | 1.90k | s->proto.proto[data->proto / 8] = (uint8_t)(~(1 << (data->proto % 8))); |
402 | 58.5k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
403 | 56.6k | s->proto.proto[i] = 0xff; |
404 | 56.6k | } |
405 | 3.68k | } else { |
406 | 8.30k | for (i = 0; i < (data->proto / 8); i++) { |
407 | 4.61k | s->proto.proto[i] &= 0xff; |
408 | 4.61k | } |
409 | 3.68k | s->proto.proto[data->proto / 8] &= ~(1 << (data->proto % 8)); |
410 | 113k | for (i = (data->proto / 8) + 1; i < (256 / 8); i++) { |
411 | 109k | s->proto.proto[i] &= 0xff; |
412 | 109k | } |
413 | 3.68k | } |
414 | 5.59k | break; |
415 | 15.1k | } |
416 | | |
417 | 13.9k | sm = SigMatchAlloc(); |
418 | 13.9k | if (sm == NULL) |
419 | 0 | goto error; |
420 | 13.9k | sm->type = DETECT_IPPROTO; |
421 | 13.9k | sm->ctx = (void *)data; |
422 | 13.9k | SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); |
423 | 13.9k | s->flags |= SIG_FLAG_REQUIRE_PACKET; |
424 | | |
425 | 13.9k | return 0; |
426 | | |
427 | 3.08k | error: |
428 | | |
429 | 3.08k | DetectIPProtoFree(de_ctx, data); |
430 | 3.08k | return -1; |
431 | 13.9k | } |
432 | | |
433 | | |
434 | | void DetectIPProtoRemoveAllSMs(DetectEngineCtx *de_ctx, Signature *s) |
435 | 2.15M | { |
436 | 2.15M | SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_MATCH]; |
437 | | |
438 | 2.43M | while (sm != NULL) { |
439 | 281k | if (sm->type != DETECT_IPPROTO) { |
440 | 277k | sm = sm->next; |
441 | 277k | continue; |
442 | 277k | } |
443 | 3.38k | SigMatch *tmp_sm = sm->next; |
444 | 3.38k | SigMatchRemoveSMFromList(s, sm, DETECT_SM_LIST_MATCH); |
445 | 3.38k | SigMatchFree(de_ctx, sm); |
446 | 3.38k | sm = tmp_sm; |
447 | 3.38k | } |
448 | | |
449 | 2.15M | return; |
450 | 2.15M | } |
451 | | |
452 | | static void DetectIPProtoFree(DetectEngineCtx *de_ctx, void *ptr) |
453 | 17.0k | { |
454 | 17.0k | DetectIPProtoData *data = (DetectIPProtoData *)ptr; |
455 | 17.0k | if (data) { |
456 | 17.0k | SCFree(data); |
457 | 17.0k | } |
458 | 17.0k | } |
459 | | |
460 | | /* UNITTESTS */ |
461 | | #ifdef UNITTESTS |
462 | | #include "detect-engine-alert.h" |
463 | | |
464 | | /** |
465 | | * \test DetectIPProtoTestParse01 is a test for an invalid proto number |
466 | | */ |
467 | | static int DetectIPProtoTestParse01(void) |
468 | | { |
469 | | DetectIPProtoData *data = DetectIPProtoParse("999"); |
470 | | FAIL_IF_NOT(data == NULL); |
471 | | PASS; |
472 | | } |
473 | | |
474 | | /** |
475 | | * \test DetectIPProtoTestParse02 is a test for an invalid proto name |
476 | | */ |
477 | | static int DetectIPProtoTestParse02(void) |
478 | | { |
479 | | DetectIPProtoData *data = DetectIPProtoParse("foobarbooeek"); |
480 | | FAIL_IF_NOT(data == NULL); |
481 | | PASS; |
482 | | } |
483 | | |
484 | | /** |
485 | | * \test DetectIPProtoTestSetup01 is a test for a protocol number |
486 | | */ |
487 | | static int DetectIPProtoTestSetup01(void) |
488 | | { |
489 | | const char *value_str = "14"; |
490 | | int value; |
491 | | FAIL_IF(StringParseInt32(&value, 10, 0, (const char *)value_str) < 0); |
492 | | int i; |
493 | | |
494 | | Signature *sig = SigAlloc(); |
495 | | FAIL_IF_NULL(sig); |
496 | | |
497 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
498 | | sig->proto.flags |= DETECT_PROTO_ANY; |
499 | | DetectIPProtoSetup(NULL, sig, value_str); |
500 | | for (i = 0; i < (value / 8); i++) { |
501 | | FAIL_IF(sig->proto.proto[i] != 0); |
502 | | } |
503 | | FAIL_IF(sig->proto.proto[value / 8] != 0x40); |
504 | | for (i = (value / 8) + 1; i < (256 / 8); i++) { |
505 | | FAIL_IF(sig->proto.proto[i] != 0); |
506 | | } |
507 | | SigFree(NULL, sig); |
508 | | PASS; |
509 | | } |
510 | | |
511 | | /** |
512 | | * \test DetectIPProtoTestSetup02 is a test for a protocol name |
513 | | */ |
514 | | static int DetectIPProtoTestSetup02(void) |
515 | | { |
516 | | int result = 0; |
517 | | Signature *sig = NULL; |
518 | | const char *value_str = "tcp"; |
519 | | struct protoent *pent = getprotobyname(value_str); |
520 | | if (pent == NULL) { |
521 | | goto end; |
522 | | } |
523 | | uint8_t value = (uint8_t)pent->p_proto; |
524 | | int i; |
525 | | |
526 | | if ((sig = SigAlloc()) == NULL) |
527 | | goto end; |
528 | | |
529 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
530 | | sig->proto.flags |= DETECT_PROTO_ANY; |
531 | | DetectIPProtoSetup(NULL, sig, value_str); |
532 | | for (i = 0; i < (value / 8); i++) { |
533 | | if (sig->proto.proto[i] != 0) |
534 | | goto end; |
535 | | } |
536 | | if (sig->proto.proto[value / 8] != 0x40) { |
537 | | goto end; |
538 | | } |
539 | | for (i = (value / 8) + 1; i < (256 / 8); i++) { |
540 | | if (sig->proto.proto[i] != 0) |
541 | | goto end; |
542 | | } |
543 | | |
544 | | result = 1; |
545 | | |
546 | | end: |
547 | | if (sig != NULL) |
548 | | SigFree(NULL, sig); |
549 | | return result; |
550 | | } |
551 | | |
552 | | /** |
553 | | * \test DetectIPProtoTestSetup03 is a test for a < operator |
554 | | */ |
555 | | static int DetectIPProtoTestSetup03(void) |
556 | | { |
557 | | int result = 0; |
558 | | Signature *sig; |
559 | | const char *value_str = "<14"; |
560 | | int value = 14; |
561 | | int i; |
562 | | |
563 | | if ((sig = SigAlloc()) == NULL) |
564 | | goto end; |
565 | | |
566 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
567 | | sig->proto.flags |= DETECT_PROTO_ANY; |
568 | | DetectIPProtoSetup(NULL, sig, value_str); |
569 | | for (i = 0; i < (value / 8); i++) { |
570 | | if (sig->proto.proto[i] != 0xFF) |
571 | | goto end; |
572 | | } |
573 | | if (sig->proto.proto[value / 8] != 0x3F) { |
574 | | goto end; |
575 | | } |
576 | | for (i = (value / 8) + 1; i < (256 / 8); i++) { |
577 | | if (sig->proto.proto[i] != 0) |
578 | | goto end; |
579 | | } |
580 | | |
581 | | result = 1; |
582 | | |
583 | | end: |
584 | | SigFree(NULL, sig); |
585 | | return result; |
586 | | } |
587 | | |
588 | | /** |
589 | | * \test DetectIPProtoTestSetup04 is a test for a > operator |
590 | | */ |
591 | | static int DetectIPProtoTestSetup04(void) |
592 | | { |
593 | | int result = 0; |
594 | | Signature *sig; |
595 | | const char *value_str = ">14"; |
596 | | int value = 14; |
597 | | int i; |
598 | | |
599 | | if ((sig = SigAlloc()) == NULL) |
600 | | goto end; |
601 | | |
602 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
603 | | sig->proto.flags |= DETECT_PROTO_ANY; |
604 | | DetectIPProtoSetup(NULL, sig, value_str); |
605 | | for (i = 0; i < (value / 8); i++) { |
606 | | if (sig->proto.proto[i] != 0) |
607 | | goto end; |
608 | | } |
609 | | if (sig->proto.proto[value / 8] != 0x80) { |
610 | | goto end; |
611 | | } |
612 | | for (i = (value / 8) + 1; i < (256 / 8); i++) { |
613 | | if (sig->proto.proto[i] != 0xFF) |
614 | | goto end; |
615 | | } |
616 | | |
617 | | result = 1; |
618 | | |
619 | | end: |
620 | | SigFree(NULL, sig); |
621 | | return result; |
622 | | } |
623 | | |
624 | | /** |
625 | | * \test DetectIPProtoTestSetup05 is a test for a ! operator |
626 | | */ |
627 | | static int DetectIPProtoTestSetup05(void) |
628 | | { |
629 | | int result = 0; |
630 | | Signature *sig; |
631 | | const char *value_str = "!14"; |
632 | | int value = 14; |
633 | | int i; |
634 | | |
635 | | if ((sig = SigAlloc()) == NULL) |
636 | | goto end; |
637 | | |
638 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
639 | | sig->proto.flags |= DETECT_PROTO_ANY; |
640 | | DetectIPProtoSetup(NULL, sig, value_str); |
641 | | for (i = 0; i < (value / 8); i++) { |
642 | | if (sig->proto.proto[i] != 0xFF) |
643 | | goto end; |
644 | | } |
645 | | if (sig->proto.proto[value / 8] != 0xBF) { |
646 | | goto end; |
647 | | } |
648 | | for (i = (value / 8) + 1; i < (256 / 8); i++) { |
649 | | if (sig->proto.proto[i] != 0xFF) |
650 | | goto end; |
651 | | } |
652 | | |
653 | | result = 1; |
654 | | |
655 | | end: |
656 | | SigFree(NULL, sig); |
657 | | return result; |
658 | | } |
659 | | |
660 | | /** |
661 | | * \test Negative test. |
662 | | */ |
663 | | static int DetectIPProtoTestSetup06(void) |
664 | | { |
665 | | int result = 0; |
666 | | Signature *sig; |
667 | | const char *value1_str = "14"; |
668 | | const char *value2_str = "15"; |
669 | | |
670 | | if ((sig = SigAlloc()) == NULL) |
671 | | goto end; |
672 | | |
673 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
674 | | sig->proto.flags |= DETECT_PROTO_ANY; |
675 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
676 | | goto end; |
677 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
678 | | goto end; |
679 | | |
680 | | result = 1; |
681 | | |
682 | | end: |
683 | | SigFree(NULL, sig); |
684 | | return result; |
685 | | } |
686 | | |
687 | | /** |
688 | | * \test Negative test. |
689 | | */ |
690 | | static int DetectIPProtoTestSetup07(void) |
691 | | { |
692 | | int result = 0; |
693 | | Signature *sig; |
694 | | const char *value1_str = "14"; |
695 | | const char *value2_str = "<15"; |
696 | | |
697 | | if ((sig = SigAlloc()) == NULL) |
698 | | goto end; |
699 | | |
700 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
701 | | sig->proto.flags |= DETECT_PROTO_ANY; |
702 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
703 | | goto end; |
704 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
705 | | goto end; |
706 | | |
707 | | result = 1; |
708 | | |
709 | | end: |
710 | | SigFree(NULL, sig); |
711 | | return result; |
712 | | } |
713 | | |
714 | | /** |
715 | | * \test Negative test. |
716 | | */ |
717 | | static int DetectIPProtoTestSetup08(void) |
718 | | { |
719 | | int result = 0; |
720 | | Signature *sig; |
721 | | const char *value1_str = "14"; |
722 | | const char *value2_str = ">15"; |
723 | | |
724 | | if ((sig = SigAlloc()) == NULL) |
725 | | goto end; |
726 | | |
727 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
728 | | sig->proto.flags |= DETECT_PROTO_ANY; |
729 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
730 | | goto end; |
731 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
732 | | goto end; |
733 | | |
734 | | result = 1; |
735 | | |
736 | | end: |
737 | | SigFree(NULL, sig); |
738 | | return result; |
739 | | } |
740 | | |
741 | | /** |
742 | | * \test Negative test. |
743 | | */ |
744 | | static int DetectIPProtoTestSetup09(void) |
745 | | { |
746 | | int result = 0; |
747 | | Signature *sig; |
748 | | const char *value1_str = "14"; |
749 | | const char *value2_str = "!15"; |
750 | | |
751 | | if ((sig = SigAlloc()) == NULL) |
752 | | goto end; |
753 | | |
754 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
755 | | sig->proto.flags |= DETECT_PROTO_ANY; |
756 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
757 | | goto end; |
758 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
759 | | goto end; |
760 | | |
761 | | result = 1; |
762 | | |
763 | | end: |
764 | | SigFree(NULL, sig); |
765 | | return result; |
766 | | } |
767 | | |
768 | | /** |
769 | | * \test Negative test. |
770 | | */ |
771 | | static int DetectIPProtoTestSetup10(void) |
772 | | { |
773 | | int result = 0; |
774 | | Signature *sig; |
775 | | const char *value1_str = ">14"; |
776 | | const char *value2_str = "15"; |
777 | | |
778 | | if ((sig = SigAlloc()) == NULL) |
779 | | goto end; |
780 | | |
781 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
782 | | sig->proto.flags |= DETECT_PROTO_ANY; |
783 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
784 | | goto end; |
785 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
786 | | goto end; |
787 | | |
788 | | result = 1; |
789 | | |
790 | | end: |
791 | | SigFree(NULL, sig); |
792 | | return result; |
793 | | } |
794 | | |
795 | | /** |
796 | | * \test Negative test. |
797 | | */ |
798 | | static int DetectIPProtoTestSetup11(void) |
799 | | { |
800 | | int result = 0; |
801 | | Signature *sig; |
802 | | const char *value1_str = "<14"; |
803 | | const char *value2_str = "15"; |
804 | | |
805 | | if ((sig = SigAlloc()) == NULL) |
806 | | goto end; |
807 | | |
808 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
809 | | sig->proto.flags |= DETECT_PROTO_ANY; |
810 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
811 | | goto end; |
812 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
813 | | goto end; |
814 | | |
815 | | result = 1; |
816 | | |
817 | | end: |
818 | | SigFree(NULL, sig); |
819 | | return result; |
820 | | } |
821 | | |
822 | | /** |
823 | | * \test Negative test. |
824 | | */ |
825 | | static int DetectIPProtoTestSetup12(void) |
826 | | { |
827 | | int result = 0; |
828 | | Signature *sig; |
829 | | const char *value1_str = "!14"; |
830 | | const char *value2_str = "15"; |
831 | | |
832 | | if ((sig = SigAlloc()) == NULL) |
833 | | goto end; |
834 | | |
835 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
836 | | sig->proto.flags |= DETECT_PROTO_ANY; |
837 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
838 | | goto end; |
839 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
840 | | goto end; |
841 | | |
842 | | result = 1; |
843 | | |
844 | | end: |
845 | | SigFree(NULL, sig); |
846 | | return result; |
847 | | } |
848 | | |
849 | | /** |
850 | | * \test Negative test. |
851 | | */ |
852 | | static int DetectIPProtoTestSetup13(void) |
853 | | { |
854 | | int result = 0; |
855 | | Signature *sig; |
856 | | const char *value1_str = ">14"; |
857 | | const char *value2_str = ">15"; |
858 | | |
859 | | if ((sig = SigAlloc()) == NULL) |
860 | | goto end; |
861 | | |
862 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
863 | | sig->proto.flags |= DETECT_PROTO_ANY; |
864 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
865 | | goto end; |
866 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
867 | | goto end; |
868 | | |
869 | | result = 1; |
870 | | |
871 | | end: |
872 | | SigFree(NULL, sig); |
873 | | return result; |
874 | | } |
875 | | |
876 | | static int DetectIPProtoTestSetup14(void) |
877 | | { |
878 | | int result = 0; |
879 | | Signature *sig; |
880 | | const char *value1_str = "<14"; |
881 | | const char *value2_str = "<15"; |
882 | | |
883 | | if ((sig = SigAlloc()) == NULL) |
884 | | goto end; |
885 | | |
886 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
887 | | sig->proto.flags |= DETECT_PROTO_ANY; |
888 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
889 | | goto end; |
890 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != -1) |
891 | | goto end; |
892 | | |
893 | | result = 1; |
894 | | |
895 | | end: |
896 | | SigFree(NULL, sig); |
897 | | return result; |
898 | | } |
899 | | |
900 | | static int DetectIPProtoTestSetup15(void) |
901 | | { |
902 | | int result = 0; |
903 | | Signature *sig; |
904 | | const char *value1_str = "<14"; |
905 | | int value1 = 14; |
906 | | const char *value2_str = ">34"; |
907 | | int i; |
908 | | |
909 | | if ((sig = SigAlloc()) == NULL) |
910 | | goto end; |
911 | | |
912 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
913 | | sig->proto.flags |= DETECT_PROTO_ANY; |
914 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
915 | | goto end; |
916 | | for (i = 0; i < (value1 / 8); i++) { |
917 | | if (sig->proto.proto[i] != 0xFF) |
918 | | goto end; |
919 | | } |
920 | | if (sig->proto.proto[value1 / 8] != 0x3F) { |
921 | | goto end; |
922 | | } |
923 | | for (i = (value1 / 8) + 1; i < (256 / 8); i++) { |
924 | | if (sig->proto.proto[i] != 0) |
925 | | goto end; |
926 | | } |
927 | | if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) |
928 | | goto end; |
929 | | |
930 | | result = 1; |
931 | | |
932 | | end: |
933 | | SigFree(NULL, sig); |
934 | | return result; |
935 | | |
936 | | } |
937 | | |
938 | | static int DetectIPProtoTestSetup16(void) |
939 | | { |
940 | | int result = 0; |
941 | | Signature *sig; |
942 | | const char *value1_str = "<14"; |
943 | | const char *value2_str = ">34"; |
944 | | int value2 = 34; |
945 | | int i; |
946 | | |
947 | | if ((sig = SigAlloc()) == NULL) |
948 | | goto end; |
949 | | |
950 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
951 | | sig->proto.flags |= DETECT_PROTO_ANY; |
952 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
953 | | goto end; |
954 | | for (i = 0; i < (value2 / 8); i++) { |
955 | | if (sig->proto.proto[i] != 0) |
956 | | goto end; |
957 | | } |
958 | | if (sig->proto.proto[value2 / 8] != 0xF8) { |
959 | | goto end; |
960 | | } |
961 | | for (i = (value2 / 8) + 1; i < (256 / 8); i++) { |
962 | | if (sig->proto.proto[i] != 0xFF) |
963 | | goto end; |
964 | | } |
965 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
966 | | goto end; |
967 | | |
968 | | result = 1; |
969 | | |
970 | | end: |
971 | | SigFree(NULL, sig); |
972 | | return result; |
973 | | |
974 | | } |
975 | | |
976 | | static int DetectIPProtoTestSetup17(void) |
977 | | { |
978 | | int result = 0; |
979 | | Signature *sig; |
980 | | const char *value1_str = "<11"; |
981 | | int value1 = 11; |
982 | | const char *value2_str = ">13"; |
983 | | int i; |
984 | | |
985 | | if ((sig = SigAlloc()) == NULL) |
986 | | goto end; |
987 | | |
988 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
989 | | sig->proto.flags |= DETECT_PROTO_ANY; |
990 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
991 | | goto end; |
992 | | for (i = 0; i < (value1 / 8); i++) { |
993 | | if (sig->proto.proto[i] != 0xFF) |
994 | | goto end; |
995 | | } |
996 | | if (sig->proto.proto[value1 / 8] != 0x07) { |
997 | | goto end; |
998 | | } |
999 | | for (i = (value1 / 8) + 1; i < (256 / 8); i++) { |
1000 | | if (sig->proto.proto[i] != 0) |
1001 | | goto end; |
1002 | | } |
1003 | | if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) |
1004 | | goto end; |
1005 | | |
1006 | | result = 1; |
1007 | | |
1008 | | end: |
1009 | | SigFree(NULL, sig); |
1010 | | return result; |
1011 | | |
1012 | | } |
1013 | | |
1014 | | static int DetectIPProtoTestSetup18(void) |
1015 | | { |
1016 | | int result = 0; |
1017 | | Signature *sig; |
1018 | | const char *value1_str = "<11"; |
1019 | | const char *value2_str = ">13"; |
1020 | | int value2 = 13; |
1021 | | int i; |
1022 | | |
1023 | | if ((sig = SigAlloc()) == NULL) |
1024 | | goto end; |
1025 | | |
1026 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1027 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1028 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1029 | | goto end; |
1030 | | for (i = 0; i < (value2 / 8); i++) { |
1031 | | if (sig->proto.proto[i] != 0) |
1032 | | goto end; |
1033 | | } |
1034 | | if (sig->proto.proto[value2 / 8] != 0xC0) { |
1035 | | goto end; |
1036 | | } |
1037 | | for (i = (value2 / 8) + 1; i < (256 / 8); i++) { |
1038 | | if (sig->proto.proto[i] != 0xFF) |
1039 | | goto end; |
1040 | | } |
1041 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
1042 | | goto end; |
1043 | | |
1044 | | result = 1; |
1045 | | |
1046 | | end: |
1047 | | SigFree(NULL, sig); |
1048 | | return result; |
1049 | | |
1050 | | } |
1051 | | |
1052 | | static int DetectIPProtoTestSetup19(void) |
1053 | | { |
1054 | | int result = 0; |
1055 | | Signature *sig; |
1056 | | const char *value1_str = "<11"; |
1057 | | int value1 = 11; |
1058 | | const char *value2_str = "!13"; |
1059 | | const char *value3_str = ">36"; |
1060 | | int i; |
1061 | | |
1062 | | if ((sig = SigAlloc()) == NULL) |
1063 | | goto end; |
1064 | | |
1065 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1066 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1067 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1068 | | goto end; |
1069 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1070 | | goto end; |
1071 | | for (i = 0; i < (value1 / 8); i++) { |
1072 | | if (sig->proto.proto[i] != 0xFF) |
1073 | | goto end; |
1074 | | } |
1075 | | if (sig->proto.proto[value1 / 8] != 0x07) { |
1076 | | goto end; |
1077 | | } |
1078 | | for (i = (value1 / 8) + 1; i < (256 / 8); i++) { |
1079 | | if (sig->proto.proto[i] != 0) |
1080 | | goto end; |
1081 | | } |
1082 | | if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) |
1083 | | goto end; |
1084 | | |
1085 | | result = 1; |
1086 | | |
1087 | | end: |
1088 | | SigFree(NULL, sig); |
1089 | | return result; |
1090 | | } |
1091 | | |
1092 | | static int DetectIPProtoTestSetup20(void) |
1093 | | { |
1094 | | int result = 0; |
1095 | | Signature *sig; |
1096 | | const char *value1_str = "<11"; |
1097 | | int value1 = 11; |
1098 | | const char *value3_str = ">36"; |
1099 | | int i; |
1100 | | |
1101 | | if ((sig = SigAlloc()) == NULL) |
1102 | | goto end; |
1103 | | |
1104 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1105 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1106 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1107 | | goto end; |
1108 | | for (i = 0; i < (value1 / 8); i++) { |
1109 | | if (sig->proto.proto[i] != 0xFF) |
1110 | | goto end; |
1111 | | } |
1112 | | if (sig->proto.proto[value1 / 8] != 0x07) { |
1113 | | goto end; |
1114 | | } |
1115 | | for (i = (value1 / 8) + 1; i < (256 / 8); i++) { |
1116 | | if (sig->proto.proto[i] != 0) |
1117 | | goto end; |
1118 | | } |
1119 | | if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) |
1120 | | goto end; |
1121 | | |
1122 | | result = 1; |
1123 | | |
1124 | | end: |
1125 | | SigFree(NULL, sig); |
1126 | | return result; |
1127 | | } |
1128 | | |
1129 | | static int DetectIPProtoTestSetup21(void) |
1130 | | { |
1131 | | int result = 0; |
1132 | | Signature *sig; |
1133 | | const char *value1_str = "<11"; |
1134 | | int value1 = 11; |
1135 | | const char *value2_str = "!13"; |
1136 | | const char *value3_str = ">36"; |
1137 | | int i; |
1138 | | |
1139 | | if ((sig = SigAlloc()) == NULL) |
1140 | | goto end; |
1141 | | |
1142 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1143 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1144 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1145 | | goto end; |
1146 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1147 | | goto end; |
1148 | | for (i = 0; i < (value1 / 8); i++) { |
1149 | | if (sig->proto.proto[i] != 0xFF) |
1150 | | goto end; |
1151 | | } |
1152 | | if (sig->proto.proto[value1 / 8] != 0x07) { |
1153 | | goto end; |
1154 | | } |
1155 | | for (i = (value1 / 8) + 1; i < (256 / 8); i++) { |
1156 | | if (sig->proto.proto[i] != 0) |
1157 | | goto end; |
1158 | | } |
1159 | | if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) |
1160 | | goto end; |
1161 | | |
1162 | | result = 1; |
1163 | | |
1164 | | end: |
1165 | | SigFree(NULL, sig); |
1166 | | return result; |
1167 | | } |
1168 | | |
1169 | | static int DetectIPProtoTestSetup22(void) |
1170 | | { |
1171 | | int result = 0; |
1172 | | Signature *sig; |
1173 | | const char *value1_str = "<11"; |
1174 | | const char *value2_str = "!13"; |
1175 | | const char *value3_str = ">36"; |
1176 | | int value3 = 36; |
1177 | | int i; |
1178 | | |
1179 | | if ((sig = SigAlloc()) == NULL) |
1180 | | goto end; |
1181 | | |
1182 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1183 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1184 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1185 | | goto end; |
1186 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1187 | | goto end; |
1188 | | for (i = 0; i < (value3 / 8); i++) { |
1189 | | if (sig->proto.proto[i] != 0) |
1190 | | goto end; |
1191 | | } |
1192 | | if (sig->proto.proto[value3 / 8] != 0xE0) { |
1193 | | goto end; |
1194 | | } |
1195 | | for (i = (value3 / 8) + 1; i < (256 / 8); i++) { |
1196 | | if (sig->proto.proto[i] != 0xFF) |
1197 | | goto end; |
1198 | | } |
1199 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
1200 | | goto end; |
1201 | | |
1202 | | result = 1; |
1203 | | |
1204 | | end: |
1205 | | SigFree(NULL, sig); |
1206 | | return result; |
1207 | | } |
1208 | | |
1209 | | static int DetectIPProtoTestSetup23(void) |
1210 | | { |
1211 | | int result = 0; |
1212 | | Signature *sig; |
1213 | | const char *value1_str = "<11"; |
1214 | | const char *value3_str = ">36"; |
1215 | | int value3 = 36; |
1216 | | int i; |
1217 | | |
1218 | | if ((sig = SigAlloc()) == NULL) |
1219 | | goto end; |
1220 | | |
1221 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1222 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1223 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1224 | | goto end; |
1225 | | for (i = 0; i < (value3 / 8); i++) { |
1226 | | if (sig->proto.proto[i] != 0) |
1227 | | goto end; |
1228 | | } |
1229 | | if (sig->proto.proto[value3 / 8] != 0xE0) { |
1230 | | goto end; |
1231 | | } |
1232 | | for (i = (value3 / 8) + 1; i < (256 / 8); i++) { |
1233 | | if (sig->proto.proto[i] != 0xFF) |
1234 | | goto end; |
1235 | | } |
1236 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
1237 | | goto end; |
1238 | | |
1239 | | result = 1; |
1240 | | |
1241 | | end: |
1242 | | SigFree(NULL, sig); |
1243 | | return result; |
1244 | | } |
1245 | | |
1246 | | static int DetectIPProtoTestSetup24(void) |
1247 | | { |
1248 | | int result = 0; |
1249 | | Signature *sig; |
1250 | | const char *value1_str = "<11"; |
1251 | | const char *value2_str = "!13"; |
1252 | | const char *value3_str = ">36"; |
1253 | | int value3 = 36; |
1254 | | int i; |
1255 | | |
1256 | | if ((sig = SigAlloc()) == NULL) |
1257 | | goto end; |
1258 | | |
1259 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1260 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1261 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1262 | | goto end; |
1263 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1264 | | goto end; |
1265 | | for (i = 0; i < (value3 / 8); i++) { |
1266 | | if (sig->proto.proto[i] != 0) |
1267 | | goto end; |
1268 | | } |
1269 | | if (sig->proto.proto[value3 / 8] != 0xE0) { |
1270 | | goto end; |
1271 | | } |
1272 | | for (i = (value3 / 8) + 1; i < (256 / 8); i++) { |
1273 | | if (sig->proto.proto[i] != 0xFF) |
1274 | | goto end; |
1275 | | } |
1276 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
1277 | | goto end; |
1278 | | |
1279 | | result = 1; |
1280 | | |
1281 | | end: |
1282 | | SigFree(NULL, sig); |
1283 | | return result; |
1284 | | } |
1285 | | |
1286 | | static int DetectIPProtoTestSetup33(void) |
1287 | | { |
1288 | | int result = 0; |
1289 | | Signature *sig; |
1290 | | const char *value1_str = "<11"; |
1291 | | int value1 = 11; |
1292 | | const char *value2_str = "!34"; |
1293 | | const char *value3_str = ">36"; |
1294 | | int i; |
1295 | | |
1296 | | if ((sig = SigAlloc()) == NULL) |
1297 | | goto end; |
1298 | | |
1299 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1300 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1301 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1302 | | goto end; |
1303 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1304 | | goto end; |
1305 | | for (i = 0; i < (value1 / 8); i++) { |
1306 | | if (sig->proto.proto[i] != 0xFF) |
1307 | | goto end; |
1308 | | } |
1309 | | if (sig->proto.proto[value1 / 8] != 0x07) { |
1310 | | goto end; |
1311 | | } |
1312 | | for (i = (value1 / 8) + 1; i < (256 / 8); i++) { |
1313 | | if (sig->proto.proto[i] != 0) |
1314 | | goto end; |
1315 | | } |
1316 | | if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) |
1317 | | goto end; |
1318 | | |
1319 | | result = 1; |
1320 | | |
1321 | | end: |
1322 | | SigFree(NULL, sig); |
1323 | | return result; |
1324 | | } |
1325 | | |
1326 | | static int DetectIPProtoTestSetup34(void) |
1327 | | { |
1328 | | int result = 0; |
1329 | | Signature *sig; |
1330 | | const char *value1_str = "<11"; |
1331 | | int value1 = 11; |
1332 | | const char *value2_str = "!34"; |
1333 | | const char *value3_str = ">36"; |
1334 | | int value3 = 36; |
1335 | | int i; |
1336 | | |
1337 | | if ((sig = SigAlloc()) == NULL) |
1338 | | goto end; |
1339 | | |
1340 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1341 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1342 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1343 | | goto end; |
1344 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1345 | | goto end; |
1346 | | for (i = 0; i < (value1 / 8); i++) { |
1347 | | if (sig->proto.proto[i] != 0) |
1348 | | goto end; |
1349 | | } |
1350 | | if (sig->proto.proto[value3 / 8] != 0xE0) { |
1351 | | goto end; |
1352 | | } |
1353 | | for (i = (value3 / 8) + 1; i < (256 / 8); i++) { |
1354 | | if (sig->proto.proto[i] != 0xFF) |
1355 | | goto end; |
1356 | | } |
1357 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
1358 | | goto end; |
1359 | | |
1360 | | result = 1; |
1361 | | |
1362 | | end: |
1363 | | SigFree(NULL, sig); |
1364 | | return result; |
1365 | | } |
1366 | | |
1367 | | static int DetectIPProtoTestSetup36(void) |
1368 | | { |
1369 | | int result = 0; |
1370 | | Signature *sig; |
1371 | | const char *value1_str = "<11"; |
1372 | | const char *value2_str = "!34"; |
1373 | | const char *value3_str = ">36"; |
1374 | | int value3 = 36; |
1375 | | int i; |
1376 | | |
1377 | | if ((sig = SigAlloc()) == NULL) |
1378 | | goto end; |
1379 | | |
1380 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1381 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1382 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1383 | | goto end; |
1384 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1385 | | goto end; |
1386 | | for (i = 0; i < (value3 / 8); i++) { |
1387 | | if (sig->proto.proto[i] != 0) |
1388 | | goto end; |
1389 | | } |
1390 | | if (sig->proto.proto[value3 / 8] != 0xE0) { |
1391 | | goto end; |
1392 | | } |
1393 | | for (i = (value3 / 8) + 1; i < (256 / 8); i++) { |
1394 | | if (sig->proto.proto[i] != 0xFF) |
1395 | | goto end; |
1396 | | } |
1397 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
1398 | | goto end; |
1399 | | |
1400 | | result = 1; |
1401 | | |
1402 | | end: |
1403 | | SigFree(NULL, sig); |
1404 | | return result; |
1405 | | } |
1406 | | |
1407 | | static int DetectIPProtoTestSetup43(void) |
1408 | | { |
1409 | | int result = 0; |
1410 | | Signature *sig; |
1411 | | const char *value1_str = "!4"; |
1412 | | int value1 = 4; |
1413 | | const char *value2_str = "<13"; |
1414 | | int value2 = 13; |
1415 | | const char *value3_str = ">34"; |
1416 | | int i; |
1417 | | |
1418 | | if ((sig = SigAlloc()) == NULL) |
1419 | | goto end; |
1420 | | |
1421 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1422 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1423 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1424 | | goto end; |
1425 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1426 | | goto end; |
1427 | | if (sig->proto.proto[value1 / 8] != 0xEF) { |
1428 | | goto end; |
1429 | | } |
1430 | | for (i = (value1 / 8) + 1; i < (value2 / 8); i++) { |
1431 | | if (sig->proto.proto[i] != 0xFF) |
1432 | | goto end; |
1433 | | } |
1434 | | if (sig->proto.proto[value2 / 8] != 0x1F) { |
1435 | | goto end; |
1436 | | } |
1437 | | for (i = (value2 / 8) + 1; i < 256 / 8; i++) { |
1438 | | if (sig->proto.proto[i] != 0) |
1439 | | goto end; |
1440 | | } |
1441 | | if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) |
1442 | | goto end; |
1443 | | |
1444 | | result = 1; |
1445 | | |
1446 | | end: |
1447 | | SigFree(NULL, sig); |
1448 | | return result; |
1449 | | } |
1450 | | |
1451 | | static int DetectIPProtoTestSetup44(void) |
1452 | | { |
1453 | | int result = 0; |
1454 | | Signature *sig; |
1455 | | const char *value1_str = "!4"; |
1456 | | const char *value2_str = "<13"; |
1457 | | const char *value3_str = ">34"; |
1458 | | int value3 = 34; |
1459 | | int i; |
1460 | | |
1461 | | if ((sig = SigAlloc()) == NULL) |
1462 | | goto end; |
1463 | | |
1464 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1465 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1466 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1467 | | goto end; |
1468 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1469 | | goto end; |
1470 | | for (i = 0; i < (value3 / 8); i++) { |
1471 | | if (sig->proto.proto[i] != 0) |
1472 | | goto end; |
1473 | | } |
1474 | | if (sig->proto.proto[value3 / 8] != 0xF8) { |
1475 | | goto end; |
1476 | | } |
1477 | | for (i = (value3 / 8) + 1; i < 256 / 8; i++) { |
1478 | | if (sig->proto.proto[i] != 0xFF) |
1479 | | goto end; |
1480 | | } |
1481 | | if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) |
1482 | | goto end; |
1483 | | |
1484 | | result = 1; |
1485 | | |
1486 | | end: |
1487 | | SigFree(NULL, sig); |
1488 | | return result; |
1489 | | } |
1490 | | |
1491 | | static int DetectIPProtoTestSetup45(void) |
1492 | | { |
1493 | | int result = 0; |
1494 | | Signature *sig; |
1495 | | const char *value1_str = "!4"; |
1496 | | int value1 = 4; |
1497 | | const char *value2_str = "<13"; |
1498 | | int value2 = 13; |
1499 | | const char *value3_str = ">34"; |
1500 | | int i; |
1501 | | |
1502 | | if ((sig = SigAlloc()) == NULL) |
1503 | | goto end; |
1504 | | |
1505 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1506 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1507 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1508 | | goto end; |
1509 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1510 | | goto end; |
1511 | | if (sig->proto.proto[value1 / 8] != 0xEF) { |
1512 | | goto end; |
1513 | | } |
1514 | | for (i = (value1 / 8) + 1; i < (value2 / 8); i++) { |
1515 | | if (sig->proto.proto[i] != 0xFF) |
1516 | | goto end; |
1517 | | } |
1518 | | if (sig->proto.proto[value2 / 8] != 0x1F) { |
1519 | | goto end; |
1520 | | } |
1521 | | for (i = (value2 / 8) + 1; i < 256 / 8; i++) { |
1522 | | if (sig->proto.proto[i] != 0) |
1523 | | goto end; |
1524 | | } |
1525 | | if (DetectIPProtoSetup(NULL, sig, value3_str) == 0) |
1526 | | goto end; |
1527 | | |
1528 | | result = 1; |
1529 | | |
1530 | | end: |
1531 | | SigFree(NULL, sig); |
1532 | | return result; |
1533 | | } |
1534 | | |
1535 | | static int DetectIPProtoTestSetup56(void) |
1536 | | { |
1537 | | int result = 0; |
1538 | | Signature *sig; |
1539 | | const char *value1_str = "<13"; |
1540 | | int value1 = 13; |
1541 | | const char *value2_str = ">34"; |
1542 | | const char *value3_str = "!37"; |
1543 | | int i; |
1544 | | |
1545 | | if ((sig = SigAlloc()) == NULL) |
1546 | | goto end; |
1547 | | |
1548 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1549 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1550 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1551 | | goto end; |
1552 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1553 | | goto end; |
1554 | | for (i = 0; i < (value1 / 8); i++) { |
1555 | | if (sig->proto.proto[i] != 0xFF) |
1556 | | goto end; |
1557 | | } |
1558 | | if (sig->proto.proto[value1 / 8] != 0x1F) { |
1559 | | goto end; |
1560 | | } |
1561 | | for (i = (value1 / 8) + 1; i < 256 / 8; i++) { |
1562 | | if (sig->proto.proto[i] != 0) |
1563 | | goto end; |
1564 | | } |
1565 | | if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) |
1566 | | goto end; |
1567 | | |
1568 | | result = 1; |
1569 | | |
1570 | | end: |
1571 | | SigFree(NULL, sig); |
1572 | | return result; |
1573 | | } |
1574 | | |
1575 | | static int DetectIPProtoTestSetup75(void) |
1576 | | { |
1577 | | int result = 0; |
1578 | | Signature *sig; |
1579 | | const char *value1_str = "!8"; |
1580 | | const char *value2_str = ">10"; |
1581 | | int value2 = 10; |
1582 | | int i; |
1583 | | |
1584 | | if ((sig = SigAlloc()) == NULL) |
1585 | | goto end; |
1586 | | |
1587 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1588 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1589 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1590 | | goto end; |
1591 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1592 | | goto end; |
1593 | | for (i = 0; i < (value2 / 8); i++) { |
1594 | | if (sig->proto.proto[i] != 0) |
1595 | | goto end; |
1596 | | } |
1597 | | if (sig->proto.proto[value2 / 8] != 0xF8) { |
1598 | | goto end; |
1599 | | } |
1600 | | for (i = (value2 / 8) + 1; i < (256 / 8); i++) { |
1601 | | if (sig->proto.proto[i] != 0xFF) |
1602 | | goto end; |
1603 | | } |
1604 | | |
1605 | | result = 1; |
1606 | | |
1607 | | end: |
1608 | | SigFree(NULL, sig); |
1609 | | return result; |
1610 | | } |
1611 | | |
1612 | | static int DetectIPProtoTestSetup76(void) |
1613 | | { |
1614 | | int result = 0; |
1615 | | Signature *sig; |
1616 | | const char *value1_str = "!8"; |
1617 | | const char *value2_str = ">10"; |
1618 | | int value2 = 10; |
1619 | | int i; |
1620 | | |
1621 | | if ((sig = SigAlloc()) == NULL) |
1622 | | goto end; |
1623 | | |
1624 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1625 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1626 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1627 | | goto end; |
1628 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1629 | | goto end; |
1630 | | for (i = 0; i < (value2 / 8); i++) { |
1631 | | if (sig->proto.proto[i] != 0) |
1632 | | goto end; |
1633 | | } |
1634 | | if (sig->proto.proto[value2 / 8] != 0xF8) { |
1635 | | goto end; |
1636 | | } |
1637 | | for (i = (value2 / 8) + 1; i < (256 / 8); i++) { |
1638 | | if (sig->proto.proto[i] != 0xFF) |
1639 | | goto end; |
1640 | | } |
1641 | | |
1642 | | result = 1; |
1643 | | |
1644 | | end: |
1645 | | SigFree(NULL, sig); |
1646 | | return result; |
1647 | | } |
1648 | | |
1649 | | static int DetectIPProtoTestSetup129(void) |
1650 | | { |
1651 | | int result = 0; |
1652 | | Signature *sig; |
1653 | | const char *value1_str = "<10"; |
1654 | | int value1 = 10; |
1655 | | const char *value2_str = ">10"; |
1656 | | int i; |
1657 | | |
1658 | | if ((sig = SigAlloc()) == NULL) |
1659 | | goto end; |
1660 | | |
1661 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1662 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1663 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1664 | | goto end; |
1665 | | for (i = 0; i < (value1 / 8); i++) { |
1666 | | if (sig->proto.proto[i] != 0xFF) |
1667 | | goto end; |
1668 | | } |
1669 | | if (sig->proto.proto[value1 / 8] != 0x03) { |
1670 | | goto end; |
1671 | | } |
1672 | | for (i = (value1 / 8) + 1; i < 256 / 8; i++) { |
1673 | | if (sig->proto.proto[i] != 0) |
1674 | | goto end; |
1675 | | } |
1676 | | if (DetectIPProtoSetup(NULL, sig, value2_str) == 0) |
1677 | | goto end; |
1678 | | |
1679 | | result = 1; |
1680 | | |
1681 | | end: |
1682 | | SigFree(NULL, sig); |
1683 | | return result; |
1684 | | } |
1685 | | |
1686 | | static int DetectIPProtoTestSetup130(void) |
1687 | | { |
1688 | | int result = 0; |
1689 | | Signature *sig; |
1690 | | const char *value1_str = "<10"; |
1691 | | const char *value2_str = ">10"; |
1692 | | int value2 = 10; |
1693 | | int i; |
1694 | | |
1695 | | if ((sig = SigAlloc()) == NULL) |
1696 | | goto end; |
1697 | | |
1698 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1699 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1700 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1701 | | goto end; |
1702 | | if (DetectIPProtoSetup(NULL, sig, value1_str) == 0) |
1703 | | goto end; |
1704 | | for (i = 0; i < (value2 / 8); i++) { |
1705 | | if (sig->proto.proto[i] != 0) |
1706 | | goto end; |
1707 | | } |
1708 | | if (sig->proto.proto[value2 / 8] != 0xF8) { |
1709 | | goto end; |
1710 | | } |
1711 | | for (i = (value2 / 8) + 1; i < 256 / 8; i++) { |
1712 | | if (sig->proto.proto[i] != 0xFF) |
1713 | | goto end; |
1714 | | } |
1715 | | |
1716 | | result = 1; |
1717 | | |
1718 | | end: |
1719 | | SigFree(NULL, sig); |
1720 | | return result; |
1721 | | } |
1722 | | |
1723 | | static int DetectIPProtoTestSetup131(void) |
1724 | | { |
1725 | | int result = 0; |
1726 | | Signature *sig; |
1727 | | const char *value1_str = "<10"; |
1728 | | int value1 = 10; |
1729 | | const char *value2_str = "!10"; |
1730 | | int i; |
1731 | | |
1732 | | if ((sig = SigAlloc()) == NULL) |
1733 | | goto end; |
1734 | | |
1735 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1736 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1737 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1738 | | goto end; |
1739 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1740 | | goto end; |
1741 | | for (i = 0; i < (value1 / 8); i++) { |
1742 | | if (sig->proto.proto[i] != 0xFF) |
1743 | | goto end; |
1744 | | } |
1745 | | if (sig->proto.proto[value1 / 8] != 0x03) { |
1746 | | goto end; |
1747 | | } |
1748 | | for (i = (value1 / 8) + 1; i < 256 / 8; i++) { |
1749 | | if (sig->proto.proto[i] != 0x0) |
1750 | | goto end; |
1751 | | } |
1752 | | |
1753 | | result = 1; |
1754 | | |
1755 | | end: |
1756 | | SigFree(NULL, sig); |
1757 | | return result; |
1758 | | } |
1759 | | |
1760 | | static int DetectIPProtoTestSetup132(void) |
1761 | | { |
1762 | | int result = 0; |
1763 | | Signature *sig; |
1764 | | const char *value1_str = "<10"; |
1765 | | int value1 = 10; |
1766 | | const char *value2_str = "!10"; |
1767 | | int i; |
1768 | | |
1769 | | if ((sig = SigAlloc()) == NULL) |
1770 | | goto end; |
1771 | | |
1772 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1773 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1774 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1775 | | goto end; |
1776 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1777 | | goto end; |
1778 | | for (i = 0; i < (value1 / 8); i++) { |
1779 | | if (sig->proto.proto[i] != 0xFF) |
1780 | | goto end; |
1781 | | } |
1782 | | if (sig->proto.proto[value1 / 8] != 0x03) { |
1783 | | goto end; |
1784 | | } |
1785 | | for (i = (value1 / 8) + 1; i < 256 / 8; i++) { |
1786 | | if (sig->proto.proto[i] != 0x0) |
1787 | | goto end; |
1788 | | } |
1789 | | |
1790 | | result = 1; |
1791 | | |
1792 | | end: |
1793 | | SigFree(NULL, sig); |
1794 | | return result; |
1795 | | } |
1796 | | |
1797 | | static int DetectIPProtoTestSetup145(void) |
1798 | | { |
1799 | | int result = 0; |
1800 | | Signature *sig; |
1801 | | const char *value1_str = "!4"; |
1802 | | const char *value2_str = ">8"; |
1803 | | const char *value3_str = "!10"; |
1804 | | const char *value4_str = "!14"; |
1805 | | const char *value5_str = "!27"; |
1806 | | const char *value6_str = "!29"; |
1807 | | const char *value7_str = "!30"; |
1808 | | const char *value8_str = "!34"; |
1809 | | const char *value9_str = "<36"; |
1810 | | const char *value10_str = "!38"; |
1811 | | int value10 = 38; |
1812 | | |
1813 | | int i; |
1814 | | |
1815 | | if ((sig = SigAlloc()) == NULL) |
1816 | | goto end; |
1817 | | |
1818 | | sig->init_data->init_flags |= SIG_FLAG_INIT_FIRST_IPPROTO_SEEN; |
1819 | | sig->proto.flags |= DETECT_PROTO_ANY; |
1820 | | if (DetectIPProtoSetup(NULL, sig, value5_str) != 0) |
1821 | | goto end; |
1822 | | if (DetectIPProtoSetup(NULL, sig, value8_str) != 0) |
1823 | | goto end; |
1824 | | if (DetectIPProtoSetup(NULL, sig, value2_str) != 0) |
1825 | | goto end; |
1826 | | if (DetectIPProtoSetup(NULL, sig, value10_str) != 0) |
1827 | | goto end; |
1828 | | if (DetectIPProtoSetup(NULL, sig, value1_str) != 0) |
1829 | | goto end; |
1830 | | if (DetectIPProtoSetup(NULL, sig, value6_str) != 0) |
1831 | | goto end; |
1832 | | if (DetectIPProtoSetup(NULL, sig, value9_str) != 0) |
1833 | | goto end; |
1834 | | if (DetectIPProtoSetup(NULL, sig, value4_str) != 0) |
1835 | | goto end; |
1836 | | if (DetectIPProtoSetup(NULL, sig, value3_str) != 0) |
1837 | | goto end; |
1838 | | if (DetectIPProtoSetup(NULL, sig, value7_str) != 0) |
1839 | | goto end; |
1840 | | if (sig->proto.proto[0] != 0) { |
1841 | | goto end; |
1842 | | } |
1843 | | if (sig->proto.proto[1] != 0xBA) { |
1844 | | goto end; |
1845 | | } |
1846 | | if (sig->proto.proto[2] != 0xFF) { |
1847 | | goto end; |
1848 | | } |
1849 | | if (sig->proto.proto[3] != 0x97) { |
1850 | | goto end; |
1851 | | } |
1852 | | if (sig->proto.proto[4] != 0x0B) { |
1853 | | goto end; |
1854 | | } |
1855 | | for (i = (value10 / 8) + 1; i < 256 / 8; i++) { |
1856 | | if (sig->proto.proto[i] != 0) |
1857 | | goto end; |
1858 | | } |
1859 | | |
1860 | | result = 1; |
1861 | | |
1862 | | end: |
1863 | | SigFree(NULL, sig); |
1864 | | return result; |
1865 | | } |
1866 | | |
1867 | | static int DetectIPProtoTestSig1(void) |
1868 | | { |
1869 | | int result = 0; |
1870 | | uint8_t *buf = (uint8_t *) |
1871 | | "GET /one/ HTTP/1.1\r\n" |
1872 | | "Host: one.example.org\r\n" |
1873 | | "\r\n"; |
1874 | | uint16_t buflen = strlen((char *)buf); |
1875 | | Packet *p = UTHBuildPacket((uint8_t *)buf, buflen, IPPROTO_TCP); |
1876 | | if (p == NULL) |
1877 | | return 0; |
1878 | | |
1879 | | const char *sigs[4]; |
1880 | | sigs[0] = "alert ip any any -> any any " |
1881 | | "(msg:\"Not tcp\"; ip_proto:!tcp; content:\"GET \"; sid:1;)"; |
1882 | | sigs[1] = "alert ip any any -> any any " |
1883 | | "(msg:\"Less than 7\"; content:\"GET \"; ip_proto:<7; sid:2;)"; |
1884 | | sigs[2] = "alert ip any any -> any any " |
1885 | | "(msg:\"Greater than 5\"; content:\"GET \"; ip_proto:>5; sid:3;)"; |
1886 | | sigs[3] = "alert ip any any -> any any " |
1887 | | "(msg:\"Equals tcp\"; content:\"GET \"; ip_proto:tcp; sid:4;)"; |
1888 | | |
1889 | | /* sids to match */ |
1890 | | uint32_t sid[4] = {1, 2, 3, 4}; |
1891 | | /* expected matches for each sid within this packet we are testing */ |
1892 | | uint32_t results[4] = {0, 1, 1, 1}; |
1893 | | |
1894 | | /* remember that UTHGenericTest expect the first parameter |
1895 | | * as an array of packet pointers. And also a bidimensional array of results |
1896 | | * For example: |
1897 | | * results[numpacket][position] should hold the number of times |
1898 | | * that the sid at sid[position] matched that packet (should be always 1..) |
1899 | | * But here we built it as unidimensional array |
1900 | | */ |
1901 | | result = UTHGenericTest(&p, 1, sigs, sid, results, 4); |
1902 | | |
1903 | | UTHFreePacket(p); |
1904 | | return result; |
1905 | | } |
1906 | | |
1907 | | static int DetectIPProtoTestSig2(void) |
1908 | | { |
1909 | | int result = 0; |
1910 | | |
1911 | | uint8_t raw_eth[] = { |
1912 | | 0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26, |
1913 | | 0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0, |
1914 | | 0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67, |
1915 | | 0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00, |
1916 | | 0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01, |
1917 | | 0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04, |
1918 | | 0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04, |
1919 | | 0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04, |
1920 | | 0x4a, 0xea, 0x7a, 0x8e, |
1921 | | }; |
1922 | | |
1923 | | Packet *p = PacketGetFromAlloc(); |
1924 | | if (unlikely(p == NULL)) |
1925 | | return 0; |
1926 | | |
1927 | | DecodeThreadVars dtv; |
1928 | | ThreadVars th_v; |
1929 | | DetectEngineThreadCtx *det_ctx = NULL; |
1930 | | |
1931 | | p->proto = 0; |
1932 | | memset(&dtv, 0, sizeof(DecodeThreadVars)); |
1933 | | memset(&th_v, 0, sizeof(th_v)); |
1934 | | |
1935 | | FlowInitConfig(FLOW_QUIET); |
1936 | | DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth)); |
1937 | | |
1938 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
1939 | | if (de_ctx == NULL) { |
1940 | | goto end; |
1941 | | } |
1942 | | |
1943 | | de_ctx->mpm_matcher = mpm_default_matcher; |
1944 | | de_ctx->flags |= DE_QUIET; |
1945 | | |
1946 | | de_ctx->sig_list = SigInit(de_ctx, |
1947 | | "alert ip any any -> any any (msg:\"Check ipproto usage\"; " |
1948 | | "ip_proto:!103; sid:1;)"); |
1949 | | if (de_ctx->sig_list == NULL) { |
1950 | | result = 0; |
1951 | | goto end; |
1952 | | } |
1953 | | |
1954 | | SigGroupBuild(de_ctx); |
1955 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
1956 | | |
1957 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
1958 | | if (PacketAlertCheck(p, 1) == 0) { |
1959 | | result = 1; |
1960 | | goto end; |
1961 | | } else { |
1962 | | result = 0; |
1963 | | } |
1964 | | |
1965 | | SigGroupCleanup(de_ctx); |
1966 | | SigCleanSignatures(de_ctx); |
1967 | | |
1968 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
1969 | | DetectEngineCtxFree(de_ctx); |
1970 | | FlowShutdown(); |
1971 | | |
1972 | | SCFree(p); |
1973 | | return result; |
1974 | | |
1975 | | end: |
1976 | | if (de_ctx) { |
1977 | | SigGroupCleanup(de_ctx); |
1978 | | SigCleanSignatures(de_ctx); |
1979 | | } |
1980 | | |
1981 | | if (det_ctx) |
1982 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
1983 | | if (de_ctx) |
1984 | | DetectEngineCtxFree(de_ctx); |
1985 | | |
1986 | | FlowShutdown(); |
1987 | | SCFree(p); |
1988 | | |
1989 | | return result; |
1990 | | } |
1991 | | |
1992 | | static int DetectIPProtoTestSig3(void) |
1993 | | { |
1994 | | int result = 0; |
1995 | | |
1996 | | uint8_t raw_eth[] = { |
1997 | | 0x01, 0x00, 0x5e, 0x00, 0x00, 0x0d, 0x00, 0x26, |
1998 | | 0x88, 0x61, 0x3a, 0x80, 0x08, 0x00, 0x45, 0xc0, |
1999 | | 0x00, 0x36, 0xe4, 0xcd, 0x00, 0x00, 0x01, 0x67, |
2000 | | 0xc7, 0xab, 0xac, 0x1c, 0x7f, 0xfe, 0xe0, 0x00, |
2001 | | 0x00, 0x0d, 0x20, 0x00, 0x90, 0x20, 0x00, 0x01, |
2002 | | 0x00, 0x02, 0x00, 0x69, 0x00, 0x02, 0x00, 0x04, |
2003 | | 0x81, 0xf4, 0x07, 0xd0, 0x00, 0x13, 0x00, 0x04, |
2004 | | 0x00, 0x00, 0x00, 0x01, 0x00, 0x14, 0x00, 0x04, |
2005 | | 0x4a, 0xea, 0x7a, 0x8e, |
2006 | | }; |
2007 | | |
2008 | | Packet *p = UTHBuildPacket((uint8_t *)"boom", 4, IPPROTO_TCP); |
2009 | | if (p == NULL) |
2010 | | return 0; |
2011 | | |
2012 | | DecodeThreadVars dtv; |
2013 | | ThreadVars th_v; |
2014 | | DetectEngineThreadCtx *det_ctx = NULL; |
2015 | | |
2016 | | p->proto = 0; |
2017 | | memset(&dtv, 0, sizeof(DecodeThreadVars)); |
2018 | | memset(&th_v, 0, sizeof(th_v)); |
2019 | | |
2020 | | FlowInitConfig(FLOW_QUIET); |
2021 | | DecodeEthernet(&th_v, &dtv, p, raw_eth, sizeof(raw_eth)); |
2022 | | |
2023 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
2024 | | if (de_ctx == NULL) { |
2025 | | goto end; |
2026 | | } |
2027 | | |
2028 | | de_ctx->mpm_matcher = mpm_default_matcher; |
2029 | | de_ctx->flags |= DE_QUIET; |
2030 | | |
2031 | | de_ctx->sig_list = SigInit(de_ctx, |
2032 | | "alert ip any any -> any any (msg:\"Check ipproto usage\"; " |
2033 | | "ip_proto:103; sid:1;)"); |
2034 | | if (de_ctx->sig_list == NULL) { |
2035 | | result = 0; |
2036 | | goto end; |
2037 | | } |
2038 | | |
2039 | | SigGroupBuild(de_ctx); |
2040 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
2041 | | |
2042 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
2043 | | if (!PacketAlertCheck(p, 1)) { |
2044 | | result = 0; |
2045 | | goto end; |
2046 | | } else { |
2047 | | result = 1; |
2048 | | } |
2049 | | |
2050 | | SigGroupCleanup(de_ctx); |
2051 | | SigCleanSignatures(de_ctx); |
2052 | | |
2053 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
2054 | | DetectEngineCtxFree(de_ctx); |
2055 | | FlowShutdown(); |
2056 | | |
2057 | | SCFree(p); |
2058 | | return result; |
2059 | | |
2060 | | end: |
2061 | | if (de_ctx) { |
2062 | | SigGroupCleanup(de_ctx); |
2063 | | SigCleanSignatures(de_ctx); |
2064 | | } |
2065 | | |
2066 | | if (det_ctx) |
2067 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
2068 | | if (de_ctx) |
2069 | | DetectEngineCtxFree(de_ctx); |
2070 | | |
2071 | | FlowShutdown(); |
2072 | | SCFree(p); |
2073 | | |
2074 | | return result; |
2075 | | } |
2076 | | |
2077 | | /** |
2078 | | * \internal |
2079 | | * \brief Register ip_proto tests. |
2080 | | */ |
2081 | | static void DetectIPProtoRegisterTests(void) |
2082 | | { |
2083 | | UtRegisterTest("DetectIPProtoTestParse01", DetectIPProtoTestParse01); |
2084 | | UtRegisterTest("DetectIPProtoTestParse02", DetectIPProtoTestParse02); |
2085 | | UtRegisterTest("DetectIPProtoTestSetup01", DetectIPProtoTestSetup01); |
2086 | | UtRegisterTest("DetectIPProtoTestSetup02", DetectIPProtoTestSetup02); |
2087 | | UtRegisterTest("DetectIPProtoTestSetup03", DetectIPProtoTestSetup03); |
2088 | | UtRegisterTest("DetectIPProtoTestSetup04", DetectIPProtoTestSetup04); |
2089 | | UtRegisterTest("DetectIPProtoTestSetup05", DetectIPProtoTestSetup05); |
2090 | | UtRegisterTest("DetectIPProtoTestSetup06", DetectIPProtoTestSetup06); |
2091 | | UtRegisterTest("DetectIPProtoTestSetup07", DetectIPProtoTestSetup07); |
2092 | | UtRegisterTest("DetectIPProtoTestSetup08", DetectIPProtoTestSetup08); |
2093 | | UtRegisterTest("DetectIPProtoTestSetup09", DetectIPProtoTestSetup09); |
2094 | | UtRegisterTest("DetectIPProtoTestSetup10", DetectIPProtoTestSetup10); |
2095 | | UtRegisterTest("DetectIPProtoTestSetup11", DetectIPProtoTestSetup11); |
2096 | | UtRegisterTest("DetectIPProtoTestSetup12", DetectIPProtoTestSetup12); |
2097 | | UtRegisterTest("DetectIPProtoTestSetup13", DetectIPProtoTestSetup13); |
2098 | | UtRegisterTest("DetectIPProtoTestSetup14", DetectIPProtoTestSetup14); |
2099 | | UtRegisterTest("DetectIPProtoTestSetup15", DetectIPProtoTestSetup15); |
2100 | | UtRegisterTest("DetectIPProtoTestSetup16", DetectIPProtoTestSetup16); |
2101 | | UtRegisterTest("DetectIPProtoTestSetup17", DetectIPProtoTestSetup17); |
2102 | | UtRegisterTest("DetectIPProtoTestSetup18", DetectIPProtoTestSetup18); |
2103 | | UtRegisterTest("DetectIPProtoTestSetup19", DetectIPProtoTestSetup19); |
2104 | | UtRegisterTest("DetectIPProtoTestSetup20", DetectIPProtoTestSetup20); |
2105 | | UtRegisterTest("DetectIPProtoTestSetup21", DetectIPProtoTestSetup21); |
2106 | | UtRegisterTest("DetectIPProtoTestSetup22", DetectIPProtoTestSetup22); |
2107 | | UtRegisterTest("DetectIPProtoTestSetup23", DetectIPProtoTestSetup23); |
2108 | | UtRegisterTest("DetectIPProtoTestSetup24", DetectIPProtoTestSetup24); |
2109 | | UtRegisterTest("DetectIPProtoTestSetup33", DetectIPProtoTestSetup33); |
2110 | | UtRegisterTest("DetectIPProtoTestSetup34", DetectIPProtoTestSetup34); |
2111 | | UtRegisterTest("DetectIPProtoTestSetup36", DetectIPProtoTestSetup36); |
2112 | | UtRegisterTest("DetectIPProtoTestSetup43", DetectIPProtoTestSetup43); |
2113 | | UtRegisterTest("DetectIPProtoTestSetup44", DetectIPProtoTestSetup44); |
2114 | | UtRegisterTest("DetectIPProtoTestSetup45", DetectIPProtoTestSetup45); |
2115 | | UtRegisterTest("DetectIPProtoTestSetup56", DetectIPProtoTestSetup56); |
2116 | | UtRegisterTest("DetectIPProtoTestSetup75", DetectIPProtoTestSetup75); |
2117 | | UtRegisterTest("DetectIPProtoTestSetup76", DetectIPProtoTestSetup76); |
2118 | | UtRegisterTest("DetectIPProtoTestSetup129", DetectIPProtoTestSetup129); |
2119 | | UtRegisterTest("DetectIPProtoTestSetup130", DetectIPProtoTestSetup130); |
2120 | | UtRegisterTest("DetectIPProtoTestSetup131", DetectIPProtoTestSetup131); |
2121 | | UtRegisterTest("DetectIPProtoTestSetup132", DetectIPProtoTestSetup132); |
2122 | | UtRegisterTest("DetectIPProtoTestSetup145", DetectIPProtoTestSetup145); |
2123 | | |
2124 | | UtRegisterTest("DetectIPProtoTestSig1", DetectIPProtoTestSig1); |
2125 | | UtRegisterTest("DetectIPProtoTestSig2", DetectIPProtoTestSig2); |
2126 | | UtRegisterTest("DetectIPProtoTestSig3", DetectIPProtoTestSig3); |
2127 | | } |
2128 | | #endif /* UNITTESTS */ |