/src/suricata7/src/detect-iprep.c
Line | Count | Source |
1 | | /* Copyright (C) 2012-2021 Open Information Security Foundation |
2 | | * |
3 | | * You can copy, redistribute or modify this Program under the terms of |
4 | | * the GNU General Public License version 2 as published by the Free |
5 | | * Software Foundation. |
6 | | * |
7 | | * This program is distributed in the hope that it will be useful, |
8 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
9 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
10 | | * GNU General Public License for more details. |
11 | | * |
12 | | * You should have received a copy of the GNU General Public License |
13 | | * version 2 along with this program; if not, write to the Free Software |
14 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
15 | | * 02110-1301, USA. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \file |
20 | | * |
21 | | * \author Victor Julien <victor@inliniac.net> |
22 | | * |
23 | | * Implements the iprep keyword |
24 | | */ |
25 | | |
26 | | #include "suricata-common.h" |
27 | | #include "decode.h" |
28 | | #include "detect.h" |
29 | | #include "threads.h" |
30 | | #include "flow.h" |
31 | | #include "flow-bit.h" |
32 | | #include "flow-util.h" |
33 | | #include "detect-iprep.h" |
34 | | #include "util-spm.h" |
35 | | |
36 | | #include "app-layer-parser.h" |
37 | | |
38 | | #include "detect-parse.h" |
39 | | #include "detect-engine.h" |
40 | | #include "detect-engine-mpm.h" |
41 | | #include "detect-engine-state.h" |
42 | | #include "detect-engine-uint.h" |
43 | | #include "detect-engine-build.h" |
44 | | |
45 | | #include "util-debug.h" |
46 | | #include "util-byte.h" |
47 | | #include "util-unittest.h" |
48 | | #include "util-unittest-helper.h" |
49 | | #include "util-fmemopen.h" |
50 | | #include "util-validate.h" |
51 | | |
52 | | #include "reputation.h" |
53 | | #include "host.h" |
54 | | |
55 | | static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *, |
56 | | const Signature *, const SigMatchCtx *); |
57 | | static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *); |
58 | | void DetectIPRepFree (DetectEngineCtx *, void *); |
59 | | #ifdef UNITTESTS |
60 | | static void IPRepRegisterTests(void); |
61 | | #endif |
62 | | |
63 | | void DetectIPRepRegister (void) |
64 | 73 | { |
65 | 73 | sigmatch_table[DETECT_IPREP].name = "iprep"; |
66 | 73 | sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host"; |
67 | 73 | sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep"; |
68 | 73 | sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch; |
69 | 73 | sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup; |
70 | 73 | sigmatch_table[DETECT_IPREP].Free = DetectIPRepFree; |
71 | | #ifdef UNITTESTS |
72 | | sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests; |
73 | | #endif |
74 | | /* this is compatible to ip-only signatures */ |
75 | 73 | sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT; |
76 | 73 | } |
77 | | |
78 | | static inline int8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version) |
79 | 0 | { |
80 | | /* allow higher versions as this happens during |
81 | | * rule reload */ |
82 | 0 | if (r != NULL && r->version >= version) { |
83 | 0 | return r->rep[cat]; |
84 | 0 | } |
85 | 0 | return -1; |
86 | 0 | } |
87 | | |
88 | | /** \returns: -2 no host, -1 no rep entry, 0-127 rep values */ |
89 | | static int8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version) |
90 | 0 | { |
91 | 0 | if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) { |
92 | 0 | return -2; |
93 | 0 | } else if (p->host_src != NULL) { |
94 | 0 | Host *h = (Host *)p->host_src; |
95 | 0 | HostLock(h); |
96 | | /* use_cnt: 1 for having iprep, 1 for packet ref */ |
97 | 0 | DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2); |
98 | 0 | int8_t val = GetRep(h->iprep, cat, version); |
99 | 0 | HostUnlock(h); |
100 | 0 | return val; |
101 | 0 | } else { |
102 | 0 | Host *h = HostLookupHostFromHash(&(p->src)); |
103 | 0 | p->flags |= PKT_HOST_SRC_LOOKED_UP; |
104 | 0 | if (h == NULL) |
105 | 0 | return -2; |
106 | 0 | HostReference(&p->host_src, h); |
107 | | /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash, |
108 | | * 1 for HostReference to packet */ |
109 | 0 | DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3); |
110 | 0 | int8_t val = GetRep(h->iprep, cat, version); |
111 | 0 | HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */ |
112 | 0 | return val; |
113 | 0 | } |
114 | 0 | } |
115 | | |
116 | | static int8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version) |
117 | 0 | { |
118 | 0 | if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) { |
119 | 0 | return -2; |
120 | 0 | } else if (p->host_dst != NULL) { |
121 | 0 | Host *h = (Host *)p->host_dst; |
122 | 0 | HostLock(h); |
123 | | /* use_cnt: 1 for having iprep, 1 for packet ref */ |
124 | 0 | DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2); |
125 | 0 | int8_t val = GetRep(h->iprep, cat, version); |
126 | 0 | HostUnlock(h); |
127 | 0 | return val; |
128 | 0 | } else { |
129 | 0 | Host *h = HostLookupHostFromHash(&(p->dst)); |
130 | 0 | p->flags |= PKT_HOST_DST_LOOKED_UP; |
131 | 0 | if (h == NULL) |
132 | 0 | return -2; |
133 | 0 | HostReference(&p->host_dst, h); |
134 | | /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash, |
135 | | * 1 for HostReference to packet */ |
136 | 0 | DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3); |
137 | 0 | int8_t val = GetRep(h->iprep, cat, version); |
138 | 0 | HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */ |
139 | 0 | return val; |
140 | 0 | } |
141 | 0 | } |
142 | | |
143 | | /* |
144 | | * returns 0: no match |
145 | | * 1: match |
146 | | * -1: error |
147 | | */ |
148 | | static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p, |
149 | | const Signature *s, const SigMatchCtx *ctx) |
150 | 0 | { |
151 | 0 | const DetectIPRepData *rd = (const DetectIPRepData *)ctx; |
152 | 0 | if (rd == NULL) |
153 | 0 | return 0; |
154 | | |
155 | 0 | uint32_t version = det_ctx->de_ctx->srep_version; |
156 | 0 | int8_t val = 0; |
157 | |
|
158 | 0 | SCLogDebug("rd->cmd %u", rd->cmd); |
159 | 0 | switch (rd->cmd) { |
160 | 0 | case IPRepCmdAny: |
161 | 0 | if (!rd->isnotset) { |
162 | 0 | val = GetHostRepSrc(p, rd->cat, version); |
163 | 0 | if (val < 0) |
164 | 0 | val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
165 | 0 | if (val >= 0) { |
166 | 0 | if (DetectU8Match((uint8_t)val, &rd->du8)) |
167 | 0 | return 1; |
168 | 0 | } |
169 | 0 | val = GetHostRepDst(p, rd->cat, version); |
170 | 0 | if (val < 0) |
171 | 0 | val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
172 | 0 | if (val >= 0) { |
173 | 0 | return DetectU8Match((uint8_t)val, &rd->du8); |
174 | 0 | } |
175 | 0 | } else { |
176 | | /* isnotset for any */ |
177 | |
|
178 | 0 | val = GetHostRepSrc(p, rd->cat, version); |
179 | 0 | if (val < 0) |
180 | 0 | val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
181 | 0 | if (val < 0) { |
182 | 0 | return 1; |
183 | 0 | } |
184 | 0 | val = GetHostRepDst(p, rd->cat, version); |
185 | 0 | if (val < 0) |
186 | 0 | val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
187 | 0 | if (val < 0) { |
188 | 0 | return 1; |
189 | 0 | } |
190 | | /* both have a value, so none 'isnotset' */ |
191 | 0 | return 0; |
192 | 0 | } |
193 | 0 | break; |
194 | | |
195 | 0 | case IPRepCmdSrc: |
196 | 0 | val = GetHostRepSrc(p, rd->cat, version); |
197 | 0 | SCLogDebug("checking src -- val %d (looking for cat %u, val %u)", val, rd->cat, |
198 | 0 | rd->du8.arg1); |
199 | 0 | if (val < 0) |
200 | 0 | val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
201 | 0 | if (val >= 0) { |
202 | 0 | return DetectU8Match((uint8_t)val, &rd->du8); |
203 | 0 | } |
204 | | /* implied: no value found */ |
205 | 0 | if (rd->isnotset) { |
206 | 0 | return 1; |
207 | 0 | } |
208 | 0 | break; |
209 | | |
210 | 0 | case IPRepCmdDst: |
211 | 0 | SCLogDebug("checking dst"); |
212 | 0 | val = GetHostRepDst(p, rd->cat, version); |
213 | 0 | if (val < 0) |
214 | 0 | val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
215 | 0 | if (val >= 0) { |
216 | 0 | return DetectU8Match((uint8_t)val, &rd->du8); |
217 | 0 | } |
218 | | /* implied: no value found */ |
219 | 0 | if (rd->isnotset) { |
220 | 0 | return 1; |
221 | 0 | } |
222 | 0 | break; |
223 | | |
224 | 0 | case IPRepCmdBoth: |
225 | 0 | if (!rd->isnotset) { |
226 | 0 | val = GetHostRepSrc(p, rd->cat, version); |
227 | 0 | if (val < 0) |
228 | 0 | val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
229 | 0 | if (val < 0 || DetectU8Match((uint8_t)val, &rd->du8) == 0) |
230 | 0 | return 0; |
231 | 0 | val = GetHostRepDst(p, rd->cat, version); |
232 | 0 | if (val < 0) |
233 | 0 | val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
234 | 0 | if (val >= 0) { |
235 | 0 | return DetectU8Match((uint8_t)val, &rd->du8); |
236 | 0 | } |
237 | 0 | } else { |
238 | 0 | val = GetHostRepSrc(p, rd->cat, version); |
239 | 0 | if (val >= 0) |
240 | 0 | return 0; |
241 | 0 | val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
242 | 0 | if (val >= 0) |
243 | 0 | return 0; |
244 | 0 | val = GetHostRepDst(p, rd->cat, version); |
245 | 0 | if (val >= 0) |
246 | 0 | return 0; |
247 | 0 | val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); |
248 | 0 | if (val >= 0) |
249 | 0 | return 0; |
250 | 0 | return 1; |
251 | 0 | } |
252 | 0 | break; |
253 | 0 | } |
254 | | |
255 | 0 | return 0; |
256 | 0 | } |
257 | | |
258 | | int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) |
259 | 1.55k | { |
260 | 1.55k | SigMatch *sm = NULL; |
261 | | |
262 | 1.55k | DetectIPRepData *cd = rs_detect_iprep_parse(rawstr); |
263 | 1.55k | if (cd == NULL) { |
264 | 1.55k | SCLogError("\"%s\" is not a valid setting for iprep", rawstr); |
265 | 1.55k | goto error; |
266 | 1.55k | } |
267 | | |
268 | 0 | SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1); |
269 | | |
270 | | /* Okay so far so good, lets get this into a SigMatch |
271 | | * and put it in the Signature. */ |
272 | 0 | sm = SigMatchAlloc(); |
273 | 0 | if (sm == NULL) |
274 | 0 | goto error; |
275 | | |
276 | 0 | sm->type = DETECT_IPREP; |
277 | 0 | sm->ctx = (SigMatchCtx *)cd; |
278 | |
|
279 | 0 | SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); |
280 | |
|
281 | 0 | return 0; |
282 | | |
283 | 1.55k | error: |
284 | 1.55k | if (cd != NULL) |
285 | 0 | DetectIPRepFree(de_ctx, cd); |
286 | 1.55k | if (sm != NULL) |
287 | 0 | SCFree(sm); |
288 | 1.55k | return -1; |
289 | 0 | } |
290 | | |
291 | | void DetectIPRepFree (DetectEngineCtx *de_ctx, void *ptr) |
292 | 0 | { |
293 | 0 | DetectIPRepData *fd = (DetectIPRepData *)ptr; |
294 | 0 | if (fd == NULL) |
295 | 0 | return; |
296 | | |
297 | 0 | rs_detect_iprep_free(fd); |
298 | 0 | } |
299 | | |
300 | | #ifdef UNITTESTS |
301 | | #include "packet.h" |
302 | | #include "action-globals.h" |
303 | | |
304 | | static FILE *DetectIPRepGenerateCategoriesDummy(void) |
305 | | { |
306 | | FILE *fd = NULL; |
307 | | const char *buffer = "1,BadHosts,Know bad hosts"; |
308 | | |
309 | | fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); |
310 | | if (fd == NULL) |
311 | | SCLogDebug("Error with SCFmemopen()"); |
312 | | |
313 | | return fd; |
314 | | } |
315 | | |
316 | | static FILE *DetectIPRepGenerateCategoriesDummy2(void) |
317 | | { |
318 | | FILE *fd = NULL; |
319 | | const char *buffer = |
320 | | "1,BadHosts,Know bad hosts\n" |
321 | | "2,GoodHosts,Know good hosts\n"; |
322 | | |
323 | | fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); |
324 | | if (fd == NULL) |
325 | | SCLogDebug("Error with SCFmemopen()"); |
326 | | |
327 | | return fd; |
328 | | } |
329 | | |
330 | | static FILE *DetectIPRepGenerateNetworksDummy(void) |
331 | | { |
332 | | FILE *fd = NULL; |
333 | | const char *buffer = "10.0.0.0/24,1,20"; |
334 | | |
335 | | fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); |
336 | | if (fd == NULL) |
337 | | SCLogDebug("Error with SCFmemopen()"); |
338 | | |
339 | | return fd; |
340 | | } |
341 | | |
342 | | static FILE *DetectIPRepGenerateNetworksDummy2(void) |
343 | | { |
344 | | FILE *fd = NULL; |
345 | | const char *buffer = |
346 | | "0.0.0.0/0,1,10\n" |
347 | | "192.168.0.0/16,2,127"; |
348 | | |
349 | | fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); |
350 | | if (fd == NULL) |
351 | | SCLogDebug("Error with SCFmemopen()"); |
352 | | |
353 | | return fd; |
354 | | } |
355 | | |
356 | | static int DetectIPRepTest01(void) |
357 | | { |
358 | | ThreadVars th_v; |
359 | | DetectEngineThreadCtx *det_ctx = NULL; |
360 | | Signature *sig = NULL; |
361 | | FILE *fd = NULL; |
362 | | int r = 0; |
363 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
364 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
365 | | |
366 | | HostInitConfig(HOST_QUIET); |
367 | | memset(&th_v, 0, sizeof(th_v)); |
368 | | |
369 | | FAIL_IF_NULL(de_ctx); |
370 | | FAIL_IF_NULL(p); |
371 | | |
372 | | p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1"); |
373 | | de_ctx->flags |= DE_QUIET; |
374 | | |
375 | | SRepInit(de_ctx); |
376 | | SRepResetVersion(); |
377 | | |
378 | | fd = DetectIPRepGenerateCategoriesDummy(); |
379 | | r = SRepLoadCatFileFromFD(fd); |
380 | | FAIL_IF(r < 0); |
381 | | |
382 | | fd = DetectIPRepGenerateNetworksDummy(); |
383 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
384 | | FAIL_IF(r < 0); |
385 | | |
386 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
387 | | "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)"); |
388 | | FAIL_IF_NULL(sig); |
389 | | |
390 | | SigGroupBuild(de_ctx); |
391 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
392 | | |
393 | | p->alerts.cnt = 0; |
394 | | p->action = 0; |
395 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
396 | | |
397 | | FAIL_IF(p->alerts.cnt != 1); |
398 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
399 | | |
400 | | UTHFreePacket(p); |
401 | | |
402 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
403 | | DetectEngineCtxFree(de_ctx); |
404 | | |
405 | | HostShutdown(); |
406 | | PASS; |
407 | | } |
408 | | |
409 | | static int DetectIPRepTest02(void) |
410 | | { |
411 | | ThreadVars th_v; |
412 | | DetectEngineThreadCtx *det_ctx = NULL; |
413 | | Signature *sig = NULL; |
414 | | FILE *fd = NULL; |
415 | | int r = 0; |
416 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
417 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
418 | | |
419 | | HostInitConfig(HOST_QUIET); |
420 | | memset(&th_v, 0, sizeof(th_v)); |
421 | | |
422 | | FAIL_IF_NULL(de_ctx); |
423 | | FAIL_IF_NULL(p); |
424 | | |
425 | | p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1"); |
426 | | de_ctx->flags |= DE_QUIET; |
427 | | |
428 | | SRepInit(de_ctx); |
429 | | SRepResetVersion(); |
430 | | |
431 | | fd = DetectIPRepGenerateCategoriesDummy(); |
432 | | r = SRepLoadCatFileFromFD(fd); |
433 | | FAIL_IF(r < 0); |
434 | | |
435 | | fd = DetectIPRepGenerateNetworksDummy(); |
436 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
437 | | FAIL_IF(r < 0); |
438 | | |
439 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
440 | | "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)"); |
441 | | FAIL_IF_NULL(sig); |
442 | | |
443 | | SigGroupBuild(de_ctx); |
444 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
445 | | |
446 | | p->alerts.cnt = 0; |
447 | | p->action = 0; |
448 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
449 | | FAIL_IF(p->alerts.cnt != 1); |
450 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
451 | | |
452 | | UTHFreePacket(p); |
453 | | |
454 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
455 | | DetectEngineCtxFree(de_ctx); |
456 | | |
457 | | HostShutdown(); |
458 | | PASS; |
459 | | } |
460 | | |
461 | | static int DetectIPRepTest03(void) |
462 | | { |
463 | | ThreadVars th_v; |
464 | | DetectEngineThreadCtx *det_ctx = NULL; |
465 | | Signature *sig = NULL; |
466 | | FILE *fd = NULL; |
467 | | int r = 0; |
468 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
469 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
470 | | |
471 | | HostInitConfig(HOST_QUIET); |
472 | | memset(&th_v, 0, sizeof(th_v)); |
473 | | |
474 | | FAIL_IF_NULL(de_ctx); |
475 | | FAIL_IF_NULL(p); |
476 | | |
477 | | p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2"); |
478 | | de_ctx->flags |= DE_QUIET; |
479 | | |
480 | | SRepInit(de_ctx); |
481 | | SRepResetVersion(); |
482 | | |
483 | | fd = DetectIPRepGenerateCategoriesDummy(); |
484 | | r = SRepLoadCatFileFromFD(fd); |
485 | | FAIL_IF(r < 0); |
486 | | |
487 | | fd = DetectIPRepGenerateNetworksDummy(); |
488 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
489 | | FAIL_IF(r < 0); |
490 | | |
491 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
492 | | "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)"); |
493 | | FAIL_IF_NULL(sig); |
494 | | |
495 | | SigGroupBuild(de_ctx); |
496 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
497 | | |
498 | | p->alerts.cnt = 0; |
499 | | p->action = 0; |
500 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
501 | | FAIL_IF(p->alerts.cnt != 1); |
502 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
503 | | |
504 | | UTHFreePacket(p); |
505 | | |
506 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
507 | | DetectEngineCtxFree(de_ctx); |
508 | | |
509 | | HostShutdown(); |
510 | | PASS; |
511 | | } |
512 | | |
513 | | static int DetectIPRepTest04(void) |
514 | | { |
515 | | ThreadVars th_v; |
516 | | DetectEngineThreadCtx *det_ctx = NULL; |
517 | | Signature *sig = NULL; |
518 | | FILE *fd = NULL; |
519 | | int r = 0; |
520 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
521 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
522 | | |
523 | | HostInitConfig(HOST_QUIET); |
524 | | memset(&th_v, 0, sizeof(th_v)); |
525 | | |
526 | | FAIL_IF_NULL(de_ctx); |
527 | | FAIL_IF_NULL(p); |
528 | | |
529 | | p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1"); |
530 | | p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2"); |
531 | | de_ctx->flags |= DE_QUIET; |
532 | | |
533 | | SRepInit(de_ctx); |
534 | | SRepResetVersion(); |
535 | | |
536 | | fd = DetectIPRepGenerateCategoriesDummy(); |
537 | | r = SRepLoadCatFileFromFD(fd); |
538 | | FAIL_IF(r < 0); |
539 | | |
540 | | fd = DetectIPRepGenerateNetworksDummy(); |
541 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
542 | | FAIL_IF(r < 0); |
543 | | |
544 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
545 | | "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)"); |
546 | | FAIL_IF_NULL(sig); |
547 | | |
548 | | SigGroupBuild(de_ctx); |
549 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
550 | | |
551 | | p->alerts.cnt = 0; |
552 | | p->action = 0; |
553 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
554 | | FAIL_IF(p->alerts.cnt != 1); |
555 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
556 | | |
557 | | UTHFreePacket(p); |
558 | | |
559 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
560 | | DetectEngineCtxFree(de_ctx); |
561 | | |
562 | | HostShutdown(); |
563 | | PASS; |
564 | | } |
565 | | |
566 | | static int DetectIPRepTest05(void) |
567 | | { |
568 | | ThreadVars th_v; |
569 | | DetectEngineThreadCtx *det_ctx = NULL; |
570 | | Signature *sig = NULL; |
571 | | FILE *fd = NULL; |
572 | | int r = 0; |
573 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
574 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
575 | | |
576 | | HostInitConfig(HOST_QUIET); |
577 | | memset(&th_v, 0, sizeof(th_v)); |
578 | | |
579 | | FAIL_IF_NULL(de_ctx); |
580 | | FAIL_IF_NULL(p); |
581 | | |
582 | | p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1"); |
583 | | de_ctx->flags |= DE_QUIET; |
584 | | |
585 | | SRepInit(de_ctx); |
586 | | SRepResetVersion(); |
587 | | |
588 | | fd = DetectIPRepGenerateCategoriesDummy(); |
589 | | r = SRepLoadCatFileFromFD(fd); |
590 | | FAIL_IF(r < 0); |
591 | | |
592 | | fd = DetectIPRepGenerateNetworksDummy(); |
593 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
594 | | FAIL_IF(r < 0); |
595 | | |
596 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
597 | | "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); |
598 | | FAIL_IF_NULL(sig); |
599 | | |
600 | | SigGroupBuild(de_ctx); |
601 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
602 | | |
603 | | p->alerts.cnt = 0; |
604 | | p->action = 0; |
605 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
606 | | FAIL_IF(p->alerts.cnt != 0); |
607 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
608 | | |
609 | | UTHFreePacket(p); |
610 | | |
611 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
612 | | DetectEngineCtxFree(de_ctx); |
613 | | |
614 | | HostShutdown(); |
615 | | PASS; |
616 | | } |
617 | | |
618 | | static int DetectIPRepTest06(void) |
619 | | { |
620 | | ThreadVars th_v; |
621 | | DetectEngineThreadCtx *det_ctx = NULL; |
622 | | Signature *sig = NULL; |
623 | | FILE *fd = NULL; |
624 | | int r = 0; |
625 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
626 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
627 | | |
628 | | HostInitConfig(HOST_QUIET); |
629 | | memset(&th_v, 0, sizeof(th_v)); |
630 | | |
631 | | FAIL_IF_NULL(de_ctx); |
632 | | FAIL_IF_NULL(p); |
633 | | |
634 | | p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1"); |
635 | | de_ctx->flags |= DE_QUIET; |
636 | | |
637 | | SRepInit(de_ctx); |
638 | | SRepResetVersion(); |
639 | | |
640 | | fd = DetectIPRepGenerateCategoriesDummy(); |
641 | | r = SRepLoadCatFileFromFD(fd); |
642 | | FAIL_IF(r < 0); |
643 | | |
644 | | fd = DetectIPRepGenerateNetworksDummy2(); |
645 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
646 | | FAIL_IF(r < 0); |
647 | | |
648 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
649 | | "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); |
650 | | FAIL_IF_NULL(sig); |
651 | | |
652 | | SigGroupBuild(de_ctx); |
653 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
654 | | |
655 | | p->alerts.cnt = 0; |
656 | | p->action = 0; |
657 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
658 | | FAIL_IF(p->alerts.cnt != 1); |
659 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
660 | | |
661 | | UTHFreePacket(p); |
662 | | |
663 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
664 | | DetectEngineCtxFree(de_ctx); |
665 | | |
666 | | HostShutdown(); |
667 | | PASS; |
668 | | } |
669 | | |
670 | | static int DetectIPRepTest07(void) |
671 | | { |
672 | | ThreadVars th_v; |
673 | | DetectEngineThreadCtx *det_ctx = NULL; |
674 | | Signature *sig = NULL; |
675 | | FILE *fd = NULL; |
676 | | int r = 0; |
677 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
678 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
679 | | |
680 | | HostInitConfig(HOST_QUIET); |
681 | | memset(&th_v, 0, sizeof(th_v)); |
682 | | |
683 | | FAIL_IF_NULL(de_ctx); |
684 | | FAIL_IF_NULL(p); |
685 | | |
686 | | p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2"); |
687 | | de_ctx->flags |= DE_QUIET; |
688 | | |
689 | | SRepInit(de_ctx); |
690 | | SRepResetVersion(); |
691 | | |
692 | | fd = DetectIPRepGenerateCategoriesDummy(); |
693 | | r = SRepLoadCatFileFromFD(fd); |
694 | | FAIL_IF(r < 0); |
695 | | |
696 | | fd = DetectIPRepGenerateNetworksDummy2(); |
697 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
698 | | FAIL_IF(r < 0); |
699 | | |
700 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
701 | | "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); |
702 | | FAIL_IF_NULL(sig); |
703 | | |
704 | | SigGroupBuild(de_ctx); |
705 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
706 | | |
707 | | p->alerts.cnt = 0; |
708 | | p->action = 0; |
709 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
710 | | FAIL_IF(p->alerts.cnt != 1); |
711 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
712 | | |
713 | | UTHFreePacket(p); |
714 | | |
715 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
716 | | DetectEngineCtxFree(de_ctx); |
717 | | |
718 | | HostShutdown(); |
719 | | PASS; |
720 | | } |
721 | | |
722 | | static int DetectIPRepTest08(void) |
723 | | { |
724 | | ThreadVars th_v; |
725 | | DetectEngineThreadCtx *det_ctx = NULL; |
726 | | Signature *sig = NULL; |
727 | | FILE *fd = NULL; |
728 | | int r = 0; |
729 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
730 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
731 | | |
732 | | HostInitConfig(HOST_QUIET); |
733 | | memset(&th_v, 0, sizeof(th_v)); |
734 | | |
735 | | FAIL_IF_NULL(de_ctx); |
736 | | FAIL_IF_NULL(p); |
737 | | |
738 | | p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1"); |
739 | | p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2"); |
740 | | de_ctx->flags |= DE_QUIET; |
741 | | |
742 | | SRepInit(de_ctx); |
743 | | SRepResetVersion(); |
744 | | |
745 | | fd = DetectIPRepGenerateCategoriesDummy(); |
746 | | r = SRepLoadCatFileFromFD(fd); |
747 | | FAIL_IF(r < 0); |
748 | | |
749 | | fd = DetectIPRepGenerateNetworksDummy(); |
750 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
751 | | FAIL_IF(r < 0); |
752 | | |
753 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " |
754 | | "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); |
755 | | FAIL_IF_NULL(sig); |
756 | | |
757 | | SigGroupBuild(de_ctx); |
758 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
759 | | |
760 | | p->alerts.cnt = 0; |
761 | | p->action = 0; |
762 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
763 | | FAIL_IF(p->alerts.cnt != 0); |
764 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
765 | | |
766 | | UTHFreePacket(p); |
767 | | |
768 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
769 | | DetectEngineCtxFree(de_ctx); |
770 | | |
771 | | HostShutdown(); |
772 | | PASS; |
773 | | } |
774 | | |
775 | | static int DetectIPRepTest09(void) |
776 | | { |
777 | | ThreadVars th_v; |
778 | | DetectEngineThreadCtx *det_ctx = NULL; |
779 | | Signature *sig = NULL; |
780 | | FILE *fd = NULL; |
781 | | int r = 0; |
782 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
783 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
784 | | |
785 | | HostInitConfig(HOST_QUIET); |
786 | | memset(&th_v, 0, sizeof(th_v)); |
787 | | |
788 | | FAIL_IF_NULL(de_ctx); |
789 | | FAIL_IF_NULL(p); |
790 | | |
791 | | p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1"); |
792 | | p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2"); |
793 | | de_ctx->flags |= DE_QUIET; |
794 | | |
795 | | SRepInit(de_ctx); |
796 | | SRepResetVersion(); |
797 | | |
798 | | fd = DetectIPRepGenerateCategoriesDummy2(); |
799 | | r = SRepLoadCatFileFromFD(fd); |
800 | | FAIL_IF(r < 0); |
801 | | |
802 | | fd = DetectIPRepGenerateNetworksDummy2(); |
803 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
804 | | FAIL_IF(r < 0); |
805 | | |
806 | | sig = DetectEngineAppendSig(de_ctx, |
807 | | "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)"); |
808 | | FAIL_IF_NULL(sig); |
809 | | |
810 | | SigGroupBuild(de_ctx); |
811 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
812 | | |
813 | | p->alerts.cnt = 0; |
814 | | p->action = 0; |
815 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
816 | | FAIL_IF(p->alerts.cnt != 1); |
817 | | FAIL_IF(PacketTestAction(p, ACTION_DROP)); |
818 | | |
819 | | UTHFreePacket(p); |
820 | | |
821 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
822 | | DetectEngineCtxFree(de_ctx); |
823 | | |
824 | | HostShutdown(); |
825 | | PASS; |
826 | | } |
827 | | |
828 | | static FILE *DetectIPRepGenerateNetworksDummy3(void) |
829 | | { |
830 | | FILE *fd = NULL; |
831 | | const char *buffer = "192.168.0.0/16,1,127"; // BadHosts |
832 | | |
833 | | fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); |
834 | | if (fd == NULL) |
835 | | SCLogDebug("Error with SCFmemopen()"); |
836 | | |
837 | | return fd; |
838 | | } |
839 | | |
840 | | static int DetectIPRepTest10(void) |
841 | | { |
842 | | ThreadVars th_v; |
843 | | DetectEngineThreadCtx *det_ctx = NULL; |
844 | | Signature *sig = NULL; |
845 | | FILE *fd = NULL; |
846 | | int r = 0; |
847 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
848 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
849 | | |
850 | | HostInitConfig(HOST_QUIET); |
851 | | memset(&th_v, 0, sizeof(th_v)); |
852 | | |
853 | | FAIL_IF_NULL(de_ctx); |
854 | | FAIL_IF_NULL(p); |
855 | | |
856 | | p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1"); |
857 | | p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2"); |
858 | | de_ctx->flags |= DE_QUIET; |
859 | | |
860 | | SRepInit(de_ctx); |
861 | | SRepResetVersion(); |
862 | | |
863 | | fd = DetectIPRepGenerateCategoriesDummy2(); |
864 | | r = SRepLoadCatFileFromFD(fd); |
865 | | FAIL_IF(r < 0); |
866 | | |
867 | | fd = DetectIPRepGenerateNetworksDummy3(); |
868 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
869 | | FAIL_IF(r < 0); |
870 | | |
871 | | sig = DetectEngineAppendSig(de_ctx, |
872 | | "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,isset; sid:1; rev:1;)"); |
873 | | FAIL_IF_NULL(sig); |
874 | | |
875 | | SigGroupBuild(de_ctx); |
876 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
877 | | |
878 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
879 | | FAIL_IF_NOT(p->alerts.cnt == 1); |
880 | | |
881 | | UTHFreePacket(p); |
882 | | |
883 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
884 | | DetectEngineCtxFree(de_ctx); |
885 | | |
886 | | HostShutdown(); |
887 | | PASS; |
888 | | } |
889 | | |
890 | | static int DetectIPRepTest11(void) |
891 | | { |
892 | | ThreadVars th_v; |
893 | | DetectEngineThreadCtx *det_ctx = NULL; |
894 | | Signature *sig = NULL; |
895 | | FILE *fd = NULL; |
896 | | int r = 0; |
897 | | Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); |
898 | | DetectEngineCtx *de_ctx = DetectEngineCtxInit(); |
899 | | |
900 | | HostInitConfig(HOST_QUIET); |
901 | | memset(&th_v, 0, sizeof(th_v)); |
902 | | |
903 | | FAIL_IF_NULL(de_ctx); |
904 | | FAIL_IF_NULL(p); |
905 | | |
906 | | p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1"); |
907 | | p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2"); |
908 | | de_ctx->flags |= DE_QUIET; |
909 | | |
910 | | SRepInit(de_ctx); |
911 | | SRepResetVersion(); |
912 | | |
913 | | fd = DetectIPRepGenerateCategoriesDummy2(); |
914 | | r = SRepLoadCatFileFromFD(fd); |
915 | | FAIL_IF(r < 0); |
916 | | |
917 | | fd = DetectIPRepGenerateNetworksDummy3(); |
918 | | r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); |
919 | | FAIL_IF(r < 0); |
920 | | |
921 | | sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"test\"; " |
922 | | "iprep:src,BadHosts,isnotset; sid:1; rev:1;)"); |
923 | | FAIL_IF_NULL(sig); |
924 | | |
925 | | SigGroupBuild(de_ctx); |
926 | | DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); |
927 | | |
928 | | SigMatchSignatures(&th_v, de_ctx, det_ctx, p); |
929 | | FAIL_IF_NOT(p->alerts.cnt == 1); |
930 | | |
931 | | UTHFreePacket(p); |
932 | | |
933 | | DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); |
934 | | DetectEngineCtxFree(de_ctx); |
935 | | |
936 | | HostShutdown(); |
937 | | PASS; |
938 | | } |
939 | | |
940 | | /** |
941 | | * \brief this function registers unit tests for IPRep |
942 | | */ |
943 | | void IPRepRegisterTests(void) |
944 | | { |
945 | | UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01); |
946 | | UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02); |
947 | | UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03); |
948 | | UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04); |
949 | | UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05); |
950 | | UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06); |
951 | | UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07); |
952 | | UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08); |
953 | | UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09); |
954 | | UtRegisterTest("DetectIPRepTest10 -- isset", DetectIPRepTest10); |
955 | | UtRegisterTest("DetectIPRepTest11 -- isnotset", DetectIPRepTest11); |
956 | | } |
957 | | #endif /* UNITTESTS */ |