本文整理汇总了C++中DetectEngineCtxFree函数的典型用法代码示例。如果您正苦于以下问题:C++ DetectEngineCtxFree函数的具体用法?C++ DetectEngineCtxFree怎么用?C++ DetectEngineCtxFree使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了DetectEngineCtxFree函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: DetectReplaceLongPatternMatchTest
/**
* \test Test packet Matches
* \param raw_eth_pkt pointer to the ethernet packet
* \param pktsize size of the packet
* \param sig pointer to the signature to test
* \param sid sid number of the signature
* \retval return 1 if match
* \retval return 0 if not
*/
int DetectReplaceLongPatternMatchTest(uint8_t *raw_eth_pkt, uint16_t pktsize, char *sig,
uint32_t sid, uint8_t *pp, uint16_t *len)
{
int result = 0;
Packet *p = NULL;
p = SCMalloc(SIZE_OF_PACKET);
if (unlikely(p == NULL))
return 0;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
if (pp == NULL) {
SCLogDebug("replace: looks like a second run");
}
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
PacketCopyData(p, raw_eth_pkt, pktsize);
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
FlowInitConfig(FLOW_QUIET);
DecodeEthernet(&th_v, &dtv, p, GET_PKT_DATA(p), pktsize, NULL);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, sig);
if (de_ctx->sig_list == NULL) {
goto end;
}
de_ctx->sig_list->next = NULL;
if (de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->type == DETECT_CONTENT) {
DetectContentData *co = (DetectContentData *)de_ctx->sig_list->sm_lists_tail[DETECT_SM_LIST_PMATCH]->ctx;
if (co->flags & DETECT_CONTENT_RELATIVE_NEXT) {
printf("relative next flag set on final match which is content: ");
goto end;
}
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, sid) != 1) {
SCLogDebug("replace: no alert on sig %d", sid);
goto end;
}
if (pp) {
memcpy(pp, GET_PKT_DATA(p), GET_PKT_LEN(p));
*len = pktsize;
SCLogDebug("replace: copying %d on %p", *len, pp);
}
result = 1;
end:
if (de_ctx != NULL)
{
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
}
FlowShutdown();
SCFree(p);
return result;
}示例2: DetectHttpMethodSigTest04
/** \test Check a signature with an request method and negation of the same */
static int DetectHttpMethodSigTest04(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = "GET / HTTP/1.0\r\n"
"Host: foo.bar.tld\r\n"
"\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"Testing http_method\"; "
"content:\"GET\"; http_method; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,
"alert tcp any any -> any any (msg:\"Testing http_method\"; "
"content:!\"GET\"; http_method; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SCMutexLock(&f.m);
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf1, httplen1);
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
http_state = f.alstate;
if (http_state == NULL) {
SCLogDebug("no http state: ");
goto end;
}
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
printf("sid 1 didn't match but should have: ");
goto end;
}
if (PacketAlertCheck(p, 2)) {
printf("sid 2 matched but shouldn't have: ");
goto end;
}
result = 1;
end:
if (de_ctx != NULL) {
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
}
if (det_ctx != NULL) {
DetectEngineThreadCtxDeinit(&th_v, (void *) det_ctx);
}
if (de_ctx != NULL) {
DetectEngineCtxFree(de_ctx);
}
StreamTcpFreeConfig(TRUE);
//.........这里部分代码省略.........
示例3: DetectSslVersionTestDetect02
static int DetectSslVersionTestDetect02(void)
{
Flow f;
uint8_t sslbuf1[] = { 0x16 };
uint32_t ssllen1 = sizeof(sslbuf1);
uint8_t sslbuf2[] = { 0x03 };
uint32_t ssllen2 = sizeof(sslbuf2);
uint8_t sslbuf3[] = { 0x01 };
uint32_t ssllen3 = sizeof(sslbuf3);
uint8_t sslbuf4[] = { 0x01, 0x00, 0x00, 0xad, 0x03, 0x02 };
uint32_t ssllen4 = sizeof(sslbuf4);
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
f.alproto = ALPROTO_TLS;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tls any any -> any any (msg:\"TLS\"; ssl_version:tls1.0; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, sslbuf1, ssllen1);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf2, ssllen2);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf3, ssllen3);
FAIL_IF(r != 0);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
sslbuf4, ssllen4);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
SSLState *app_state = f.alstate;
FAIL_IF_NULL(app_state);
FAIL_IF(app_state->client_connp.content_type != 0x16);
FAIL_IF(app_state->client_connp.version != TLS_VERSION_10);
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF_NOT(PacketAlertCheck(p, 1));
AppLayerParserThreadCtxFree(alp_tctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
PASS;
}示例4: DetectHttpCookieSigTest07
/** \test Check the signature working to alert when http_cookie is not present */
static int DetectHttpCookieSigTest07(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = "POST / HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\n"
"Cookie: dummy\r\n\r\n";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any (msg:"
"\"HTTP cookie\"; content:!\"dummy\"; "
"http_cookie; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SCMutexLock(&f.m);
int r = AppLayerParserParse(alp_tctx, &f, ALPROTO_HTTP, STREAM_TOSERVER, httpbuf1, httplen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
http_state = f.alstate;
if (http_state == NULL) {
printf("no http state: ");
result = 0;
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL) {
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
}
if (de_ctx != NULL) {
SigGroupCleanup(de_ctx);
DetectEngineCtxFree(de_ctx);
}
StreamTcpFreeConfig(TRUE);
UTHFreePackets(&p, 1);
return result;
}示例5: DetectHttpHeaderTest12
/**
*\test Negative test that the negated http_header content matches against a
* http request which holds hold the content.
*/
static int DetectHttpHeaderTest12(void)
{
TcpSession ssn;
Packet *p = NULL;
ThreadVars th_v;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
Flow f;
uint8_t http_buf[] =
"GET /index.html HTTP/1.0\r\n"
"Host: www.openinfosecfoundation.org\r\n"
"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7\r\n"
"Content-Type: text/html\r\n"
"Content-Length: 26\r\n"
"\r\n"
"This is dummy message body\r\n";
uint32_t http_len = sizeof(http_buf) - 1;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(msg:\"http header test\"; "
"content:!\"User-Agent: Mozilla/5.0 \"; http_header; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER, http_buf, http_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
goto end;
}
http_state = f.alstate;
if (http_state == NULL) {
printf("no http state: ");
result = 0;
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if ((PacketAlertCheck(p, 1))) {
printf("sid 1 didn't match but should have: ");
goto end;
}
result = 1;
end:
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
SigCleanSignatures(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}示例6: DetectFragOffsetMatchTest01
/**
* \test DetectFragOffsetMatchTest01 is a test for checking the working of
* fragoffset keyword by creating 2 rules and matching a crafted packet
* against them. Only the first one shall trigger.
*/
int DetectFragOffsetMatchTest01 (void)
{
int result = 0;
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (unlikely(p == NULL))
return 0;
Signature *s = NULL;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
IPV4Hdr ip4h;
memset(p, 0, SIZE_OF_PACKET);
memset(&ip4h, 0, sizeof(IPV4Hdr));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(ThreadVars));
FlowInitConfig(FLOW_QUIET);
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->src.addr_data32[0] = 0x01020304;
p->dst.addr_data32[0] = 0x04030201;
ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
ip4h.ip_off = 0x2222;
p->ip4h = &ip4h;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:546; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:5000; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1) == 0) {
printf("sid 1 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2)) {
printf("sid 2 alerted, but should not have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
FlowShutdown();
end:
SCFree(p);
return result;
}示例7: DetectProtoTestSetup02
/**
* \test DetectrotoTestSetup02 is a test for a icmpv4 and icmpv6
* protocol setting up in signature.
*/
static int DetectProtoTestSetup02(void)
{
DetectProto dp;
Signature *sig_icmpv4 = NULL;
Signature *sig_icmpv6 = NULL;
Signature *sig_icmp = NULL;
DetectEngineCtx *de_ctx = NULL;
int result = 0;
int i;
memset(&dp, 0, sizeof(dp));
if (DetectProtoInitTest(&de_ctx, &sig_icmpv4, &dp, "icmpv4") == 0) {
printf("failure - imcpv4.\n");
goto end;
}
if (DetectProtoInitTest(&de_ctx, &sig_icmpv6, &dp, "icmpv6") == 0) {
printf("failure - imcpv6.\n");
goto end;
}
if (DetectProtoInitTest(&de_ctx, &sig_icmp, &dp, "icmp") == 0) {
printf("failure - imcp.\n");
goto end;
}
for (i = 0; i < 256 / 8; i++) {
if (i == IPPROTO_ICMP) {
if (!(sig_icmpv4->proto.proto[i / 8] & (1 << (i % 8)))) {
printf("failed in sig matching - icmpv4 - icmpv4.\n");
goto end;
}
continue;
}
if (sig_icmpv4->proto.proto[i / 8] & (1 << (i % 8))) {
printf("failed in sig matching - icmpv4 - others.\n");
goto end;
}
}
for (i = 0; i < 256 / 8; i++) {
if (i == IPPROTO_ICMPV6) {
if (!(sig_icmpv6->proto.proto[i / 8] & (1 << (i % 8)))) {
printf("failed in sig matching - icmpv6 - icmpv6.\n");
goto end;
}
continue;
}
if (sig_icmpv6->proto.proto[i / 8] & (1 << (i % 8))) {
printf("failed in sig matching - icmpv6 - others.\n");
goto end;
}
}
for (i = 0; i < 256 / 8; i++) {
if (i == IPPROTO_ICMP || i == IPPROTO_ICMPV6) {
if (!(sig_icmp->proto.proto[i / 8] & (1 << (i % 8)))) {
printf("failed in sig matching - icmp - icmp.\n");
goto end;
}
continue;
}
if (sig_icmpv6->proto.proto[i / 8] & (1 << (i % 8))) {
printf("failed in sig matching - icmp - others.\n");
goto end;
}
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineCtxFree(de_ctx);
return result;
}示例8: DetectProtoTestSig01
static int DetectProtoTestSig01(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
Flow f;
memset(&f, 0, sizeof(Flow));
memset(&th_v, 0, sizeof(th_v));
FLOW_INITIALIZE(&f);
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flags |= PKT_HAS_FLOW;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert udp any any -> any any "
"(msg:\"Not tcp\"; flow:to_server; sid:1;)");
if (s == NULL)
goto end;
s = s->next = SigInit(de_ctx,"alert ip any any -> any any "
"(msg:\"IP\"; flow:to_server; sid:2;)");
if (s == NULL)
goto end;
s = s->next = SigInit(de_ctx,"alert tcp any any -> any any "
"(msg:\"TCP\"; flow:to_server; sid:3;)");
if (s == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2) == 0) {
printf("sid 2 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 3) == 0) {
printf("sid 3 did not alert, but should have: ");
goto cleanup;
}
result = 1;
cleanup:
FLOW_DESTROY(&f);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
UTHFreePackets(&p, 1);
end:
return result;
}示例9: DetectFtpbounceTestALMatch02
//.........这里部分代码省略.........
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_FTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
"(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
STREAM_TOSERVER, ftpbuf1, ftplen1);
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
ftpbuf2, ftplen2);
if (r != 0) {
SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
ftpbuf3, ftplen3);
if (r != 0) {
SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
ftpbuf4, ftplen4);
if (r != 0) {
SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FtpState *ftp_state = f.alstate;
if (ftp_state == NULL) {
SCLogDebug("no ftp state: ");
result = 0;
goto end;
}
if (ftp_state->command != FTP_COMMAND_PORT) {
SCLogDebug("expected command port not detected");
result = 0;
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (!(PacketAlertCheck(p, 1))) {
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}示例10: DetectFtpbounceTestALMatch03
//.........这里部分代码省略.........
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_FTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any any "
"(msg:\"Ftp Bounce\"; ftpbounce; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v,(void *)de_ctx,(void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP,
STREAM_TOSERVER, ftpbuf1, ftplen1);
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
ftpbuf2, ftplen2);
if (r != 0) {
SCLogDebug("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
ftpbuf3, ftplen3);
if (r != 0) {
SCLogDebug("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_FTP, STREAM_TOSERVER,
ftpbuf4, ftplen4);
if (r != 0) {
SCLogDebug("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
result = 0;
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
FtpState *ftp_state = f.alstate;
if (ftp_state == NULL) {
SCLogDebug("no ftp state: ");
result = 0;
goto end;
}
if (ftp_state->command != FTP_COMMAND_PORT) {
SCLogDebug("expected command port not detected");
result = 0;
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
/* It should not match */
if (!(PacketAlertCheck(p, 1))) {
result = 1;
} else {
SCLogDebug("It should not match here!");
}
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v,(void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
SCFree(p);
return result;
}示例11: DetectTtlTestSig1
static int DetectTtlTestSig1(void)
{
Packet *p = PacketGetFromAlloc();
if (unlikely(p == NULL))
return 0;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
IPV4Hdr ip4h;
memset(&th_v, 0, sizeof(th_v));
memset(&ip4h, 0, sizeof(ip4h));
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->proto = IPPROTO_TCP;
ip4h.ip_ttl = 15;
p->ip4h = &ip4h;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"with in ttl limit\"; ttl: >16; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Less than 17\"; ttl: <17; sid:2;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Greater than 5\"; ttl:15; sid:3;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert ip any any -> any any (msg:\"Equals tcp\"; ttl: 1-30; sid:4;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 alerted, but should not have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2) == 0) {
printf("sid 2 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 3) == 0) {
printf("sid 3 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 4) == 0) {
printf("sid 4 did not alert, but should have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
SCFree(p);
return result;
}示例12: PayloadTestSig13
/**
* \test Used to check the working of recursion_limit counter.
*/
static int PayloadTestSig13(void)
{
uint8_t *buf = (uint8_t *)"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
uint16_t buflen = strlen((char *)buf);
Packet *p = UTHBuildPacket( buf, buflen, IPPROTO_TCP);
int result = 0;
uint16_t mpm_type = MPM_B2G;
char sig[] = "alert tcp any any -> any any (msg:\"dummy\"; "
"content:\"aa\"; content:\"aa\"; distance:0; content:\"aa\"; distance:0; "
"byte_test:1,>,200,0,relative; sid:1;)";
struct timeval tv_start, tv_end, tv_diff;
gettimeofday(&tv_start, NULL);
do {
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
printf("de_ctx == NULL: ");
goto end;
}
de_ctx->inspection_recursion_limit = 3000;
de_ctx->flags |= DE_QUIET;
de_ctx->mpm_matcher = mpm_type;
de_ctx->sig_list = SigInit(de_ctx, sig);
if (de_ctx->sig_list == NULL) {
printf("signature == NULL: ");
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
} while (0);
gettimeofday(&tv_end, NULL);
tv_diff.tv_sec = tv_end.tv_sec - tv_start.tv_sec;
tv_diff.tv_usec = tv_end.tv_usec - tv_start.tv_usec;
printf("%ld.%06ld\n", tv_diff.tv_sec, (long int)tv_diff.tv_usec);
result = 1;
if (p != NULL)
UTHFreePacket(p);
return result;
}示例13: DetectHttpMethodSigTest03
/** \test Check a signature against an unparsable request */
static int DetectHttpMethodSigTest03(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = " ";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
HtpState *http_state = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"GET\"; "
"http_method; sid:1;)");
if (s == NULL) {
SCLogDebug("Bad signature");
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_HTTP,
STREAM_TOSERVER, httpbuf1, httplen1);
if (r != 0) {
SCLogDebug("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
goto end;
}
FLOWLOCK_UNLOCK(&f);
http_state = f.alstate;
if (http_state == NULL) {
SCLogDebug("no http state: ");
goto end;
}
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
goto end;
}
result = 1;
end:
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (de_ctx != NULL) SigGroupCleanup(de_ctx);
if (de_ctx != NULL) SigCleanSignatures(de_ctx);
if (de_ctx != NULL) DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
}示例14: DetectTlsIssuerTest02
//.........这里部分代码省略.........
p2 = UTHBuildPacketReal(server_hello, sizeof(server_hello), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
p3 = UTHBuildPacketReal(certificate, sizeof(certificate), IPPROTO_TCP,
"192.168.1.1", "192.168.1.5", 443, 51251);
FLOW_INITIALIZE(&f);
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_TLS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->pcap_cnt = 1;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->pcap_cnt = 2;
p3->flow = &f;
p3->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p3->flowflags |= FLOW_PKT_TOCLIENT;
p3->flowflags |= FLOW_PKT_ESTABLISHED;
p3->pcap_cnt = 3;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert tls any any -> any any "
"(msg:\"Test tls_cert_issuer\"; "
"tls_cert_issuer; content:\"google\"; nocase; "
"sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER, client_hello,
sizeof(client_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
ssl_state = f.alstate;
FAIL_IF_NULL(ssl_state);
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
FAIL_IF(PacketAlertCheck(p1, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
server_hello, sizeof(server_hello));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
FAIL_IF(PacketAlertCheck(p2, 1));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
certificate, sizeof(certificate));
FLOWLOCK_UNLOCK(&f);
FAIL_IF(r != 0);
SigMatchSignatures(&tv, de_ctx, det_ctx, p3);
FAIL_IF_NOT(PacketAlertCheck(p3, 1));
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
UTHFreePacket(p3);
PASS;
}示例15: DetectDnsQueryTest04
//.........这里部分代码省略.........
ThreadVars tv;
DetectEngineThreadCtx *det_ctx = NULL;
TcpSession ssn;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&tv, 0, sizeof(ThreadVars));
memset(&f, 0, sizeof(Flow));
memset(&ssn, 0, sizeof(TcpSession));
p1 = UTHBuildPacketReal(buf1, sizeof(buf1), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
p2 = UTHBuildPacketReal(buf2, sizeof(buf2), IPPROTO_TCP,
"192.168.1.5", "192.168.1.1",
41424, 53);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.proto = IPPROTO_TCP;
f.protomap = FlowGetProtoMapping(f.proto);
f.alproto = ALPROTO_DNS;
p1->flow = &f;
p1->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p1->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
p2->flow = &f;
p2->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
p2->flowflags |= FLOW_PKT_TOSERVER|FLOW_PKT_ESTABLISHED;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
de_ctx->mpm_matcher = mpm_default_matcher;
de_ctx->flags |= DE_QUIET;
s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
"(msg:\"Test dns_query option\"; "
"dns_query; content:\"google\"; nocase; sid:1;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
int r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS,
STREAM_TOSERVER, buf1, sizeof(buf1));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
dns_state = f.alstate;
FAIL_IF_NULL(dns_state);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) {
printf("sig 1 alerted, but it should not have: ");
FAIL;
}
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_DNS, STREAM_TOSERVER,
buf2, sizeof(buf2));
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0\n", r);
FLOWLOCK_UNLOCK(&f);
FAIL;
}
FLOWLOCK_UNLOCK(&f);
/* do detect */
SigMatchSignatures(&tv, de_ctx, det_ctx, p2);
if (!(PacketAlertCheck(p2, 1))) {
printf("sig 1 didn't alert, but it should have: ");
FAIL;
}
if (alp_tctx != NULL)
AppLayerParserThreadCtxFree(alp_tctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&tv, det_ctx);
if (de_ctx != NULL)
SigGroupCleanup(de_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePacket(p1);
UTHFreePacket(p2);
PASS;
}