diff options
Diffstat (limited to 'src/detect-iprep.c')
| -rw-r--r-- | src/detect-iprep.c | 800 |
1 files changed, 800 insertions, 0 deletions
diff --git a/src/detect-iprep.c b/src/detect-iprep.c new file mode 100644 index 0000000..cc3d9a0 --- /dev/null +++ b/src/detect-iprep.c @@ -0,0 +1,800 @@ +/* Copyright (C) 2012-2021 Open Information Security Foundation + * + * You can copy, redistribute or modify this Program under the terms of + * the GNU General Public License version 2 as published by the Free + * Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * version 2 along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA + * 02110-1301, USA. + */ + +/** + * \file + * + * \author Victor Julien <victor@inliniac.net> + * + * Implements the iprep keyword + */ + +#include "suricata-common.h" +#include "decode.h" +#include "detect.h" +#include "threads.h" +#include "flow.h" +#include "flow-bit.h" +#include "flow-util.h" +#include "detect-iprep.h" +#include "util-spm.h" + +#include "app-layer-parser.h" + +#include "detect-parse.h" +#include "detect-engine.h" +#include "detect-engine-mpm.h" +#include "detect-engine-state.h" +#include "detect-engine-uint.h" +#include "detect-engine-build.h" + +#include "util-debug.h" +#include "util-byte.h" +#include "util-unittest.h" +#include "util-unittest-helper.h" +#include "util-fmemopen.h" +#include "util-validate.h" + +#include "reputation.h" +#include "host.h" + +static int DetectIPRepMatch (DetectEngineThreadCtx *, Packet *, + const Signature *, const SigMatchCtx *); +static int DetectIPRepSetup (DetectEngineCtx *, Signature *, const char *); +void DetectIPRepFree (DetectEngineCtx *, void *); +#ifdef UNITTESTS +static void IPRepRegisterTests(void); +#endif + +void DetectIPRepRegister (void) +{ + sigmatch_table[DETECT_IPREP].name = "iprep"; + sigmatch_table[DETECT_IPREP].desc = "match on the IP reputation information for a host"; + sigmatch_table[DETECT_IPREP].url = "/rules/ip-reputation-rules.html#iprep"; + sigmatch_table[DETECT_IPREP].Match = DetectIPRepMatch; + sigmatch_table[DETECT_IPREP].Setup = DetectIPRepSetup; + sigmatch_table[DETECT_IPREP].Free = DetectIPRepFree; +#ifdef UNITTESTS + sigmatch_table[DETECT_IPREP].RegisterTests = IPRepRegisterTests; +#endif + /* this is compatible to ip-only signatures */ + sigmatch_table[DETECT_IPREP].flags |= SIGMATCH_IPONLY_COMPAT; +} + +static inline uint8_t GetRep(const SReputation *r, const uint8_t cat, const uint32_t version) +{ + /* allow higher versions as this happens during + * rule reload */ + if (r != NULL && r->version >= version) { + return r->rep[cat]; + } + return 0; +} + +static uint8_t GetHostRepSrc(Packet *p, uint8_t cat, uint32_t version) +{ + if (p->flags & PKT_HOST_SRC_LOOKED_UP && p->host_src == NULL) { + return 0; + } else if (p->host_src != NULL) { + Host *h = (Host *)p->host_src; + HostLock(h); + /* use_cnt: 1 for having iprep, 1 for packet ref */ + DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2); + uint8_t val = GetRep(h->iprep, cat, version); + HostUnlock(h); + return val; + } else { + Host *h = HostLookupHostFromHash(&(p->src)); + p->flags |= PKT_HOST_SRC_LOOKED_UP; + if (h == NULL) + return 0; + HostReference(&p->host_src, h); + /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash, + * 1 for HostReference to packet */ + DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3); + uint8_t val = GetRep(h->iprep, cat, version); + HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */ + return val; + } +} + +static uint8_t GetHostRepDst(Packet *p, uint8_t cat, uint32_t version) +{ + if (p->flags & PKT_HOST_DST_LOOKED_UP && p->host_dst == NULL) { + return 0; + } else if (p->host_dst != NULL) { + Host *h = (Host *)p->host_dst; + HostLock(h); + /* use_cnt: 1 for having iprep, 1 for packet ref */ + DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 2); + uint8_t val = GetRep(h->iprep, cat, version); + HostUnlock(h); + return val; + } else { + Host *h = HostLookupHostFromHash(&(p->dst)); + p->flags |= PKT_HOST_DST_LOOKED_UP; + if (h == NULL) + return 0; + HostReference(&p->host_dst, h); + /* use_cnt: 1 for having iprep, 1 for HostLookupHostFromHash, + * 1 for HostReference to packet */ + DEBUG_VALIDATE_BUG_ON(h->iprep != NULL && SC_ATOMIC_GET(h->use_cnt) < 3); + uint8_t val = GetRep(h->iprep, cat, version); + HostRelease(h); /* use_cnt >= 2: 1 for iprep, 1 for packet ref */ + return val; + } +} + +/* + * returns 0: no match + * 1: match + * -1: error + */ +static int DetectIPRepMatch (DetectEngineThreadCtx *det_ctx, Packet *p, + const Signature *s, const SigMatchCtx *ctx) +{ + const DetectIPRepData *rd = (const DetectIPRepData *)ctx; + if (rd == NULL) + return 0; + + uint32_t version = det_ctx->de_ctx->srep_version; + uint8_t val = 0; + + SCLogDebug("rd->cmd %u", rd->cmd); + switch(rd->cmd) { + case IPRepCmdAny: + val = GetHostRepSrc(p, rd->cat, version); + if (val == 0) + val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); + if (val > 0) { + if (DetectU8Match(val, &rd->du8)) + return 1; + } + val = GetHostRepDst(p, rd->cat, version); + if (val == 0) + val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); + if (val > 0) { + return DetectU8Match(val, &rd->du8); + } + break; + + case IPRepCmdSrc: + val = GetHostRepSrc(p, rd->cat, version); + SCLogDebug("checking src -- val %u (looking for cat %u, val %u)", val, rd->cat, + rd->du8.arg1); + if (val == 0) + val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); + if (val > 0) { + return DetectU8Match(val, &rd->du8); + } + break; + + case IPRepCmdDst: + SCLogDebug("checking dst"); + val = GetHostRepDst(p, rd->cat, version); + if (val == 0) + val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); + if (val > 0) { + return DetectU8Match(val, &rd->du8); + } + break; + + case IPRepCmdBoth: + val = GetHostRepSrc(p, rd->cat, version); + if (val == 0) + val = SRepCIDRGetIPRepSrc(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); + if (val == 0 || DetectU8Match(val, &rd->du8) == 0) + return 0; + val = GetHostRepDst(p, rd->cat, version); + if (val == 0) + val = SRepCIDRGetIPRepDst(det_ctx->de_ctx->srepCIDR_ctx, p, rd->cat, version); + if (val > 0) { + return DetectU8Match(val, &rd->du8); + } + break; + } + + return 0; +} + +int DetectIPRepSetup (DetectEngineCtx *de_ctx, Signature *s, const char *rawstr) +{ + SigMatch *sm = NULL; + + DetectIPRepData *cd = rs_detect_iprep_parse(rawstr); + if (cd == NULL) { + SCLogError("\"%s\" is not a valid setting for iprep", rawstr); + goto error; + } + + SCLogDebug("cmd %u, cat %u, op %u, val %u", cd->cmd, cd->cat, cd->du8.mode, cd->du8.arg1); + + /* Okay so far so good, lets get this into a SigMatch + * and put it in the Signature. */ + sm = SigMatchAlloc(); + if (sm == NULL) + goto error; + + sm->type = DETECT_IPREP; + sm->ctx = (SigMatchCtx *)cd; + + SigMatchAppendSMToList(s, sm, DETECT_SM_LIST_MATCH); + + return 0; + +error: + if (cd != NULL) + DetectIPRepFree(de_ctx, cd); + if (sm != NULL) + SCFree(sm); + return -1; +} + +void DetectIPRepFree (DetectEngineCtx *de_ctx, void *ptr) +{ + DetectIPRepData *fd = (DetectIPRepData *)ptr; + + if (fd == NULL) + return; + + rs_detect_iprep_free(fd); +} + +#ifdef UNITTESTS +#include "packet.h" +#include "action-globals.h" + +static FILE *DetectIPRepGenerateCategoriesDummy(void) +{ + FILE *fd = NULL; + const char *buffer = "1,BadHosts,Know bad hosts"; + + fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); + if (fd == NULL) + SCLogDebug("Error with SCFmemopen()"); + + return fd; +} + +static FILE *DetectIPRepGenerateCategoriesDummy2(void) +{ + FILE *fd = NULL; + const char *buffer = + "1,BadHosts,Know bad hosts\n" + "2,GoodHosts,Know good hosts\n"; + + fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); + if (fd == NULL) + SCLogDebug("Error with SCFmemopen()"); + + return fd; +} + +static FILE *DetectIPRepGenerateNetworksDummy(void) +{ + FILE *fd = NULL; + const char *buffer = "10.0.0.0/24,1,20"; + + fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); + if (fd == NULL) + SCLogDebug("Error with SCFmemopen()"); + + return fd; +} + +static FILE *DetectIPRepGenerateNetworksDummy2(void) +{ + FILE *fd = NULL; + const char *buffer = + "0.0.0.0/0,1,10\n" + "192.168.0.0/16,2,127"; + + fd = SCFmemopen((void *)buffer, strlen(buffer), "r"); + if (fd == NULL) + SCLogDebug("Error with SCFmemopen()"); + + return fd; +} + +static int DetectIPRepTest01(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:any,BadHosts,>,1; sid:1;rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + + FAIL_IF(p->alerts.cnt != 1); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest02(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:src,BadHosts,>,1; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 1); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest03(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:dst,BadHosts,>,1; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 1); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest04(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->src.addr_data32[0] = UTHSetIPv4Address("10.0.0.1"); + p->dst.addr_data32[0] = UTHSetIPv4Address("10.0.0.2"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:both,BadHosts,>,1; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 1); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest05(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 0); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest06(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy2(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 1); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest07(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy2(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 1); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest08(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->src.addr_data32[0] = UTHSetIPv4Address("1.0.0.1"); + p->dst.addr_data32[0] = UTHSetIPv4Address("1.0.0.2"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (msg:\"IPREP High value " + "badhost\"; iprep:any,BadHosts,>,1; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 0); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +static int DetectIPRepTest09(void) +{ + ThreadVars th_v; + DetectEngineThreadCtx *det_ctx = NULL; + Signature *sig = NULL; + FILE *fd = NULL; + int r = 0; + Packet *p = UTHBuildPacket((uint8_t *)"lalala", 6, IPPROTO_TCP); + DetectEngineCtx *de_ctx = DetectEngineCtxInit(); + + HostInitConfig(HOST_QUIET); + memset(&th_v, 0, sizeof(th_v)); + + FAIL_IF_NULL(de_ctx); + FAIL_IF_NULL(p); + + p->src.addr_data32[0] = UTHSetIPv4Address("192.168.0.1"); + p->dst.addr_data32[0] = UTHSetIPv4Address("192.168.0.2"); + de_ctx->flags |= DE_QUIET; + + SRepInit(de_ctx); + SRepResetVersion(); + + fd = DetectIPRepGenerateCategoriesDummy2(); + r = SRepLoadCatFileFromFD(fd); + FAIL_IF(r < 0); + + fd = DetectIPRepGenerateNetworksDummy2(); + r = SRepLoadFileFromFD(de_ctx->srepCIDR_ctx, fd); + FAIL_IF(r < 0); + + sig = DetectEngineAppendSig(de_ctx, + "alert tcp any any -> any any (msg:\"test\"; iprep:src,BadHosts,>,9; sid:1; rev:1;)"); + FAIL_IF_NULL(sig); + + SigGroupBuild(de_ctx); + DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); + + p->alerts.cnt = 0; + p->action = 0; + SigMatchSignatures(&th_v, de_ctx, det_ctx, p); + FAIL_IF(p->alerts.cnt != 1); + FAIL_IF(PacketTestAction(p, ACTION_DROP)); + + UTHFreePacket(p); + + DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); + DetectEngineCtxFree(de_ctx); + + HostShutdown(); + PASS; +} + +/** + * \brief this function registers unit tests for IPRep + */ +void IPRepRegisterTests(void) +{ + UtRegisterTest("DetectIPRepTest01", DetectIPRepTest01); + UtRegisterTest("DetectIPRepTest02", DetectIPRepTest02); + UtRegisterTest("DetectIPRepTest03", DetectIPRepTest03); + UtRegisterTest("DetectIPRepTest04", DetectIPRepTest04); + UtRegisterTest("DetectIPRepTest05", DetectIPRepTest05); + UtRegisterTest("DetectIPRepTest06", DetectIPRepTest06); + UtRegisterTest("DetectIPRepTest07", DetectIPRepTest07); + UtRegisterTest("DetectIPRepTest08", DetectIPRepTest08); + UtRegisterTest("DetectIPRepTest09", DetectIPRepTest09); +} +#endif /* UNITTESTS */ |