本文整理汇总了C++中PacketAlertCheck函数的典型用法代码示例。如果您正苦于以下问题:C++ PacketAlertCheck函数的具体用法?C++ PacketAlertCheck怎么用?C++ PacketAlertCheck使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了PacketAlertCheck函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的C++代码示例。
示例1: DetectFlowintTestPacket03Real
/**
* \test DetectFlowintTestPacket03Real
* \brief Check the behaviour of isset/notset
*/
int DetectFlowintTestPacket03Real()
{
Packet *p = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF(de_ctx == NULL);
de_ctx->flags |= DE_QUIET;
char *sigs[3];
sigs[0] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"GET\"; flowint: myvar, notset; flowint: myvar,=,0; flowint: other,=,10; sid:101;)";
sigs[1] = "alert tcp any any -> any any (msg:\"check isset\"; content:\"Unauthorized\"; flowint:myvar,isset; flowint: other,isset; sid:102;)";
sigs[2] = "alert tcp any any -> any any (msg:\"check notset\"; content:\"Unauthorized\"; flowint:lala,isset; sid:103;)";
FAIL_IF(UTHAppendSigs(de_ctx, sigs, 3) == 0);
SCSigRegisterSignatureOrderingFuncs(de_ctx);
SCSigOrderSignatures(de_ctx);
SCSigSignatureOrderingModuleCleanup(de_ctx);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v,(void *) de_ctx,(void *) &det_ctx);
Flow *f = UTHBuildFlow(AF_INET, "192.168.1.5", "192.168.1.1",
41424, 80);
FAIL_IF(f == NULL);
f->proto = IPPROTO_TCP;
p = UTHBuildPacket((uint8_t *)"GET", 3, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 101));
UTHFreePacket(p);
p = UTHBuildPacket((uint8_t *)"Unauthorized", 12, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 102));
FAIL_IF(PacketAlertCheck(p, 103));
UTHFreePacket(p);
p = UTHBuildPacket((uint8_t *)"1", 1, IPPROTO_TCP);
FAIL_IF(p == NULL);
p->flow = f;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 102));
FAIL_IF(PacketAlertCheck(p, 103));
UTHFreePacket(p);
UTHFreeFlow(f);
DetectEngineThreadCtxDeinit(&th_v,(void *) det_ctx);
DetectEngineCtxFree(de_ctx);
PASS;
}
开发者ID:thus,项目名称:suricata,代码行数:62,代码来源:detect-flowint.c
示例2: DetectIcmpIdMatchTest01
/**
* \test DetectIcmpIdMatchTest01 is a test for checking the working of
* icmp_id keyword by creating 2 rules and matching a crafted packet
* against them. Only the first one shall trigger.
*/
int DetectIcmpIdMatchTest01 (void)
{
int result = 0;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&th_v, 0, sizeof(ThreadVars));
p = UTHBuildPacket(NULL, 0, IPPROTO_ICMP);
p->icmpv4vars.id = htons(21781);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21781; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx, "alert icmp any any -> any any (icmp_id:21782; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1) == 0) {
printf("sid 1 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2)) {
printf("sid 2 alerted, but should not have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
UTHFreePackets(&p, 1);
end:
return result;
}
开发者ID:BreakingTheory,项目名称:suricata,代码行数:61,代码来源:detect-icmp-id.c
示例3: DetectDetectionFilterTestSig1
/**
* \test DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword
* by setting up the signature and later testing its working by matching
* the received packet against the sig.
*
* \retval 1 on succces
* \retval 0 on failure
*/
static int DetectDetectionFilterTestSig1(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
HostInitConfig(HOST_QUIET);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"detection_filter Test\"; detection_filter: track by_dst, count 4, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
if(alerts == 4)
result = 1;
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
HostShutdown();
return result;
}
开发者ID:javarange,项目名称:suricata,代码行数:68,代码来源:detect-detection-filter.c
示例4: UTHPacketMatchSigMpm
/**
* \test Test if a packet match a signature given as string and a mpm_type
* Hint: Useful for unittests with only one packet and one signature
*
* \param sig pointer to the string signature to test
* \param sid sid number of the signature
*
* \retval return 1 if match
* \retval return 0 if not
*/
int UTHPacketMatchSigMpm(Packet *p, char *sig, uint16_t mpm_type)
{
SCEnter();
int result = 0;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
printf("de_ctx == NULL: ");
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->mpm_matcher = mpm_type;
de_ctx->sig_list = SigInit(de_ctx, sig);
if (de_ctx->sig_list == NULL) {
printf("signature == NULL: ");
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
printf("signature didn't alert: ");
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
SCReturnInt(result);
}
开发者ID:EmergingThreats,项目名称:suricata,代码行数:60,代码来源:util-unittest-helper.c
示例5: GeoipMatchTest
/**
* \internal
* \brief This test tests geoip success and failure.
*/
static int GeoipMatchTest(char *rule, char *srcip, char *dstip)
{
uint8_t *buf = (uint8_t *) "GET / HTTP/1.0\r\n\r\n";
uint16_t buflen = strlen((char *)buf);
Packet *p1 = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, srcip, dstip);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, rule);
if (de_ctx->sig_list == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
result = 2;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1) == 0) {
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
return result;
}
开发者ID:prabhakaran1989,项目名称:suricata,代码行数:52,代码来源:detect-geoip.c
示例6: UTHPacketMatchSig
/**
* \test Test if a packet match a signature given as string
* Hint: Useful for unittests with only one packet and one signature
*
* \param sig pointer to the string signature to test
* \param sid sid number of the signature
*
* \retval return 1 if match
* \retval return 0 if not
*/
int UTHPacketMatchSig(Packet *p, char *sig)
{
int result = 1;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(th_v));
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
result=0;
goto end;
}
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, sig);
if (de_ctx->sig_list == NULL) {
result = 0;
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, de_ctx->sig_list->id) != 1) {
result = 0;
goto end;
}
end:
if (de_ctx) {
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
}
if (det_ctx != NULL)
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
if (de_ctx != NULL)
DetectEngineCtxFree(de_ctx);
return result;
}
开发者ID:EmergingThreats,项目名称:suricata,代码行数:58,代码来源:util-unittest-helper.c
示例7: UTHCheckPacketMatchResults
/**
* \brief UTHCheckPacketMatches: function to check if a packet match some sids
*
*
* \param p pointer to the Packet
* \param sigs array of char* pointing to signatures to load
* \param numsigs number of signatures to load from the array
* \param results pointer to an array of numbers to check if sids matches
* that number of times or not.
*
* \retval int 1 if the match of all the sids is the specified has the
* specified results; 0 if not
*/
int UTHCheckPacketMatchResults(Packet *p, uint32_t sids[],
uint32_t results[], int numsids)
{
if (p == NULL || sids == NULL) {
SCLogError(SC_ERR_INVALID_ARGUMENT, "Arguments invalid, check if the "
"packet is NULL, and if the array contain sids is set");
return 0;
}
int i = 0;
int res = 1;
for (; i < numsids; i++) {
uint16_t r = PacketAlertCheck(p, sids[i]);
if (r != results[i]) {
SCLogInfo("Sid %"PRIu32" matched %"PRIu16" times, and not %"PRIu16
" as expected", sids[i], r, results[i]);
res = 0;
} else {
SCLogInfo("Sid %"PRIu32" matched %"PRIu16" times, as expected", sids[i], r);
}
}
return res;
}
开发者ID:EmergingThreats,项目名称:suricata,代码行数:36,代码来源:util-unittest-helper.c
示例8: DetectDsizeIcmpv6Test01
/**
* \test DetectDsizeIcmpv6Test01 is a test for checking the working of
* dsize keyword by creating 2 rules and matching a crafted packet
* against them. Only the first one shall trigger.
*/
int DetectDsizeIcmpv6Test01 (void) {
int result = 0;
static uint8_t raw_icmpv6[] = {
0x60, 0x00, 0x00, 0x00, 0x00, 0x30, 0x3a, 0xff,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
0x01, 0x00, 0x7b, 0x85, 0x00, 0x00, 0x00, 0x00,
0x60, 0x4b, 0xe8, 0xbd, 0x00, 0x00, 0x3b, 0xff,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xff, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (p == NULL)
return 0;
IPV6Hdr ip6h;
ThreadVars tv;
DecodeThreadVars dtv;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&tv, 0, sizeof(ThreadVars));
memset(p, 0, SIZE_OF_PACKET);
p->pkt = (uint8_t *)(p + 1);
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&ip6h, 0, sizeof(IPV6Hdr));
memset(&th_v, 0, sizeof(ThreadVars));
FlowInitConfig(FLOW_QUIET);
p->src.family = AF_INET6;
p->dst.family = AF_INET6;
p->ip6h = &ip6h;
DecodeIPV6(&tv, &dtv, p, raw_icmpv6, sizeof(raw_icmpv6), NULL);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert icmp any any -> any any "
"(msg:\"ICMP Large ICMP Packet\"; dsize:>8; sid:1; rev:4;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx, "alert icmp any any -> any any "
"(msg:\"ICMP Large ICMP Packet\"; dsize:>800; sid:2; rev:4;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1) == 0) {
printf("sid 1 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2)) {
printf("sid 2 alerted, but should not have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
FlowShutdown();
end:
SCFree(p);
return result;
}
开发者ID:jerryma119,项目名称:suricata,代码行数:91,代码来源:detect-dsize.c
示例9: DetectFragOffsetMatchTest01
/**
* \test DetectFragOffsetMatchTest01 is a test for checking the working of
* fragoffset keyword by creating 2 rules and matching a crafted packet
* against them. Only the first one shall trigger.
*/
int DetectFragOffsetMatchTest01 (void)
{
int result = 0;
Packet *p = SCMalloc(SIZE_OF_PACKET);
if (unlikely(p == NULL))
return 0;
Signature *s = NULL;
DecodeThreadVars dtv;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
IPV4Hdr ip4h;
memset(p, 0, SIZE_OF_PACKET);
memset(&ip4h, 0, sizeof(IPV4Hdr));
memset(&dtv, 0, sizeof(DecodeThreadVars));
memset(&th_v, 0, sizeof(ThreadVars));
FlowInitConfig(FLOW_QUIET);
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->src.addr_data32[0] = 0x01020304;
p->dst.addr_data32[0] = 0x04030201;
ip4h.s_ip_src.s_addr = p->src.addr_data32[0];
ip4h.s_ip_dst.s_addr = p->dst.addr_data32[0];
ip4h.ip_off = 0x2222;
p->ip4h = &ip4h;
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:546; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx, "alert ip any any -> any any (fragoffset:5000; sid:2;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1) == 0) {
printf("sid 1 did not alert, but should have: ");
goto cleanup;
} else if (PacketAlertCheck(p, 2)) {
printf("sid 2 alerted, but should not have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
FlowShutdown();
end:
SCFree(p);
return result;
}
开发者ID:EmergingThreats,项目名称:suricata,代码行数:78,代码来源:detect-fragoffset.c
示例10: DetectHttpCookieSigTest08
/**
* \test Check the signature working to alert against set-cookie
*/
static int DetectHttpCookieSigTest08(void)
{
int result = 0;
Flow f;
uint8_t httpbuf_request[] =
"GET / HTTP/1.1\r\n"
"User-Agent: Mozilla/1.0\r\n"
"\r\n";
uint32_t httpbuf_request_len = sizeof(httpbuf_request) - 1; /* minus the \0 */
uint8_t httpbuf_response[] =
"HTTP/1.1 200 OK\r\n"
"Set-Cookie: response_user_agent\r\n"
"\r\n";
uint32_t httpbuf_response_len = sizeof(httpbuf_response) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p1 = NULL, *p2 = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
HtpState *http_state = NULL;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.flags |= FLOW_IPV4;
f.alproto = ALPROTO_HTTP;
p1 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p1->flow = &f;
p1->flowflags |= FLOW_PKT_TOSERVER;
p1->flowflags |= FLOW_PKT_ESTABLISHED;
p1->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
p2 = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
p2->flow = &f;
p2->flowflags |= FLOW_PKT_TOCLIENT;
p2->flowflags |= FLOW_PKT_ESTABLISHED;
p2->flags |= PKT_HAS_FLOW | PKT_STREAM_EST;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert http any any -> any any "
"(flow:to_client; content:\"response_user_agent\"; "
"http_cookie; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
/* request */
SCMutexLock(&f.m);
int r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOSERVER,
httpbuf_request, httpbuf_request_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
SCMutexUnlock(&f.m);
goto end;
}
SCMutexUnlock(&f.m);
http_state = f.alstate;
if (http_state == NULL) {
printf("no http state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1)) {
goto end;
}
/* response */
SCMutexLock(&f.m);
r = AppLayerParse(NULL, &f, ALPROTO_HTTP, STREAM_TOCLIENT,
httpbuf_response, httpbuf_response_len);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
result = 0;
SCMutexUnlock(&f.m);
goto end;
//.........这里部分代码省略.........
开发者ID:codercold,项目名称:suricata,代码行数:101,代码来源:detect-http-cookie.c
示例11: DetectSshVersionTestDetect03
/** \test Send a get request in three chunks + more data. */
static int DetectSshVersionTestDetect03(void) {
int result = 0;
Flow f;
uint8_t sshbuf1[] = "SSH-1.";
uint32_t sshlen1 = sizeof(sshbuf1) - 1;
uint8_t sshbuf2[] = "7-PuTTY_2.123" ;
uint32_t sshlen2 = sizeof(sshbuf2) - 1;
uint8_t sshbuf3[] = "\n";
uint32_t sshlen3 = sizeof(sshbuf3) - 1;
uint8_t sshbuf4[] = "whatever...";
uint32_t sshlen4 = sizeof(sshbuf4) - 1;
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx = NULL;
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_SSH;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert ssh any any -> any any (msg:\"SSH\"; ssh.protoversion:2_compat; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
int r = AppLayerParse(NULL, &f, ALPROTO_SSH, STREAM_TOSERVER, sshbuf1, sshlen1);
if (r != 0) {
printf("toserver chunk 1 returned %" PRId32 ", expected 0: ", r);
goto end;
}
r = AppLayerParse(NULL, &f, ALPROTO_SSH, STREAM_TOSERVER, sshbuf2, sshlen2);
if (r != 0) {
printf("toserver chunk 2 returned %" PRId32 ", expected 0: ", r);
goto end;
}
r = AppLayerParse(NULL, &f, ALPROTO_SSH, STREAM_TOSERVER, sshbuf3, sshlen3);
if (r != 0) {
printf("toserver chunk 3 returned %" PRId32 ", expected 0: ", r);
goto end;
}
r = AppLayerParse(NULL, &f, ALPROTO_SSH, STREAM_TOSERVER, sshbuf4, sshlen4);
if (r != 0) {
printf("toserver chunk 4 returned %" PRId32 ", expected 0: ", r);
goto end;
}
SshState *ssh_state = f.alstate;
if (ssh_state == NULL) {
printf("no ssh state: ");
goto end;
}
/* do detect */
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("Error, 1.7 version is not 2 compat, so the sig should not match: ");
goto end;
}
result = 1;
end:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
StreamTcpFreeConfig(TRUE);
FLOW_DESTROY(&f);
UTHFreePackets(&p, 1);
return result;
//.........这里部分代码省略.........
开发者ID:jerryma119,项目名称:suricata,代码行数:101,代码来源:detect-ssh-proto-version.c
示例12: DetectSameipSigTest01Real
/**
* \internal
* \brief This test tests sameip success and failure.
*/
static int DetectSameipSigTest01Real(int mpm_type)
{
uint8_t *buf = (uint8_t *)
"GET / HTTP/1.0\r\n"
"\r\n";
uint16_t buflen = strlen((char *)buf);
Packet *p1 = NULL;
Packet *p2 = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
memset(&th_v, 0, sizeof(th_v));
/* First packet has same IPs */
p1 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "1.2.3.4");
/* Second packet does not have same IPs */
p2 = UTHBuildPacketSrcDst(buf, buflen, IPPROTO_TCP, "1.2.3.4", "4.3.2.1");
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->mpm_matcher = mpm_type;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing sameip\"; sameip; sid:1;)");
if (de_ctx->sig_list == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p1);
if (PacketAlertCheck(p1, 1) == 0) {
printf("sid 2 did not alert, but should have: ");
goto cleanup;
}
SigMatchSignatures(&th_v, de_ctx, det_ctx, p2);
if (PacketAlertCheck(p2, 1) != 0) {
printf("sid 2 alerted, but should not have: ");
goto cleanup;
}
result = 1;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
return result;
}
开发者ID:H5eye,项目名称:suricata,代码行数:66,代码来源:detect-sameip.c
示例13: DetectSslStateTest07
//.........这里部分代码省略.........
"ssl_state:client_keyx; "
"sid:3;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:server_keyx; "
"sid:4;)");
FAIL_IF_NULL(s);
s = DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any "
"(msg:\"ssl state\"; "
"ssl_state:!client_hello; "
"sid:5;)");
FAIL_IF_NULL(s);
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS,
STREAM_TOSERVER | STREAM_START, chello_buf,
chello_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
ssl_state = f.alstate;
FAIL_IF(ssl_state == NULL);
/* do detect */
p->alerts.cnt = 0;
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(!PacketAlertCheck(p, 1));
FAIL_IF(PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FAIL_IF(PacketAlertCheck(p, 5));
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOCLIENT,
shello_buf, shello_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
/* do detect */
p->alerts.cnt = 0;
p->flowflags = (FLOW_PKT_TOCLIENT | FLOW_PKT_ESTABLISHED);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
FAIL_IF(PacketAlertCheck(p, 1));
FAIL_IF(!PacketAlertCheck(p, 2));
FAIL_IF(PacketAlertCheck(p, 3));
FAIL_IF(PacketAlertCheck(p, 4));
FAIL_IF(!PacketAlertCheck(p, 5));
PASS;
FLOWLOCK_WRLOCK(&f);
r = AppLayerParserParse(NULL, alp_tctx, &f, ALPROTO_TLS, STREAM_TOSERVER,
client_change_cipher_spec_buf,
client_change_cipher_spec_buf_len);
FAIL_IF(r != 0);
FLOWLOCK_UNLOCK(&f);
开发者ID:P1sec,项目名称:suricata,代码行数:66,代码来源:detect-ssl-state.c
示例14: DetectAppLayerEventTest04
int DetectAppLayerEventTest04(void)
{
int result = 0;
ThreadVars tv;
TcpReassemblyThreadCtx *ra_ctx = NULL;
Packet *p = NULL;
Flow *f = NULL;
TcpSession ssn;
TcpStream stream_ts, stream_tc;
DetectEngineCtx *de_ctx = NULL;
DetectEngineThreadCtx *det_ctx = NULL;
uint8_t buf_ts[] = "GET /index.html HTTP/1.1\r\n"
"Host: 127.0.0.1\r\n"
"User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.3) Gecko/20100402 Firefox/3.6.3\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: en-us,en;q=0.5\r\n"
"Accept-Encoding: gzip,deflate\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n"
"\r\n";
uint8_t buf_tc[] = "XTTP/1.1 200 OK\r\n"
"Date: Fri, 22 Oct 2010 12:31:08 GMT\r\n"
"Server: Apache/2.2.15 (Unix) DAV/2\r\n"
"Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT\r\n"
"ETag: \"ab8486-2c-3e9564c23b600\"\r\n"
"Accept-Ranges: bytes\r\n"
"Content-Length: 44\r\n"
"Keep-Alive: timeout=5, max=100\r\n"
"Connection: Keep-Alive\r\n"
"Content-Type: text/html\r\n"
"\r\n"
"<html><body><h1>It works!</h1></body></html>";
memset(&tv, 0, sizeof (ThreadVars));
memset(&ssn, 0, sizeof(TcpSession));
memset(&stream_ts, 0, sizeof(TcpStream));
memset(&stream_tc, 0, sizeof(TcpStream));
ssn.data_first_seen_dir = STREAM_TOSERVER;
de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL)
goto end;
de_ctx->flags |= DE_QUIET;
de_ctx->sig_list = SigInit(de_ctx, "alert tcp any any -> any any "
"(app-layer-event: applayer_detect_protocol_only_one_direction; "
"sid:1;)");
if (de_ctx->sig_list == NULL)
goto end;
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 200, 220);
if (f == NULL)
goto end;
FLOW_INITIALIZE(f);
f->protoctx = &ssn;
f->proto = IPPROTO_TCP;
f->flags |= FLOW_IPV4;
p = PacketGetFromAlloc();
if (unlikely(p == NULL))
goto end;
p->flow = f;
p->src.family = AF_INET;
p->dst.family = AF_INET;
p->proto = IPPROTO_TCP;
ra_ctx = StreamTcpReassembleInitThreadCtx(&tv);
if (ra_ctx == NULL)
goto end;
StreamTcpInitConfig(TRUE);
p->flowflags = FLOW_PKT_TOSERVER;
if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_ts, buf_ts,
sizeof(buf_ts), STREAM_TOSERVER | STREAM_START) < 0) {
printf("AppLayerHandleTCPData failure\n");
goto end;
}
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (PacketAlertCheck(p, 1)) {
printf("sid 1 matched but shouldn't have\n");
goto end;
}
p->flowflags = FLOW_PKT_TOCLIENT;
if (AppLayerHandleTCPData(&tv, ra_ctx, p, f, &ssn, &stream_tc, buf_tc,
sizeof(buf_tc), STREAM_TOCLIENT | STREAM_START) < 0) {
printf("AppLayerHandleTCPData failure\n");
goto end;
}
SigMatchSignatures(&tv, de_ctx, det_ctx, p);
if (!PacketAlertCheck(p, 1)) {
printf("sid 1 didn't match but should have\n");
goto end;
}
result = 1;
//.........这里部分代码省略.........
开发者ID:awick,项目名称:suricata,代码行数:101,代码来源:detect-app-layer-event.c
示例15: DetectThresholdTestSig6Ticks
static int DetectThresholdTestSig6Ticks(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
s = s->next = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit sid 1000\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1000;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
uint64_t ticks_start = 0;
uint64_t ticks_end = 0;
ticks_start = UtilCpuGetTicks();
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
alerts += PacketAlertCheck(p, 1000);
ticks_end = UtilCpuGetTicks();
printf("test run %"PRIu64"\n", (ticks_end - ticks_start));
if(alerts == 10)
result = 1;
else
goto cleanup;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
return result;
}
开发者ID:58698301,项目名称:suricata,代码行数:78,代码来源:detect-threshold.c
示例16: DetectThresholdTestSig4
static int DetectThresholdTestSig4(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
struct timeval ts;
memset (&ts, 0, sizeof(struct timeval));
TimeGet(&ts);
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold both\"; threshold: type both, track by_dst, count 2, seconds 60; sid:10;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
TimeSetIncrementTime(200);
TimeGet(&p->ts);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 10);
if (alerts == 2)
result = 1;
else
goto cleanup;
cleanup:
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
end:
UTHFreePackets(&p, 1);
return result;
}
开发者ID:58698301,项目名称:suricata,代码行数:64,代码来源:detect-threshold.c
示例17: DetectThresholdTestSig1
static int DetectThresholdTestSig1(void) {
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
int result = 0;
int alerts = 0;
memset(&th_v, 0, sizeof(th_v));
p = UTHBuildPacketReal((uint8_t *)"A",1,IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,"alert tcp any any -> any 80 (msg:\"Threshold limit\"; threshold: type limit, track by_dst, count 5, seconds 60; sid:1;)");
if (s == NULL) {
goto end;
}
SigGroupBuild(de_ctx);
if (s->flags & SIG_FLAG_IPONLY) {
printf("signature is ip-only: ");
goto end;
}
DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts = PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
alerts += PacketAlertCheck(p, 1);
if(alerts == 5)
result = 1;
else
printf("alerts %"PRIi32", expected 5: ", alerts);
SigGroupCleanup(de_ctx);
SigCleanSignatures(de_ctx);
DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
DetectEngineCtxFree(de_ctx);
UTHFreePackets(&p, 1);
end:
return result;
}
开发者ID:58698301,项目名称:suricata,代码行数:66,代码来源:detect-threshold.c
示例18: DetectHttpMethodSigTest03
/** \test Check a signature against an unparsable request */
static int DetectHttpMethodSigTest03(void)
{
int result = 0;
Flow f;
uint8_t httpbuf1[] = " ";
uint32_t httplen1 = sizeof(httpbuf1) - 1; /* minus the \0 */
TcpSession ssn;
Packet *p = NULL;
Signature *s = NULL;
ThreadVars th_v;
DetectEngineThreadCtx *det_ctx;
HtpState *http_state = NULL;
AppLayerParserThreadCtx *alp_tctx = AppLayerParserThreadCtxAlloc();
memset(&th_v, 0, sizeof(th_v));
memset(&f, 0, sizeof(f));
memset(&ssn, 0, sizeof(ssn));
p = UTHBuildPacket(NULL, 0, IPPROTO_TCP);
FLOW_INITIALIZE(&f);
f.protoctx = (void *)&ssn;
f.proto = IPPROTO_TCP;
f.flags |= FLOW_IPV4;
p->flow = &f;
p->flowflags |= FLOW_PKT_TOSERVER;
p->flowflags |= FLOW_PKT_ESTABLISHED;
p->flags |= PKT_HAS_FLOW|PKT_STREAM_EST;
f.alproto = ALPROTO_HTTP;
StreamTcpInitConfig(TRUE);
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
if (de_ctx == NULL) {
goto end;
}
de_ctx->flags |= DE_QUIET;
s = de_ctx->sig_list = SigInit(de_ctx,
"alert tcp any any -> any any "
"(msg:\"Testing http_method\"; "
"content:\"GET\"; "
"http_method; sid:1;)");
if (s == NULL) {
SCLogDebug("Bad signature");
goto end;
}
SigGroupBuild(de_ctx);
Detect
|
客服电话
APP下载
官方微信
请发表评论