23350122333

Committed 20 Mar 2026 03:33PM UTC coverage: 76.492% (-2.8%) from 79.315%

Build # 23350122333

Build Type

Pull #15053

github

Committed by

web-flow

Commit Message

Merge f5bf69f97 into 6587e363a

Pull Request Pull Request #15053: Flow queue/v3

Coverage Stats

113 of 129 new or added lines in 9 files covered. (87.6%)

9534 existing lines in 453 files now uncovered.

256601 of 335461 relevant lines covered (76.49%)

4680806.66 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

95.28

/src/detect-msg.c

/* Copyright (C) 2007-2010 Open Information Security Foundation
 *
 * You can copy, redistribute or modify this Program under the terms of
 * the GNU General Public License version 2 as published by the Free
 * Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * version 2 along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301, USA.
 */

/**
 * \file
 *
 * \author Victor Julien <victor@inliniac.net>
 *
 * Implements the msg keyword
 */

#include "suricata-common.h"
#include "detect.h"
#include "util-classification-config.h"
#include "util-debug.h"
#include "util-unittest.h"

#include "detect-parse.h"
#include "detect-engine.h"
#include "detect-engine-mpm.h"
#include "detect-msg.h"

static int DetectMsgSetup (DetectEngineCtx *, Signature *, const char *);
#ifdef UNITTESTS
static void DetectMsgRegisterTests(void);
#endif

void DetectMsgRegister (void)
{
    sigmatch_table[DETECT_MSG].name = "msg";
    sigmatch_table[DETECT_MSG].desc = "information about the rule and the possible alert";
    sigmatch_table[DETECT_MSG].url = "/rules/meta.html#msg-message";
    sigmatch_table[DETECT_MSG].Match = NULL;
    sigmatch_table[DETECT_MSG].Setup = DetectMsgSetup;
    sigmatch_table[DETECT_MSG].Free = NULL;
#ifdef UNITTESTS
    sigmatch_table[DETECT_MSG].RegisterTests = DetectMsgRegisterTests;
#endif
    sigmatch_table[DETECT_MSG].flags = (SIGMATCH_QUOTES_MANDATORY | SIGMATCH_SUPPORT_FIREWALL);
}

static int DetectMsgSetup (DetectEngineCtx *de_ctx, Signature *s, const char *msgstr)
{
    size_t slen = strlen(msgstr);
    if (slen == 0)
        return -1;

    if (s->msg != NULL) {
        SCLogError("duplicated 'msg' keyword detected");
        return -1;
    }

    char *str = SCStrdup(msgstr);
    if (str == NULL)
        return -1;

    char converted = 0;

    {
        size_t i, x;
        uint8_t escape = 0;

        /* it doesn't matter if we need to escape or not we remove the extra "\" to mimic snort */
        for (i = 0, x = 0; i < slen; i++) {
            //printf("str[%02u]: %c\n", i, str[i]);
            if(!escape && str[i] == '\\') {
                escape = 1;
            } else if (escape) {
                if (str[i] != ':' &&
                        str[i] != ';' &&
                        str[i] != '\\' &&
                        str[i] != '\"')
                {
                    SCLogDebug("character \"%c\" does not need to be escaped but is" ,str[i]);
                }
                escape = 0;
                converted = 1;

                str[x] = str[i];
                x++;
            }else{
                str[x] = str[i];
                x++;
            }

        }
#if 0 //def DEBUG
        if (SCLogDebugEnabled()) {
            for (i = 0; i < x; i++) {
                printf("%c", str[i]);
            }
            printf("\n");
        }
#endif

        if (converted) {
            slen = x;
            str[slen] = '\0';
        }
    }

    s->msg = str;
    return 0;
}

/* -------------------------------------Unittests-----------------------------*/

#ifdef UNITTESTS
static int DetectMsgParseTest01(void)
{
    const char *teststringparsed = "flow stateless to_server";
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    SCClassConfDeInitContext(de_ctx);
    FILE *fd = SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassificationConfigFile(de_ctx, fd);

    Signature *sig = DetectEngineAppendSig(de_ctx,
            "alert tcp any any -> any any (msg:\"flow stateless to_server\"; "
            "flow:stateless,to_server; content:\"flowstatelesscheck\"; "
            "classtype:bad-unknown; sid: 40000002; rev: 1;)");
    FAIL_IF_NULL(sig);
    FAIL_IF(strcmp(sig->msg, teststringparsed) != 0);

    SCClassConfDeInitContext(de_ctx);
    DetectEngineCtxFree(de_ctx);
    PASS;
}

static int DetectMsgParseTest02(void)
{
    const char *teststringparsed = "msg escape tests wxy'\"\\;:";
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    Signature *sig = DetectEngineAppendSig(de_ctx,
            "alert tcp any any -> any any (msg:\"msg escape tests \\w\\x\\y\\'\\\"\\\\;\\:\"; "
            "flow:to_server,established; content:\"blah\"; uricontent:\"/blah/\"; sid: 100;)");
    FAIL_IF_NULL(sig);

    FAIL_IF(strcmp(sig->msg, teststringparsed) != 0);

    DetectEngineCtxFree(de_ctx);

    PASS;
}

static int DetectMsgParseTest03(void)
{
    const char *teststringparsed = "flow stateless to_server";
    DetectEngineCtx *de_ctx = DetectEngineCtxInit();
    FAIL_IF_NULL(de_ctx);

    SCClassConfDeInitContext(de_ctx);
    FILE *fd = SCClassConfGenerateValidDummyClassConfigFD01();
    SCClassConfLoadClassificationConfigFile(de_ctx, fd);

    Signature *sig = DetectEngineAppendSig(de_ctx,
            "alert tcp any any -> any any (msg: \"flow stateless to_server\"; "
            "flow:stateless,to_server; content:\"flowstatelesscheck\"; "
            "classtype:bad-unknown; sid: 40000002; rev: 1;)");
    FAIL_IF_NULL(sig);
    FAIL_IF(strcmp(sig->msg, teststringparsed) != 0);

    SCClassConfDeInitContext(de_ctx);
    DetectEngineCtxFree(de_ctx);
    PASS;
}

/**
 * \brief this function registers unit tests for DetectMsg
 */
void DetectMsgRegisterTests(void)
{
    UtRegisterTest("DetectMsgParseTest01", DetectMsgParseTest01);
    UtRegisterTest("DetectMsgParseTest02", DetectMsgParseTest02);
    UtRegisterTest("DetectMsgParseTest03", DetectMsgParseTest03);
}
#endif /* UNITTESTS */

1	/* Copyright (C) 2007-2010 Open Information Security Foundation
2	*
3	* You can copy, redistribute or modify this Program under the terms of
4	* the GNU General Public License version 2 as published by the Free
5	* Software Foundation.
6	*
7	* This program is distributed in the hope that it will be useful,
8	* but WITHOUT ANY WARRANTY; without even the implied warranty of
9	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10	* GNU General Public License for more details.
11	*
12	* You should have received a copy of the GNU General Public License
13	* version 2 along with this program; if not, write to the Free Software
14	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15	* 02110-1301, USA.
16	*/
17
18	/**
19	* \file
20	*
21	* \author Victor Julien <victor@inliniac.net>
22	*
23	* Implements the msg keyword
24	*/
25
26	#include "suricata-common.h"
27	#include "detect.h"
28	#include "util-classification-config.h"
29	#include "util-debug.h"
30	#include "util-unittest.h"
31
32	#include "detect-parse.h"
33	#include "detect-engine.h"
34	#include "detect-engine-mpm.h"
35	#include "detect-msg.h"
36
37	static int DetectMsgSetup (DetectEngineCtx , Signature , const char *);
38	#ifdef UNITTESTS
39	static void DetectMsgRegisterTests(void);
40	#endif
41
42	void DetectMsgRegister (void)
43	{	2,222✔
44	sigmatch_table[DETECT_MSG].name = "msg";	2,222✔
45	sigmatch_table[DETECT_MSG].desc = "information about the rule and the possible alert";	2,222✔
46	sigmatch_table[DETECT_MSG].url = "/rules/meta.html#msg-message";	2,222✔
47	sigmatch_table[DETECT_MSG].Match = NULL;	2,222✔
48	sigmatch_table[DETECT_MSG].Setup = DetectMsgSetup;	2,222✔
49	sigmatch_table[DETECT_MSG].Free = NULL;	2,222✔
50	#ifdef UNITTESTS	3✔
51	sigmatch_table[DETECT_MSG].RegisterTests = DetectMsgRegisterTests;	3✔
52	#endif	3✔
53	sigmatch_table[DETECT_MSG].flags = (SIGMATCH_QUOTES_MANDATORY \| SIGMATCH_SUPPORT_FIREWALL);	2,222✔
54	}	2,222✔
55
56	static int DetectMsgSetup (DetectEngineCtx de_ctx, Signature s, const char *msgstr)
57	{	145,159✔
58	size_t slen = strlen(msgstr);	145,159✔
59	if (slen == 0)	145,159✔
60	return -1;	×
61
62	if (s->msg != NULL) {	145,159✔
UNCOV 63	SCLogError("duplicated 'msg' keyword detected");	×
UNCOV 64	return -1;	×
UNCOV 65	}	×
66
67	char *str = SCStrdup(msgstr);	145,159✔
68	if (str == NULL)	145,159✔
69	return -1;	×
70
71	char converted = 0;	145,159✔
72
73	{	145,159✔
74	size_t i, x;	145,159✔
75	uint8_t escape = 0;	145,159✔
76
77	/* it doesn't matter if we need to escape or not we remove the extra "\" to mimic snort */
78	for (i = 0, x = 0; i < slen; i++) {	5,916,738✔
79	//printf("str[%02u]: %c\n", i, str[i]);
80	if(!escape && str[i] == '\\') {	5,771,579✔
81	escape = 1;	31✔
82	} else if (escape) {	5,771,548✔
83	if (str[i] != ':' &&	31✔
84	str[i] != ';' &&	31✔
85	str[i] != '\\' &&	31✔
86	str[i] != '\"')	31✔
87	{	28✔
88	SCLogDebug("character \"%c\" does not need to be escaped but is" ,str[i]);	28✔
89	}	28✔
90	escape = 0;	31✔
91	converted = 1;	31✔
92
93	str[x] = str[i];	31✔
94	x++;	31✔
95	}else{	5,771,517✔
96	str[x] = str[i];	5,771,517✔
97	x++;	5,771,517✔
98	}	5,771,517✔
99
100	}	5,771,579✔
101	#if 0 //def DEBUG
102	if (SCLogDebugEnabled()) {
103	for (i = 0; i < x; i++) {
104	printf("%c", str[i]);
105	}
106	printf("\n");
107	}
108	#endif
109
110	if (converted) {	145,159✔
111	slen = x;	21✔
112	str[slen] = '\0';	21✔
113	}	21✔
114	}	145,159✔
115
116	s->msg = str;	145,159✔
117	return 0;	145,159✔
118	}	145,159✔
119
120	/* -------------------------------------Unittests-----------------------------*/
121
122	#ifdef UNITTESTS
123	static int DetectMsgParseTest01(void)
124	{	1✔
125	const char *teststringparsed = "flow stateless to_server";	1✔
126	DetectEngineCtx *de_ctx = DetectEngineCtxInit();	1✔
127	FAIL_IF_NULL(de_ctx);	1✔
128
129	SCClassConfDeInitContext(de_ctx);	1✔
130	FILE *fd = SCClassConfGenerateValidDummyClassConfigFD01();	1✔
131	SCClassConfLoadClassificationConfigFile(de_ctx, fd);	1✔
132
133	Signature *sig = DetectEngineAppendSig(de_ctx,	1✔
134	"alert tcp any any -> any any (msg:\"flow stateless to_server\"; "	1✔
135	"flow:stateless,to_server; content:\"flowstatelesscheck\"; "	1✔
136	"classtype:bad-unknown; sid: 40000002; rev: 1;)");	1✔
137	FAIL_IF_NULL(sig);	1✔
138	FAIL_IF(strcmp(sig->msg, teststringparsed) != 0);	1✔
139
140	SCClassConfDeInitContext(de_ctx);	1✔
141	DetectEngineCtxFree(de_ctx);	1✔
142	PASS;	1✔
143	}	1✔
144
145	static int DetectMsgParseTest02(void)
146	{	1✔
147	const char *teststringparsed = "msg escape tests wxy'\"\\;:";	1✔
148	DetectEngineCtx *de_ctx = DetectEngineCtxInit();	1✔
149	FAIL_IF_NULL(de_ctx);	1✔
150
151	Signature *sig = DetectEngineAppendSig(de_ctx,	1✔
152	"alert tcp any any -> any any (msg:\"msg escape tests \\w\\x\\y\\'\\\"\\\\;\\:\"; "	1✔
153	"flow:to_server,established; content:\"blah\"; uricontent:\"/blah/\"; sid: 100;)");	1✔
154	FAIL_IF_NULL(sig);	1✔
155
156	FAIL_IF(strcmp(sig->msg, teststringparsed) != 0);	1✔
157
158	DetectEngineCtxFree(de_ctx);	1✔
159
160	PASS;	1✔
161	}	1✔
162
163	static int DetectMsgParseTest03(void)
164	{	1✔
165	const char *teststringparsed = "flow stateless to_server";	1✔
166	DetectEngineCtx *de_ctx = DetectEngineCtxInit();	1✔
167	FAIL_IF_NULL(de_ctx);	1✔
168
169	SCClassConfDeInitContext(de_ctx);	1✔
170	FILE *fd = SCClassConfGenerateValidDummyClassConfigFD01();	1✔
171	SCClassConfLoadClassificationConfigFile(de_ctx, fd);	1✔
172
173	Signature *sig = DetectEngineAppendSig(de_ctx,	1✔
174	"alert tcp any any -> any any (msg: \"flow stateless to_server\"; "	1✔
175	"flow:stateless,to_server; content:\"flowstatelesscheck\"; "	1✔
176	"classtype:bad-unknown; sid: 40000002; rev: 1;)");	1✔
177	FAIL_IF_NULL(sig);	1✔
178	FAIL_IF(strcmp(sig->msg, teststringparsed) != 0);	1✔
179
180	SCClassConfDeInitContext(de_ctx);	1✔
181	DetectEngineCtxFree(de_ctx);	1✔
182	PASS;	1✔
183	}	1✔
184
185	/**
186	* \brief this function registers unit tests for DetectMsg
187	*/
188	void DetectMsgRegisterTests(void)
189	{	1✔
190	UtRegisterTest("DetectMsgParseTest01", DetectMsgParseTest01);	1✔
191	UtRegisterTest("DetectMsgParseTest02", DetectMsgParseTest02);	1✔
192	UtRegisterTest("DetectMsgParseTest03", DetectMsgParseTest03);	1✔
193	}	1✔
194	#endif /* UNITTESTS */

OISF / suricata / 23350122333

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous