# File covered: evl.c
# Directory holding the test input files. The path is relative, so it is
# resolved against the interpreter's current working directory rather than
# against the location of this script.
set pathToTestFiles "./tests/"
puts stdout $pathToTestFiles

# Load tcltest and import its commands, but only when ::tcltest is not
# already one of the children of the current namespace.
if {[lsearch [namespace children] ::tcltest] < 0} {
    package require tcltest
    namespace import -force ::tcltest::*
}
# check --
#
#   Report on stdout whether one test case produced the expected result.
#
# Arguments:
#   testId          identifier printed in the pass/fail line
#   result          value actually obtained for the test
#   expectedResult  value the test is expected to produce
#   pktString       packet description, printed only on failure
#   mgrString       rule text, printed only on failure
#
# Results:
#   Nothing is returned or raised; the outcome is only printed, so a caller
#   cannot act on a failure through this proc.
#
# NOTE(review): the comparison uses the expr operator ==, which compares
# numerically when both operands look like numbers (so "0" and "0.0" are
# treated as equal) and as strings otherwise. Use eq/ne if an exact textual
# match of the result is intended.
proc check { testId result expectedResult pktString mgrString } {
    if { $result == $expectedResult } {
        puts "Test $testId passed"
        return
    }

    # Failure: print the verdict followed by the inputs needed to reproduce it.
    set report [list \
        "Test $testId failed" \
        "\tPkt=\t$pktString" \
        "\tRules=\t$mgrString" \
        "\tExpected result=$expectedResult, actual result=$result"]
    foreach line $report {
        puts $line
    }
}
proc indivTests { } {
global pathToTestFiles
set testId 0
# set pkt [pktCreateFromString "srcip:192.168.1.1; destip:1.2.3.4; ipflags:MF; ipoptions:EOOL; offset:1234; ttl:255; protocol:tcp; srcport:80; destport:80; seqnum:100; acknum:100; tcpflag:fin; size:100; content:\"foo\"; depth:0; content:\"bar\"; depth:4; mesg:\"a message\";"]
lappend TESTS [ list evl-0 \
{Check on source IP} \
{ protocol:tcp; srcip:192.168.1.1; } \
{ tcp 192.168.1.1 any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-1 \
{DOC srcip} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp 192.168.1.1 any -> any any ( ) drop; } \
{} ]
lappend TESTS [ list evl-2 \
{srcip, src port} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; } \
{ tcp 192.168.1.1 80 -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-3 \
{dest ip, dest port} \
{ protocol:tcp; destip:192.168.1.1; destport:80; } \
{ tcp any any -> 192.168.1.1; 80 ( ) drop; } \
{0} ]
lappend TESTS [ list evl-4 \
{src/dest ip/port} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp 192.168.1.1 80 -> 192.168.1.1 80 ( ) drop; } \
{0} ]
lappend TESTS [ list evl-5-0 \
{DOC Check on source and destination addresses and ports} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp 192.168.1.0 80 -> 192.168.1.1 80 ( ) drop;
tcp 192.168.1.1 80 -> 192.168.1.1 80 ( ) drop; } \
{1} ]
lappend TESTS [ list evl-6 \
{two rules, src/dest ip/tcp} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp 192.168.1.1 80 -> 192.168.1.1 80 ( ) drop;
tcp 192.168.1.1 80 -> 192.168.1.1 80 ( ) drop; } \
{0,1} ]
lappend TESTS [ list evl-7 \
{ip masking} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp 192.168.0.1/255.255.255.0 80 -> 192.168.1.1 80 ( ) drop; } \
{} ]
lappend TESTS [ list evl-8 \
{ip negation} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp !192.168.1.1 80 -> 192.168.1.1 80 ( ) drop; } \
{} ]
lappend TESTS [ list evl-9 \
{ip negation} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp !192.168.1.0 80 -> 192.168.1.1 80 ( ) drop; } \
{0} ]
lappend TESTS [ list evl-10 \
{ip list} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp 192.168.1.0,192.168.1.2 80 -> 192.168.1.1 80 ( ) drop; } \
{} ]
lappend TESTS [ list evl-11 \
{ip list} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ tcp 192.168.1.0,192.168.1.2,192.168.1.1 80 -> 192.168.1.1 80 ( ) drop; } \
{0} ]
lappend TESTS [ list evl-12 \
{define ip} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ var HN 192.168.1.1
tcp HN 80 -> 192.168.1.1 80 ( ) drop; } \
{0} ]
lappend TESTS [ list evl-13 \
{define ip} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ var HN 192.168.1.1/255.0.0.0
tcp HN 80 -> 192.168.1.1 80 ( ) drop; } \
{0} ]
lappend TESTS [ list evl-14 \
{define ip, tcp} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; destport:80; } \
{ var HN 192.168.1.1/255.0.0.0
var HTTP_PORTS 80
tcp HN 80 -> 192.168.1.1 80 ( ) drop;
tcp HN 80 -> 192.168.1.1 HTTP_PORTS ( ) drop; } \
{0,1} ]
lappend TESTS [ list evl-15 \
{define ip, tcp with negation} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:80; } \
{ var HN !1.2.3.4
var HTTP_PORTS 80
tcp HN 80 -> any 80 ( ) drop;
tcp 192.168.1.1 80 -> any HTTP_PORTS ( ) drop; } \
{} ]
lappend TESTS [ list evl-16 \
{define ip, tcp with range, mask} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:80; destip:192.168.1.1; } \
{ var HN 192.168.1.1/255.0.0.0,1.2.3.4
var HTTP_PORTS 80
tcp HN 80 -> 192.168.1.1 80 ( ) drop;
tcp 192.168.1.1 80 -> 192.168.1.1 HTTP_PORTS ( ) drop; } \
{0} ]
lappend TESTS [ list evl-17 \
{define ip, tcp with range, mask} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:80; destip:192.168.1.1; } \
{ var HN !1.2.3.4
var HTTP_PORTS 80
tcp !HN 80 -> 192.168.1.1 80 ( ) drop;
tcp 192.168.1.1 80 -> 192.168.1.1 HTTP_PORTS ( ) drop; } \
{0} ]
lappend TESTS [ list evl-18 \
{define ip, tcp with range, mask} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; } \
{ var HTTP_PORTS 80
tcp 1.2.3.4 HTTP_PORTS -> any !HTTP_PORTS ( ) drop;
tcp 192.168.1.1 80 -> any HTTP_PORTS ( ) drop; } \
{0} ]
lappend TESTS [ list evl-19 \
{define ip, tcp with range, mask} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; } \
{ var HTTP_PORTS 0:1024
tcp 1.2.3.4 HTTP_PORTS -> any !HTTP_PORTS ( ) drop;
tcp 1.2.3.4 80 -> any HTTP_PORTS ( ) drop; } \
{1} ]
lappend TESTS [ list evl-20 \
{define port with half range} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; } \
{ var HTTP_PORTS :1024
tcp 1.2.3.4 HTTP_PORTS -> any !HTTP_PORTS ( ) drop;
tcp 1.2.3.4 80 -> any HTTP_PORTS ( ) drop; } \
{1} ]
lappend TESTS [ list evl-21 \
{define port with half range} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; } \
{ var HTTP_PORTS 1024:
tcp 1.2.3.4 !HTTP_PORTS -> any !HTTP_PORTS ( ) drop;
tcp 1.2.3.4 80 -> any HTTP_PORTS ( ) drop; } \
{0} ]
lappend TESTS [ list evl-22-1 \
{content check} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:100; content:foo;} \
{ tcp 1.2.3.4 80 -> any 0 ( content:"foo"; ) drop; } \
{0} ]
lappend TESTS [ list evl-22-2 \
{content check, test result on udp packet} \
{ protocol:udp; srcip:1.2.3.4; srcport:80; destport:0; size:100; content:foo;} \
{ udp 1.2.3.4 80 -> any 0 ( content:"foo"; ) drop; } \
{0} ]
lappend TESTS [ list evl-22-3 \
{content check, test result on ip packet} \
{ protocol:udp; srcip:1.2.3.4; srcport:80; destport:0; size:100; content:foo;} \
{ ip 1.2.3.4 80 -> any 0 ( content:"foo"; ) drop; } \
{0} ]
lappend TESTS [ list evl-22-4 \
{content check, test result on ip packet} \
{ protocol:udp; srcip:1.2.3.4; srcport:80; destport:0; size:1; content:0; } \
{ ip 1.2.3.4 80 -> any 0 ( content:"|30|"; ) drop; } \
{0} ]
lappend TESTS [ list evl-23 \
{content check} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:100; content:goodboy;} \
{ tcp 1.2.3.4 80 -> any 0 ( content:"goodboys"; ) drop; } \
{} ]
lappend TESTS [ list evl-24 \
{tcp seq number} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; seq:0; destport:0; } \
{ tcp 1.2.3.4 80 -> any 0 ( seq:0; ) drop; } \
{0} ]
lappend TESTS [ list evl-25 \
{multiple content} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:100; content:good; content:abc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"good"; content:"abc"; ) drop; } \
{} ]
lappend TESTS [ list evl-26 \
{tcp seq number} \
{ protocol:tcp; srcip:1.2.3.4; seq:131; } \
{ tcp 1.2.3.4 any -> any any ( seq:131; ) drop; } \
{0} ]
lappend TESTS [ list evl-27 \
{tcp ack number} \
{ protocol:tcp; srcip:1.2.3.4; ack:131; } \
{ tcp 1.2.3.4 any -> any any ( ack:131; ) drop; } \
{0} ]
lappend TESTS [ list evl-28 \
{tcp ack number} \
{ protocol:tcp; srcip:1.2.3.4; ack:131; } \
{ tcp 1.2.3.4 any -> any any ( ack:0; ) drop; } \
{} ]
lappend TESTS [ list evl-29 \
{seq and ack} \
{ protocol:tcp; srcip:1.2.3.4; seq:0; ack:131; } \
{ tcp 1.2.3.4 any -> any any ( seq:0; ack:131; ) drop; } \
{0} ]
lappend TESTS [ list evl-30 \
{seq} \
{ protocol:tcp; srcip:1.2.3.4; seq:131; } \
{ tcp 1.2.3.4 any -> any any ( seq:1131; ) drop; } \
{} ]
lappend TESTS [ list evl-31 \
{seq and content} \
{ protocol:tcp; srcip:1.2.3.4; seq:100; srcport:80; destport:0; size:100; content:good; } \
{ tcp 1.2.3.4 80 -> any 0 ( seq:100; content:"good"; ) drop; } \
{0} ]
lappend TESTS [ list evl-32 \
{size} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"good"; content:"abc"; ) drop; } \
{0} ]
lappend TESTS [ list evl-33 \
{size} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"bc"; ) drop; } \
{0} ]
lappend TESTS [ list evl-34-1 \
{pcre} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( pcre:"bc"; ) drop; } \
{0} ]
lappend TESTS [ list evl-34-2 \
{pcre} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzacb; } \
{ tcp 1.2.3.4 80 -> any 0 ( pcre:"bc"; ) drop; } \
{} ]
lappend TESTS [ list evl-34-3 \
{pcre} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:20; content:goodxyzabcd; } \
{ tcp 1.2.3.4 80 -> any 0 ( pcre:"ab.*cd"; ) drop; } \
{0} ]
lappend TESTS [ list evl-34-4 \
{pcre} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:20; content:goodxyzabcd; } \
{ tcp 1.2.3.4 80 -> any 0 ( pcre:"[g]+[o]+.*abcd"; ) drop; } \
{0} ]
lappend TESTS [ list evl-35-2 \
{depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:bgoodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"bc"; depth:10; ) drop; } \
{} ]
lappend TESTS [ list evl-36 \
{depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"bc"; depth:0; ) drop; } \
{} ]
lappend TESTS [ list evl-37 \
{depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"bc"; depth:9; ) drop; } \
{} ]
# depth = 8 means we look only up to "abc"
lappend TESTS [ list evl-38 \
{depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"bc"; depth:8; ) drop; } \
{} ]
lappend TESTS [ list evl-39 \
{offset} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:3; ) drop; } \
{} ]
lappend TESTS [ list evl-40-1 \
{offsetsrcip} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:8; ) drop; } \
{} ]
lappend TESTS [ list evl-40-2 \
{offsetsrcip} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:16; content:12345678odxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:8; ) drop; } \
{0} ]
lappend TESTS [ list evl-40-3 \
{offsetsrcip} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:15; content:1234567odxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:8; ) drop; } \
{} ]
lappend TESTS [ list evl-41 \
{content} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc;} \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-1 \
{offset, within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"abc"; within:2; ) drop; } \
{} ]
lappend TESTS [ list evl-42-2 \
{offset, within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:8; content:goodxabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"abc"; within:2; ) drop; } \
{} ]
lappend TESTS [ list evl-42-3 \
{offset, within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:8; content:goodxabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"abc"; within:3; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-4 \
{offset, within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:9; content:goodxyabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"abc"; within:4; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-5 \
{offset, within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:8; content:goodxabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"ab"; within:2; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-6 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:8; content:goodxabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"ab"; within:6; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-7 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:12; content:goodx1234abc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"ab"; within:5; ) drop; } \
{} ]
lappend TESTS [ list evl-42-8 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:12; content:goodx1234abc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"ab"; within:6; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-9 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:11; content:goodx1234ab; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"ab"; within:6; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-10 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:20; content:goodxy1234abc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"abc"; within:6; ) drop; } \
{} ]
lappend TESTS [ list evl-42-11 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:20; content:goodx123abc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"abc"; within:6; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-12 \
{two within} \
{ protocol:tcp; size:15; content:foo123barxyzabc; } \
{ tcp any any -> any any ( content:"foo"; content:"bar"; within:6; content:"abc"; within:6; ) drop; } \
{0} ]
lappend TESTS [ list evl-42-13 \
{two withins} \
{ protocol:tcp; size:15; content:foobarbarxyzabc; } \
{ tcp any any -> any any ( content:"foo"; content:"bar"; within:6; content:"abc"; within:6; ) drop; } \
{} ]
lappend TESTS [ list evl-43 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"a"; within:10; content:"bc"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-1 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"a"; within:1; content:"c"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-2 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"a"; distance:1; content:"c"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-3-1 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"a"; distance:2; content:"c"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-3-2 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"a"; distance:3; content:"c"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-3-3-1 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; distance:3; content:"c"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-3-3-2 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; distance:2; content:"c"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-3-3-3 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:abcgood; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; distance:3; content:"c"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-3-3-4 \
{depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:15; content:goodxyzabc12345; } \
{tcp 1.2.3.4 80 -> any 0 ( content:"a"; depth:3; content:"c"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-3-3-5 \
{within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:15; content:goodxyzabc12345; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; within:10; content:"c"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-3-3-6 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:15; content:goodxyzabc12345; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; distance:8; content:"c"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-3-4-1 \
{depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:4; content:abcd; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; depth:1; content:"c"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-3-4-2 \
{depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:4; content:abcd; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; depth:2; content:"c"; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-3-4-3 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:4; content:abcd; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; distance:3; content:"c"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-3-4-4 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:4; content:abcd; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"a"; distance:4; content:"c"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-4 \
{offset,distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; offset:2; content:"good"; distance:2; content:"abc"; ) drop; } \
{} ]
lappend TESTS [ list evl-44-5 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:20; content:goodx12345abc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"abc"; distance:6; ) drop; } \
{} ]
lappend TESTS [ list evl-44-6 \
{distance} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:20; content:goodx123456abc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odx"; content:"abc"; distance:6; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-7 \
{offset,depth} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"odxy"; offset:2; depth:8; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-8 \
{distance,offset,depth,within} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:11; content:0abc1234foO; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"abc"; depth:6; offset:1; content:"foo"; nocase; distance:4; within:7; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-9 \
{negated check, offset} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:4; content:abcd; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:!"abc"; offset:1; ) drop; } \
{0} ]
lappend TESTS [ list evl-44-10 \
{negated check, offset} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:4; content:xabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:!"abc"; offset:1; ) drop; } \
{} ]
lappend TESTS [ list evl-44-11 \
{large offset} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:4; content:xabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"xyz"; offset:10000; ) drop; } \
{} ]
lappend TESTS [ list evl-45 \
{content, case} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"ABC"; ) drop; } \
{} ]
lappend TESTS [ list evl-46 \
{s, casercip} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:goodxyzabc; } \
{ tcp 1.2.3.4 80 -> any 0 ( content:"ABC"; nocase; ) drop; } \
{0} ]
lappend TESTS [ list evl-47 \
{ttl} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ttl:100; } \
{ tcp 1.2.3.4 80 -> any 0 ( ttl:100; ) drop; } \
{0} ]
lappend TESTS [ list evl-48 \
{ttl >} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ttl:100; } \
{ tcp 1.2.3.4 80 -> any 0 ( ttl:>100; ) drop; } \
{} ]
lappend TESTS [ list evl-49 \
{tl <} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ttl:100; } \
{ tcp 1.2.3.4 80 -> any 0 ( ttl:<100; ) drop; } \
{} ]
lappend TESTS [ list evl-50 \
{tl <} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ttl:100; } \
{ tcp 1.2.3.4 80 -> any 0 ( ttl:<101; ) drop; } \
{0} ]
# note dsize is not the same as size, latter is for just tcp payload
lappend TESTS [ list evl-51 \
{dsize} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:100; content:foo; } \
{ tcp 1.2.3.4 80 -> any 0 ( dsize:140; ) drop; } \
{0} ]
# note dsize is not the same as size, latter is for just tcp payload
lappend TESTS [ list evl-52 \
{dsize <} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:100; content:foo; } \
{ tcp 1.2.3.4 80 -> any 0 ( dsize:<140; ) drop; } \
{} ]
# note dsize is not the same as size, latter is for just tcp payload
lappend TESTS [ list evl-53 \
{dsize >} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; size:10; content:foo; } \
{ tcp 1.2.3.4 80 -> any 0 ( dsize:>0; ) drop; } \
{0} ]
lappend TESTS [ list evl-54 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:S; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:S; ) drop; } \
{0} ]
lappend TESTS [ list evl-55 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:S; tcpflags:A; tcpflags:!C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:SAC; ) drop; } \
{} ]
lappend TESTS [ list evl-56 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:S; tcpflags:A; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:SAC; ) drop; } \
{0} ]
lappend TESTS [ list evl-57 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:S; tcpflags:A; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:!S!A!C; ) drop; } \
{} ]
lappend TESTS [ list evl-58 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:S; tcpflags:A; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:SA!C; ) drop; } \
{} ]
lappend TESTS [ list evl-59 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:!F; tcpflags:E; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:ECF; ) drop; } \
{} ]
lappend TESTS [ list evl-59-1 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:!U; tcpflags:E; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:UCE; ) drop; } \
{} ]
lappend TESTS [ list evl-59-2 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:!R; tcpflags:E; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:RCE; ) drop; } \
{} ]
lappend TESTS [ list evl-59-3 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:P; tcpflags:E; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:!PCF; ) drop; } \
{} ]
lappend TESTS [ list evl-59-4 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:!A; tcpflags:E; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:ACE; ) drop; } \
{} ]
lappend TESTS [ list evl-59-5 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:!E; tcpflags:C; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:E; ) drop; } \
{} ]
lappend TESTS [ list evl-59-6 \
{tcpflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; tcpflags:!P; } \
{ tcp 1.2.3.4 80 -> any 0 ( flags:P; ) drop; } \
{} ]
lappend TESTS [ list evl-60 \
{ipflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:!RB; } \
{ tcp 1.2.3.4 80 -> any 0 ( fragbits:!R; ) drop; } \
{0} ]
lappend TESTS [ list evl-61 \
{ipflags} \
{ protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:RB; } \
{ tcp 1.2.3.4 80 -> any 0 ( fragbits:R; ) drop; } \
{0} ]
lappend TESTS [ list evl-62 \
{ipflags} \
{protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:!RB; } \
{ tcp 1.2.3.4 80 -> any 0 ( fragbits:R; ) drop; } \
{} ]
lappend TESTS [ list evl-63-1 \
{ipflags} \
{protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:RB; ipflags:MF; ipflags:DF; } \
{tcp 1.2.3.4 80 -> any 0 ( fragbits:!R; ) drop; } \
{} ]
lappend TESTS [ list evl-63-2\
{ipflags} \
{protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:RB; ipflags:MF; ipflags:DF; } \
{tcp 1.2.3.4 80 -> any 0 ( fragbits:R; ) drop; } \
{0} ]
lappend TESTS [ list evl-63-3 \
{ipflags} \
{protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:RB; ipflags:MF; ipflags:DF; } \
{tcp 1.2.3.4 80 -> any 0 ( fragbits:!D; ) drop; } \
{} ]
lappend TESTS [ list evl-63-4\
{ipflags} \
{protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:RB; ipflags:MF; ipflags:DF; } \
{tcp 1.2.3.4 80 -> any 0 ( fragbits:D; ) drop; } \
{0} ]
lappend TESTS [ list evl-63-4\
{ipflags} \
{protocol:tcp; srcip:1.2.3.4; srcport:80; destport:0; ipflags:RB; ipflags:MF; ipflags:DF; } \
{tcp 1.2.3.4 80 -> any 0 ( fragbits:!M; ) drop; } \
{} ]
lappend TESTS [ list evl-64 \
{srcip, with ip} \
{ protocol:tcp; srcip:192.168.1.1; } \
{ ip 192.168.1.1 any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-65 \
{srcip, with udp} \
{ protocol:tcp; srcip:192.168.1.1; destport:1111; } \
{ udp 192.168.1.1 any -> any any ( ) drop; } \
{} ]
lappend TESTS [ list evl-66 \
{srcip, with any} \
{protocol:tcp; srcip:192.168.1.1; } \
{ip 192.168.1.1 any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-67-1 \
{srcip, with icmp} \
{ protocol:icmp; srcip:192.168.1.1; icode:0; icmp_seq:0; itype:0; icmp_id:0; } \
{ icmp 192.168.1.1 any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-67-0 \
{srcip, with tcp} \
{ protocol:tcp; srcip:192.168.1.1; icode:0; icmp_seq:0; itype:0; icmp_id:0; } \
{ tcp 192.168.1.1 any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-67-2 \
{srcip, with icmp} \
{ protocol:icmp; srcip:192.168.1.1; icode:0; icmp_seq:0; itype:0; icmp_id:0; } \
{ icmp 192.168.1.1 any -> any any ( icode:0; ) drop; } \
{0} ]
lappend TESTS [ list evl-67-3 \
{srcip, with icmp} \
{ protocol:icmp; srcip:192.168.1.1; icode:0; icmp_seq:0; itype:0; icmp_id:0; } \
{ icmp 192.168.1.1 any -> any any ( icode:1; ) drop; } \
{} ]
lappend TESTS [ list evl-67-4 \
{srcip, with icmp} \
{ protocol:icmp; srcip:192.168.1.1; icode:0; icmp_seq:0; itype:0; icmp_id:0; } \
{ icmp 192.168.1.1 any -> any any ( itype:1; ) drop; } \
{} ]
lappend TESTS [ list evl-67-4 \
{srcip, with icmp} \
{ protocol:icmp; srcip:192.168.1.1; icode:0; icmp_seq:0; itype:0; icmp_id:0; } \
{ icmp 192.168.1.1 any -> any any ( icmp_seq:1; ) drop; } \
{} ]
lappend TESTS [ list evl-67-4 \
{srcip, with icmp} \
{ protocol:icmp; srcip:192.168.1.1; icode:0; icmp_seq:0; itype:0; icmp_id:0; } \
{ icmp 192.168.1.1 any -> any any ( icmp_id:1; ) drop; } \
{} ]
lappend TESTS [ list evl-68 \
{srcip, with parens} \
{ protocol:tcp; srcip:192.168.1.1; } \
{ ip [192.168.1.1] any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-69 \
{srcip, with parens} \
{ protocol:tcp; srcip:192.168.1.1; } \
{ ip ![192.168.1.1] any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-70 \
{srcip, with parens} \
{ protocol:tcp; srcip:192.168.1.1; } \
{ ip ![192.168.1.1,192.12.12.12] any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-71 \
{srcip, with list} \
{ protocol:tcp; srcip:192.168.1.1; } \
{ ip 192.168.1.1,192.12.12.12 any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-72 \
{srcip, with /24} \
{ protocol:tcp; srcip:192.168.1.1; } \
{ ip 192.168.1.1/24,192.12.12.12 any -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-73 \
{tcp, with negated single port} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; } \
{ tcp 192.168.1.1/24,192.12.12.12 !79 -> any any ( ) drop; } \
{0} ]
lappend TESTS [ list evl-73-1 \
{multiple ports} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; } \
{ tcp 192.168.1.1/24,192.12.12.12 79:81 -> any any ( ) drop; } \
{0} ]
#lappend TESTS [ list evl-73-2 \
# {multiple ports, set of ports using commas is not currently allowed} \
# { protocol:tcp; srcip:192.168.1.1; srcport:80; } \
# { tcp 192.168.1.1/24,192.12.12.12 79,81 -> any any ( ) drop; } \
# {} ]
lappend TESTS [ list evl-74 \
{sameip} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.0; } \
{ tcp 192.168.1.1/24,192.12.12.12 !79 -> any any ( sameip; ) drop; } \
{} ]
lappend TESTS [ list evl-75 \
{sameip} \
{ protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; } \
{ tcp 192.168.1.1/24,192.12.12.12 !79 -> any any ( sameip; ) drop; } \
{0} ]
lappend TESTS [ list evl-76-1 \
{var} \
"var HTTP_PORT 80\nprotocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1;" \
"var HTTP_PORT 80\ntcp 192.168.1.1 HTTP_PORT -> 192.168.1.1 any ( sameip; ) drop;" \
{0} ]
lappend TESTS [ list evl-76-2 \
{var} \
"var HTTP_PORT 80\nprotocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1;" \
"var HTTP_PORT 80\ntcp 192.168.1.1/24,192.12.12.12 !HTTP_PORT -> 0.0.0.0 any ( sameip; ) drop;" \
{} ]
lappend TESTS [ list evl-77-1 \
{basic udp} \
{protocol:udp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{udp 192.168.1.1 80 -> 192.168.1.1 any ( content:"abc"; ) drop;} \
{0} ]
lappend TESTS [ list evl-77-2 \
{basic udp} \
{protocol:udp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; content:abc;} \
{udp 192.168.1.1 80 -> 0.0.0.0 any ( content:"abc"; ) drop;} \
{} ]
lappend TESTS [ list evl-77-3 \
{basic udp} \
{protocol:udp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"abc"; ) drop;} \
{} ]
lappend TESTS [ list evl-78-1 \
{ip_proto} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ip_proto:0; ) drop;} \
{} ]
lappend TESTS [ list evl-78-2 \
{ip_proto} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ip_proto:8; ) drop;} \
{} ]
lappend TESTS [ list evl-78-3 \
{ip_proto} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ip_proto:!8; ) drop;} \
{0} ]
lappend TESTS [ list evl-78-4 \
{ip_proto} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ip_proto:<2; ) drop;} \
{} ]
lappend TESTS [ list evl-78-5 \
{ip_proto} \
{protocol:udp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{udp 192.168.1.1 80 -> 192.168.1.1 any ( ip_proto:17; ) drop;} \
{0} ]
lappend TESTS [ list evl-78-6 \
{ip_proto} \
{protocol:udp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ip_proto:16; ) drop;} \
{} ]
lappend TESTS [ list evl-79-1 \
{id} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc; id:0; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( id:0; ) drop;} \
{0} ]
lappend TESTS [ list evl-79-2 \
{id} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc; id:0; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( id:!0; ) drop;} \
{} ]
lappend TESTS [ list evl-79-3 \
{id} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc; id:0; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( id:>0; ) drop;} \
{} ]
lappend TESTS [ list evl-79-4 \
{id} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc; id:25; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( id:<100; ) drop;} \
{0} ]
lappend TESTS [ list evl-79-5 \
{id} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:3; content:abc; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( id:>255; ) drop;} \
{} ]
lappend TESTS [ list evl-80-1 \
{byte_jump} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:100; content:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_jump:4,20:relative,align; content:"0";) drop;} \
{0} ]
lappend TESTS [ list evl-80-2 \
{byte_jump} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:100; content:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_jump:4,20:relative,align; content:"9";) drop;} \
{} ]
lappend TESTS [ list evl-80-3 \
{byte_jump} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:100; content:100000000099900000000000000000000000000000000000000000000000000000000000000000000000000000000000000; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_jump:2,0,relative,align; content:"9";) drop;} \
{0} ]
lappend TESTS [ list evl-80-4 \
{byte_jump} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:100; content:100000000099900000000000000000000000000000000000000000000000000000000000000000000000000000000000000; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_jump:2,0,relative,align; content:"1";) drop;} \
{0} ]
lappend TESTS [ list evl-81-1 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,>,6,2; content:"1";) drop;} \
{} ]
lappend TESTS [ list evl-81-2 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,<,6,2; content:"1";) drop;} \
{0} ]
lappend TESTS [ list evl-81-3 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:2,>,6,0; content:"1";) drop;} \
{} ]
lappend TESTS [ list evl-81-4 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,>,6,5; ) drop;} \
{} ]
lappend TESTS [ list evl-81-5 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,>,6,4; ) drop;} \
{} ]
lappend TESTS [ list evl-81-6 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,>,6,6; ) drop;} \
{} ]
lappend TESTS [ list evl-81-7 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,>,6,7; ) drop;} \
{0} ]
lappend TESTS [ list evl-81-8 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,>,6,6; ) drop;} \
{} ]
lappend TESTS [ list evl-81-9 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"0"; byte_test:1,<,5,6,relative; ) drop;} \
{} ]
lappend TESTS [ list evl-81-10 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"01"; byte_test:1,<,6,7,relative; ) drop;} \
{} ]
lappend TESTS [ list evl-81-11 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"01"; byte_test:1,=,9,7,relative; ) drop;} \
{0} ]
lappend TESTS [ list evl-81-12 \
{byte_test} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"01"; byte_test:1,=,8,7; ) drop;} \
{} ]
lappend TESTS [ list evl-82 \
{comment attribute} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:0123456789; id:255; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"01"; msg:"a comment"; ) drop;} \
{0} ]
lappend TESTS [ list evl-83 \
{old parse error with space after " before ; --- content:"--use-compress-program" ;} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:100; content:--use-compress-program; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"--use-compress-program" ; ) drop;} \
{0} ]
lappend TESTS [ list evl-84-1 \
{byte_array contruct} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:abc; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"|61 62 63|"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-84-2 \
{byte_array contruct} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:abc; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"| 61 62 |c"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-84-3 \
{byte_array contruct} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:123abc; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"123| 61 62 |c"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-84-4 \
{byte_array contruct: space between hex values, i.e., 6 1 not 61} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:123abc; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"123| 6 1 62 |c"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-84-5 \
{byte_array contruct: more hex values } \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:jk; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"| 6a 6B |"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-85-1 \
{content escape rules} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:abc"123; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"abc\"123"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-85-2 \
{content escape rules} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:abc"123; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"abc\"123"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-85-3 \
{content escape rules} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:10; content:a:bc"123; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"\:a\:bc\"123"; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-85-4 \
{content escape rules} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnan x\abc; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"x\\ab"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-86-1 \
{noecase} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnan; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"adnan"; nocase; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-86-2 \
{noecase} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnan; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"ADNAN"; nocase; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-86-3 \
{noecase} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:AdNaN; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"aDNaN"; nocase; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-86-4 \
{nocase} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:AdNaN; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"aDNaN"; nocase; content:"AdN"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-86-5 \
{nocase} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:AdNaN; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"aDNaN"; nocase; content:"Adn"; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-86-6 \
{nocase} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:AdNaN; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:"aDNaN"; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-87-1 \
{negated check} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:4; content:abcd; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:!"abcd"; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-87-2 \
{negated check} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:4; content:abcde; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:!"abcd"; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-87-3 \
{negated check} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:5; content:adnan; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:!"wxyz"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-87-4-1 \
{negated check, string too short for automaton} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:5; content:ad; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:!"xz"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-87-4-2 \
{negated check, string too short for automaton} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:5; content:ad; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:!"ad"; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-87-5 \
{negated check} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( content:!"xyz123"; content:"adn"; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-1 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:rr; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:rr; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-2 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:nop; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:nop; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-3 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:ts; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:ts; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-4 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:sec; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:sec; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-5 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:lsrr; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:lsrr; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-6 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:ssrr; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:ssrr; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-7 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:satid; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:satid; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-88-8 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:eol; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:eol; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-89-1 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:rr; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-89-2 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:nop; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-89-3 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:ts; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-89-4 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:sec; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-89-5 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:lsrr; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-89-6 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:ssrr; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-89-7 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:satid; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-89-8 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:eol; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-90-1 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipops:ssrr,eol,nop;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:lsrr; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-90-2 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipops:rr,eol,nop; } \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:ssrr; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-90-3 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:rr,nop;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:satid; sameip; ) drop;} \
{} ]
# this test holds because we pad the empty bytes in ipopts with eol's
lappend TESTS [ list evl-90-4 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipopts:nop;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:eol; sameip; ) drop;} \
{0} ]
lappend TESTS [ list evl-90-5 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipops:ssrr,eol,nop,lsrr,ts,sec,rr;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:satid; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-90-6 \
{ip options} \
{protocol:tcp; srcip:192.168.1.1; srcport:80; destip:192.168.1.1; size:20; content:adnanxyz12; ipops:eol,nop,lsrr,ts,sec,rr,satid;} \
{tcp 192.168.1.1 80 -> 192.168.1.1 any ( ipopts:ssrr; sameip; ) drop;} \
{} ]
lappend TESTS [ list evl-91-1 \
{multiple mixed rules} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp 192.168.1.2 any -> any any ( ) drop;
tcp any any -> any any ( ) drop; } \
{0,1} ]
lappend TESTS [ list evl-91-2 \
{multiple mixed rules} \
{ protocol:tcp; srcip:192.168.1.2; size:10; content:"adnan"; } \
{ tcp 192.168.1.2 any -> any any ( ) drop;
tcp 192.168.1.3 any -> any any ( ) drop;
tcp 192.168.1.4 any -> any any ( ) drop;
tcp 192.168.1.5 any -> any any ( ) drop;
tcp 192.168.1.6 any -> any any ( ) drop;
tcp any any -> any any ( content:"adnan"; ) drop;
ip any any -> any any ( ) drop; } \
{0,5,6} ]
lappend TESTS [ list evl-91-3 \
{multiple mixed rules} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ generic ( ) route:eth1;
icmp any any -> any any ( ) drop;
udp any any -> any any ( ) drop;
tcp any any -> any any ( ) drop; } \
{0,3} ]
# complete set of checks:
#
# byte_test:1,>,6,2
# byte_test:1,>,7,1
# byte_test:2,>,1024,0,relative,little
# byte_test:4,>,100,20,relative
# byte_test:4,>,1000,28,relative
# byte_test:4,>,1024,20,relative
# byte_test:4,>,128,20,relative
# byte_test:4,>,128,8,relative
# byte_test:4,>,512,16,relative
# byte_test:4,>,512,240,relative
# byte_test:5,>,256,0,string,dec,relative
### TEST LOOP
lappend TESTS [ list evl-92 \
{calling tcl proc as action} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp any any -> any any ( ) tcl-ext:dummy; } \
{0} ]
lappend TESTS [ list evl-93-1 \
{handling lengths right} \
{ protocol:tcp; srcip:192.168.1.2; size:0; content:""; } \
{ tcp any any -> any any ( content:"http"; ) tcl-ext:dummy; } \
{} ]
lappend TESTS [ list evl-93-2 \
{handling lengths right} \
{ protocol:tcp; srcip:192.168.1.2; size:0; content:""; } \
{ tcp any any -> any any ( content:"http"; nocase; content:".com"; nocase; ) tcl-ext:dummy; } \
{} ]
lappend TESTS [ list evl-94 \
{basic handling interface right for synthetic traffic} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp any any -> any any ( interface:"eth0"; ) tcl-ext:dummy; } \
{0} ]
lappend TESTS [ list evl-95-1 \
{basic check of sampling function} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp any any -> any any ( sample:0.00; ) tcl-ext:dummy; } \
{} ]
lappend TESTS [ list evl-95-2 \
{basic check of sampling function} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp any any -> any any ( sample:0.01; ) tcl-ext:dummy; } \
{} ]
lappend TESTS [ list evl-95-3 \
{basic check of sampling function} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp any any -> any any ( sample:0.99; ) tcl-ext:dummy; } \
{0} ]
lappend TESTS [ list evl-95-4 \
{basic check of sampling function} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp any any -> any any ( sample:1.00; ) tcl-ext:dummy; } \
{0} ]
lappend TESTS [ list evl-95-5 \
{basic check of sampling function} \
{ protocol:tcp; srcip:192.168.1.2; } \
{ tcp any any -> any any ( sample:0.50; ) tcl-ext:dummy;
tcp any any -> any any ( sample:0.51; ) tcl-ext:dummy;
tcp any any -> any any ( sample:0.51; ) tcl-ext:dummy;
tcp any any -> any any ( sample:0.49; ) tcl-ext:dummy;
tcp any any -> any any ( sample:0.9949; ) tcl-ext:dummy;
tcp any any -> any any ( sample:0.52; ) tcl-ext:dummy; } \
{0,1,4,5} ]
source $pathToTestFiles/uscript-1.tcl
lappend TESTS [ list evl-96-1 \
{calling tcl proc as action} \
{ protocol:tcp; srcip:192.168.1.2; destip:0.1.2.3; } \
{ tcp any any -> any any ( ) tcl-ext:uscript_1; } \
{0} ]
lappend TESTS [ list evl-97-1 \
{large rule set} \
{ protocol:tcp; srcip:192.168.1.1; destip:0.0.0.0; content:"Volume Serial Number COMMAND COMPLETED,uid=(apache)"; size:100; srcport:80; } \
[getFileAsText "$pathToTestFiles/manual_snort_all_2.tcl"] \
{0,1,13} ]
lappend TESTS [ list evl-97-2 \
{large rule set} \
{ protocol:tcp; srcip:0.0.0.0; destip:192.168.1.1; content:"09Volume Serial Number COMMAND COMPLETED,uid=(apache)02"; size:100; srcport:60000; destport:2140; } \
[getFileAsText "$pathToTestFiles/manual_snort_all_2.tcl"] \
{217,240} ]
lappend TESTS [ list evl-98-1 \
{nested defines, need for semicolons} \
{ protocol:tcp; srcip:0.0.0.5; destip:0.0.0.0; } \
{
var HN 0.0.0.0/32,0.0.0.1/32,0.0.0.4/255.255.255.255
var GN HN,0.0.0.2/32,0.0.0.3/32
tcp !GN any -> HN any ( ) drop
} \
{0} ]
lappend TESTS [ list evl-98-2 \
{star wildcard} \
{ protocol:tcp; srcip:0.0.0.0; destip:0.0.0.0; } \
{
var HN 0.0.0.*
tcp !HN any -> HN any ( ) drop
} \
{} ]
lappend TESTS [ list evl-99 \
{udp tcp confusion} \
{ protocol:tcp; srcip:0.0.0.0; destip:0.0.0.0; } \
{
var HN 0.0.0.*
udp HN any -> HN any ( ) drop
} \
{} ]
lappend TESTS [ list evl-100 \
{semicolon needed} \
{ protocol:tcp; srcip:0.0.0.0; destip:0.0.0.0; } \
{
var HN 0.0.0.*
udp HN any -> HN any ( ) drop;
} \
{} ]
set totalCount 0
set totalCount 0
set runCount 0
puts "Starting to run tests"
foreach aTest $TESTS {
set totalCount [expr $totalCount + 1 ]
set testId [lindex $aTest 0]
set testLabel [lindex $aTest 1]
if { 1 || [regexp {97-2} $testId ] } {
set runCount [expr $runCount + 1 ]
puts "Running $testId\t($testLabel)"
set pktText [lindex $aTest 2]
set mgrText [lindex $aTest 3]
set expectedResult [lindex $aTest 4]
set pkt [createPktFromText $pktText]
set mgr [evlBuildManagerFromText $mgrText]
# evlMgrPrintRules $mgr
test $testId $testLabel {evlComputeRuleSetForEthSTRING $mgr $pkt} $expectedResult
}
}
puts "Completed running $runCount indiv tests out of $totalCount possible tests"
}
proc printTcpPkt { pkt } {
    # Debug helper: write selected IP and TCP header fields of the packet
    # handle $pkt to stdout as "name:value" text, one puts per output line.
    # Each value is fetched with the matching pktRead* accessor, in the same
    # order the fields are printed. Useful for checking by eye that a packet
    # built from text carries the header values a rule is expected to see.
    set pktLen [pktReadLength $pkt]
    puts "length:${pktLen};"

    set srcAddr [pktReadSrcIp $pkt]
    set dstAddr [pktReadDestIp $pkt]
    puts "srcip:${srcAddr}; destip:${dstAddr};"

    set srcPort [pktReadTcpSrcPort $pkt]
    set dstPort [pktReadTcpDestPort $pkt]
    puts "srcport:${srcPort}; destport:${dstPort};"

    set ackNum [pktReadTcpAckNum $pkt]
    set seqNum [pktReadTcpSeqNum $pkt]
    puts "ack:${ackNum}; seq:${seqNum};"

    # The last three lines carry no trailing semicolon, unlike the ones above.
    set ipFlagBits [pktReadIpFlags $pkt]
    puts "ipFlags:${ipFlagBits}"

    set ttlValue [pktReadTtl $pkt]
    puts "ttl:${ttlValue}"

    set tcpFlagBits [pktReadTcpFlags $pkt]
    puts "tcpflags:${tcpFlagBits}"
}
proc reactTests { } {
    # Build one synthetic TCP packet and a one-rule manager from text, then
    # dump the packet's header fields with printTcpPkt.
    #
    # The packet text writes every IP flag (MF, RB, DF) and every TCP flag
    # (F, S, R, P, A, U, E, C) in "!X" form -- presumably "flag not set";
    # confirm against the packet text parser. No rule evaluation is run
    # against the packet in this proc, so nothing here asserts on the
    # "drop" rule's verdict.
    set packetSpec { protocol:tcp; srcip:0.0.0.0; destip:0.0.0.1; offset:0; ipflags:!MF; ipflags:!RB; ipflags:!DF; ttl:255; srcport:0; destport:1; tcpflags:!F; tcpflags:!S; tcpflags:!R; tcpflags:!P; tcpflags:!A; tcpflags:!U; tcpflags:!E; tcpflags:!C; ack:0; seq:1; }
    set packet [createPktFromText $packetSpec]

    # The manager handle is not used after it is built; the call is kept so
    # the rule text still goes through the rule parser.
    set ruleSpec { tcp any any -> any any ( ) drop }
    set manager [evlBuildManagerFromText $ruleSpec]

    printTcpPkt $packet
}
# Script entry point: run the test procs in order.
#   indivTests - table-driven cases; each builds a packet and a rule manager
#                from text and compares the matching rule set to the
#                expected list.
#   reactTests - builds a single packet/manager pair and prints the packet's
#                header fields; it makes no assertions.
indivTests
reactTests