[Oisf-devel] SigParseTest05 test and DetectPortParse()

Victor Julien victor at inliniac.net
Tue Jan 26 09:30:44 UTC 2010


Yao-Min Chen wrote:
> Just tracing through the unit test as it was giving errors [ERRCODE: 
> SC_INVALID_ARGUMENT(12)] - PortParse error "1024:65536"
> 
>  sig = SigInit(de_ctx, "alert tcp 1.2.3.4 1024:65536 -> !1.2.3.4 any 
> (msg:\"SigParseTest05\"; sid:1;)");
> 
> Given the port range error (65536 is greater than the max port number 
> 65535), I am curious why SigInit still returned non-null and the unit 
> test passed. The return codes of DetectPortParse() and 
> DetectPortParseDo() were not checked.  I wonder whether the behavior 
> should be 1) checking the return code, and 2) halting further parsing of 
> the signature.

Actually SigInit does return NULL, but for the wrong reason. The test
was broken as well: it inits result to 1 and has no condition to set it
to 0.

Running (after a slight code change):
SC_LOG_LEVEL=Debug ./src/suricata -uUSigParseTest05


[5710] 26/1/2010 -- 10:22:24 - (detect-parse.c:606) <Debug> (SigInit) --
Entering ... >>

[5710] 26/1/2010 -- 10:22:24 - (detect-parse.c:516) <Debug> (SigParse)
-- Entering ... >>

[5710] 26/1/2010 -- 10:22:24 - (detect-engine-proto.c:83) <Debug>
(DetectProtoParse) -- TCP protocol detected

[5710] 26/1/2010 -- 10:22:24 - (detect-parse.c:319) <Debug>
(SigParseAddress) -- Address Group "1.2.3.4" to be parsed now

[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1215) <Debug>
(DetectAddressParse) -- gh 0x8f51c38, str 1.2.3.4

[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:929) <Debug>
(DetectAddressParse2) -- s 1.2.3.4 negate false

[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:823) <Debug>
(DetectAddressSetup) -- gh 0x8f51c38, s 1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:785) <Debug>
(DetectAddressParseSingle) -- str 1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:609) <Debug>
(DetectAddressParseString) -- str 1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:860) <Debug>
(DetectAddressSetup) -- r 1
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1230) <Debug>
(DetectAddressParse) -- gh->ipv4_head 0x8f51d60, ghn->ipv4_head (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1075) <Debug>
(DetectAddressMergeNot) -- gh->ipv4_head 0x8f51d60, ghn->ipv4_head (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-parse.c:319) <Debug>
(SigParseAddress) -- Address Group "!1.2.3.4" to be parsed now
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1215) <Debug>
(DetectAddressParse) -- gh 0x8f51c44, str !1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:929) <Debug>
(DetectAddressParse2) -- s !1.2.3.4 negate false
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:823) <Debug>
(DetectAddressSetup) -- gh 0x8f51d50, s 1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:785) <Debug>
(DetectAddressParseSingle) -- str 1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:609) <Debug>
(DetectAddressParseString) -- str 1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:860) <Debug>
(DetectAddressSetup) -- r 1
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1230) <Debug>
(DetectAddressParse) -- gh->ipv4_head (nil), ghn->ipv4_head 0x8f51db0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1075) <Debug>
(DetectAddressMergeNot) -- gh->ipv4_head (nil), ghn->ipv4_head 0x8f51db0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:823) <Debug>
(DetectAddressSetup) -- gh 0x8f51c44, s 0.0.0.0/0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:785) <Debug>
(DetectAddressParseSingle) -- str 0.0.0.0/0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:609) <Debug>
(DetectAddressParseString) -- str 0.0.0.0/0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:860) <Debug>
(DetectAddressSetup) -- r 1
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:49) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_ES
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:52) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_EB
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:346)
<Debug> (DetectAddressCutIPv4) -- DetectAddressCutIPv4: r == ADDRESS_EB
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:397)
<Debug> (DetectAddressCutIPv4) -- DetectAddressCutIPv4: 3
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:89) <Debug>
(DetectAddressFree) -- ag 0x8f51e70, sh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:100) <Debug>
(DetectAddressFree) -- - ag 0x8f51e70 dst_gh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:64) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_GT
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:64) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_GT
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:64) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_GT
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1137) <Debug>
(DetectAddressMergeNot) -- ag 0x8f51db0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1473) <Debug>
(DetectAddressPrint) -- 1.2.3.4/1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1141) <Debug>
(DetectAddressMergeNot) -- ag2 0x8f51df0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1473) <Debug>
(DetectAddressPrint) -- 0.0.0.0/1.2.3.3
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:64) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_GT
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1141) <Debug>
(DetectAddressMergeNot) -- ag2 0x8f51e30
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1473) <Debug>
(DetectAddressPrint) -- 1.2.3.4/1.2.3.4
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:46) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_EQ
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:89) <Debug>
(DetectAddressFree) -- ag 0x8f51e30, sh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:100) <Debug>
(DetectAddressFree) -- - ag 0x8f51e30 dst_gh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1141) <Debug>
(DetectAddressMergeNot) -- ag2 0x8f51eb0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:1473) <Debug>
(DetectAddressPrint) -- 1.2.3.5/255.255.255.255
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address-ipv4.c:58) <Debug>
(DetectAddressCmpIPv4) -- ADDRESS_LT
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:89) <Debug>
(DetectAddressFree) -- ag 0x8f51db0, sh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:100) <Debug>
(DetectAddressFree) -- - ag 0x8f51db0 dst_gh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-parse.c:391) <Debug>
(SigParsePort) -- Port group "1024:65536" to be parsed
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:1253) <Debug>
(DetectPortParse) -- Port string to be parsed - str 1024:65536
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:995) <Debug>
(DetectPortParseDo) -- head 0x8f51c74, *head (nil), negate 0
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:1072) <Debug>
(DetectPortParseDo) -- 1024:65536
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:902) <Debug>
(DetectPortParseInsertString) -- head 0x8f51c74, *head (nil), s 1024:65536
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:907) <Error>
(DetectPortParseInsertString) -- [ERRCODE: SC_INVALID_ARGUMENT(12)] -
PortParse error "1024:65536"
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:953) <Error>
(DetectPortParseInsertString) -- [ERRCODE:
SC_PORT_PARSE_INSERT_STRING_ERR(34)] - DetectPortParseInsertString error
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:1262) <Debug>
(DetectPortParse) -- head 0x8f51c74 (nil), nhead (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-port.c:1230) <Error>
(DetectPortParseMergeNotPorts) -- [ERRCODE:
SC_NO_PORTS_LEFT_AFTER_MERGE(32)] - no ports left after merging ports
with negated ports
[5710] 26/1/2010 -- 10:22:24 - (detect-parse.c:523) <Debug> (SigParse)
-- Returning: -1 ... <<
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:89) <Debug>
(DetectAddressFree) -- ag 0x8f51d60, sh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:100) <Debug>
(DetectAddressFree) -- - ag 0x8f51d60 dst_gh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:89) <Debug>
(DetectAddressFree) -- ag 0x8f51df0, sh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:100) <Debug>
(DetectAddressFree) -- - ag 0x8f51df0 dst_gh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:89) <Debug>
(DetectAddressFree) -- ag 0x8f51eb0, sh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-engine-address.c:100) <Debug>
(DetectAddressFree) -- - ag 0x8f51eb0 dst_gh (nil)
[5710] 26/1/2010 -- 10:22:24 - (detect-parse.c:698) <Debug> (SigInit) --
Returning pointer (nil) of type Signature ... <<

I fixed up the missing return value checking. Should be in the next
master. Thanks Yao-Min!

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
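
An added example, not part of the original message and not Suricata's code: a strict port-range parser whose caller checks the return code and stops, plus a unit test that starts at result = 0 and passes only when "1024:65536" is rejected. All function names are hypothetical, and only "N" and "LO:HI" forms are handled (no "any", negation or open-ended ranges).

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper: parse one decimal port. The bound is checked on the
 * unsigned long, before the cast; casting 65536 to uint16_t would give 0. */
static int parse_port(const char *s, const char **end, uint16_t *out)
{
    char *e;
    if (*s < '0' || *s > '9')          /* strtoul would accept sign/space */
        return -1;
    errno = 0;
    unsigned long v = strtoul(s, &e, 10);
    if (errno != 0 || v > 65535UL)
        return -1;
    *out = (uint16_t)v;
    *end = e;
    return 0;
}

/* Hypothetical: parse "N" or "LO:HI". Returns 0 on success, -1 on error. */
int port_range_parse(const char *s, uint16_t *lo, uint16_t *hi)
{
    const char *p;
    if (s == NULL || parse_port(s, &p, lo) != 0)
        return -1;
    if (*p == '\0') { *hi = *lo; return 0; }
    if (*p != ':' || parse_port(p + 1, &p, hi) != 0)
        return -1;
    return (*p == '\0' && *lo <= *hi) ? 0 : -1;
}

/* Hypothetical caller: every return code is checked, and parsing of the
 * signature stops at the first bad port field. */
int sig_ports_parse(const char *src, const char *dst)
{
    uint16_t lo, hi;
    if (port_range_parse(src, &lo, &hi) != 0) return -1;
    if (port_range_parse(dst, &lo, &hi) != 0) return -1;
    return 0;
}

/* Unit test: result starts at 0, so a missing check cannot pass silently. */
int test_invalid_range_rejected(void)
{
    int result = 0;
    if (sig_ports_parse("1024:65536", "80") == -1)
        result = 1;
    return result;
}

int main(void) { return test_invalid_range_rejected() ? 0 : 1; }
```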



