1 /* Copyright (C) 2014 Trend Micro Inc.
4 * This program is a free software; you can redistribute it
5 * and/or modify it under the terms of the GNU General Public
6 * License (version 2) as published by the FSF - Free Software
12 #include "../os_regex/os_regex.h"
13 #include "../os_regex/os_regex_internal.h"
15 Suite *test_suite(void);
17 START_TEST(test_success_match1)
21 const char *tests[][3] = {
27 {"test", "testa", ""},
28 {"test", "testest", ""},
29 {"lalaila", "lalalalaila", ""},
30 {"abc|cde", "cde", ""},
31 {"^aa|ee|ii|oo|uu", "dfgdsii", ""},
36 {"a|E", "abcdef", ""},
37 {"daniel", "daniel", ""},
38 {"DANIeL", "daNIel", ""},
39 {"^abc ", "abc ", ""},
40 {"ddd|eee|fff|ggg|ggg|hhh|iii", "iii", ""},
41 {"kwo|fe|fw|wfW|edW|dwDF|WdW|dw|d|^la", "la", ""},
45 {"c$", "lalalalac", ""},
46 {"^bin$|^shell$", "bin", ""},
47 {"^bin$|^shell$", "shell", ""},
48 {"^bin$|^shell$|^ftp$", "shell", ""},
49 {"^bin$|^shell$|^ftp$", "ftp", ""},
53 for(i=0; tests[i][0] != NULL ; i++) {
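/* Column 2 of each row is the reference note for that case; print it in the
 * failure message, as the other table-driven checks in this file do, instead
 * of repeating the subject string from column 1. */
ck_assert_msg(OS_Match2(tests[i][0], tests[i][1]),
              "%s should have OS_Match2 true with %s: Ref: %s",
              tests[i][0], tests[i][1], tests[i][2]);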
61 START_TEST(test_fail_match1)
65 const char *tests[][3] = {
71 {"abbbbbbbb", "abbbbbbb", ""},
72 {"a|b|c| ", "def", ""},
73 {"lala$", "lalalalalal", ""},
75 {"zzzz$", "zzzzzzzzzzzz ", ""},
76 {"^bin$|^shell$", "bina", ""},
77 {"^bin$|^shell$", "shella", ""},
78 {"^bin$|^shell$", "ashell", ""},
82 for(i=0; tests[i][0] != NULL ; i++) {
83 ck_assert_msg(!OS_Match2(tests[i][0],tests[i][1]),
84 "%s should have OS_Match2 false with %s: Ref: %s",
85 tests[i][0], tests[i][1], tests[i][2]);
90 START_TEST(test_success_regex1)
95 * Please note that all strings are \ escaped
97 const char *tests[][3] = {
103 {"test", "testa", ""},
104 {"test", "testest", ""},
105 {"lalaila", "lalalalaila", ""},
106 {"abc|cde", "cde", ""},
107 {"^aa|ee|ii|oo|uu", "dfgdsii", ""},
112 {"a|E", "abcdef", ""},
113 {"daniel", "daniel", ""},
114 {"DANIeL", "daNIel", ""},
115 {"^abc ", "abc ", ""},
116 {"ddd|eee|fff|ggg|ggg|hhh|iii", "iii", ""},
117 {"kwo|fe|fw|wfW|edW|dwDF|WdW|dw|d|^la", "la", ""},
121 {"c$", "lalalalac", ""},
122 {"^bin$|^shell$", "bin", ""},
123 {"^bin$|^shell$", "shell", ""},
124 {"^bin$|^shell$|^ftp$", "shell", ""},
125 {"^bin$|^shell$|^ftp$", "ftp", ""},
126 {"\\s+123", " 123", ""},
127 {"\\s*123", "123", ""},
128 {"\\s123", " 123", ""},
129 {"\\w+\\s+\\w+", "a 1", ""},
130 {"\\w+\\d+\\w+\\s+", "ab12fb12fd12 ", ""},
131 {"^\\s*\\w\\s*\\w+", "a l a a", ""},
132 {"\\w+\\s+\\w+\\d+\\s$", "a aa11 ", ""},
133 {"^su\\S*: BAD su", "su: BAD SU dcid to root on /dev/ttyp0", ""},
134 {"^su\\s*: BAD su", "su: BAD SU dcid to root on /dev/ttyp0", ""},
135 {"^abc\\sabc", "abc abcd", ""},
136 {"^abc\\s\\s*abc", "abc abcd", ""},
137 {"^\\s+\\sl", " lala", ""},
138 {"^\\s*\\sl", " lala", ""},
139 {"^\\s\\s+l", " lala", ""},
140 {"^\\s+\\s l", " lala", ""},
141 {"^\\s*\\s lal\\w$", " lala", ""},
142 {"test123test\\d+$", "test123test123", ""},
143 {"^kernel: \\S+ \\.+ SRC=\\S+ DST=\\S+ \\.+ PROTO=\\w+ SPT=\\d+ DPT=\\d+ ", "kernel: IPTABLE IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:93:db:2e:b4:08:00 SRC=10.4.11.40 DST=255.255.255.255 LEN=180 TOS=0x00 PREC=0x00 TTL=64 ID=4753 PROTO=UDP SPT=49320 DPT=2222 LEN=160", ""},
144 {"test (\\w+)la", "test abclala", ""},
145 {"(\\w+) (\\w+)", "wofl wofl", ""},
146 {"^\\S+ [(\\d+:\\d+:\\d+)] \\.+ (\\d+.\\d+.\\d+.\\d+)\\p*\\d* -> (\\d+.\\d+.\\d+.\\d+)\\p*", "snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.4.12.26 -> 10.4.10.231", ""},
147 {"^\\S+ [(\\d+:\\d+:\\d+)] \\.+ (\\d+.\\d+.\\d+.\\d+)\\p*\\d* -> (\\d+.\\d+.\\d+.\\d+)\\p*", "snort: [1:408:5] ICMP Echo Reply [Classification: Misc Activity] [Priority: 3]: {ICMP} 10.4.10.231 -> 10.4.12.26", ""},
148 {"^\\S+ [(\\d+:\\d+:\\d+)] \\.+ (\\d+.\\d+.\\d+.\\d+)\\p*\\d* -> (\\d+.\\d+.\\d+.\\d+)\\p*", "snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162", ""},
149 {"^\\S+ [(\\d+:\\d+:\\d+)] \\.+ (\\d+.\\d+.\\d+.\\d+)\\p*\\d* -> (\\d+.\\d+.\\d+.\\d+)\\p*", "snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37021 -> 10.4.10.231:162", ""},
150 {"^\\S+ [(\\d+:\\d+:\\d+)] \\.+ (\\d+.\\d+.\\d+.\\d+)\\p*\\d* -> (\\d+.\\d+.\\d+.\\d+)\\p*", "snort: [1:590:12] RPC portmap ypserv request UDP [Classification: Decode of an RPC Query] [Priority: 2]: {UDP} 10.4.11.94:669 -> 10.4.3.20:111", ""},
151 {"^\\S+ [(\\d+:\\d+:\\d+)] \\.+ (\\d+.\\d+.\\d+.\\d+)\\p*\\d* -> (\\d+.\\d+.\\d+.\\d+)\\p*", "snort: [1:590:12] RPC portmap ypserv request UDP [Classification: Decode of an RPC Query] [Priority: 2]: {UDP} 10.4.11.94:670 -> 10.4.3.20:111", ""},
152 {"^\\S+ [(\\d+:\\d+:\\d+)] \\.+ (\\d+.\\d+.\\d+.\\d+)\\p*\\d* -> (\\d+.\\d+.\\d+.\\d+)\\p*", "snort: [1:1421:11] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:705", ""},
156 for(i=0; tests[i][0] != NULL ; i++) {
157 ck_assert_msg(OS_Regex(tests[i][0],tests[i][1]),
158 "%s should have OS_Regex true with %s: Ref: %s",
159 tests[i][0], tests[i][1], tests[i][2]);
164 START_TEST(test_fail_regex1)
169 * Please note that all strings are \ escaped
171 const char *tests[][3] = {
177 {"abbbbbbbb", "abbbbbbb", ""},
178 {"a|b|c| ", "def", ""},
179 {"lala$", "lalalalalal", ""},
181 {"zzzz$", "zzzzzzzzzzzz ", ""},
182 {"^bin$|^shell$", "bina", ""},
183 {"^bin$|^shell$", "shella", ""},
184 {"^bin$|^shell$", "ashell", ""},
185 {"\\w+\\s+\\w+\\d+\\s$", "a aa11 ", ""},
186 {"^\\s+\\s l", " lala", ""},
187 {"test123test\\d+", "test123test", ""},
188 {"test123test\\d+$", "test123test", ""},
189 {"(lalala", "lalala", ""},
190 {"test123(\\d)", "test123a", ""},
191 {"\\(test)", "test", ""},
192 {"(\\w+)(\\d+)", "1 1", ""},
196 for(i=0; tests[i][0] != NULL ; i++) {
197 ck_assert_msg(!OS_Regex(tests[i][0],tests[i][1]),
198 "%s should have OS_Regex false with %s: Ref: %s",
199 tests[i][0], tests[i][1], tests[i][2]);
204 START_TEST(test_success_wordmatch)
209 * Please note that all strings are \ escaped
211 const char *tests[][2] = {
212 { "test", "this is a test" },
213 { "test", "thistestiswithoutspaces" },
214 { "test|not", "test" },
215 { "test|not", "not" },
216 { "^test", "test on start" },
220 for(i=0; tests[i][0] != NULL ; i++) {
221 ck_assert_msg(OS_WordMatch(tests[i][0],tests[i][1]),
222 "%s should match positive with %s by OS_WordMatch",
223 tests[i][0], tests[i][1]);
229 START_TEST(test_fail_wordmatch)
234 * Please note that all strings are \ escaped
236 const char *tests[][2] = {
237 { "-test", "this is a test" },
239 { "test|not", "negative" },
241 { "^test", "starttest" },
245 for(i=0; tests[i][0] != NULL ; i++) {
246 ck_assert_msg(!OS_WordMatch(tests[i][0],tests[i][1]),
247 "%s should not match positive with %s by OS_WordMatch",
248 tests[i][0], tests[i][1]);
254 START_TEST(test_success_strisnum)
259 * Please note that all strings are \ escaped
261 const char *tests[] = {
267 for(i=0; tests[i] != NULL ; i++) {
268 ck_assert_msg(OS_StrIsNum(tests[i]),
269 "%s should match positive by OS_StrIsNum",
276 START_TEST(test_fail_strisnum)
281 * Please note that all strings are \ escaped
283 const char *tests[] = {
291 for(i=0; tests[i] != NULL ; i++) {
292 ck_assert_msg(!OS_StrIsNum(tests[i]),
293 "%s should not match positive by OS_StrIsNum",
300 START_TEST(test_strhowclosedmatch)
305 * Please note that all strings are \ escaped
307 const char *tests[][3] = {
308 { "test", "test1234", "4" },
309 { "test1234", "test", "4" },
310 { "test", "test", "4" },
316 for(i=0; tests[i][0] != NULL ; i++) {
317 ck_assert_uint_eq(OS_StrHowClosedMatch(tests[i][0],tests[i][1])
318 , (unsigned) atoi(tests[i][2]));
324 START_TEST(test_strbreak)
329 * Please note that all strings are \ escaped
331 const char *tests[][15] = {
332 { "X", "testX1234", "4", "test", "1234", NULL},
333 { "X", "XtestX1234X", "4", "", "test", "1234", "", NULL},
334 { "Y", "testX1234", "4", "testX1234", NULL},
335 { "X", "testXX1234", "4", "test", "", "1234", NULL},
336 { "X", "testX1234", "1", "testX1234", NULL},
337 { "X", "testX1234X5678", "2", "test", "1234X5678", NULL},
338 { "X", "testX1234", "0", NULL},
342 for(i=0; tests[i][0] != NULL; i++) {
343 char **result = OS_StrBreak(tests[i][0][0], tests[i][1], (unsigned) atoi(tests[i][2]));
346 if(tests[i][j] == NULL)
348 ck_assert_ptr_eq(result, NULL);
353 for(k = 0; tests[i][j] != NULL; j++, k++)
355 ck_assert_ptr_ne(result[k], NULL);
356 ck_assert_str_eq(result[k], tests[i][j]);
358 ck_assert_ptr_eq(result[k], NULL);
369 START_TEST(test_regexextraction)
374 * Please note that all strings are \ escaped
376 const char *tests[][15] = {
377 { "123(\\w+\\s+)abc", "123sdf abc", "sdf ", NULL},
378 { "123(\\w+\\s+)abc", "abc123sdf abc", "sdf ", NULL},
379 { "123 (\\d+.\\d.\\d.\\d\\d*\\d*)", "123 45.6.5.567", "45.6.5.567", NULL},
380 { "from (\\S*\\d+.\\d+.\\d+.\\d\\d*\\d*)", "sshd[21576]: Illegal user web14 from ::ffff:212.227.60.55", "::ffff:212.227.60.55", NULL},
381 { "^sshd[\\d+]: Accepted \\S+ for (\\S+) from (\\S+) port ", "sshd[21405]: Accepted password for root from 192.1.1.1 port 6023", "root", "192.1.1.1", NULL},
382 { ": \\((\\S+)@(\\S+)\\) [", "pure-ftpd: (?@enigma.lab.ossec.net) [INFO] New connection from enigma.lab.ossec.net", "?", "enigma.lab.ossec.net", NULL},
386 for(i=0; tests[i][0] != NULL; i++) {
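/* Compile the row's pattern into reg with OS_RETURN_SUBSTRING; the captured
 * groups are read back from reg.sub_strings once the match has run. */
ck_assert_int_eq(OSRegex_Compile(tests[i][0], &reg, OS_RETURN_SUBSTRING), 1);
/* A NULL return from OSRegex_Execute is a failure here: every row in this
 * table is expected to match its subject string. */
ck_assert_ptr_ne(OSRegex_Execute(tests[i][1], &reg), NULL);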
393 char **result = reg.sub_strings;
397 for(j = 2, k = 0; tests[i][j] != NULL; j++, k++)
399 ck_assert_ptr_ne(result[k], NULL);
400 ck_assert_str_eq(result[k], tests[i][j]);
402 ck_assert_ptr_eq(result[k], NULL);
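/* Release the compiled pattern held in reg once this row's captures have
 * been checked. */
OSRegex_FreePattern(&reg);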
409 START_TEST(test_hostnamemap)
411 unsigned char test = 0;
415 if((test >= 48 && test <= 57) // 0-9
416 || (test >= 65 && test <= 90) // A-Z
417 || (test >= 97 && test <= 122) // a-z
418 || test == '(' || test == ')' || test == '-'
419 || test == '.' || test == '@' || test == '/'
422 ck_assert_msg(isValidChar(test) == 1, "char %d should be a valid hostname char", test);
426 ck_assert_msg(isValidChar(test) != 1, "char %d should not be a valid hostname char", test);
441 START_TEST(test_caseinsensitivecharmap)
443 unsigned char test = 0;
447 if(test >= 65 && test <= 90) // A-Z
449 ck_assert_msg(charmap[test] == test+32, "char %d should resolve to lowercase version %d and not to %d", test, test+32, charmap[test]);
453 ck_assert_msg(charmap[test] == test, "char %d should resolve to itself and not to %d", test, charmap[test]);
468 START_TEST(test_regexmap_digit)
470 unsigned char test = 0;
474 if(test >= '0' && test <= '9')
476 ck_assert_msg(regexmap[1][test] == 1, "char %d should match", test);
480 ck_assert_msg(regexmap[1][test] != 1, "char %d should not match", test);
494 START_TEST(test_regexmap_word)
496 unsigned char test = 0;
500 if((test >= 'a' && test <= 'z')
501 || (test >= 'A' && test <= 'Z')
502 || (test >= '0' && test <= '9')
503 || test == '-' || test == '@'
506 ck_assert_msg(regexmap[2][test] == 1, "char %d should match", test);
510 ck_assert_msg(regexmap[2][test] != 1, "char %d should not match", test);
524 START_TEST(test_regexmap_space)
526 unsigned char test = 0;
532 ck_assert_msg(regexmap[3][test] == 1, "char %d should match", test);
536 ck_assert_msg(regexmap[3][test] != 1, "char %d should not match", test);
550 START_TEST(test_regexmap_punctuation)
552 unsigned char test = 0;
556 if(test == '<' || test == '>' || test == '!' || test == '?'
557 || test == '"' || test == '\'' || test == '#'
558 || test == '$' || test == '%' || test == '&'
559 || test == '(' || test == ')' || test == '+'
560 || test == '*' || test == ',' || test == '-'
561 || test == '-' || test == ':' || test == '|'
562 || test == '.' || test == ';' || test == '='
563 || test == '[' || test == ']' || test == '{'
566 ck_assert_msg(regexmap[4][test] == 1, "char %d should match", test);
570 ck_assert_msg(regexmap[4][test] != 1, "char %d should not match", test);
584 START_TEST(test_regexmap_lparenthesis)
586 unsigned char test = 0;
592 ck_assert_msg(regexmap[5][test] == 1, "char %d should match", test);
596 ck_assert_msg(regexmap[5][test] != 1, "char %d should not match", test);
610 START_TEST(test_regexmap_rparenthesis)
612 unsigned char test = 0;
618 ck_assert_msg(regexmap[6][test] == 1, "char %d should match", test);
622 ck_assert_msg(regexmap[6][test] != 1, "char %d should not match", test);
636 START_TEST(test_regexmap_backslash)
638 unsigned char test = 0;
644 ck_assert_msg(regexmap[7][test] == 1, "char %d should match", test);
648 ck_assert_msg(regexmap[7][test] != 1, "char %d should not match", test);
663 START_TEST(test_regexmap_nondigit)
665 unsigned char test = 0;
669 if(!(test >= '0' && test <= '9'))
671 ck_assert_msg(regexmap[8][test] == 1, "char %d should match", test);
675 ck_assert_msg(regexmap[8][test] != 1, "char %d should not match", test);
689 START_TEST(test_regexmap_nonword)
691 unsigned char test = 0;
695 if(!((test >= 'a' && test <= 'z')
696 || (test >= 'A' && test <= 'Z')
697 || (test >= '0' && test <= '9')
698 || test == '_' || test == 127))
700 ck_assert_msg(regexmap[9][test] == 1, "char %d should match", test);
704 ck_assert_msg(regexmap[9][test] != 1, "char %d should not match", test);
718 START_TEST(test_regexmap_nonspace)
720 unsigned char test = 0;
726 ck_assert_msg(regexmap[10][test] == 1, "char %d should match", test);
730 ck_assert_msg(regexmap[10][test] != 1, "char %d should not match", test);
744 START_TEST(test_regexmap_all)
746 unsigned char test = 0;
750 ck_assert_msg(regexmap[11][test] == 1, "char %d should match", test);
763 START_TEST(test_regexmap_tab)
765 unsigned char test = 0;
771 ck_assert_msg(regexmap[12][test] == 1, "char %d should match", test);
775 ck_assert_msg(regexmap[12][test] != 1, "char %d should not match", test);
789 START_TEST(test_regexmap_dollar)
791 unsigned char test = 0;
797 ck_assert_msg(regexmap[13][test] == 1, "char %d should match", test);
801 ck_assert_msg(regexmap[13][test] != 1, "char %d should not match", test);
815 START_TEST(test_regexmap_or)
817 unsigned char test = 0;
823 ck_assert_msg(regexmap[14][test] == 1, "char %d should match", test);
827 ck_assert_msg(regexmap[14][test] != 1, "char %d should not match", test);
841 START_TEST(test_regexmap_lt)
843 unsigned char test = 0;
849 ck_assert_msg(regexmap[15][test] == 1, "char %d should match", test);
853 ck_assert_msg(regexmap[15][test] != 1, "char %d should not match", test);
867 START_TEST(test_success_strstartswith)
872 * Please note that all strings are \ escaped
874 const char *tests[][2] = {
875 { "test1234", "test" },
882 for(i=0; tests[i][0] != NULL ; i++) {
883 ck_assert_msg(OS_StrStartsWith(tests[i][0],tests[i][1]),
884 "%s should match positive with %s by OS_StrStartsWith",
885 tests[i][0], tests[i][1]);
891 START_TEST(test_fail_strstartswith)
896 * Please note that all strings are \ escaped
898 const char *tests[][2] = {
899 { "test", "test1234" },
904 for(i=0; tests[i][0] != NULL ; i++) {
905 ck_assert_msg(!OS_StrStartsWith(tests[i][0],tests[i][1]),
906 "%s should not match positive with %s by OS_StrStartsWith",
907 tests[i][0], tests[i][1]);
913 Suite *test_suite(void)
/* Assemble the "os_regex" suite: one TCase per API under test. Each case is
 * created, filled and attached in turn; the attach order is the order in
 * which the cases are added to the suite. */
Suite *s = suite_create("os_regex");

/* OS_Match2: table of patterns that must match, then patterns that must not. */
TCase *tc_match = tcase_create("Match");
tcase_add_test(tc_match, test_success_match1);
tcase_add_test(tc_match, test_fail_match1);
suite_add_tcase(s, tc_match);

/* OS_Regex: positive and negative tables, including log-line samples. */
TCase *tc_regex = tcase_create("Regex");
tcase_add_test(tc_regex, test_success_regex1);
tcase_add_test(tc_regex, test_fail_regex1);
suite_add_tcase(s, tc_regex);

/* OS_WordMatch. */
TCase *tc_wordmatch = tcase_create("WordMatch");
tcase_add_test(tc_wordmatch, test_success_wordmatch);
tcase_add_test(tc_wordmatch, test_fail_wordmatch);
suite_add_tcase(s, tc_wordmatch);

/* OS_StrIsNum. */
TCase *tc_strisnum = tcase_create("StrIsNum");
tcase_add_test(tc_strisnum, test_success_strisnum);
tcase_add_test(tc_strisnum, test_fail_strisnum);
suite_add_tcase(s, tc_strisnum);

/* OS_StrHowClosedMatch. */
TCase *tc_strhowclosedmatch = tcase_create("StrHowClosedMatch");
tcase_add_test(tc_strhowclosedmatch, test_strhowclosedmatch);
suite_add_tcase(s, tc_strhowclosedmatch);

/* OS_StrBreak. */
TCase *tc_strbreak = tcase_create("StrBreak");
tcase_add_test(tc_strbreak, test_strbreak);
suite_add_tcase(s, tc_strbreak);

/* Capture-group extraction through OSRegex_Compile / OSRegex_Execute. */
TCase *tc_regexextraction = tcase_create("RegexExtraction");
tcase_add_test(tc_regexextraction, test_regexextraction);
suite_add_tcase(s, tc_regexextraction);

/* isValidChar, checked against the hostname character set. */
TCase *tc_hostnamemap = tcase_create("HostnameMap");
tcase_add_test(tc_hostnamemap, test_hostnamemap);
suite_add_tcase(s, tc_hostnamemap);

/* charmap: upper-case letters fold to lower case, other bytes map to themselves. */
TCase *tc_caseinsensitivecharmap = tcase_create("CaseInsensitiveCharmap");
tcase_add_test(tc_caseinsensitivecharmap, test_caseinsensitivecharmap);
suite_add_tcase(s, tc_caseinsensitivecharmap);

/* regexmap rows 1..15, one test per character class. Both the "should match"
 * and the "should not match" side of each class are asserted, so a class that
 * silently widens or narrows is caught here rather than in rule matching. */
TCase *tc_regexmap = tcase_create("RegexMap");
tcase_add_test(tc_regexmap, test_regexmap_digit);
tcase_add_test(tc_regexmap, test_regexmap_word);
tcase_add_test(tc_regexmap, test_regexmap_space);
tcase_add_test(tc_regexmap, test_regexmap_punctuation);
tcase_add_test(tc_regexmap, test_regexmap_lparenthesis);
tcase_add_test(tc_regexmap, test_regexmap_rparenthesis);
tcase_add_test(tc_regexmap, test_regexmap_backslash);
tcase_add_test(tc_regexmap, test_regexmap_nondigit);
tcase_add_test(tc_regexmap, test_regexmap_nonword);
tcase_add_test(tc_regexmap, test_regexmap_nonspace);
tcase_add_test(tc_regexmap, test_regexmap_all);
tcase_add_test(tc_regexmap, test_regexmap_tab);
tcase_add_test(tc_regexmap, test_regexmap_dollar);
tcase_add_test(tc_regexmap, test_regexmap_or);
tcase_add_test(tc_regexmap, test_regexmap_lt);
suite_add_tcase(s, tc_regexmap);

/* OS_StrStartsWith. */
TCase *tc_strstartswith = tcase_create("StrStartsWith");
tcase_add_test(tc_strstartswith, test_success_strstartswith);
tcase_add_test(tc_strstartswith, test_fail_strstartswith);
suite_add_tcase(s, tc_strstartswith);
988 Suite *s = test_suite();
989 SRunner *sr = srunner_create(s);
990 srunner_run_all(sr, CK_NORMAL);
991 int number_failed = srunner_ntests_failed(sr);
994 return ((number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE);