open-dsi
/
clamav
mirror of https://github.com/Cisco-Talos/clamav
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
ClamAV is an open source (GPLv2) anti-virus toolkit.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10751 Commits
40 Branches
228 Tags
220 MiB
Tag: Branch: Tree: 3dff2e2f52
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3dff2e2f52'
${ noResults }
clamav/unit_tests/check_regex.c

711 lines
25 KiB
Raw Normal View History Unescape

remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
/*
* Unit tests for regular expression processing.
*
Bump copyright for 2022 Includes minor format corrections.
3 years ago
* Copyright (C) 2013-2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Updating and cleaning up copyright notices.
6 years ago
* Copyright (C) 2008-2013 Sourcefire, Inc.
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
*
* Authors: Török Edvin
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
*/
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>
#include <check.h>
CMake: Add CTest support to match Autotools checks An ENABLE_TESTS CMake option is provided so that users can disable testing if they don't want it. Instructions for how to use this included in the INSTALL.cmake.md file. If you run `ctest`, each testcase will write out a log file to the <build>/unit_tests directory. As with Autotools' make check, the test files are from test/.split and unit_tests/.split files, but for CMake these are generated at build time instead of at test time. On Posix systems, sets the LD_LIBRARY_PATH so that ClamAV-compiled libraries can be loaded when running tests. On Windows systems, CTest will identify and collect all library dependencies and assemble a temporarily install under the build/unit_tests directory so that the libraries can be loaded when running tests. The same feature is used on Windows when using CMake to install to collect all DLL dependencies so that users don't have to install them manually afterwards. Each of the CTest tests are run using a custom wrapper around Python's unittest framework, which is also responsible for finding and inserting valgrind into the valgrind tests on Posix systems. Unlike with Autotools, the CMake CTest Valgrind-tests are enabled by default, if Valgrind can be found. There's no need to set VG=1. CTest's memcheck module is NOT supported, because we use Python to orchestrate our tests. Added a bunch of Windows compatibility changes to the unit tests. These were primarily changing / to PATHSEP and making adjustments to use Win32 C headers and ifdef out the POSIX ones which aren't available on Windows. Also disabled a bunch of tests on Win32 that don't work on Windows, notably the mmap ones and FD-passing (i.e. FILEDES) ones. Add JSON_C_HAVE_INTTYPES_H definition to clamav-config.h to eliminate warnings on Windows where json.h is included after inttypes.h because json-c's inttypes replacement relies on it. This is a it of a hack and may be removed if json-c fixes their inttypes header stuff in the future. Add preprocessor definitions on Windows to disable MSVC warnings about CRT secure and nonstandard functions. While there may be a better solution, this is needed to be able to see other more serious warnings. Add missing file comment block and copyright statement for clamsubmit.c. Also change json-c/json.h include filename to json.h in clamsubmit.c. The directory name is not required. Changed the hash table data integer type from long, which is poorly defined, to size_t -- which is capable of storing a pointer. Fixed a bunch of casts regarding this variable to eliminate warnings. Fixed two bugs causing utf8 encoding unit tests to fail on Windows: - The in_size variable should be the number of bytes, not the character count. This was was causing the SHIFT_JIS (japanese codepage) to UTF8 transcoding test to only transcode half the bytes. - It turns out that the MultiByteToWideChar() API can't transcode UTF16-BE to UTF16-LE. The solution is to just iterate over the buffer and flip the bytes on each uint16_t. This but was causing the UTF16-BE to UTF8 tests to fail. I also split up the utf8 transcoding tests into separate tests so I could see all of the failures instead of just the first one. Added a flags parameter to the unit test function to open testfiles because it turns out that on Windows if a file contains the \r\n it will replace it with just \n if you opened the file as a text file instead of as binary. However, if we open the CBC files as binary, then a bunch of bytecode tests fail. So I've changed the tests to open the CBC files in the bytecode tests as text files and open all other files as binary. Ported the feature tests from shell scripts to Python using a modified version of our QA test-framework, which is largely compatible and will allow us to migrate some QA tests into this repo. I'd like to add GitHub Actions pipelines in the future so that all public PR's get some testing before anyone has to manually review them. The clamd --log option was missing from the help string, though it definitely works. I've added it in this commit. It appears that clamd.c was never clang-format'd, so this commit also reformats clamd.c. Some of the check_clamd tests expected the path returned by clamd to match character for character with original path sent to clamd. However, as we now evaluate real paths before a scan, the path returned by clamd isn't going to match the relative (and possibly symlink-ridden) path passed to clamdscan. I fixed this test by changing the test to search for the basename: <signature> FOUND within the response instead of matching the exact path. Autotools: Link check_clamd with libclamav so we can use our utility functions in check_clamd.c.
5 years ago
#include <fcntl.h>
Use OpenSSL for hashing.
11 years ago
Add CMake build tooling This patch adds experimental-quality CMake build tooling. The libmspack build required a modification to use "" instead of <> for header #includes. This will hopefully be included in the libmspack upstream project when adding CMake build tooling to libmspack. Removed use of libltdl when using CMake. Flex & Bison are now required to build. If -DMAINTAINER_MODE, then GPERF is also required, though it currently doesn't actually do anything. TODO! I found that the autotools build system was generating the lexer output but not actually compiling it, instead using previously generated (and manually renamed) lexer c source. As a consequence, changes to the .l and .y files weren't making it into the build. To resolve this, I removed generated flex/bison files and fixed the tooling to use the freshly generated files. Flex and bison are now required build tools. On Windows, this adds a dependency on the winflexbison package, which can be obtained using Chocolatey or may be manually installed. CMake tooling only has partial support for building with external LLVM library, and no support for the internal LLVM (to be removed in the future). I.e. The CMake build currently only supports the bytecode interpreter. Many files used include paths relative to the top source directory or relative to the current project, rather than relative to each build target. Modern CMake support requires including internal dependency headers the same way you would external dependency headers (albeit with "" instead of <>). This meant correcting all header includes to be relative to the build targets and not relative to the workspace. For example, ... ```c include "../libclamav/clamav.h" include "clamd/clamd_others.h" ``` ... becomes: ```c // libclamav include "clamav.h" // clamd include "clamd_others.h" ``` Fixes header name conflicts by renaming a few of the files. Converted the "shared" code into a static library, which depends on libclamav. The ironically named "shared" static library provides features common to the ClamAV apps which are not required in libclamav itself and are not intended for use by downstream projects. This change was required for correct modern CMake practices but was also required to use the automake "subdir-objects" option. This eliminates warnings when running autoreconf which, in the next version of autoconf & automake are likely to break the build. libclamav used to build in multiple stages where an earlier stage is a static library containing utils required by the "shared" code. Linking clamdscan and clamdtop with this libclamav utils static lib allowed these two apps to function without libclamav. While this is nice in theory, the practical gains are minimal and it complicates the build system. As such, the autotools and CMake tooling was simplified for improved maintainability and this feature was thrown out. clamdtop and clamdscan now require libclamav to function. Removed the nopthreads version of the autotools libclamav_internal_utils static library and added pthread linking to a couple apps that may have issues building on some platforms without it, with the intention of removing needless complexity from the source. Kept the regular version of libclamav_internal_utils.la though it is no longer used anywhere but in libclamav. Added an experimental doxygen build option which attempts to build clamav.h and libfreshclam doxygen html docs. The CMake build tooling also may build the example program(s), which isn't a feature in the Autotools build system. Changed C standard to C90+ due to inline linking issues with socket.h when linking libfreshclam.so on Linux. Generate common.rc for win32. Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef from misc.c. Add CMake files to the automake dist, so users can try the new CMake tooling w/out having to build from a git clone. clamonacc changes: - Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other similar macros. - Added a new clamav-clamonacc.service systemd unit file, based on the work of ChadDevOps & Aaron Brighton. - Added missing clamonacc man page. Updates to clamdscan man page, add missing options. Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use libclamav). Rename Windows mspack.dll to libmspack.dll so all ClamAV-built libraries have the lib-prefix with Visual Studio as with CMake.
5 years ago
// libclamav
#include "clamav.h"
#include "others.h"
#include "mbox.h"
#include "message.h"
#include "htmlnorm.h"
#include "phishcheck.h"
#include "regex_suffix.h"
#include "regex_list.h"
#include "phish_domaincheck_db.h"
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
#include "phish_allow_list.h"
Add CMake build tooling This patch adds experimental-quality CMake build tooling. The libmspack build required a modification to use "" instead of <> for header #includes. This will hopefully be included in the libmspack upstream project when adding CMake build tooling to libmspack. Removed use of libltdl when using CMake. Flex & Bison are now required to build. If -DMAINTAINER_MODE, then GPERF is also required, though it currently doesn't actually do anything. TODO! I found that the autotools build system was generating the lexer output but not actually compiling it, instead using previously generated (and manually renamed) lexer c source. As a consequence, changes to the .l and .y files weren't making it into the build. To resolve this, I removed generated flex/bison files and fixed the tooling to use the freshly generated files. Flex and bison are now required build tools. On Windows, this adds a dependency on the winflexbison package, which can be obtained using Chocolatey or may be manually installed. CMake tooling only has partial support for building with external LLVM library, and no support for the internal LLVM (to be removed in the future). I.e. The CMake build currently only supports the bytecode interpreter. Many files used include paths relative to the top source directory or relative to the current project, rather than relative to each build target. Modern CMake support requires including internal dependency headers the same way you would external dependency headers (albeit with "" instead of <>). This meant correcting all header includes to be relative to the build targets and not relative to the workspace. For example, ... ```c include "../libclamav/clamav.h" include "clamd/clamd_others.h" ``` ... becomes: ```c // libclamav include "clamav.h" // clamd include "clamd_others.h" ``` Fixes header name conflicts by renaming a few of the files. Converted the "shared" code into a static library, which depends on libclamav. The ironically named "shared" static library provides features common to the ClamAV apps which are not required in libclamav itself and are not intended for use by downstream projects. This change was required for correct modern CMake practices but was also required to use the automake "subdir-objects" option. This eliminates warnings when running autoreconf which, in the next version of autoconf & automake are likely to break the build. libclamav used to build in multiple stages where an earlier stage is a static library containing utils required by the "shared" code. Linking clamdscan and clamdtop with this libclamav utils static lib allowed these two apps to function without libclamav. While this is nice in theory, the practical gains are minimal and it complicates the build system. As such, the autotools and CMake tooling was simplified for improved maintainability and this feature was thrown out. clamdtop and clamdscan now require libclamav to function. Removed the nopthreads version of the autotools libclamav_internal_utils static library and added pthread linking to a couple apps that may have issues building on some platforms without it, with the intention of removing needless complexity from the source. Kept the regular version of libclamav_internal_utils.la though it is no longer used anywhere but in libclamav. Added an experimental doxygen build option which attempts to build clamav.h and libfreshclam doxygen html docs. The CMake build tooling also may build the example program(s), which isn't a feature in the Autotools build system. Changed C standard to C90+ due to inline linking issues with socket.h when linking libfreshclam.so on Linux. Generate common.rc for win32. Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef from misc.c. Add CMake files to the automake dist, so users can try the new CMake tooling w/out having to build from a git clone. clamonacc changes: - Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other similar macros. - Added a new clamav-clamonacc.service systemd unit file, based on the work of ChadDevOps & Aaron Brighton. - Added missing clamonacc man page. Updates to clamdscan man page, add missing options. Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use libclamav). Rename Windows mspack.dll to libmspack.dll so all ClamAV-built libraries have the lib-prefix with Visual Studio as with CMake.
5 years ago
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
#include "checks.h"
fix compiler warnings constify git-svn: trunk@4019
17 years ago
static size_t cb_called = 0;
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
Return code checking corrections to regex suffix code.
6 years ago
static cl_error_t cb_fail(void *cbdata, const char *suffix, size_t len, const struct regex_list *regex)
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
{
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
UNUSEDPARAM(cbdata);
UNUSEDPARAM(suffix);
UNUSEDPARAM(len);
UNUSEDPARAM(regex);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_abort_msg("this pattern is not supposed to have a suffix");
Return code checking corrections to regex suffix code.
6 years ago
return CL_EMEM;
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}
Return code checking corrections to regex suffix code.
6 years ago
static cl_error_t cb_expect_single(void *cbdata, const char *suffix, size_t len, const struct regex_list *regex)
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
const char *expected = cbdata;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
UNUSEDPARAM(len);
UNUSEDPARAM(regex);
clang-format'd using new .clang-format rules.
7 years ago
cb_called++;
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(suffix && strcmp(suffix, expected) == 0,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"suffix mismatch, was: %s, expected: %s\n", suffix, expected);
Return code checking corrections to regex suffix code.
6 years ago
return CL_SUCCESS;
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}
static struct regex_list regex;
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(empty)
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
const char pattern[] = "";
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
clang-format'd using new .clang-format rules.
7 years ago
regex_t *preg;
errmsg_expected();
preg = malloc(sizeof(*regex.preg));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!preg, "malloc");
clang-format'd using new .clang-format rules.
7 years ago
rc = cli_regex2suffix(pattern, preg, cb_fail, NULL);
free(preg);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(rc == REG_EMPTY, "empty pattern");
ck_assert_msg(cb_called == 0, "callback shouldn't be called");
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}
END_TEST
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(one)
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
char pattern[] = "a";
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
clang-format'd using new .clang-format rules.
7 years ago
regex_t *preg;
preg = malloc(sizeof(*regex.preg));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!preg, "malloc");
clang-format'd using new .clang-format rules.
7 years ago
rc = cli_regex2suffix(pattern, preg, cb_expect_single, pattern);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "single character pattern");
clang-format'd using new .clang-format rules.
7 years ago
cli_regfree(preg);
free(preg);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(cb_called == 1, "callback should be called once");
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}
END_TEST
fix compiler warnings constify git-svn: trunk@4019
17 years ago
static const char *ex1[] =
clang-format'd using new .clang-format rules.
7 years ago
{"com|de", "moc", "ed", NULL};
fix compiler warnings constify git-svn: trunk@4019
17 years ago
static const char *ex2[] =
clang-format'd using new .clang-format rules.
7 years ago
{"xd|(a|e)bc", "dx", "cba", "cbe", NULL};
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
static const char **tests[] = {
clang-format'd using new .clang-format rules.
7 years ago
ex1,
ex2};
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
Return code checking corrections to regex suffix code.
6 years ago
static cl_error_t cb_expect_multi(void *cbdata, const char *suffix, size_t len, const struct regex_list *r)
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
const char **exp = cbdata;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
UNUSEDPARAM(r);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!exp, "expected data");
clang-format'd using new .clang-format rules.
7 years ago
exp++;
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!*exp, "expected no suffix, got: %s\n", suffix);
DB read logic cleanup, fix some warnings The logic for parsing a logical subsignature isn't clearly identified and has been, perhaps mistakenly or out of convenience, used to when parsing NDB signatures in addition to LDB subsignatures. What this means is that you can technically use a PCRE subsignature in an NDB file and clam won't complain about it. It won't work however, because a PCRE subsignature requires another matching subsignature to trigger it, but it will parse. The same is likely true for byte-compare subsignatures. This commit restructures that logic a bit so subsignature parsing has its own function and is more organized. I also renamed the functions a little bit and added lots of comments. I fixed a few minor warnings relating to format string characters. The change in str.c:cli_ldbtokenize is to prevent a buffer under-read if you were to use the function on the start of a buffer, as is now down in this commit.
3 years ago
ck_assert_msg(!!exp[cb_called], "expected less suffixes, but already got: %zu\n", cb_called);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(strcmp(exp[cb_called], suffix) == 0,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"suffix mismatch, was: %s, expected: %s\n", suffix, exp[cb_called]);
DB read logic cleanup, fix some warnings The logic for parsing a logical subsignature isn't clearly identified and has been, perhaps mistakenly or out of convenience, used to when parsing NDB signatures in addition to LDB subsignatures. What this means is that you can technically use a PCRE subsignature in an NDB file and clam won't complain about it. It won't work however, because a PCRE subsignature requires another matching subsignature to trigger it, but it will parse. The same is likely true for byte-compare subsignatures. This commit restructures that logic a bit so subsignature parsing has its own function and is more organized. I also renamed the functions a little bit and added lots of comments. I fixed a few minor warnings relating to format string characters. The change in str.c:cli_ldbtokenize is to prevent a buffer under-read if you were to use the function on the start of a buffer, as is now down in this commit.
3 years ago
ck_assert_msg(strlen(suffix) == len, "incorrect suffix len, expected: %zu, got: %zu\n", strlen(suffix), len);
clang-format'd using new .clang-format rules.
7 years ago
cb_called++;
Return code checking corrections to regex suffix code.
6 years ago
return CL_SUCCESS;
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(test_suffix)
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
{
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
clang-format'd using new .clang-format rules.
7 years ago
regex_t *preg;
const char *pattern = tests[_i][0];
size_t n = 0;
const char **p = tests[_i];
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!pattern, "test pattern");
clang-format'd using new .clang-format rules.
7 years ago
preg = malloc(sizeof(*regex.preg));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!preg, "malloc");
clang-format'd using new .clang-format rules.
7 years ago
rc = cli_regex2suffix(pattern, preg, cb_expect_multi, tests[_i]);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "single character pattern");
clang-format'd using new .clang-format rules.
7 years ago
cli_regfree(preg);
free(preg);
p++;
while (*p++) n++;
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(cb_called == n,
DB read logic cleanup, fix some warnings The logic for parsing a logical subsignature isn't clearly identified and has been, perhaps mistakenly or out of convenience, used to when parsing NDB signatures in addition to LDB subsignatures. What this means is that you can technically use a PCRE subsignature in an NDB file and clam won't complain about it. It won't work however, because a PCRE subsignature requires another matching subsignature to trigger it, but it will parse. The same is likely true for byte-compare subsignatures. This commit restructures that logic a bit so subsignature parsing has its own function and is more organized. I also renamed the functions a little bit and added lots of comments. I fixed a few minor warnings relating to format string characters. The change in str.c:cli_ldbtokenize is to prevent a buffer under-read if you were to use the function on the start of a buffer, as is now down in this commit.
3 years ago
"suffix number mismatch, expected: %zu, was: %zu\n", n, cb_called);
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}
END_TEST
static void setup(void)
{
clang-format'd using new .clang-format rules.
7 years ago
cb_called = 0;
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}
static void teardown(void)
{
}
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
static struct regex_matcher matcher;
static void rsetup(void)
{
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
mpool debugging s/USE_MEMPOOL/USE_MPOOL/ git-svn: trunk@4329
17 years ago
#ifdef USE_MPOOL
clang-format'd using new .clang-format rules.
7 years ago
matcher.mempool = mpool_create();
fix unit tests when mpool is activated git-svn: trunk@4323
17 years ago
#endif
clang-format'd using new .clang-format rules.
7 years ago
rc = init_regex_list(&matcher, 1);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "init_regex_list");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
}
static void rteardown(void)
{
clang-format'd using new .clang-format rules.
7 years ago
regex_list_done(&matcher);
mpool debugging s/USE_MEMPOOL/USE_MPOOL/ git-svn: trunk@4329
17 years ago
#ifdef USE_MPOOL
clang-format'd using new .clang-format rules.
7 years ago
mpool_destroy(matcher.mempool);
fix unit tests when mpool is activated git-svn: trunk@4323
17 years ago
#endif
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
}
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
typedef enum rtest_result {
RTR_PHISH,
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
RTR_ALLOWED,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
RTR_CLEAN,
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
RTR_BLOCKED, // if 2nd db is loaded
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
RTR_INVALID_REGEX
} rtr_t;
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
static const struct rtest {
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
const char *pattern; /* NULL if not meant for allow list testing */
clang-format'd using new .clang-format rules.
7 years ago
const char *realurl;
const char *displayurl;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
rtr_t result;
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
} rtests[] = {
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
{NULL, "http://fake.example.com", "http://foo@key.com/", RTR_PHISH},
{NULL, "http://fake.example.com", "foo.example.com@key.com", RTR_PHISH},
{NULL, "http://fake.example.com", "foo@key.com", RTR_CLEAN},
{NULL, "http://fake.example.com", "&#61;&#61;&#61;&#61;&#61;key.com", RTR_PHISH},
{NULL, "http://key.com", "&#61;&#61;&#61;&#61;&#61;key.com", RTR_CLEAN},
{NULL, " http://key.com", "&#61;&#61;&#61;&#61;&#61;key.com", RTR_CLEAN},
{NULL, "http://key.com@fake.example.com", "key.com", RTR_PHISH},
{NULL, " http://key.com@fake.example.com", "key.com", RTR_PHISH},
{NULL, " http://key.com@fake.example.com ", "key.com", RTR_PHISH},
clang-format'd using new .clang-format rules.
7 years ago
/* entry taken from .wdb with a / appended */
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de",
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
RTR_ALLOWED /* should be allowed */},
clang-format'd using new .clang-format rules.
7 years ago
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
"http://srx.main.ebayrtm.com.evil.example.com",
"pages.ebay.de",
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
RTR_PHISH},
clang-format'd using new .clang-format rules.
7 years ago
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
"www.www.ebayrtm.com?somecgi",
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
"www.ebay.com/something", RTR_ALLOWED},
clang-format'd using new .clang-format rules.
7 years ago
{NULL,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"http://key.com", "go to key.com", RTR_CLEAN},
clang-format'd using new .clang-format rules.
7 years ago
{":.+\\.paypal\\.(com|de|fr|it)([/?].*)?:.+\\.ebay\\.(at|be|ca|ch|co\\.uk|de|es|fr|ie|in|it|nl|ph|pl|com(\\.(au|cn|hk|my|sg))?)([/?].*)?/",
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
"http://www.paypal.com", "pics.ebay.com", RTR_ALLOWED},
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
{NULL, "http://somefakeurl.example.com", "someotherdomain-key.com", RTR_CLEAN},
{NULL, "http://somefakeurl.example.com", "someotherdomain.key.com", RTR_PHISH},
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
{NULL, "http://malware-test.example.com/something", "test", RTR_BLOCKED},
{NULL, "http://phishing-test.example.com/something", "test", RTR_BLOCKED},
{NULL, "http://sub.malware-test.example.com/2", "test", RTR_BLOCKED},
{NULL, "http://sub.phishing-test.example.com/2", "test", RTR_BLOCKED},
{NULL, "http://user@malware-test.example.com/2", "test", RTR_BLOCKED},
{NULL, "http://user@phishing-test.example.com/2", "test", RTR_BLOCKED},
{NULL, "http://user@malware-test.example.com/2/test", "test", RTR_BLOCKED},
{NULL, "http://user@phishing-test.example.com/2/test", "test", RTR_BLOCKED},
{NULL, "http://user@malware-test.example.com/", "test", RTR_BLOCKED},
{NULL, "http://user@phishing-test.example.com/", "test", RTR_BLOCKED},
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
{NULL, "http://x.exe", "http:///x.exe", RTR_CLEAN},
clang-format'd using new .clang-format rules.
7 years ago
{".+\\.ebayrtm\\.com([/?].*)?:[^.]+\\.ebay\\.(de|com|co\\.uk)/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de",
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
RTR_ALLOWED /* should be allowed */},
clang-format'd using new .clang-format rules.
7 years ago
{".+\\.ebayrtm\\.com([/?].*)?:.+[r-t]\\.ebay\\.(de|com|co\\.uk)/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de",
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
RTR_ALLOWED /* should be allowed */},
clang-format'd using new .clang-format rules.
7 years ago
{".+\\.ebayrtm\\.com([/?].*)?:.+[r-t]\\.ebay\\.(de|com|co\\.uk)/",
"http://srx.main.ebayrtm.com",
"pages.ebay.de",
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
RTR_ALLOWED /* should be allowed */},
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
{"[t-", "", "", RTR_INVALID_REGEX},
{NULL, "http://co.uk", "http:// co.uk", RTR_CLEAN},
{NULL, "http://co.uk", " ", RTR_CLEAN},
{NULL, "127.0.0.1", "pages.ebay.de", RTR_CLEAN},
clang-format'd using new .clang-format rules.
7 years ago
{".+\\.ebayrtm\\.com([/?].*)?:.+\\.ebay\\.(de|com|co\\.uk)([/?].*)?/",
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"http://pages.ebay.de@fake.example.com", "pages.ebay.de", RTR_PHISH},
{NULL, "http://key.com", "https://key.com", RTR_PHISH},
{NULL, "http://key.com%00fake.example.com", "https://key.com", RTR_PHISH},
{NULL, "http://key.com.example.com", "key.com.invalid", RTR_PHISH}};
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(regex_list_match_test)
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
const char *info;
const struct rtest *rtest = &rtests[_i];
char *pattern, *realurl;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
clang-format'd using new .clang-format rules.
7 years ago
if (!rtest->pattern) {
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
ck_assert_msg(rtest->result != RTR_ALLOWED,
"Allow list test must have pattern set");
/* this test entry is not meant for allow_list testing */
clang-format'd using new .clang-format rules.
7 years ago
return;
}
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
ck_assert_msg(rtest->result == RTR_PHISH || rtest->result == RTR_ALLOWED || rtest->result == RTR_INVALID_REGEX,
"Allow list test result must be either RTR_PHISH or RTR_ALLOWED or RTR_INVALID_REGEX");
clang-format'd using new .clang-format rules.
7 years ago
pattern = cli_strdup(rtest->pattern);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!pattern, "cli_strdup");
clang-format'd using new .clang-format rules.
7 years ago
rc = regex_list_add_pattern(&matcher, pattern);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
if (rtest->result == RTR_INVALID_REGEX) {
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(rc, "regex_list_add_pattern should return error");
clang-format'd using new .clang-format rules.
7 years ago
free(pattern);
return;
} else
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "regex_list_add_pattern");
clang-format'd using new .clang-format rules.
7 years ago
free(pattern);
matcher.list_loaded = 1;
rc = cli_build_regex_list(&matcher);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list");
clang-format'd using new .clang-format rules.
7 years ago
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(is_regex_ok(&matcher), "is_regex_ok");
clang-format'd using new .clang-format rules.
7 years ago
Clang-format touchup
5 years ago
realurl = cli_strdup(rtest->realurl);
rc = regex_list_match(&matcher, realurl, rtest->displayurl, NULL, 1, &info, 1);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(rc == rtest->result, "regex_list_match");
clang-format'd using new .clang-format rules.
7 years ago
/* regex_list_match is not supposed to modify realurl in this case */
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!strcmp(realurl, rtest->realurl), "realurl altered");
clang-format'd using new .clang-format rules.
7 years ago
free(realurl);
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
}
END_TEST
static struct cl_engine *engine;
flag for U: lines, format is one of: U:MD5 U1:MD5 U2:MD5 add unit test for md5 url match git-svn: trunk@4053
17 years ago
static int loaded_2 = 0;
static void psetup_impl(int load2)
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
FILE *f;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
clang-format'd using new .clang-format rules.
7 years ago
unsigned signo = 0;
fix make check. Buildbot didn't detect compile failure in make check. git-svn: trunk@4902
16 years ago
clang-format'd using new .clang-format rules.
7 years ago
engine = cl_engine_new();
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!engine, "cl_engine_new");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
clang-format'd using new .clang-format rules.
7 years ago
phishing_init(engine);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!engine->phishcheck, "phishing_init");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
rc = init_domain_list(engine);
ck_assert_msg(rc == CL_SUCCESS, "init_domain_list");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
XOR test files; clean up tests directory The split test files are flagged by some AV's because they look like broken executables. Instead of splitting the test files to prevent detections, we should encrypt them. This commit replaces the "reassemble testfiles" script with a basic "XOR testfiles" script that can be used to encrypt or decrypt test files. This commit also of course then replaces all the split files with xor'ed files. The test and unit_tests directories were a bit of a mess, so I reorganized them all into unit_tests with all of the test files placed under "unit_tests/input" using subdirectories for different types of files.
4 years ago
f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.pdb", O_RDONLY | O_BINARY), "r");
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!f, "fopen daily.pdb");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
rc = load_regex_matcher(engine, engine->domain_list_matcher, f, &signo, 0, 0, NULL, 1);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher");
clang-format'd using new .clang-format rules.
7 years ago
fclose(f);
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(signo == 201, "Incorrect number of signatures: %u, expected %u", signo, 201);
fix make check. Buildbot didn't detect compile failure in make check. git-svn: trunk@4902
16 years ago
clang-format'd using new .clang-format rules.
7 years ago
if (load2) {
XOR test files; clean up tests directory The split test files are flagged by some AV's because they look like broken executables. Instead of splitting the test files to prevent detections, we should encrypt them. This commit replaces the "reassemble testfiles" script with a basic "XOR testfiles" script that can be used to encrypt or decrypt test files. This commit also of course then replaces all the split files with xor'ed files. The test and unit_tests directories were a bit of a mess, so I reorganized them all into unit_tests with all of the test files placed under "unit_tests/input" using subdirectories for different types of files.
4 years ago
f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.gdb", O_RDONLY | O_BINARY), "r");
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!f, "fopen daily.gdb");
flag for U: lines, format is one of: U:MD5 U1:MD5 U2:MD5 add unit test for md5 url match git-svn: trunk@4053
17 years ago
clang-format'd using new .clang-format rules.
7 years ago
signo = 0;
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
rc = load_regex_matcher(engine, engine->domain_list_matcher, f, &signo, 0, 0, NULL, 1);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher");
clang-format'd using new .clang-format rules.
7 years ago
fclose(f);
fix make check. Buildbot didn't detect compile failure in make check. git-svn: trunk@4902
16 years ago
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(signo == 4, "Incorrect number of signatures: %u, expected %u", signo, 4);
clang-format'd using new .clang-format rules.
7 years ago
}
loaded_2 = load2;
flag for U: lines, format is one of: U:MD5 U1:MD5 U2:MD5 add unit test for md5 url match git-svn: trunk@4053
17 years ago
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
rc = init_allow_list(engine);
ck_assert_msg(rc == CL_SUCCESS, "init_allow_list");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
XOR test files; clean up tests directory The split test files are flagged by some AV's because they look like broken executables. Instead of splitting the test files to prevent detections, we should encrypt them. This commit replaces the "reassemble testfiles" script with a basic "XOR testfiles" script that can be used to encrypt or decrypt test files. This commit also of course then replaces all the split files with xor'ed files. The test and unit_tests directories were a bit of a mess, so I reorganized them all into unit_tests with all of the test files placed under "unit_tests/input" using subdirectories for different types of files.
4 years ago
f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.wdb", O_RDONLY | O_BINARY), "r");
clang-format'd using new .clang-format rules.
7 years ago
signo = 0;
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
rc = load_regex_matcher(engine, engine->allow_list_matcher, f, &signo, 0, 1, NULL, 1);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "load_regex_matcher");
clang-format'd using new .clang-format rules.
7 years ago
fclose(f);
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(signo == 31, "Incorrect number of signatures: %u, expected %u", signo, 31);
fix make check. Buildbot didn't detect compile failure in make check. git-svn: trunk@4902
16 years ago
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
rc = cli_build_regex_list(engine->allow_list_matcher);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
rc = cli_build_regex_list(engine->domain_list_matcher);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_SUCCESS, "cli_build_regex_list");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
ck_assert_msg(is_regex_ok(engine->allow_list_matcher), "is_regex_ok");
ck_assert_msg(is_regex_ok(engine->domain_list_matcher), "is_regex_ok");
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
}
flag for U: lines, format is one of: U:MD5 U1:MD5 U2:MD5 add unit test for md5 url match git-svn: trunk@4053
17 years ago
static void psetup(void)
{
clang-format'd using new .clang-format rules.
7 years ago
psetup_impl(0);
flag for U: lines, format is one of: U:MD5 U1:MD5 U2:MD5 add unit test for md5 url match git-svn: trunk@4053
17 years ago
}
static void psetup2(void)
{
clang-format'd using new .clang-format rules.
7 years ago
psetup_impl(1);
flag for U: lines, format is one of: U:MD5 U1:MD5 U2:MD5 add unit test for md5 url match git-svn: trunk@4053
17 years ago
}
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
static void pteardown(void)
{
clang-format'd using new .clang-format rules.
7 years ago
if (engine) {
cl_engine_free(engine);
}
engine = NULL;
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
}
add more unit-tests fix matching bugs in regex_list git-svn: trunk@4020
17 years ago
static void do_phishing_test(const struct rtest *rtest)
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
char *realurl;
cli_ctx ctx;
struct cl_scan_options options;
const char *virname = NULL;
tag_arguments_t hrefs;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
clang-format'd using new .clang-format rules.
7 years ago
memset(&ctx, 0, sizeof(ctx));
memset(&options, 0, sizeof(struct cl_scan_options));
ctx.options = &options;
realurl = cli_strdup(rtest->realurl);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!realurl, "cli_strdup");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.count = 1;
hrefs.value = cli_malloc(sizeof(*hrefs.value));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!hrefs.value, "cli_malloc");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.value[0] = (unsigned char *)realurl;
hrefs.contents = cli_malloc(sizeof(*hrefs.contents));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!hrefs.contents, "cli_malloc");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.tag = cli_malloc(sizeof(*hrefs.tag));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!hrefs.tag, "cli_malloc");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.tag[0] = (unsigned char *)cli_strdup("href");
hrefs.contents[0] = (unsigned char *)cli_strdup(rtest->displayurl);
ctx.engine = engine;
ctx.virname = &virname;
rc = phishingScan(&ctx, &hrefs);
html_tag_arg_free(&hrefs);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(rc == CL_CLEAN, "phishingScan");
clang-format'd using new .clang-format rules.
7 years ago
switch (rtest->result) {
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
case RTR_PHISH:
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(ctx.found_possibly_unwanted,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"this should be phishing, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
break;
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
case RTR_ALLOWED:
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!ctx.found_possibly_unwanted,
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
"this should be allowed, realURL: %s, displayURL: %s",
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
break;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
case RTR_CLEAN:
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!ctx.found_possibly_unwanted,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
break;
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
case RTR_BLOCKED:
clang-format'd using new .clang-format rules.
7 years ago
if (!loaded_2)
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!ctx.found_possibly_unwanted,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
else {
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(ctx.found_possibly_unwanted,
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
"this should be blocked, realURL: %s, displayURL: %s",
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
rtest->realurl, rtest->displayurl);
if (*ctx.virname) {
Fix several coverity warnings 290424 Missing break in switch - In hash_match: Missing break statement between cases in switch statement 290414 Resource leak - In cli_scanishield_msi: Leak of memory or pointers to system resources. Memory leak in a fail case 288197 Resource leak - In decrypt_any: Leak of memory or pointers to system resources. Memory leak in a fail case 290426 Resource leak - In cli_magic_scan: Leak of memory or pointers to system resources. Leaked a file prefix when running with --save-temps 192923 Resource leak - In cli_scanrar: Leak of memory or pointers to system resources. Leaked a file descriptor if a virus was found in a RAR file comment 225146 Resource leak - In cli_scanegg: Leak of memory or pointers to system resources. Leaked a file descriptor if unable to write a comment file to disk 290425 Resource leak - In scan_common: Leak of memory or pointers to system resources. Memory leaks in various fail cases. Also changes cli_scanrar to write out the file comment only if --leave-temps is specified and scan the buffer (like what is done in cli_scanegg) instead of writing the file out, scanning that, and then deleting the file if --leave-temps is not specified. The unit tests stopped working when correcting an issue with a switch statement that determined what type of signature had matched on a Google SafeBrowsing GDB rule. Looking into the unit tests, it looks like the code had always assumed that the test cases would be detected by a malware test rule in unit_tests/input/daily.gdb, but now some of the tests get matched on the phishing test rule. I updated the test logic to be more clear, and added tests for both cases now. Fix some memory leaks in libclamav/scanners.c
5 years ago
char *phishingFound = NULL;
char *detectionName = NULL;
if (strstr(rtest->realurl, "malware-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
} else if (strstr(rtest->realurl, "phishing-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
}
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
ck_assert_msg(detectionName != NULL, "\n\t Block list test case error - malware-test or phishing-test not found in: %s\n", rtest->realurl);
Fix several coverity warnings 290424 Missing break in switch - In hash_match: Missing break statement between cases in switch statement 290414 Resource leak - In cli_scanishield_msi: Leak of memory or pointers to system resources. Memory leak in a fail case 288197 Resource leak - In decrypt_any: Leak of memory or pointers to system resources. Memory leak in a fail case 290426 Resource leak - In cli_magic_scan: Leak of memory or pointers to system resources. Leaked a file prefix when running with --save-temps 192923 Resource leak - In cli_scanrar: Leak of memory or pointers to system resources. Leaked a file descriptor if a virus was found in a RAR file comment 225146 Resource leak - In cli_scanegg: Leak of memory or pointers to system resources. Leaked a file descriptor if unable to write a comment file to disk 290425 Resource leak - In scan_common: Leak of memory or pointers to system resources. Memory leaks in various fail cases. Also changes cli_scanrar to write out the file comment only if --leave-temps is specified and scan the buffer (like what is done in cli_scanegg) instead of writing the file out, scanning that, and then deleting the file if --leave-temps is not specified. The unit tests stopped working when correcting an issue with a switch statement that determined what type of signature had matched on a Google SafeBrowsing GDB rule. Looking into the unit tests, it looks like the code had always assumed that the test cases would be detected by a malware test rule in unit_tests/input/daily.gdb, but now some of the tests get matched on the phishing test rule. I updated the test logic to be more clear, and added tests for both cases now. Fix some memory leaks in libclamav/scanners.c
5 years ago
phishingFound = strstr((const char *)*ctx.virname, detectionName);
ck_assert_msg(phishingFound != NULL, "\n\t should be: %s,\n\t but is: %s\n", detectionName, *ctx.virname);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
}
clang-format'd using new .clang-format rules.
7 years ago
}
break;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
case RTR_INVALID_REGEX:
/* don't worry about it, this was tested in regex_list_match_test() */
break;
clang-format'd using new .clang-format rules.
7 years ago
}
add more unit-tests fix matching bugs in regex_list git-svn: trunk@4020
17 years ago
}
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
static void do_phishing_test_allscan(const struct rtest *rtest)
{
clang-format'd using new .clang-format rules.
7 years ago
char *realurl;
cli_ctx ctx;
const char *virname = NULL;
tag_arguments_t hrefs;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
cl_error_t rc;
Restructured scan options flags from a single bitflag field to a structure containing multiple bitflag fields. This also required adding a new function to the bytecode API to get scan options a la carte, and modifying the existing function to hand back scan options in the old/deprecated uint32_t bitflag format. Re-generated bytecode iface header files. Updated libclamav documentation detailing new scan options structure. Renamed references to 'algorithmic' detection to 'heuristic' detection. Renaming references to 'properties' to 'collect metadata'. Renamed references to 'scan all' to 'scan all match'. Renamed a couple of 'Hueristic.*' signature names as 'Heuristics.*' signatures (plural) to match majority of other heuristics.
7 years ago
struct cl_scan_options options;
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
clang-format'd using new .clang-format rules.
7 years ago
memset(&ctx, 0, sizeof(ctx));
Restructured scan options flags from a single bitflag field to a structure containing multiple bitflag fields. This also required adding a new function to the bytecode API to get scan options a la carte, and modifying the existing function to hand back scan options in the old/deprecated uint32_t bitflag format. Re-generated bytecode iface header files. Updated libclamav documentation detailing new scan options structure. Renamed references to 'algorithmic' detection to 'heuristic' detection. Renaming references to 'properties' to 'collect metadata'. Renamed references to 'scan all' to 'scan all match'. Renamed a couple of 'Hueristic.*' signature names as 'Heuristics.*' signatures (plural) to match majority of other heuristics.
7 years ago
memset(&options, 0, sizeof(struct cl_scan_options));
ctx.options = &options;
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
clang-format'd using new .clang-format rules.
7 years ago
realurl = cli_strdup(rtest->realurl);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!realurl, "cli_strdup");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.count = 1;
hrefs.value = cli_malloc(sizeof(*hrefs.value));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!hrefs.value, "cli_malloc");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.value[0] = (unsigned char *)realurl;
hrefs.contents = cli_malloc(sizeof(*hrefs.contents));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!hrefs.contents, "cli_malloc");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.tag = cli_malloc(sizeof(*hrefs.tag));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!hrefs.tag, "cli_malloc");
clang-format'd using new .clang-format rules.
7 years ago
hrefs.tag[0] = (unsigned char *)cli_strdup("href");
hrefs.contents[0] = (unsigned char *)cli_strdup(rtest->displayurl);
ctx.engine = engine;
ctx.virname = &virname;
ctx.options->general |= CL_SCAN_GENERAL_ALLMATCHES;
rc = phishingScan(&ctx, &hrefs);
html_tag_arg_free(&hrefs);
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
if (rtest->result == RTR_PHISH || (loaded_2 != 0 && rtest->result == RTR_BLOCKED)) {
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
ck_assert_msg(rc == CL_VIRUS, "phishingScan returned \"%s\", expected \"%s\". \n\trealURL: %s \n\tdisplayURL: %s",
cl_strerror(rc),
cl_strerror(CL_VIRUS),
rtest->realurl, rtest->displayurl);
} else {
ck_assert_msg(rc == CL_CLEAN, "phishingScan returned \"%s\", expected \"%s\". \n\trealURL: %s \n\tdisplayURL: %s",
cl_strerror(rc),
cl_strerror(CL_CLEAN),
rtest->realurl, rtest->displayurl);
}
clang-format'd using new .clang-format rules.
7 years ago
switch (rtest->result) {
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
case RTR_PHISH:
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(ctx.num_viruses,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"this should be phishing, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
break;
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
case RTR_ALLOWED:
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!ctx.num_viruses,
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
"this should be allowed, realURL: %s, displayURL: %s",
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
break;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
case RTR_CLEAN:
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!ctx.num_viruses,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
break;
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
case RTR_BLOCKED:
clang-format'd using new .clang-format rules.
7 years ago
if (!loaded_2)
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!ctx.num_viruses,
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
"this should be clean, realURL: %s, displayURL: %s",
rtest->realurl, rtest->displayurl);
clang-format'd using new .clang-format rules.
7 years ago
else {
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(ctx.num_viruses,
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
"this should be blocked, realURL: %s, displayURL: %s",
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
rtest->realurl, rtest->displayurl);
if (*ctx.virname) {
Fix several coverity warnings 290424 Missing break in switch - In hash_match: Missing break statement between cases in switch statement 290414 Resource leak - In cli_scanishield_msi: Leak of memory or pointers to system resources. Memory leak in a fail case 288197 Resource leak - In decrypt_any: Leak of memory or pointers to system resources. Memory leak in a fail case 290426 Resource leak - In cli_magic_scan: Leak of memory or pointers to system resources. Leaked a file prefix when running with --save-temps 192923 Resource leak - In cli_scanrar: Leak of memory or pointers to system resources. Leaked a file descriptor if a virus was found in a RAR file comment 225146 Resource leak - In cli_scanegg: Leak of memory or pointers to system resources. Leaked a file descriptor if unable to write a comment file to disk 290425 Resource leak - In scan_common: Leak of memory or pointers to system resources. Memory leaks in various fail cases. Also changes cli_scanrar to write out the file comment only if --leave-temps is specified and scan the buffer (like what is done in cli_scanegg) instead of writing the file out, scanning that, and then deleting the file if --leave-temps is not specified. The unit tests stopped working when correcting an issue with a switch statement that determined what type of signature had matched on a Google SafeBrowsing GDB rule. Looking into the unit tests, it looks like the code had always assumed that the test cases would be detected by a malware test rule in unit_tests/input/daily.gdb, but now some of the tests get matched on the phishing test rule. I updated the test logic to be more clear, and added tests for both cases now. Fix some memory leaks in libclamav/scanners.c
5 years ago
char *phishingFound = NULL;
char *detectionName = NULL;
if (strstr(rtest->realurl, "malware-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-malware_safebrowsing.clamav.net";
} else if (strstr(rtest->realurl, "phishing-test")) {
detectionName = "Heuristics.Safebrowsing.Suspected-phishing_safebrowsing.clamav.net";
}
Blacklist & Whitelist verbiage Improvements to use modern block list and allow list verbiage. blacklist -> block list whitelist -> allow listed blacklisted -> blocked whitelisted -> allowed In the case of certificate verification, use "trust" or "verify" when something is allowed. Also changed domainlist -> domain list (or DomainList) to match.
4 years ago
ck_assert_msg(detectionName != NULL, "\n\t Block list test case error - malware-test or phishing-test not found in: %s\n", rtest->realurl);
Fix several coverity warnings 290424 Missing break in switch - In hash_match: Missing break statement between cases in switch statement 290414 Resource leak - In cli_scanishield_msi: Leak of memory or pointers to system resources. Memory leak in a fail case 288197 Resource leak - In decrypt_any: Leak of memory or pointers to system resources. Memory leak in a fail case 290426 Resource leak - In cli_magic_scan: Leak of memory or pointers to system resources. Leaked a file prefix when running with --save-temps 192923 Resource leak - In cli_scanrar: Leak of memory or pointers to system resources. Leaked a file descriptor if a virus was found in a RAR file comment 225146 Resource leak - In cli_scanegg: Leak of memory or pointers to system resources. Leaked a file descriptor if unable to write a comment file to disk 290425 Resource leak - In scan_common: Leak of memory or pointers to system resources. Memory leaks in various fail cases. Also changes cli_scanrar to write out the file comment only if --leave-temps is specified and scan the buffer (like what is done in cli_scanegg) instead of writing the file out, scanning that, and then deleting the file if --leave-temps is not specified. The unit tests stopped working when correcting an issue with a switch statement that determined what type of signature had matched on a Google SafeBrowsing GDB rule. Looking into the unit tests, it looks like the code had always assumed that the test cases would be detected by a malware test rule in unit_tests/input/daily.gdb, but now some of the tests get matched on the phishing test rule. I updated the test logic to be more clear, and added tests for both cases now. Fix some memory leaks in libclamav/scanners.c
5 years ago
phishingFound = strstr((const char *)*ctx.virname, detectionName);
ck_assert_msg(phishingFound != NULL, "\n\t should be: %s,\n\t but is: %s\n", detectionName, *ctx.virname);
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
}
clang-format'd using new .clang-format rules.
7 years ago
}
break;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
case RTR_INVALID_REGEX:
/* don't worry about it, this was tested in regex_list_match_test() */
break;
clang-format'd using new .clang-format rules.
7 years ago
}
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
}
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(phishingScan_test)
add more unit-tests fix matching bugs in regex_list git-svn: trunk@4020
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
do_phishing_test(&rtests[_i]);
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
}
END_TEST
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(phishingScan_test_allscan)
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
do_phishing_test_allscan(&rtests[_i]);
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
}
END_TEST
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
static struct uc {
const char *in;
const char *host;
const char *path;
} uc[] = {
{":example/%25%32%35", "example/", "%25"},
{":example/%25%32%35%25%32%35", "example/", "%25%25"},
{":example/abc%25%32%35asd", "example/", "abc%25asd"},
clang-format'd using new .clang-format rules.
7 years ago
{":www.example.com/", "www.example.com/", ""},
{":%31%32%37%2e%30%2e%30%2e%31/%2E%73%65%63%75%72%65/%77%77%77%2e%65%78%61%6d%70%6c%65%2e%63%6f%6d/",
"127.0.0.1/", ".secure/www.example.com/"},
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
{":127.0.0.1/uploads/%20%20%20%20/.verify/.blah=abcd-ef=gh/",
clang-format'd using new .clang-format rules.
7 years ago
"127.0.0.1/", "uploads/%20%20%20%20/.verify/.blah=abcd-ef=gh/"},
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
{"http://example%23.com/%61%40%62%252B",
clang-format'd using new .clang-format rules.
7 years ago
"example%23.com/", "a@b+"},
{"http://example.com/blah/..", "example.com/", ""},
{"http://example.com/blah/../x", "example.com/", "x"},
{"http://example.com/./a", "example.com/", "a"}};
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(test_url_canon)
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
{
clang-format'd using new .clang-format rules.
7 years ago
char urlbuff[1024 + 3];
char *host = NULL;
fix distcheck. git-svn: trunk@4836
17 years ago
const char *path = NULL;
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
size_t host_len, path_len;
struct uc *u = &uc[_i];
cli_url_canon(u->in, strlen(u->in), urlbuff, sizeof(urlbuff), &host, &host_len, &path, &path_len);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!host && !!path, "null results\n");
ck_assert_msg(!strcmp(u->host, host), "host incorrect: %s\n", host);
ck_assert_msg(!strcmp(u->path, path), "path incorrect: %s\n", path);
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
}
END_TEST
add support for (?i). Now regular expressions that begin with (?i) will be case insensitive. (bb #1584, #1598). git-svn: trunk@5067
16 years ago
static struct regex_test {
const char *regex;
const char *text;
int match;
} rg[] = {
{"\\.exe$", "test.exe", 1},
{"\\.exe$", "test.eXe", 0},
{"(?i)\\.exe$", "test.exe", 1},
clang-format'd using new .clang-format rules.
7 years ago
{"(?i)\\.exe$", "test.eXe", 1}};
add support for (?i). Now regular expressions that begin with (?i) will be case insensitive. (bb #1584, #1598). git-svn: trunk@5067
16 years ago
clang-format'd using new .clang-format rules.
7 years ago
START_TEST(test_regexes)
add support for (?i). Now regular expressions that begin with (?i) will be case insensitive. (bb #1584, #1598). git-svn: trunk@5067
16 years ago
{
regex_t reg;
struct regex_test *tst = &rg[_i];
int match;
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(cli_regcomp(&reg, tst->regex, REG_EXTENDED | REG_NOSUB) == 0, "cli_regcomp");
add support for (?i). Now regular expressions that begin with (?i) will be case insensitive. (bb #1584, #1598). git-svn: trunk@5067
16 years ago
match = (cli_regexec(&reg, tst->text, 0, NULL, 0) == REG_NOMATCH) ? 0 : 1;
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(match == tst->match, "cli_regexec failed for %s and %s\n", tst->regex, tst->text);
add support for (?i). Now regular expressions that begin with (?i) will be case insensitive. (bb #1584, #1598). git-svn: trunk@5067
16 years ago
cli_regfree(&reg);
}
END_TEST
use sha256 instead of md5 in phishcheck. move sha256 to libclamav. add more tests. git-svn: trunk@4822
17 years ago
add more unit-tests fix matching bugs in regex_list git-svn: trunk@4020
17 years ago
START_TEST(phishing_fake_test)
{
clang-format'd using new .clang-format rules.
7 years ago
char buf[4096];
XOR test files; clean up tests directory The split test files are flagged by some AV's because they look like broken executables. Instead of splitting the test files to prevent detections, we should encrypt them. This commit replaces the "reassemble testfiles" script with a basic "XOR testfiles" script that can be used to encrypt or decrypt test files. This commit also of course then replaces all the split files with xor'ed files. The test and unit_tests directories were a bit of a mess, so I reorganized them all into unit_tests with all of the test files placed under "unit_tests/input" using subdirectories for different types of files.
4 years ago
FILE *f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.pdb", O_RDONLY | O_BINARY), "r");
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!f, "fopen daily.pdb");
clang-format'd using new .clang-format rules.
7 years ago
while (fgets(buf, sizeof(buf), f)) {
struct rtest rtest;
const char *pdb = strchr(buf, ':');
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!pdb, "missing : in pdb");
clang-format'd using new .clang-format rules.
7 years ago
rtest.realurl = pdb;
rtest.displayurl = pdb;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
rtest.result = RTR_CLEAN;
clang-format'd using new .clang-format rules.
7 years ago
do_phishing_test(&rtest);
rtest.realurl = "http://fake.example.com";
rtest.result = 0;
do_phishing_test(&rtest);
}
fclose(f);
add more unit-tests fix matching bugs in regex_list git-svn: trunk@4020
17 years ago
}
END_TEST
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
START_TEST(phishing_fake_test_allscan)
{
clang-format'd using new .clang-format rules.
7 years ago
char buf[4096];
XOR test files; clean up tests directory The split test files are flagged by some AV's because they look like broken executables. Instead of splitting the test files to prevent detections, we should encrypt them. This commit replaces the "reassemble testfiles" script with a basic "XOR testfiles" script that can be used to encrypt or decrypt test files. This commit also of course then replaces all the split files with xor'ed files. The test and unit_tests directories were a bit of a mess, so I reorganized them all into unit_tests with all of the test files placed under "unit_tests/input" using subdirectories for different types of files.
4 years ago
FILE *f = fdopen(open_testfile("input" PATHSEP "other_sigs" PATHSEP "daily.pdb", O_RDONLY | O_BINARY), "r");
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!f, "fopen daily.pdb");
clang-format'd using new .clang-format rules.
7 years ago
while (fgets(buf, sizeof(buf), f)) {
struct rtest rtest;
const char *pdb = strchr(buf, ':');
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
ck_assert_msg(!!pdb, "missing : in pdb");
clang-format'd using new .clang-format rules.
7 years ago
rtest.realurl = pdb;
rtest.displayurl = pdb;
bb12506: Fix phishing/heuristic alert verbosity Some detections, like phishing, are considered heuristic alerts because they match based on behavior more than on content. A subset of these are considered "potentially unwanted" (low-severity). These low-severity alerts include: - phishing - PDFs with obfuscated object names - bytecode signature alerts that start with "BC.Heuristics" The concept is that unless you enable "heuristic precedence" (a method of lowing the threshold to immediateley alert on low-severity detections), the scan should continue after a match in case a higher severity match is found. Only at the end will it print the low-severity match if nothing else was found. The current implementation is buggy though. Scanning of archives does not correctly bail out for the entire archive if one email contains a phishing link. Instead, it sets the "heuristic found" flag then and alerts for every subsequent file in the archive because it doesn't know if the heuristic was found in an embedded file or the target file. Because it's just a heuristic and the status is "clean", it keeps scanning. This patch corrects the behavior by checking if a low-severity alerts were found at the end of scanning the target file, instead of at the end of each embedded file. Additionally, this patch fixes an in issue with phishing alerts wherein heuristic precedence mode did not cause a scan to stop after the first alert. The above changes required restructuring to create an fmap inside of cl_scandesc_callback() so that scan_common() could be modified to require an fmap and set up so that the current *ctx->fmap pointer is never NULL when scan_common() evaluates match results. Also fixed a couple minor bugs in the phishing unit tests and cleaned up the test code for improved legitibility and type safety.
5 years ago
rtest.result = RTR_CLEAN;
clang-format'd using new .clang-format rules.
7 years ago
do_phishing_test_allscan(&rtest);
rtest.realurl = "http://fake.example.com";
rtest.result = 0;
do_phishing_test_allscan(&rtest);
}
fclose(f);
add initial allscan/allmatch mode to libclamav, clamd, clamdscan, and clamscan with unit tests
13 years ago
}
END_TEST
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
Suite *test_regex_suite(void)
{
clang-format'd using new .clang-format rules.
7 years ago
Suite *s = suite_create("regex");
TCase *tc_api, *tc_matching, *tc_phish, *tc_phish2, *tc_regex;
tc_api = tcase_create("cli_regex2suffix");
suite_add_tcase(s, tc_api);
tcase_add_checked_fixture(tc_api, setup, teardown);
tcase_add_test(tc_api, empty);
tcase_add_test(tc_api, one);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_loop_test(tc_api, test_suffix, 0, sizeof(tests) / sizeof(tests[0]));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tc_matching = tcase_create("regex_list");
suite_add_tcase(s, tc_matching);
tcase_add_checked_fixture(tc_matching, rsetup, rteardown);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_loop_test(tc_matching, regex_list_match_test, 0, sizeof(rtests) / sizeof(rtests[0]));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tc_phish = tcase_create("phishingScan");
suite_add_tcase(s, tc_phish);
tcase_add_unchecked_fixture(tc_phish, psetup, pteardown);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_loop_test(tc_phish, phishingScan_test, 0, sizeof(rtests) / sizeof(rtests[0]));
tcase_add_loop_test(tc_phish, phishingScan_test_allscan, 0, sizeof(rtests) / sizeof(rtests[0]));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_test(tc_phish, phishing_fake_test);
tcase_add_test(tc_phish, phishing_fake_test_allscan);
more tests for regex run unit-tests under valgrind if available. git-svn: trunk@3990
17 years ago
clang-format'd using new .clang-format rules.
7 years ago
tc_phish2 = tcase_create("phishingScan with 2 dbs");
suite_add_tcase(s, tc_phish2);
tcase_add_unchecked_fixture(tc_phish2, psetup2, pteardown);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_loop_test(tc_phish2, phishingScan_test, 0, sizeof(rtests) / sizeof(rtests[0]));
tcase_add_loop_test(tc_phish2, phishingScan_test_allscan, 0, sizeof(rtests) / sizeof(rtests[0]));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_test(tc_phish2, phishing_fake_test);
tcase_add_test(tc_phish2, phishing_fake_test_allscan);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_loop_test(tc_phish, test_url_canon, 0, sizeof(uc) / sizeof(uc[0]));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tc_regex = tcase_create("cli_regcomp/execute");
suite_add_tcase(s, tc_regex);
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
tcase_add_loop_test(tc_regex, test_regexes, 0, sizeof(rg) / sizeof(rg[0]));
Check test support for check 0.13 Tests in libcheck 0.13 must have {} between START_TEST and END_TEST else it will not compile. Also replaced all deprecated "fail_" macros with "ck_" macros. E.g. fail_unless() becomes ck_assert_msg() The checks_common.h header file provided a couple of macros to support versions older than 0.9.3. As these older versions are no longer relevant, I've removed those compatibility macros entirely.
5 years ago
clang-format'd using new .clang-format rules.
7 years ago
return s;
remove remaining CL_DEBUG, and add missing file git-svn: trunk@3989
17 years ago
}