Introduce TLS-JA4 client/server handshake tests 2510/head
authorRichard McConnell <Richard_McConnell@rapid7.com>
Wed, 29 Jan 2025 09:03:34 +0000 (09:03 +0000)
committerRichard McConnell <Richard_McConnell@rapid7.com>
Thu, 15 May 2025 08:49:18 +0000 (09:49 +0100)
This update introduces two new tests to accompany the introduction of
client/server handshake parameters and output via JSON-EVE.

- ja4-cl-handshake: client eve output test
- ja4-sv-handshake: server eve output test

tests/ja4-cl-handshake/input.pcap [new file with mode: 0644]
tests/ja4-cl-handshake/suricata.yaml [new file with mode: 0644]
tests/ja4-cl-handshake/test.yaml [new file with mode: 0644]
tests/ja4-sv-handshake/input.pcap [new file with mode: 0644]
tests/ja4-sv-handshake/suricata.yaml [new file with mode: 0644]
tests/ja4-sv-handshake/test.yaml [new file with mode: 0644]

diff --git a/tests/ja4-cl-handshake/input.pcap b/tests/ja4-cl-handshake/input.pcap
new file mode 100644 (file)
index 0000000..77c4aa2
Binary files /dev/null and b/tests/ja4-cl-handshake/input.pcap differ
diff --git a/tests/ja4-cl-handshake/suricata.yaml b/tests/ja4-cl-handshake/suricata.yaml
new file mode 100644 (file)
index 0000000..3f8c830
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - tls:
+            enabled: yes
+            custom: [client_handshake]
diff --git a/tests/ja4-cl-handshake/test.yaml b/tests/ja4-cl-handshake/test.yaml
new file mode 100644 (file)
index 0000000..51f8b45
--- /dev/null
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.client_handshake.version: TLS 1.2
+        tls.client_handshake.ciphers: [49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255]
+        tls.client_handshake.exts: [0,11,10,35,22,23,13]
+        tls.client_handshake.sig_algs: [1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538]
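Review bot: The client test only asserts that the `tls.client_handshake` fields are present and have the expected values; nothing checks that `custom: [client_handshake]` in the matching suricata.yaml actually keeps `tls.server_handshake` out of the event, so a regression where both handshake blocks are emitted unconditionally would still pass. If suricata-verify's filter check supports `not-has-key` (I believe it does alongside `has-key`, worth confirming against run.py), a second filter would pin the gating rather than just the field values. The same gap applies to the server test in tests/ja4-sv-handshake/test.yaml, which should assert that `tls.client_handshake` is absent there. A one-line comment above the new filter, `# ensure the server_handshake block is not emitted when only client_handshake is enabled`, would make the intent clear to the next reader.
```yaml
checks:
  # … unchanged: existing client_handshake value filter …
  - filter:
      count: 1
      match:
        event_type: tls
      not-has-key: tls.server_handshake
```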
diff --git a/tests/ja4-sv-handshake/input.pcap b/tests/ja4-sv-handshake/input.pcap
new file mode 100644 (file)
index 0000000..77c4aa2
Binary files /dev/null and b/tests/ja4-sv-handshake/input.pcap differ
diff --git a/tests/ja4-sv-handshake/suricata.yaml b/tests/ja4-sv-handshake/suricata.yaml
new file mode 100644 (file)
index 0000000..60b2f3c
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - tls:
+            enabled: yes
+            custom: [server_handshake]
diff --git a/tests/ja4-sv-handshake/test.yaml b/tests/ja4-sv-handshake/test.yaml
new file mode 100644 (file)
index 0000000..d6cd8b2
--- /dev/null
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.server_handshake.version: TLS 1.2
+        tls.server_handshake.cipher: 49200
+        tls.server_handshake.exts: [65281,11,35,23]