ja3: adds tests for lua 2493/head
authorPhilippe Antoine <pantoine@oisf.net>
Fri, 2 May 2025 06:51:38 +0000 (08:51 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 7 May 2025 11:59:57 +0000 (13:59 +0200)
Ticket: 7605

tests/ja3-lua-rules-quic/README.md [new file with mode: 0644]
tests/ja3-lua-rules-quic/test-ja3.lua [new file with mode: 0644]
tests/ja3-lua-rules-quic/test.rules [new file with mode: 0644]
tests/ja3-lua-rules-quic/test.yaml [new file with mode: 0644]
tests/tls/tls-ja3s/test-ja3s-hash.lua
tests/tls/tls-ja3s/test-ja3s-string.lua
tests/tls/tls-ja3s/test.rules

diff --git a/tests/ja3-lua-rules-quic/README.md b/tests/ja3-lua-rules-quic/README.md
new file mode 100644 (file)
index 0000000..643f641
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test JA3 lua rules with quic
+
+## Related issue
+
+https://redmine.openinfosecfoundation.org/issues/7605
+
+## PCAP
+
+Reused from another QUIC test
diff --git a/tests/ja3-lua-rules-quic/test-ja3.lua b/tests/ja3-lua-rules-quic/test-ja3.lua
new file mode 100644 (file)
index 0000000..35cd677
--- /dev/null
@@ -0,0 +1,20 @@
+local ja3 = require("suricata.ja3")
+
+function init (args)
+   ja3.enable_ja3()
+   local needs = {}
+   needs["ja3"] = true
+   return needs
+end
+
+function match(args)
+   local tx = ja3.get_tx()
+   local h = tx:ja3_get_hash()
+   if h == "ea0aece5703cb982b232a0684fc35b16" then
+      local s = tx:ja3_get_string()
+      if s == "771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0" then
+         return 1
+      end
+   end
+   return 0
+end
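Review bot: `match` calls `tx:ja3_get_hash()` on the value returned by `ja3.get_tx()` without checking that a transaction was actually returned; if `get_tx()` can yield nil for a packet that carries no JA3-bearing transaction (not confirmable from the hunk), the method call raises a Lua error and the rule fails with a script error rather than returning 0. A guard such as `if tx == nil then return 0 end` before the hash lookup would make that failure mode explicit; the same unguarded pattern appears in the test-ja3s-hash.lua and test-ja3s-string.lua hunks of this commit. As a matter of style, this script uses 3-space indentation and `init (args)` with a space before the parameter list, whereas the sibling ja3s scripts use 4 spaces and `init(args)`. A one-line header comment naming where the hard-coded fingerprint comes from, e.g. `-- expected JA3 of the client hello in ../quic-v2-ja3/input.pcap`, would help the next maintainer when the pcap or the JA3 algorithm changes.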
diff --git a/tests/ja3-lua-rules-quic/test.rules b/tests/ja3-lua-rules-quic/test.rules
new file mode 100644 (file)
index 0000000..551d8c6
--- /dev/null
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"TEST JA3 LUA"; requires: feature ja3; lua:test-ja3.lua; sid:1; rev:1;)
diff --git a/tests/ja3-lua-rules-quic/test.yaml b/tests/ja3-lua-rules-quic/test.yaml
new file mode 100644 (file)
index 0000000..dc37bfe
--- /dev/null
@@ -0,0 +1,16 @@
+pcap: ../quic-v2-ja3/input.pcap
+
+requires:
+  min-version: 8
+  features:
+    - HAVE_JA3
+
+args:
+  - -k none --set default-rule-path=. --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+        pcap_cnt: 1
index 061186f96a92ad289fef428ea10fb7bd3110ad28..5add7cb27512de54c33b1386893cc441823dcaff 100644 (file)
@@ -1,10 +1,15 @@
+local ja3 = require("suricata.ja3")
+
 function init(args)
+    ja3.enable_ja3()
     local needs = {}
+    needs["ja3s"] = true
     return needs
 end
 
 function match(args)
-    hash = Ja3SGetHash()
+    local tx = ja3.get_tx()
+    local hash = tx:ja3s_get_hash()
     if hash == nil then
         return 0
     end
index 7f28c5136859906628814c50f430670c786f1409..5bc70f6920d9c47979d667e9e9caca86bdb6ce2d 100644 (file)
@@ -1,10 +1,15 @@
+local ja3 = require("suricata.ja3")
+
 function init(args)
+    ja3.enable_ja3()
     local needs = {}
+    needs["ja3s"] = true
     return needs
 end
 
 function match(args)
-    str = Ja3SGetString()
+    local tx = ja3.get_tx()
+    local str = tx:ja3s_get_string()
     if str == nil then
         return 0
     end
index 97276aefddd14a382554ed59b55edb412a60c438..0c60fe100f24cb88052b61508a41efff1780f6fe 100644 (file)
@@ -1,4 +1,5 @@
 alert tls any any -> any any (msg:"ja3s.hash test"; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)
 alert tls any any -> any any (msg:"ja3s.string test"; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;)
-alert tls:server_hello any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
-alert tls:server_hello any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
+# flow:established,to_client is not really needed as Suricata engine will deduce that from the needs["ja3s"] in lua
+alert tls:server_hello any any -> any any (msg:"ja3s.hash Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
+alert tls:server_hello any any -> any any (msg:"ja3s.string Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
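Review bot: Only sids 3 and 4 gain `requires: feature ja3;` on the new side, while sids 1 and 2 (the `ja3s.hash` / `ja3s.string` keyword rules at the top of the hunk) still load unconditionally; if this test's test.yaml (not part of this commit) does not already require HAVE_JA3, those two rules would still fail to load on a build without JA3 support, so it is worth confirming one of the two gates them. Sids 3 and 4 also lack a `rev:` field, unlike the new `sid:1; rev:1;` rule added in ja3-lua-rules-quic/test.rules in the same commit. The new `#` comment says the flow keyword is redundant with `needs["ja3s"]` yet the rules keep it; adding why it is kept, e.g. `# kept so the rule reads the same as sids 1 and 2`, would stop a later cleanup from silently changing what the test exercises.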