function init (args)
local needs = {}
- needs["dns.request"] = tostring(true)
return needs
end
-alert dns any any -> any any (flow:to_server; lua:dataset-dns.lua; sid:1;)
+alert dns:request_complete any any -> any any (flow:to_server; lua:dataset-dns.lua; sid:1;)
local dnp3 = require("suricata.dnp3")
function init (args)
- return {dnp3 = true}
+ return {}
end
function match(args)
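Review bot: `init` on L9-L12 now returns an empty table, and nothing says why a script that still does `require("suricata.dnp3")` on L8 declares no needs; a later reader will assume the require is dead code. Add a short comment above the return, e.g. `-- no needs: the rule's dnp3:request_started hook selects the data; the dnp3 module is used in match()`. The `match` function beginning on L13 continues outside the hunk, so I could not confirm where `dnp3` is actually referenced — adjust the wording if it is used elsewhere.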
-alert dnp3 any any -> any any (msg:"LUA"; dnp3_func:21; lua:rule.lua; sid:4; rev:1;)
+alert dnp3:request_started any any -> any any (msg:"LUA"; dnp3_func:21; lua:rule.lua; sid:4; rev:1;)
function init (args)
local needs = {}
- needs["dns.request"] = tostring(true)
return needs
end
function init (args)
local needs = {}
- needs["dns.response"] = tostring(true)
return needs
end
function init (args)
local needs = {}
- needs["dns.request"] = true
return needs
end
-alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+alert dns:request_complete any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
lua:test-rrname.lua; sid:1; rev:1;)
-alert dns any any -> any any (msg:"TEST DNS LUA dns.request"; \
+alert dns:request_complete any any -> any any (msg:"TEST DNS LUA dns.request"; \
lua:test-request.lua; sid:2; rev:1;)
-alert dns any any -> any any (msg:"TEST DNS LUA dns.response"; \
- lua:test-response.lua; sid:3; rev:1;)
-
\ No newline at end of file
+alert dns:response_complete any any -> any any (msg:"TEST DNS LUA dns.response"; \
+ lua:test-response.lua; sid:3; rev:1;)
-alert http any any -> any any (msg: "Test HTTP Lua request.line"; lua: test-request-line.lua; sid:1;)
-alert http any any -> any any (msg: "Test HTTP Lua request.headers.raw"; lua: test-request-headers-raw.lua; flow:to_server; sid:2;)
-alert http any any -> any any (msg: "Test HTTP Lua response.body"; lua: test-response-body.lua; sid:3;)
-alert http any any -> any any (msg: "Test HTTP Lua response-headers-raw"; lua: test-response-headers-raw.lua; flow:to_client; sid:4;)
+alert http1:request_line any any -> any any (msg: "Test HTTP Lua request.line"; lua: test-request-line.lua; sid:1;)
+alert http1:request_headers any any -> any any (msg: "Test HTTP Lua request.headers.raw"; lua: test-request-headers-raw.lua; flow:to_server; sid:2;)
+alert http1:response_body any any -> any any (msg: "Test HTTP Lua response.body"; lua: test-response-body.lua; sid:3;)
+alert http1:response_headers any any -> any any (msg: "Test HTTP Lua response-headers-raw"; lua: test-response-headers-raw.lua; flow:to_client; sid:4;)
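Review bot: With the four rules moved onto `http1:request_*` / `http1:response_*` hooks, the `flow:to_server` on sid:2 (L48) and `flow:to_client` on sid:4 (L50) presumably restate a direction the hook already fixes, while sid:1 and sid:3 carry no flow keyword at all. Either drop the two keywords or add them to all four so the file reads consistently. If they are kept deliberately as a belt-and-braces check against the hook, a one-line comment such as `# flow: kept on purpose — verifies hook direction matches the flow keyword` would stop the next cleanup from removing them.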
function init (args)
local needs = {}
- needs["http.request_headers.raw"] = tostring(true)
return needs
end
function init (args)
local needs = {}
- needs["http.request_line"] = tostring(true)
return needs
end
function init (args)
local needs = {}
- needs["http.response_body"] = tostring(true)
return needs
end
function init (args)
local needs = {}
- needs["http.response_headers.raw"] = tostring(true)
return needs
end
function init (args)
local needs = {}
- needs["http.request_headers"] = tostring(true)
return needs
end
-alert http any any -> any any (msg: "Test1"; flow: to_server; lua:test.lua; sid:6677001; rev:1;)
+alert http1:request_complete any any -> any any (msg: "Test1"; flow: to_server; lua:test.lua; sid:6677001; rev:1;)
requires:
features:
- HAVE_LUA
+ min-version: 8
+
args:
- --set security.lua.allow-rules=true
- --set default-rule-path=${TEST_DIR}
function init (args)
local needs = {}
- needs["http.request_headers"] = tostring(true)
needs["flowvar"] = {"TestVar"}
return needs
end
function init (args)
local needs = {}
- needs["dns.request"] = true
return needs
end
alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+ flow:to_server; \
dns.queries.rrname; content: "www.suricata-ids.org"; \
lua:rule.lua; sid:1; rev:1;)
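Review bot: sid:1 on L97 stays on plain `alert dns` and pins direction with the added `flow:to_server;` on L98, while the Lua-backed DNS rules elsewhere in this change moved to `alert dns:request_complete`. If the intent is to exercise the no-hook path with an empty Lua `needs`, say so in the rule file, e.g. `# deliberately no hook: direction from flow:to_server, buffer from dns.queries.rrname`; otherwise switch it to `alert dns:request_complete any any -> any any (msg:"TEST DNS LUA dns.rrname"; dns.queries.rrname; content:"www.suricata-ids.org"; lua:rule.lua; sid:1; rev:1;)` and drop the flow keyword.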
local expected_md5 = "27170ec0609347c6a158bb5b694822a5"
function init (args)
- return {["dns.request"] = true}
+ local needs = {}
+ return needs
end
local function tohex(str)
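Review bot: The rewritten `init` on L104-L105 builds `local needs = {}` only to return it, whereas the dnp3 script in this same series simply writes `return {}`; pick one form for the whole change. Whichever is kept, a comment such as `-- no needs: the rule's dns.queries.rrname keyword already selects the request buffer` would explain the now-empty table to the next reader. `tohex` on L107 begins after the last changed line and continues outside the hunk.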
alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
+ flow:to_server; \
dns.queries.rrname; content: "www.suricata-ids.org"; \
lua:test-hashing.lua; sid:1; rev:1;)
function init (args)
local needs = {}
- needs["packet"] = true
return needs
end
function init (args)
local needs = {}
- needs["packet"] = true
return needs
end
function init (args)
local needs = {}
- needs["packet"] = true
return needs
end
function init (args)
local needs = {}
- needs["packet"] = true
return needs
end
--- /dev/null
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/2369
--- /dev/null
+alert http1:response_started any any -> any any (sid:1;)
+alert http1:response_line any any -> any any (sid:2;)
+alert http1:response_headers any any -> any any (sid:3;)
+alert http1:response_body any any -> any any (sid:4;)
+alert http1:response_trailer any any -> any any (sid:5;)
+alert http1:response_complete any any -> any any (sid:6;)
--- /dev/null
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/~regit/ids-suricata-esiea.pdf"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1 # not started
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2 # request_line
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3 # header
+- filter:
+ count: 443
+ match:
+ event_type: alert
+ alert.signature_id: 4 # body update
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5 # trailer
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6 # complete
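Review bot: The check comments on L158 and L163 mislabel the hooks they verify: sid:1 is `http1:response_started` in the rule file but is annotated `# not started`, and sid:2 is `http1:response_line` but is annotated `# request_line`. Change them to `alert.signature_id: 1 # response_started` and `alert.signature_id: 2 # response_line` (and `# response_headers`, `# response_body`, `# response_trailer`, `# response_complete` for 3-6) so the comments match the rules they test. The pinned 443 body-update alerts on L170 is fine as an exact count, but a note on what it reflects (one alert per body update of the PDF response, presumably) would help whoever has to re-derive it after a pcap or engine change.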
--- /dev/null
+alert tcp:flow_start any any -> any any (seq:123; sid:1;)
+alert tcp:flow_start any any -> any any (dsize:0; sid:2;)
+alert tcp:flow_start any any -> any any (sid:3;)
+alert ip:flow_start any any -> any any (sid:4;)
+alert ip:flow_start any any -> any any (flow:to_server; sid:5;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../http-body-hook-01/input.pcap
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/~regit/ids-suricata-esiea.pdf"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
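Review bot: The counts on L202-L226 encode facts about the shared pcap that nothing in the file states — presumably two TCP flows start, only one of them is seen `to_server` at flow start, and no packet carries seq 123 — so after a pcap swap or engine change a reader cannot tell which assertion is the meaningful one. Add a one-line comment per filter, e.g. `alert.signature_id: 1 # seq:123 — negative control, must never match`, `alert.signature_id: 2 # dsize:0 on the flow-starting packet`, and `alert.signature_id: 5 # flow:to_server on flow_start — TODO state why only 1 of the 2 flows qualifies`. Hedged because the pcap itself is outside this change.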
--- /dev/null
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ # 'drop' due to another alert. That's the engine's verdict)
+ # verdict: yes
+ - anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is enabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # also enabled.
+ enabled: yes
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
+ # custom controls which TLS fields that are included in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # EXPERIMENTAL per packet output giving TCP state tracking details
+ # including internal state, flags, etc.
+ # This output is experimental, meant for debugging and subject to
+ # change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
--- /dev/null
+pass tls:client_hello_done any any -> any any (tls.sni; content:"www.google.com"; sid:21; alert;)
+drop tls:client_hello_done any any -> any any (sid:22;)
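Review bot: The pass rule on L330 matches `content:"www.google.com"` as a substring of the SNI, so a ClientHello for `www.google.com.attacker.example` or `notwww.google.com` would also be passed past the drop rule on L331; since this test is specifically about pass-before-drop ordering, an anchored match is the more faithful pattern: `tls.sni; content:"www.google.com"; bsize:14;` (or `endswith` with a leading `.` if subdomains are meant to pass). Both rules also lack `msg:`, which makes the resulting eve alert records harder to tell apart when the test fails.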
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
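Review bot: The alert check on L343-L346 counts any alert, so it would still pass if the pass rule failed to match and the drop rule fired instead — that case is only caught indirectly by the drop count on L347-L350. Pin the expectation to the pass rule by adding `alert.signature_id: 21` under the alert match, and consider asserting `tls.sni: "www.google.com"` on the tls check so the test also proves the hello was reassembled across the fragments the pcap name (`dump_mtu300`) suggests.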
--- /dev/null
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ # 'drop' due to another alert. That's the engine's verdict)
+ # verdict: yes
+ - anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is enabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # also enabled.
+ enabled: yes
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
+ # custom controls which TLS fields that are included in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # EXPERIMENTAL per packet output giving TCP state tracking details
+ # including internal state, flags, etc.
+ # This output is experimental, meant for debugging and subject to
+ # change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
--- /dev/null
+pass tls:client_hello_done any any -> any any (tls.sni; content:"www.bing.com"; sid:21; alert;)
+drop tls:client_hello_done any any -> any any (sid:22;)
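Review bot: Same substring issue as the google variant: `content:"www.bing.com"` on L458 matches anywhere inside the SNI, so if this control case is meant to show that only an exact SNI is allowed through the drop on L459, pin it with `tls.sni; content:"www.bing.com"; bsize:12;`. A `msg:` on the drop rule would also make the blocked alert recognisable in eve output when the drop count in the companion test.yaml drifts.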
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+- filter:
+ count: 57
+ match:
+ event_type: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
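Review bot: The checks on L471-L482 expect one alert and 57 drops but never say which rule produced the alert; with a drop rule in the set it presumably comes from sid:22, so pin it with `alert.signature_id: 22` under the alert match so the test fails loudly if a future change makes the pass rule match. The 57 drop count is a pcap fact with no explanation; annotate it, e.g. `count: 57 # every packet after the ClientHello in ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap — TODO confirm`.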
function init(args)
local needs = {}
- needs["tls"] = tostring(true)
return needs
end
function init(args)
local needs = {}
- needs["tls"] = tostring(true)
return needs
end
function init(args)
local needs = {}
- needs["tls"] = tostring(true)
return needs
end
function init(args)
local needs = {}
- needs["tls"] = tostring(true)
return needs
end
function init(args)
local needs = {}
- needs["tls"] = tostring(true)
return needs
end
function init(args)
local needs = {}
- needs["tls"] = tostring(true)
return needs
end
alert tls any any -> any any (msg:"ja3s.hash test"; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)
alert tls any any -> any any (msg:"ja3s.string test"; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;)
-alert tls any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
-alert tls any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
+alert tls:server_hello any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
+alert tls:server_hello any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
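Review bot: sid:3 and sid:4 on L517-L518 now hook `tls:server_hello` but still carry `flow:established,to_client`, which the hook presumably already implies, while the equivalent non-Lua rules sid:1 and sid:2 on L513-L514 remain on plain `alert tls` with the flow keyword. If leaving sid:1/2 unhooked is intentional (to compare hooked and unhooked paths on the same buffer), a comment on the file saying so would stop the next reader from "fixing" it; otherwise move them too, e.g. `alert tls:server_hello any any -> any any (msg:"ja3s.hash test"; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)`.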
features:
- HAVE_LUA
- HAVE_JA3
+ min-version: 8
args:
- -k none