From: Victor Julien Date: Mon, 20 Jan 2025 11:47:58 +0000 (+0100) Subject: tests: update tests for hook based registration X-Git-Tag: suricata-7.0.11~107 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e6fe08238b557c9787d78003395edbd82f71ae72;p=thirdparty%2Fsuricata-verify.git tests: update tests for hook based registration --- diff --git a/tests/datasets/datasets-lua-02/dataset-dns.lua b/tests/datasets/datasets-lua-02/dataset-dns.lua index fa009e655..f68d91ea8 100644 --- a/tests/datasets/datasets-lua-02/dataset-dns.lua +++ b/tests/datasets/datasets-lua-02/dataset-dns.lua @@ -4,7 +4,6 @@ local dns = require("suricata.dns") function init (args) local needs = {} - needs["dns.request"] = tostring(true) return needs end diff --git a/tests/datasets/datasets-lua-02/dataset-lua.rules b/tests/datasets/datasets-lua-02/dataset-lua.rules index 55e60ac0f..889fb2fc6 100644 --- a/tests/datasets/datasets-lua-02/dataset-lua.rules +++ b/tests/datasets/datasets-lua-02/dataset-lua.rules @@ -1 +1 @@ -alert dns any any -> any any (flow:to_server; lua:dataset-dns.lua; sid:1;) +alert dns:request_complete any any -> any any (flow:to_server; lua:dataset-dns.lua; sid:1;) diff --git a/tests/dnp3/dnp3-lua/rule.lua b/tests/dnp3/dnp3-lua/rule.lua index 7569cfe7c..bd7ec6245 100644 --- a/tests/dnp3/dnp3-lua/rule.lua +++ b/tests/dnp3/dnp3-lua/rule.lua @@ -1,7 +1,7 @@ local dnp3 = require("suricata.dnp3") function init (args) - return {dnp3 = true} + return {} end function match(args) diff --git a/tests/dnp3/dnp3-lua/test.rules b/tests/dnp3/dnp3-lua/test.rules index 77b2c45df..63ac60d87 100644 --- a/tests/dnp3/dnp3-lua/test.rules +++ b/tests/dnp3/dnp3-lua/test.rules @@ -1 +1 @@ -alert dnp3 any any -> any any (msg:"LUA"; dnp3_func:21; lua:rule.lua; sid:4; rev:1;) +alert dnp3:request_started any any -> any any (msg:"LUA"; dnp3_func:21; lua:rule.lua; sid:4; rev:1;) diff --git a/tests/dns-lua-rules/test-request.lua b/tests/dns-lua-rules/test-request.lua index a4c6d09ea..db725593e 100644 
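Review bot: The rule in tests/datasets/datasets-lua-02/dataset-lua.rules now uses the `dns:request_complete` hook syntax, but no change to that test's test.yaml appears in this commit, whereas tests/lua-memleak/test.yaml and tests/tls/tls-ja3s/test.yaml gain `min-version: 8` for the same reason. Unless those tests are already gated, an engine that predates hook-based registration would presumably fail to parse `proto:hook` in the protocol field and the test would break rather than skip. The same applies to the dnp3-lua, dns-lua-rules and lua-detect-http-01 rule hunks in this commit; adding `min-version: 8` under `requires:` in each affected test.yaml, where not already present, would be the consistent fix.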
--- a/tests/dns-lua-rules/test-request.lua +++ b/tests/dns-lua-rules/test-request.lua @@ -2,7 +2,6 @@ local dns = require("suricata.dns") function init (args) local needs = {} - needs["dns.request"] = tostring(true) return needs end diff --git a/tests/dns-lua-rules/test-response.lua b/tests/dns-lua-rules/test-response.lua index bb125d21d..e869ddab1 100644 --- a/tests/dns-lua-rules/test-response.lua +++ b/tests/dns-lua-rules/test-response.lua @@ -2,7 +2,6 @@ local dns = require("suricata.dns") function init (args) local needs = {} - needs["dns.response"] = tostring(true) return needs end diff --git a/tests/dns-lua-rules/test-rrname.lua b/tests/dns-lua-rules/test-rrname.lua index a2effa34c..d62db1d64 100644 --- a/tests/dns-lua-rules/test-rrname.lua +++ b/tests/dns-lua-rules/test-rrname.lua @@ -2,7 +2,6 @@ local dns = require("suricata.dns") function init (args) local needs = {} - needs["dns.request"] = true return needs end diff --git a/tests/dns-lua-rules/test.rules b/tests/dns-lua-rules/test.rules index 7ff3f02d9..c5ca3b6bc 100644 --- a/tests/dns-lua-rules/test.rules +++ b/tests/dns-lua-rules/test.rules @@ -1,7 +1,6 @@ -alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \ +alert dns:request_complete any any -> any any (msg:"TEST DNS LUA dns.rrname"; \ lua:test-rrname.lua; sid:1; rev:1;) -alert dns any any -> any any (msg:"TEST DNS LUA dns.request"; \ +alert dns:request_complete any any -> any any (msg:"TEST DNS LUA dns.request"; \ lua:test-request.lua; sid:2; rev:1;) -alert dns any any -> any any (msg:"TEST DNS LUA dns.response"; \ - lua:test-response.lua; sid:3; rev:1;) - \ No newline at end of file +alert dns:response_complete any any -> any any (msg:"TEST DNS LUA dns.response"; \ + lua:test-response.lua; sid:3; rev:1;) diff --git a/tests/lua-detect-http-01/http-lua.rules b/tests/lua-detect-http-01/http-lua.rules index 77272f005..99901ce44 100644 --- a/tests/lua-detect-http-01/http-lua.rules +++ b/tests/lua-detect-http-01/http-lua.rules 
@@ -1,4 +1,4 @@ -alert http any any -> any any (msg: "Test HTTP Lua request.line"; lua: test-request-line.lua; sid:1;) -alert http any any -> any any (msg: "Test HTTP Lua request.headers.raw"; lua: test-request-headers-raw.lua; flow:to_server; sid:2;) -alert http any any -> any any (msg: "Test HTTP Lua response.body"; lua: test-response-body.lua; sid:3;) -alert http any any -> any any (msg: "Test HTTP Lua response-headers-raw"; lua: test-response-headers-raw.lua; flow:to_client; sid:4;) +alert http1:request_line any any -> any any (msg: "Test HTTP Lua request.line"; lua: test-request-line.lua; sid:1;) +alert http1:request_headers any any -> any any (msg: "Test HTTP Lua request.headers.raw"; lua: test-request-headers-raw.lua; flow:to_server; sid:2;) +alert http1:response_body any any -> any any (msg: "Test HTTP Lua response.body"; lua: test-response-body.lua; sid:3;) +alert http1:response_headers any any -> any any (msg: "Test HTTP Lua response-headers-raw"; lua: test-response-headers-raw.lua; flow:to_client; sid:4;) diff --git a/tests/lua-detect-http-01/test-request-headers-raw.lua b/tests/lua-detect-http-01/test-request-headers-raw.lua index f3e47a336..76466f8f8 100644 --- a/tests/lua-detect-http-01/test-request-headers-raw.lua +++ b/tests/lua-detect-http-01/test-request-headers-raw.lua @@ -4,7 +4,6 @@ local http = require("suricata.http") function init (args) local needs = {} - needs["http.request_headers.raw"] = tostring(true) return needs end diff --git a/tests/lua-detect-http-01/test-request-line.lua b/tests/lua-detect-http-01/test-request-line.lua index ee71eba32..2a9861ce9 100644 --- a/tests/lua-detect-http-01/test-request-line.lua +++ b/tests/lua-detect-http-01/test-request-line.lua @@ -3,7 +3,6 @@ local http = require("suricata.http") function init (args) local needs = {} - needs["http.request_line"] = tostring(true) return needs end 
diff --git a/tests/lua-detect-http-01/test-response-body.lua b/tests/lua-detect-http-01/test-response-body.lua index 7ca6f620d..54cf2ccf1 100644 --- a/tests/lua-detect-http-01/test-response-body.lua +++ b/tests/lua-detect-http-01/test-response-body.lua @@ -3,7 +3,6 @@ local http = require("suricata.http") function init (args) local needs = {} - needs["http.response_body"] = tostring(true) return needs end diff --git a/tests/lua-detect-http-01/test-response-headers-raw.lua b/tests/lua-detect-http-01/test-response-headers-raw.lua index 625c11954..44a8741a1 100644 --- a/tests/lua-detect-http-01/test-response-headers-raw.lua +++ b/tests/lua-detect-http-01/test-response-headers-raw.lua @@ -4,7 +4,6 @@ local http = require("suricata.http") function init (args) local needs = {} - needs["http.response_headers.raw"] = tostring(true) return needs end diff --git a/tests/lua-memleak/test.lua b/tests/lua-memleak/test.lua index 141014c1b..91f7d38c6 100644 --- a/tests/lua-memleak/test.lua +++ b/tests/lua-memleak/test.lua @@ -1,6 +1,5 @@ function init (args) local needs = {} - needs["http.request_headers"] = tostring(true) return needs end diff --git a/tests/lua-memleak/test.rules b/tests/lua-memleak/test.rules index 844ac631e..2087b768e 100644 --- a/tests/lua-memleak/test.rules +++ b/tests/lua-memleak/test.rules @@ -1 +1 @@ -alert http any any -> any any (msg: "Test1"; flow: to_server; lua:test.lua; sid:6677001; rev:1;) +alert http1:request_complete any any -> any any (msg: "Test1"; flow: to_server; lua:test.lua; sid:6677001; rev:1;) diff --git a/tests/lua-memleak/test.yaml b/tests/lua-memleak/test.yaml index 83d3c4c74..9116f22bc 100644 --- a/tests/lua-memleak/test.yaml +++ b/tests/lua-memleak/test.yaml @@ -1,6 +1,8 @@ requires: features: - HAVE_LUA + min-version: 8 + args: - --set security.lua.allow-rules=true - --set default-rule-path=${TEST_DIR} diff --git a/tests/lua-scflowvarget/test.lua b/tests/lua-scflowvarget/test.lua index 38e49acdb..aaa1e0ec2 100644 
--- a/tests/lua-scflowvarget/test.lua +++ b/tests/lua-scflowvarget/test.lua @@ -1,6 +1,5 @@ function init (args) local needs = {} - needs["http.request_headers"] = tostring(true) needs["flowvar"] = {"TestVar"} return needs end diff --git a/tests/lua/lua-base64/rule.lua b/tests/lua/lua-base64/rule.lua index 13489b5db..7e647546d 100644 --- a/tests/lua/lua-base64/rule.lua +++ b/tests/lua/lua-base64/rule.lua @@ -9,7 +9,6 @@ local input_base64_with_spaces = "d3 d3 Ln N1 cm lj YX Rh LW lk cy 5v cm c=" function init (args) local needs = {} - needs["dns.request"] = true return needs end diff --git a/tests/lua/lua-base64/test.rules b/tests/lua/lua-base64/test.rules index f1bf9ac73..4ee95e8ef 100644 --- a/tests/lua/lua-base64/test.rules +++ b/tests/lua/lua-base64/test.rules @@ -1,3 +1,4 @@ alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \ + flow:to_server; \ dns.queries.rrname; content: "www.suricata-ids.org"; \ lua:rule.lua; sid:1; rev:1;) diff --git a/tests/lua/lua-hashlib/test-hashing.lua b/tests/lua/lua-hashlib/test-hashing.lua index a7674e8d6..4d90b11be 100644 --- a/tests/lua/lua-hashlib/test-hashing.lua +++ b/tests/lua/lua-hashlib/test-hashing.lua @@ -6,7 +6,8 @@ local expected_sha1 = "00f495ffd50c8b5ef3645f61486dae496db0fe2e" local expected_md5 = "27170ec0609347c6a158bb5b694822a5" function init (args) - return {["dns.request"] = true} + local needs = {} + return needs end local function tohex(str) diff --git a/tests/lua/lua-hashlib/test.rules b/tests/lua/lua-hashlib/test.rules index bc91123e1..252c3e4d5 100644 --- a/tests/lua/lua-hashlib/test.rules +++ b/tests/lua/lua-hashlib/test.rules @@ -1,3 +1,4 @@ alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \ + flow:to_server; \ dns.queries.rrname; content: "www.suricata-ids.org"; \ lua:test-hashing.lua; sid:1; rev:1;) diff --git a/tests/lua/lua-packetlib-01/packet.lua b/tests/lua/lua-packetlib-01/packet.lua index 656aeff9e..5ec6c2864 100644 --- a/tests/lua/lua-packetlib-01/packet.lua 
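Review bot: tests/lua/lua-base64/test.rules keeps `alert dns any any` with no hook while `needs["dns.request"]` is removed from rule.lua, unlike the other DNS tests in this commit that switch to `dns:request_complete`; the added `flow:to_server; \` suggests the direction now has to be pinned by hand. If the intent is that the `dns.queries.rrname` buffer selects the hook for the Lua script, a one-line comment in the rules file saying so would save the next reader from re-deriving it; otherwise `alert dns:request_complete any any -> any any` would match the rest of the commit. The same applies to tests/lua/lua-hashlib/test.rules further down.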
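Review bot: In tests/lua/lua-hashlib/test-hashing.lua the new `init` builds a `local needs = {}` only to return it on the next line, while tests/dnp3/dnp3-lua/rule.lua in this same commit simply does `return {}`. One form or the other should be used across the test scripts; `return {}` is the shorter and equally clear choice here. The `args` parameter is also unused in every `init` touched by this commit, which is fine, but `init(_args)` or a short comment would make that deliberate.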
+++ b/tests/lua/lua-packetlib-01/packet.lua @@ -2,7 +2,6 @@ local packet = require "suricata.packet" function init (args) local needs = {} - needs["packet"] = true return needs end diff --git a/tests/lua/lua-packetlib-02-restricted-funcs-allowed/packet.lua b/tests/lua/lua-packetlib-02-restricted-funcs-allowed/packet.lua index 656aeff9e..5ec6c2864 100644 --- a/tests/lua/lua-packetlib-02-restricted-funcs-allowed/packet.lua +++ b/tests/lua/lua-packetlib-02-restricted-funcs-allowed/packet.lua @@ -2,7 +2,6 @@ local packet = require "suricata.packet" function init (args) local needs = {} - needs["packet"] = true return needs end diff --git a/tests/lua/lua-packetlib-03/packet.lua b/tests/lua/lua-packetlib-03/packet.lua index 75458c2eb..ebf18c203 100644 --- a/tests/lua/lua-packetlib-03/packet.lua +++ b/tests/lua/lua-packetlib-03/packet.lua @@ -2,7 +2,6 @@ local packet = require "suricata.packet" function init (args) local needs = {} - needs["packet"] = true return needs end diff --git a/tests/lua/lua-packetlib-04-icmp-spdp/packet.lua b/tests/lua/lua-packetlib-04-icmp-spdp/packet.lua index 855bd6fda..7e6a062b5 100644 --- a/tests/lua/lua-packetlib-04-icmp-spdp/packet.lua +++ b/tests/lua/lua-packetlib-04-icmp-spdp/packet.lua @@ -2,7 +2,6 @@ local packet = require "suricata.packet" function init (args) local needs = {} - needs["packet"] = true return needs end diff --git a/tests/rule-hooks/http-body-hook-01/README.md b/tests/rule-hooks/http-body-hook-01/README.md new file mode 100644 index 000000000..b04d06a02 --- /dev/null +++ b/tests/rule-hooks/http-body-hook-01/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap from https://redmine.openinfosecfoundation.org/issues/2369 diff --git a/tests/rule-hooks/http-body-hook-01/input.pcap b/tests/rule-hooks/http-body-hook-01/input.pcap new file mode 100644 index 000000000..a4a7500eb Binary files /dev/null and b/tests/rule-hooks/http-body-hook-01/input.pcap differ 
diff --git a/tests/rule-hooks/http-body-hook-01/test.rules b/tests/rule-hooks/http-body-hook-01/test.rules new file mode 100644 index 000000000..1ae6416c5 --- /dev/null +++ b/tests/rule-hooks/http-body-hook-01/test.rules @@ -0,0 +1,6 @@ +alert http1:response_started any any -> any any (sid:1;) +alert http1:response_line any any -> any any (sid:2;) +alert http1:response_headers any any -> any any (sid:3;) +alert http1:response_body any any -> any any (sid:4;) +alert http1:response_trailer any any -> any any (sid:5;) +alert http1:response_complete any any -> any any (sid:6;) diff --git a/tests/rule-hooks/http-body-hook-01/test.yaml b/tests/rule-hooks/http-body-hook-01/test.yaml new file mode 100644 index 000000000..eefcb02c2 --- /dev/null +++ b/tests/rule-hooks/http-body-hook-01/test.yaml @@ -0,0 +1,39 @@ +requires: + min-version: 8 + +checks: +- filter: + count: 1 + match: + event_type: http + http.url: "/~regit/ids-suricata-esiea.pdf" +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 # not started +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 # request_line +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 # header +- filter: + count: 443 + match: + event_type: alert + alert.signature_id: 4 # body update +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 5 # trailer +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 6 # complete diff --git a/tests/rule-hooks/pkt-hook-flow-start-01/test.rules b/tests/rule-hooks/pkt-hook-flow-start-01/test.rules new file mode 100644 index 000000000..b8b5d773b --- /dev/null +++ b/tests/rule-hooks/pkt-hook-flow-start-01/test.rules 
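Review bot: The trailing comments on the sid checks in tests/rule-hooks/http-body-hook-01/test.yaml do not match the rules in test.rules: sid 1 is `http1:response_started` but the comment reads `# not started`, and sid 2 is `http1:response_line` but the comment reads `# request_line`. Suggest `alert.signature_id: 1 # response_started` and `alert.signature_id: 2 # response_line` so the comments stay useful when the counts need re-deriving. The 443 for sid 4 is evidently specific to this pcap; a comment such as `# one alert per body update in this pcap` would make that explicit.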
@@ -0,0 +1,5 @@ +alert tcp:flow_start any any -> any any (seq:123; sid:1;) +alert tcp:flow_start any any -> any any (dsize:0; sid:2;) +alert tcp:flow_start any any -> any any (sid:3;) +alert ip:flow_start any any -> any any (sid:4;) +alert ip:flow_start any any -> any any (flow:to_server; sid:5;) diff --git a/tests/rule-hooks/pkt-hook-flow-start-01/test.yaml b/tests/rule-hooks/pkt-hook-flow-start-01/test.yaml new file mode 100644 index 000000000..e69925d56 --- /dev/null +++ b/tests/rule-hooks/pkt-hook-flow-start-01/test.yaml @@ -0,0 +1,36 @@ +requires: + min-version: 8 + +pcap: ../http-body-hook-01/input.pcap + +checks: +- filter: + count: 1 + match: + event_type: http + http.url: "/~regit/ids-suricata-esiea.pdf" +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 3 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 4 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 5 diff --git a/tests/rule-hooks/tls-handshake-01-ips-sni/suricata.yaml b/tests/rule-hooks/tls-handshake-01-ips-sni/suricata.yaml new file mode 100644 index 000000000..b67886b55 --- /dev/null +++ b/tests/rule-hooks/tls-handshake-01-ips-sni/suricata.yaml 
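Review bot: The checks in tests/rule-hooks/pkt-hook-flow-start-01/test.yaml carry no comments explaining the expected counts, unlike http-body-hook-01/test.yaml in the same commit, and several are non-obvious: sid 1 (`seq:123`) expecting 0, sids 2–4 expecting 2, and sid 5 (`flow:to_server`) expecting only 1 of those 2 flow_start alerts, which presumably means one flow in the pcap is first seen from the server side. Short comments like `alert.signature_id: 1 # seq:123 matches no flow-start packet in this pcap` and `alert.signature_id: 5 # only one of the two flows starts to_server` would document the intent; confirm against the pcap before wording them.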
@@ -0,0 +1,101 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. 
+ # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # ja4 hashes in tls records will never be logged unless + # the following is set to on. (Default off) + # ja4: off + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. 
+ # This output is experimental, meant for debugging and subject to + # change in both config and output without any notice. + #- stream: + # all: false # log all TCP packets + # event-set: false # log packets that have a decoder/stream event + # state-update: false # log packets triggering a TCP state update + # spurious-retransmission: false # log spurious retransmission packets diff --git a/tests/rule-hooks/tls-handshake-01-ips-sni/test.rules b/tests/rule-hooks/tls-handshake-01-ips-sni/test.rules new file mode 100644 index 000000000..e81e5098f --- /dev/null +++ b/tests/rule-hooks/tls-handshake-01-ips-sni/test.rules @@ -0,0 +1,2 @@ +pass tls:client_hello_done any any -> any any (tls.sni; content:"www.google.com"; sid:21; alert;) +drop tls:client_hello_done any any -> any any (sid:22;) diff --git a/tests/rule-hooks/tls-handshake-01-ips-sni/test.yaml b/tests/rule-hooks/tls-handshake-01-ips-sni/test.yaml new file mode 100644 index 000000000..d0b9cd7eb --- /dev/null +++ b/tests/rule-hooks/tls-handshake-01-ips-sni/test.yaml @@ -0,0 +1,22 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: +- -k none +- --simulate-ips + +checks: +- filter: + count: 1 + match: + event_type: alert +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: tls diff --git a/tests/rule-hooks/tls-handshake-02-ips-sni-drop/suricata.yaml b/tests/rule-hooks/tls-handshake-02-ips-sni-drop/suricata.yaml new file mode 100644 index 000000000..b67886b55 --- /dev/null +++ b/tests/rule-hooks/tls-handshake-02-ips-sni-drop/suricata.yaml 
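Review bot: This suricata.yaml for tests/rule-hooks/tls-handshake-01-ips-sni is added byte-identical (same blob `b67886b55`) under tests/rule-hooks/tls-handshake-02-ips-sni-drop later in this commit, and most of its content is commented-out upstream defaults (stats, anomaly, files, stream). If the two tests only rely on the `drop:` and extended `tls:` eve outputs for their checks, trimming both files to those sections, or a one-line header comment stating which outputs the checks depend on, would make the test intent clearer; keeping the full copy is fine if that is the repository convention.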
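Review bot: The pass rule in tests/rule-hooks/tls-handshake-01-ips-sni/test.rules uses `tls.sni; content:"www.google.com"` as an unanchored substring match, so any SNI that merely contains that string is also passed ahead of the `drop` rule; for this fixture that is harmless, but since the test documents the pass-before-drop pattern it would be clearer to anchor it, e.g. `tls.sni; content:"www.google.com"; startswith; endswith;`, so the allow rule matches only the exact name. The same applies to the `www.bing.com` pass rule in tls-handshake-02-ips-sni-drop/test.rules.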
@@ -0,0 +1,101 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. 
+ # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # ja4 hashes in tls records will never be logged unless + # the following is set to on. (Default off) + # ja4: off + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. 
+ # This output is experimental, meant for debugging and subject to + # change in both config and output without any notice. + #- stream: + # all: false # log all TCP packets + # event-set: false # log packets that have a decoder/stream event + # state-update: false # log packets triggering a TCP state update + # spurious-retransmission: false # log spurious retransmission packets diff --git a/tests/rule-hooks/tls-handshake-02-ips-sni-drop/test.rules b/tests/rule-hooks/tls-handshake-02-ips-sni-drop/test.rules new file mode 100644 index 000000000..fa394d168 --- /dev/null +++ b/tests/rule-hooks/tls-handshake-02-ips-sni-drop/test.rules @@ -0,0 +1,2 @@ +pass tls:client_hello_done any any -> any any (tls.sni; content:"www.bing.com"; sid:21; alert;) +drop tls:client_hello_done any any -> any any (sid:22;) diff --git a/tests/rule-hooks/tls-handshake-02-ips-sni-drop/test.yaml b/tests/rule-hooks/tls-handshake-02-ips-sni-drop/test.yaml new file mode 100644 index 000000000..fe376a9bb --- /dev/null +++ b/tests/rule-hooks/tls-handshake-02-ips-sni-drop/test.yaml @@ -0,0 +1,22 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: +- -k none +- --simulate-ips + +checks: +- filter: + count: 1 + match: + event_type: alert +- filter: + count: 57 + match: + event_type: drop +- filter: + count: 0 + match: + event_type: tls diff --git a/tests/tls/tls-ja3s-requires-off/test-ja3s-hash.lua b/tests/tls/tls-ja3s-requires-off/test-ja3s-hash.lua index 791afa779..061186f96 100644 --- a/tests/tls/tls-ja3s-requires-off/test-ja3s-hash.lua +++ b/tests/tls/tls-ja3s-requires-off/test-ja3s-hash.lua @@ -1,6 +1,5 @@ function init(args) local needs = {} - needs["tls"] = tostring(true) return needs end diff --git a/tests/tls/tls-ja3s-requires-off/test-ja3s-string.lua b/tests/tls/tls-ja3s-requires-off/test-ja3s-string.lua index 2ea8b0d80..7f28c5136 100644 --- a/tests/tls/tls-ja3s-requires-off/test-ja3s-string.lua 
+++ b/tests/tls/tls-ja3s-requires-off/test-ja3s-string.lua @@ -1,6 +1,5 @@ function init(args) local needs = {} - needs["tls"] = tostring(true) return needs end diff --git a/tests/tls/tls-ja3s-requires/test-ja3s-hash.lua b/tests/tls/tls-ja3s-requires/test-ja3s-hash.lua index 791afa779..061186f96 100644 --- a/tests/tls/tls-ja3s-requires/test-ja3s-hash.lua +++ b/tests/tls/tls-ja3s-requires/test-ja3s-hash.lua @@ -1,6 +1,5 @@ function init(args) local needs = {} - needs["tls"] = tostring(true) return needs end diff --git a/tests/tls/tls-ja3s-requires/test-ja3s-string.lua b/tests/tls/tls-ja3s-requires/test-ja3s-string.lua index 2ea8b0d80..7f28c5136 100644 --- a/tests/tls/tls-ja3s-requires/test-ja3s-string.lua +++ b/tests/tls/tls-ja3s-requires/test-ja3s-string.lua @@ -1,6 +1,5 @@ function init(args) local needs = {} - needs["tls"] = tostring(true) return needs end diff --git a/tests/tls/tls-ja3s/test-ja3s-hash.lua b/tests/tls/tls-ja3s/test-ja3s-hash.lua index 791afa779..061186f96 100644 --- a/tests/tls/tls-ja3s/test-ja3s-hash.lua +++ b/tests/tls/tls-ja3s/test-ja3s-hash.lua @@ -1,6 +1,5 @@ function init(args) local needs = {} - needs["tls"] = tostring(true) return needs end diff --git a/tests/tls/tls-ja3s/test-ja3s-string.lua b/tests/tls/tls-ja3s/test-ja3s-string.lua index 2ea8b0d80..7f28c5136 100644 --- a/tests/tls/tls-ja3s/test-ja3s-string.lua +++ b/tests/tls/tls-ja3s/test-ja3s-string.lua @@ -1,6 +1,5 @@ function init(args) local needs = {} - needs["tls"] = tostring(true) return needs end diff --git a/tests/tls/tls-ja3s/test.rules b/tests/tls/tls-ja3s/test.rules index a5b259bc4..97276aefd 100644 --- a/tests/tls/tls-ja3s/test.rules +++ b/tests/tls/tls-ja3s/test.rules 
@@ -1,4 +1,4 @@ alert tls any any -> any any (msg:"ja3s.hash test"; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;) alert tls any any -> any any (msg:"ja3s.string test"; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;) -alert tls any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;) -alert tls any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;) +alert tls:server_hello any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;) +alert tls:server_hello any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;) diff --git a/tests/tls/tls-ja3s/test.yaml b/tests/tls/tls-ja3s/test.yaml index 2cffca18b..162a5975f 100644 --- a/tests/tls/tls-ja3s/test.yaml +++ b/tests/tls/tls-ja3s/test.yaml @@ -4,6 +4,7 @@ requires: features: - HAVE_LUA - HAVE_JA3 + min-version: 8 args: - -k none
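Review bot: Sids 3 and 4 in tests/tls/tls-ja3s/test.rules now hook on `tls:server_hello` but still carry `flow:established,to_client`; if the hook already fixes the direction and handshake point at which the script runs, the flow qualifier is redundant and could be dropped, or a comment could state that it is kept deliberately to mirror sids 1 and 2. Separately, the Lua scripts under tests/tls/tls-ja3s-requires and tests/tls/tls-ja3s-requires-off lose `needs["tls"]` in this commit but no matching test.rules change for those directories is visible here; confirm those rules already select the hook, or they need the same `tls:server_hello` update.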