From: Shivani Bhardwaj Date: Sat, 18 May 2019 14:35:07 +0000 (+0530) Subject: Add tests for bug 28 X-Git-Tag: suricata-6.0.4~434 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F70%2Fhead;p=thirdparty%2Fsuricata-verify.git Add tests for bug 28 This patch adds tests for the long closed redmine ticket #28.
---
diff --git a/tests/bug-28/input.pcap b/tests/bug-28/input.pcap
new file mode 100644
index 000000000..65df5e27c
Binary files /dev/null and b/tests/bug-28/input.pcap differ
diff --git a/tests/bug-28/suricata.yaml b/tests/bug-28/suricata.yaml
new file mode 100644
index 000000000..4bc762ca0
--- /dev/null
+++ b/tests/bug-28/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - http:
diff --git a/tests/bug-28/test.rules b/tests/bug-28/test.rules
new file mode 100644
index 000000000..0679c2e40
--- /dev/null
+++ b/tests/bug-28/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (Original Sig Fails to Fire)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001340; rev:9;)
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF changed to content fails also)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001341; rev:9;)
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001342; rev:9;)
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001343; rev:9;)
diff --git a/tests/bug-28/test.yaml b/tests/bug-28/test.yaml
new file mode 100644
index 000000000..9ee37cf6e
--- /dev/null
+++ b/tests/bug-28/test.yaml
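Review bot: The msg texts of the four rules quote the original bug report ("Original Sig Fails to Fire", "fails also"), while test.yaml expects each of them to alert exactly once, so a reader of test.rules alone gets the opposite impression of the expected outcome. A header comment would fix that, e.g. `# Bug 28: all four variants must alert. The only difference is the space after "uricontent:"/"content:" (sids 2001340/2001341 have it, 2001342/2001343 do not); the msg texts are kept from the original report.` It is also worth saying in the same comment that 2001341–2001343 are local variants numbered next to the upstream ET sid 2001340 referenced in the rules, so nobody loads them alongside the real ET set and gets a sid clash.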
@@ -0,0 +1,98 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001340
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (Original Sig Fails to Fire)"
+ category: A Network Trojan was detected
+ severity: 1
+ app_proto: http
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ app_proto: http
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001341
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (OISF changed to content fails also)"
+ category: A Network Trojan was detected
+ severity: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ app_proto: http
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001342
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works)"
+ category: A Network Trojan was detected
+ severity: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ app_proto: http
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001343
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works)"
+ category: A Network Trojan was detected
+ severity: 1
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ tx_id: 0
+ http:
+ hostname: btg.btgrab.com
+ url: "/a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1"
+ http_user_agent: "{2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110"
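Review bot: The four alert filters each pin one sid to exactly one alert on tx_id 0, but nothing bounds the total, so a regression that made a rule fire again on a later transaction, or produced an unexpected fifth alert, would still pass; a further filter with `count: 4` matching only `event_type: alert` would close that gap. The `-k none` argument carries no comment saying why checksum validation is turned off for this test — presumably the capture's checksums do not validate, but that should be confirmed against input.pcap and stated, e.g. `# -k none: capture checksums do not validate`. The first filter lists `app_proto: http` after the `alert:` block while the other three put it before `tx_id:`; ordering the four blocks the same way makes them easier to compare.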