From a253a00727b65118d0db2d18ed33ce44394c52d1 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Thu, 9 Feb 2023 16:41:17 +0100
Subject: [PATCH] tests: add test for bug 3286
---
tests/bug-3286-01-no-evasion/test.rules | 1 +
tests/bug-3286-01-no-evasion/test.yaml | 25 +++++++++++
.../without_evasion.pcap | Bin 0 -> 1031 bytes
tests/bug-3286-02-linux-evasion/test.rules | 2 +
tests/bug-3286-02-linux-evasion/test.yaml | 41 ++++++++++++++++++
.../with_evasion_linux.pcap | Bin 0 -> 1271 bytes
tests/bug-3286-03-windows-evasion/test.rules | 2 +
tests/bug-3286-03-windows-evasion/test.yaml | 41 ++++++++++++++++++
.../with_evasion_windows.pcap | Bin 0 -> 1142 bytes
9 files changed, 112 insertions(+)
create mode 100644 tests/bug-3286-01-no-evasion/test.rules
create mode 100644 tests/bug-3286-01-no-evasion/test.yaml
create mode 100644 tests/bug-3286-01-no-evasion/without_evasion.pcap
create mode 100644 tests/bug-3286-02-linux-evasion/test.rules
create mode 100644 tests/bug-3286-02-linux-evasion/test.yaml
create mode 100644 tests/bug-3286-02-linux-evasion/with_evasion_linux.pcap
create mode 100644 tests/bug-3286-03-windows-evasion/test.rules
create mode 100644 tests/bug-3286-03-windows-evasion/test.yaml
create mode 100644 tests/bug-3286-03-windows-evasion/with_evasion_windows.pcap
diff --git a/tests/bug-3286-01-no-evasion/test.rules b/tests/bug-3286-01-no-evasion/test.rules
new file mode 100644
index 000000000..a6a8ff2a0
--- /dev/null
+++ b/tests/bug-3286-01-no-evasion/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (content:"THIS_IS_A_TEST"; nocase; sid:1;)
diff --git a/tests/bug-3286-01-no-evasion/test.yaml b/tests/bug-3286-01-no-evasion/test.yaml
new file mode 100644
index 000000000..b52cf4c3d
--- /dev/null
+++ b/tests/bug-3286-01-no-evasion/test.yaml
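Review bot: The sid:1 rule in the test.rules hunk carries no `msg`, so the alert it emits has no signature text and a failing check can only be traced back through `alert.signature_id`; the identical rule is repeated in the bug-3286-02 and bug-3286-03 test.rules hunks. A short message, e.g. `alert http any any -> any any (msg:"bug 3286 test payload"; content:"THIS_IS_A_TEST"; nocase; sid:1;)`, makes the eve output and any test failure self-describing. `nocase` appears redundant for a fixed upper-case literal the test itself supplies, though it is harmless.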
@@ -0,0 +1,25 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- --set stats.decoder-events=true
+#- --set stats.stream-events=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.status: 200
+ http.length: 14
diff --git a/tests/bug-3286-01-no-evasion/without_evasion.pcap b/tests/bug-3286-01-no-evasion/without_evasion.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..fbf5c09e074b956e74f77f77501596f3938c5b63
GIT binary patch
literal 1031
zc-noEO-vI(6vt;vk+#yr5K$5@lW`_+`%4~Z000j&Y;wjmJHY?fiWVLQ9DTUjzxluUzt8Kho_UZL z9eiHI!PuRCedFbY9&{PztoMF;9Q}#d8RGyxniS9$&!BH!zEHU0pqle6!EjBJVQy`EBGmMn^NiM*T;DzFF_v z*~*^!H~9{b$KijxljaCI(IkIs)4U1v-rL8x?b#@hxF$8n$c)&3+=rgPld#@SetRIUW||XiSiWxD*WJDx}P(bV6a} zsT9guvU68;_gxI`l8Y>Xb*?L)B zAp8`q5UpA!{B^QiB^9Rvj{~Pvtw?w{>y#}sflI2(!|kJxSunsn`uX19a{aG*itKvS z_}W%ay@P8tnYo_-ao8h9ytd&-HK5fx5%2C1A9N&w>rdAY6ZiebVM)T%SDMe@fWN$Q z%O-oa*rsaGgOv=Sx>JPgBP>Z}aw=PZmMSRetil97-|+vh&hnhYZ6S<1QJ JErB1H$Uk8VA?*MF
literal 0
Hc-jL100001
diff --git a/tests/bug-3286-02-linux-evasion/test.rules b/tests/bug-3286-02-linux-evasion/test.rules
new file mode 100644
index 000000000..44a006e3b
--- /dev/null
+++ b/tests/bug-3286-02-linux-evasion/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"THIS_IS_A_TEST"; nocase; sid:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid timestamp"; stream-event:pkt_invalid_timestamp; classtype:protocol-command-decode; sid:2210044; rev:2;)
diff --git a/tests/bug-3286-02-linux-evasion/test.yaml b/tests/bug-3286-02-linux-evasion/test.yaml
new file mode 100644
index 000000000..499154eb8
--- /dev/null
+++ b/tests/bug-3286-02-linux-evasion/test.yaml
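Review bot: The commented-out `#- --set stats.stream-events=true` under `args` is dead configuration left without explanation, here and in the bug-3286-02 and bug-3286-03 test.yaml hunks; either drop it or state why it is disabled. The file also never says what it verifies: the three checks pin one sid 1 alert, one CLOSED fileinfo and a 200 response whose `http.length: 14` equals the length of the `THIS_IS_A_TEST` literal, i.e. the baseline in which the payload reaches detection without any TCP-level evasion. A one-line header such as `# Baseline for bug 3286: HTTP transaction without TCP evasion; the 14-byte body must be detected` would make the contrast with the two evasion variants explicit.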
@@ -0,0 +1,41 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- --set stats.decoder-events=true
+#- --set stats.stream-events=true
+
+checks:
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2210044
+ pcap_cnt: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2210044
+ pcap_cnt: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.status: 200
+ http.length: 14
diff --git a/tests/bug-3286-02-linux-evasion/with_evasion_linux.pcap b/tests/bug-3286-02-linux-evasion/with_evasion_linux.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..bdad7c00fee13736b4efe4232b853dccd0c28599
GIT binary patch
literal 1271
zc-ozkO-vI(6vt=#A!I}SicyYp6QTP>N&^LAQ7a!}XzY^s5mT1!wB4}mF71|75)%>= z4@LtR514qsgNfm&#)C%G=)nU~F`h*s9F0gKhn{@1P(Iqq!O6VM?3$@ip zUC4vBhX*n6osB=eiXXU853H%xe7WoUsa2!nSNg1K6hWwMtbY4LJM}YecNHZ|ciiX{{8QUt7WqI9Y?2R9Dy5?+ zuwejwa{NePb(+8}795EUqr`#9|0W&+V!E8T2*ft{ZL6fd4k1c>UMNvNNvTmt=lq#s zJ}E0U?cT~{S#&!yxg)ydNy?i!Tv+{h>ED?gnBLZ17G+>%(IM|Ik1`n^Kgg`VJqjeo zpAE5`@glCfC`qljS2J>XoNo@sgMn6@84U$RUOa(2 zi8^EojiMyNl<-+CLy~4*pqoCnLsf|dG@ImYA#D%qe#NqMO;v2oG=x0$G~`RY!+PsT zyU4fr>xFt})m#K|y^4{_DJc@d#Nhg4equNWnzjx^4Ao3%Mk<6;W18j136j(moA}t% zreP43J`ln~gjk%SYop-rw^A7;LAY)sOVnJ3a2Lo(j%4jDBnNIOYMO9x*Up%F2oEcH z4qk5uWj>bH=*6ISuWom0wBRf0r|@#^+7hk$>-XhV|CRQlDWFYNBHq{_ex9pHgsQt9 z?IsrMjT=P~_nmXnU_*U5`I<#G%VOz@W^C{D5+h}&L4AOVl)JiPahM%(ITDj;fX8(2 cUXA|4kzBL8E!UPH$O$TW?$uU+e`t_@0Yc$`+5i9m
literal 0
Hc-jL100001
diff --git a/tests/bug-3286-03-windows-evasion/test.rules b/tests/bug-3286-03-windows-evasion/test.rules
new file mode 100644
index 000000000..44a006e3b
--- /dev/null
+++ b/tests/bug-3286-03-windows-evasion/test.rules
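Review bot: This test.yaml and its test.rules are byte-identical to the bug-3286-03-windows-evasion files (the blob ids 499154eb8 and 44a006e3b each appear twice in the patch), so nothing but the pcap and the directory name records what differs between the Linux and the Windows evasion, and the expectations are the same for both. A header comment in each yaml describing the evasion the capture performs and the host behaviour it targets would keep the pair maintainable; if that distinction depends on Suricata's `host-os-policy`, note as well that neither test sets one, so both run under the default policy. The checks themselves are sound: pinning the two `pkt_invalid_timestamp` alerts to `pcap_cnt: 2` and `pcap_cnt: 3` while still requiring `http.length: 14` asserts both that the bad segments were flagged and that the payload was reassembled and inspected. The same remark applies to the bug-3286-03 test.yaml hunk.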
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"THIS_IS_A_TEST"; nocase; sid:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM Packet with invalid timestamp"; stream-event:pkt_invalid_timestamp; classtype:protocol-command-decode; sid:2210044; rev:2;)
diff --git a/tests/bug-3286-03-windows-evasion/test.yaml b/tests/bug-3286-03-windows-evasion/test.yaml
new file mode 100644
index 000000000..499154eb8
--- /dev/null
+++ b/tests/bug-3286-03-windows-evasion/test.yaml
@@ -0,0 +1,41 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- --set stats.decoder-events=true
+#- --set stats.stream-events=true
+
+checks:
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2210044
+ pcap_cnt: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2210044
+ pcap_cnt: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.status: 200
+ http.length: 14
diff --git a/tests/bug-3286-03-windows-evasion/with_evasion_windows.pcap b/tests/bug-3286-03-windows-evasion/with_evasion_windows.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..432bf3e19d3e0b3c6c9bdf84aeceb39b548c0a74
GIT binary patch
literal 1142
zc-ozk&ubGw6vt^65m(66mbi2FVY}?pN zdg)P6Pl9+55sC*7>Rmz5iy##Lfr{YCgAo)hAbuKIG6T@ToPe-Qqr)G1T_v{_7Y@A=FjgH-wg>-zv{nnZsb0-w&be zWclYO%2*CzbR&&WD6;1%6As51CK95=^_J!x;ufpQtrCZ#y`L$KQc)I|uz*@wZpG+! z2i#&Ikl!*&thD|&aX%3GdZK^m--#cbfOr6-)mQaZ-#pTc27xx%sE_UCrl5}-HGQlA z)y=jrD0Zi+3}xK~)^!kwS}ltympRJ%`k*1}AcGde2#uyxEa9}OW+g>bI5zDR{UlcU z6Qa`7Cn{pU%&`+i;t9hBu_1HbSu!n4le$G2w_h^tyt7!u7gVgsqC9{h(9<=5OZ4y- zlD!b@z@tQ;aioN-$gmYWVtS}O~;l>G;+LD z8=bWV=1$6DKi?^J23}tkB#ddcF|QdUi3=WI@Pv`^tq*u&3lq7(?*>0`PVC%D*}9WA zZ6k?|CDY|`o)j$2Cmeg)v2CK$zb5evA+DfV<^segT*K4yM9A1hqR)Fo7$RzZqti~sfzjEh869`ByqTdw?>+Oo&_DP%S^Xq^{62Wgg$!= zp{m3g5{x Z+a$+>N&f!l^lfI~Vb5rR(J$2ke*t6QN%;T(
literal 0
Hc-jL100001
--
2.47.3