From e3b28dd1ee238bcbdda95facd825df4cb061f69f Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 1 Jun 2022 14:26:55 +0200
Subject: [PATCH] Adds test about stream_size keyword

---
tests/streamsize-keyword/README.md | 7 +++++++
tests/streamsize-keyword/input.pcap | Bin 0 -> 4479 bytes
tests/streamsize-keyword/test.rules | 1 +
tests/streamsize-keyword/test.yaml | 10 ++++++++++
4 files changed, 18 insertions(+)
create mode 100644 tests/streamsize-keyword/README.md
create mode 100644 tests/streamsize-keyword/input.pcap
create mode 100644 tests/streamsize-keyword/test.rules
create mode 100644 tests/streamsize-keyword/test.yaml

diff --git a/tests/streamsize-keyword/README.md b/tests/streamsize-keyword/README.md
new file mode 100644
index 000000000..a742cd7a4
--- /dev/null
+++ b/tests/streamsize-keyword/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test stream_size keyword
+
+# PCAP
+
+The pcap is the same as smb-eicar-file test with the eicar file in it
diff --git a/tests/streamsize-keyword/input.pcap b/tests/streamsize-keyword/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e97b433c4805aa28ce91c18d15fabcf6aff5a4b0 GIT binary patch literal 4479 zc-qZadrVVT82|2VX|MHxC}?r&DsurOV0nmOETgs{oj^NU-$p57j5GM2b2=jeiSPHT zQ#U{}vt>)|9%eppBI;(0f3dkZXZ&Z;EK78{Oy^_c?mORYYkNJEEc<8o=G=4dx##@O z_xpXnb9&+X3!k@&poQm$7M9{Q@x-{^y%$G1TiWKV`TKUpRZxU=iDoBYt)L09jr!QNcz$Nf5Lm!(54&1qfEak2fu_ zgW}z!inkhZ1FrsXyRlQ@?U*9LQ-pY`!qMat&aZ);3@7dzE{+jyH|-@(U(4=_3Cq}> z(RLZ4jxL$1Lm;|rrpgk}RA<#BldH-(vC3Lu%FZ%_SmCf$Io-}uPw2IqwdZnQ`*7Vb$jb-ydYM3g71}S*<*#toRytJO2jXb z;0y+OhM%QR`~xUU4XP{!^r@#(Tt-vkieWTvU04YpUx|cXpvggatyP(Z9e@2S)Gxg8 z;O5IWuL&1r7zYWrEw}uIvnL%e?r{I~XMTKjnogIY6XN2;mf_~1Ekn#kodKV^5 z93F9RU{vy#@XaCA2FmHD0Hyryc6OP+b-#USuBM($Cx{lI)RD+O$efd4=2U zqOnO0QVkoM7KCTDP63UF$*>3(z$(0VgBR+c2CoXwqX#AE!fssxFZIGb|3H@dZ;PT+ ze?Awvc3|oUUc5rXI*8{WfOa2;r-Uh&p#!Ig7Y+!m4MJ~ogP?EG7zCj;n$-FS+V%HB zv_u>|9M1xxx4GtO+u9qZI$ncECRLsmGsD;JwHY^7dW@sKPgOzkOK@N_~hC*sz zfmvfcz4)dUTe4v+p81gbpHT84ix8L_wj7ekG-RB})gzGW9|iW1>%UUDzQZDRJVDn# zY-*vzT#4y=NmRRjRoL}Apmn8r#gS#&B_R`Nf&-_;s3kmE-5<|tW|qxR6Y~D16NanX zk~aPAJuu^UZ~k|a%D{;tc;M2*LqivIuBj~?vS4#vXTz)*Yvk!M2_ED9W7YOJI+0ZQ z#h*yqqb+)kbUe|gp5DpU$h8z2*A`aA$5#c{NE<%%f?d$6H^;H{@xOA%hL0s&aX^K$ zCvFVvrM-1zv^!4kw1^i@p*y;oa)|6Kro&qtcgQl+LBn(a=!5v#*cne2TMovNjnNcP z&0?AbF3i~kTu~0NF%8*4ahm)Rtj3nrs(i^w6z7}%B+6HNbiOW}!dUNPz6M-srg25# zIMw-*lsNS=6hU7&Ck&+07p&uO-FtAIyMu}qI(xX~#VX~}P@0DS*405=8@Q^^CQ!1`zf&ZJw!i+Ld>2O~~tBYw1kQaCs}13tnra&efF z<0#TvM&t-jN%BS<80mwjU%0th7!cKsZEJB@im{0FZN$7j57+5jT6^qZ@qV!#;3z01 zQuu;$ig%BHFbTgeTKJ2381pVB{LEuCZhkmkA3xp{8RoNaSS$rw7vEyPPTkce==NYC zcWwu6suDt}dXFStr;>OVhTR;Qsv*1aa{`pYNmU?lkbaCFadB9xW>82?jQZ$qQ>BA` zl&a!rBKBYdPBd+dbA;>FVykOr-YnOQX=C!zT(i^1+HC1#*N!Z4*sN8VZjZInZmqIs zS}Q${DUPbi?o3aK+ml)9C@&c?vMi%)6yq~vAHYIT3TF+?^cyLaS5>KO)~B{5V=5Es z*U-4pVLm=SADs-NF@9Noo{|y!0llRZj+B!FhbSekXery0ar#asWut{0|u;qXoKCllW;72i&rxYX6(l(0>RbXDp`0ob3MbNFaZ{}4j^fs2Of zefA-ZdnHW4$EOgSE;&Ptz26)r#okpZR*F+T37I$ any any 
(flow:established,to_server; stream_size:server,<,1111; content: "EICAR"; sid:1234;)
diff --git a/tests/streamsize-keyword/test.yaml b/tests/streamsize-keyword/test.yaml
new file mode 100644
index 000000000..19401dd88
--- /dev/null
+++ b/tests/streamsize-keyword/test.yaml
@@ -0,0 +1,10 @@
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1234
-- 2.47.3
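Review bot: The single `count: 1` check for sid 1234 in test.yaml cannot tell whether stream_size was actually evaluated: as far as the visible rule shows, `flow:established,to_server; content:"EICAR"` alone would plausibly raise the same one alert on this pcap, so a regression that turned `stream_size:server,<,1111` into a no-op would still pass. Add a negative control, i.e. a second rule in test.rules identical to the first except for `stream_size:server,>,1111; sid:1235;`, and assert in test.yaml that it never fires; the added check is shown below. It would also help a future reader to say in a comment next to the rule (or in the README) why 1111 was chosen relative to the server-side byte count in this capture, which I cannot infer from the hunk.
```yaml
checks:
  # … unchanged: existing count: 1 check for sid 1234 …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1235
```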