From 093b235e67cf894cc5dfa6bc5cc71fd96c2b0da5 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sun, 17 May 2020 09:59:28 -0400
Subject: [PATCH] test:byte_jump Test from_end

This commit adds test cases for the `byte_jump` `from_end` keyword.
---
 tests/detect-bytejump-01/input.pcap | Bin 0 -> 118 bytes
 tests/detect-bytejump-01/test.rules | 4 ++++
 tests/detect-bytejump-01/test.yaml | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 tests/detect-bytejump-01/input.pcap
 create mode 100644 tests/detect-bytejump-01/test.rules
 create mode 100644 tests/detect-bytejump-01/test.yaml

diff --git a/tests/detect-bytejump-01/input.pcap b/tests/detect-bytejump-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..fe0da7bc915ebefe3333fe07d449f33db3c9ef47
GIT binary patch
literal 118
zc-p&ic+)~A1{MYw`2U}QAr(jq+8&7G@aJRj1F}Kb6+|&IFgUQ)EU#x^U<6?X5rzPm
zz5pf#h66DS41uMo#U+{fdG?0J;TfrU3gwwOISM5isR{*&c`2#6naK*Nc`5b)RBak<

literal 0
Hc-jL100001

diff --git a/tests/detect-bytejump-01/test.rules b/tests/detect-bytejump-01/test.rules
new file mode 100644
index 000000000..4a0c7617a
--- /dev/null
+++ b/tests/detect-bytejump-01/test.rules
@@ -0,0 +1,4 @@
+# Jump value from payload will be 13 (dec)
+# payload; `Question?13When will the pandemic end?`
+alert tcp any any -> any any (msg:"Byte-jump test 1";content:"Question?"; byte_jump:2,0,relative,string,from_end,post_offset -26; content:"pandemic";distance:0; sid:1;)
+alert tcp any any -> any any (msg:"Byte-jump test 2";content:"Question?"; byte_jump:0,0,relative,string,from_end,post_offset -3; content:"pandemic";distance:0; sid:2;)
diff --git a/tests/detect-bytejump-01/test.yaml b/tests/detect-bytejump-01/test.yaml
new file mode 100644
index 000000000..880832376
--- /dev/null
+++ b/tests/detect-bytejump-01/test.yaml
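Review bot: The negative case for sid 2 in test.rules can pass vacuously: its `byte_jump:0,0,...` converts zero bytes, and if Suricata rejects that nbytes value at rule load time the rule is silently dropped, which also produces the `count: 0` that test.yaml (the next hunk) asserts. If a zero-byte jump is intended to be valid with `from_end`, the yaml should additionally assert that both rules loaded (for example via the stats event's rules_loaded / rules_failed counters, if this version exposes them) so a parse failure cannot masquerade as a correct non-match. A comment on the second rule, `# from_end with no bytes converted: only post_offset -3 applies, landing at offset 35 of 38, past "pandemic", so this must not alert`, would record the intent. The arithmetic behind sid 1 checks out against the payload comment: 38-byte payload, end + 13 - 26 = offset 25, which is where "pandemic" begins.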
@@ -0,0 +1,18 @@
+requires:
+  min-version: 6
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
-- 
2.47.2