From 87e0dca25a668ce02ff14c6a3952dd60b7660f42 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Mon, 29 Mar 2021 10:28:17 -0600
Subject: [PATCH] tests: add test for Rust template parser
---
 tests/app-layer-template-rust/input.pcap | Bin 0 -> 880 bytes
 tests/app-layer-template-rust/suricata.yaml | 17 ++++++
 tests/app-layer-template-rust/test.rules | 2 +
 tests/app-layer-template-rust/test.yaml | 54 ++++++++++++++++++++
 4 files changed, 73 insertions(+)
 create mode 100644 tests/app-layer-template-rust/input.pcap
 create mode 100644 tests/app-layer-template-rust/suricata.yaml
 create mode 100644 tests/app-layer-template-rust/test.rules
 create mode 100644 tests/app-layer-template-rust/test.yaml
diff --git a/tests/app-layer-template-rust/input.pcap b/tests/app-layer-template-rust/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..00abe264f1235e81f201c92a087de9d34c4d0e1e
GIT binary patch
literal 880
zc-no@JxBs!7zgm@PAjt^JtzzbwA#X;(jik2qYqjl=nGm4LIg`P2pSqAXo-fFBQFA_ zA?O1{Ar!*Nv4#kQ=u*kPoT9PkdF8OK!-MzbxZ(Hwpa0$6Tu40Vq4wy3!~3~iT09!& zVG`fz+~;;XFE8+Zm&Ob*3g9W0ec)^KibfOHg2yOVtP9EgQ!^P+K5Tl-0`U5VD?M*8 zeq8R&(05L!Ya)5o^G8Or>Q`j|l6!VYCEdCpS5~IplBf$&Va+B!)#SOvAxF9*$58g8 z>etHbEWWbLC#uW>>ZxrL6g)4Okz;vhNq#|5=xc>()TXt>k>VQ@4>Uy!6mk(oJaLfN zKj5BN4hBQE`A|5xWTydH9Plgh-!h!>bsDf`Rh5y#A$E)`xAs;C%q7kqXvi0e*8zZW zsGfh~P&~rKHcin2azj87^GqCc`!|<~Ee4=ox9_ZpV^tG&q|?;xdAHKUt%K-q`diNC zdg2EYB~8%`g_xj-d9NZ$uI74WZm`umRI8^^?Ltu&b;|0cGN~kHTy-;kvW!tx#x7Jd Mw6)0n&R8n{05#hsT>t<8
literal 0
Hc-jL100001
diff --git a/tests/app-layer-template-rust/suricata.yaml b/tests/app-layer-template-rust/suricata.yaml
new file mode 100644
index 000000000..4a8c639c8
--- /dev/null
+++ b/tests/app-layer-template-rust/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - template-rust
+ - alert
+ - flow
+
+app-layer:
+ protocols:
+ template-rust:
+ enabled: yes
+ detection-ports:
+ dp: 7000
diff --git a/tests/app-layer-template-rust/test.rules b/tests/app-layer-template-rust/test.rules
new file mode 100644
index 000000000..6bb665081
--- /dev/null
+++ b/tests/app-layer-template-rust/test.rules
@@ -0,0 +1,2 @@
+alert template-rust any any -> any any (msg:"TEST"; content:"Hello"; flow:established,to_server; sid:1; rev:1;)
+alert template-rust any any -> any any (msg:"TEST"; content:"Bye"; flow:established,to_client; sid:2; rev:1;)
diff --git a/tests/app-layer-template-rust/test.yaml b/tests/app-layer-template-rust/test.yaml
new file mode 100644
index 000000000..a92b6f2c6
--- /dev/null
+++ b/tests/app-layer-template-rust/test.yaml
@@ -0,0 +1,54 @@
+# *** Add configuration here ***
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 10.16.1.10
+ dest_port: 7000
+ event_type: template-rust
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 10.16.1.11
+ src_port: 58352
+ template.request: Hello World!
+ template.response: Bye
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ app_proto: template-rust
+ dest_ip: 10.16.1.10
+ dest_port: 7000
+ event_type: flow
+ flow.age: 20
+ flow.alerted: true
+ flow.bytes_toclient: 277
+ flow.bytes_toserver: 419
+ flow.pkts_toclient: 4
+ flow.pkts_toserver: 6
+ flow.reason: shutdown
+ flow.state: closed
+ proto: TCP
+ src_ip: 10.16.1.11
+ src_port: 58352
+ tcp.ack: true
+ tcp.fin: true
+ tcp.psh: true
+ tcp.state: closed
+ tcp.syn: true
+ tcp.tcp_flags: 1b
+ tcp.tcp_flags_tc: 1b
+ tcp.tcp_flags_ts: 1b
-- 
2.47.2
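Review bot: Both signatures in test.rules carry the identical `msg:"TEST"`, so an alert from sid 1 is indistinguishable from sid 2 in the eve output except by signature_id, which makes a failing check harder to read; distinct messages such as `msg:"TEST template-rust request";` and `msg:"TEST template-rust response";` cost nothing. Both rules also match with a plain `content` against the payload, so the test shows that the template-rust protocol is detected on port 7000 and that flow direction is tracked, but not that any parser-specific detection buffer is populated — if the Rust template parser exposes one (not visible in this patch), a third rule using it would cover that path.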
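Review bot: The placeholder `# *** Add configuration here ***` on the first line of test.yaml is left over from the test scaffold and should be replaced with a one-line statement of what the test asserts, e.g. `# Verify the Rust template parser logs one request/response pair, alerts in both directions, and tags the flow with app_proto template-rust.` The `-k none` argument also deserves a short comment giving the reason checksum validation is disabled for this pcap (presumably the capture has invalid checksums — confirm). The four filters pin exact byte, packet and age values from input.pcap, which is fine for a fixed capture but means any regeneration of the pcap must update all of them together, so a note to that effect next to the flow filter would help the next maintainer.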