From 0b7f8c24a630910f5d6d32dbd05f7fd3997c8ad6 Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Wed, 15 May 2019 14:57:09 +0200
Subject: [PATCH] tests/tls: add testcases for tls.certs keyword
---
 tests/tls-certs-alert/input.pcap | Bin 0 -> 10134 bytes
 tests/tls-certs-alert/suricata.yaml | 16 ++++++++++++++++
 tests/tls-certs-alert/test.rules | 3 +++
 tests/tls-certs-alert/test.yaml | 28 ++++++++++++++++++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 tests/tls-certs-alert/input.pcap
 create mode 100644 tests/tls-certs-alert/suricata.yaml
 create mode 100644 tests/tls-certs-alert/test.rules
 create mode 100644 tests/tls-certs-alert/test.yaml
diff --git a/tests/tls-certs-alert/input.pcap b/tests/tls-certs-alert/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f50866f1e591ba528537c74e81a9e6e092ed7e14 GIT binary patch literal 10134 zc-p;L2{={V*FSeOPnjvMO2~9B%9wecQX-imv$&>fmSik4t2CHHAt~e)88Va%nJYs= zugpU!CGnjTdF##h{p)%9{@1gdv-dfB|9)%jwbxqv-tM})8At#P{PRHr2D$aLUKPP;=z17!VWNr)MugDFV6>VxO27~r zXSlU)xL?+-211+)q6LOK(ji?CU-h~JqroUINT>h-$egfjf%4%uQCNWCPOnXr8W@EM zg#bFB*;`Sl0!jzQpyxTorh`83FF%fcO#QZ)v%a*}&pAJO)nA-*2LMRa2-JW;TFcFr z8!dS?{58TrYR&E%Uf^WSt{NV|u7tDHbPb|&Hx2~MnPl&a_El~*a0vDtN@EBapPS|q`e5KJ(1`tj2FTKOi(W~ zBvb$n;J_lVNGuA2z#uUwGy;u8qfiJG5`{t{kVqs7ww=mZ>dh6}!XI$I>TOw>f80AJZH9(C4zRJ%i=;yzW!Zo*vk_4kLp-_M$glvmK>*25>;Dfmq+F->gpyU;q?kYuLOH98DSpKywwKNd`!i!C(@3Fc{05{?)Ry zH0?fv>I<0N5=*zDF>AlZ%}%o&{uDSBu8m+gs?Ho4dH%fx(EK-&+a+nL8Lk13>-c z$Y2BlXrJFkOuvY8C$(YSW^AU}E_L2EHl2?@x4)-=@@ckP0;3{h5lMm<-t!qxjE+iyhw?qVf%v(w6!06?B-r=~9Yd+WQ>?9t{ ztKA?MP)qwhJ=^xAzJ62xOjw;W=A(6P6ZKT=aQ&SrL3?UOxxYsSR=BJMXC3&_KKt1gBWOnEVl>aEqjD{-$biQln4wrz8C>_z%Njv zna~Wj$tRGn$l`NfjPC#J)mT)W;hb9qo;d?Qr$hUJKEeN9is0|V&p!qu8s)*;)FnedqLiBl#mFf?eK&i(2THZKTN2krw@{1v36%Dp^yLu zd>ey6pj|-%xO<}wN5}GL>OYbtF&AT1gtDOM`0<}Cd3ZM*Az_qB2ql#QSeKt-FopfE z#$chWuQ8Yf5E&T%F$R->h;Wt-1G`vxxc*=dQ1zPyKxDYow`H(|AA9_0xNp%84tDFY zZavf~DM0H&1S#Qlp@)423Bs}AG?pBi7meukMM4QK7~ulRNrVI74O}lLiz{It)-P^dV3P$5b_l1=z@p>1vAaSu-QL_InPxARkqdN_t7{gN^_h0J8zGCym;nKd5& z)PAFT1LO0Wx)835zE=T$9?$yxGI0G6&PcmK~oIn-%RV2*5Q} z4h$5HXrH@n^ASCWl=@?SZmaWz)Y|l-ctOs|0|pJE7|Pb#eJn+e_O{y9hFpCnFVxG= z@8gO$8}NMQrz)_MCrig~K)0e!=^Jsve?S^Lg8e&*>O%p($o#Q#P}=d^=GA?+FU zo?Kyf|6aBOz|2bh5S{AY8zB{yy))a3ITnmi!9dKlxwyA%$1}6AeP&f@eP%gh!Y_@2 zSh^NY_~&G$72a@gw>o1}7#xySdMWZM?$8>WoTWU6dizO zHXkT7iqomB2N~n`nGj@x8Q%+-J{av^b5mNj<__wfWy#c;w{0i)AkZc6XSTjAp7Lc` zA@ug6+viu=JanFlUW&`S7@;4+U!LQsF1W)`+`kVm!uG5nAG?@mrd6h6fd zC}@rz?Z_ZqdNrZyA&HIdO5e(wU*UjhpaGt8T$1Gavnt^(3dhbnL&sN-67{9`1q~L) zC?^-EQFryddbW6yFJC!V%P7=2LF-IipGVZTOX_iG6;HN7ar~u(@zx_$(ywdfB+Z5X zdS@C)8xyVoM61}U6=m48rRVXH>At%(H7=A-UB 
zu5M&=gfV0h!>`5HdQ>9?vCsvH0DjDlh;UHsyBxv`?%B*C|99N=Ur(Au&>a*{-7HcO2MnzQ$aqp9hNl;=lvzNpwFb28v+O&@J#=`SYI=X3Gla`w|HCQg5GO zhjxYSeAWm%d)=kG2RaP43QfCYhqOBJirM!96;0WcTO2yS$IMDGvGc72o*eyv7x#zu!XJt8H3h zp!ZPFd_(Ww-8wwh`Bxvwx_wr^^p~h}6Ftf7#Y}b<#t)|2@-xK`r`OzSN7dH4%YhPc z#XelqBq4H^0b6(~^H}oP8|*HEi*K74j_-LY5FI!pUURcYvOKt&m2y(-Ho#^7@s`I( zlSrQgH-$mhl^yf;;WI)CVsio6dOND6K6TZSQjX1VL>h6w{>%H8AmRPt!4hI@zJ^eW zbfOq9r%zkbSLH{N8Gq z|5|7Q_v7(+aPtHsivOkbd7lwa`}tfx7G_T{-6f(`ty?p0>^$mP?M+*~g7^^j z;)XJcGx1 z=Qakm7{}(-)?x;0=0_%csUp>HXP3Ju6ua}w6h!(cyXQWh>8Xe|k}G8&*Wk@`?Zcx7 zm+msX)h5>^xiO=8z`XQyR$Sd}p7n5L1zP?TmS{FZ7Y0N@m+yA%mYec-b}eRO*EU}h z&r_%0M!r0#eC^=jqQ#*?^m|`l(yZMqD_Z=aHG<_mk5(6JIgOhCa=zwAe3Q(VPggqX znx4_BefDzV`FPine46c5i8t4*dR~)QbY)ein2;^>#Ej}M##k-O<@T4@4xO;=?I0*b zzZEQ<^wvyEF&g1NRwKV_MvymHMb`I7!k*+;LFzZe=jMBTEtp;wj8nG~3Y3{8gf;qx zRb=;;@7I4SrH5S-8m~X9;bh6h(u2O`BO@RcbTW79HY3Bt^K-T35>6xWPLXTY<=)&! z!5a46S;GSpLuvt~CAI!ZaifWZ=z4Dvyrjp@m{p}w-6G%=4(IU9FIuqPWq6X>_ zz*qVCOn`{_)iZ(Q)VDLi!t~~u;39k`Ky179_-tdc*zss`nZ}8p3m2SUGNDii9ZCS9 zfdZHn&{BHorH`ViC&b(Aq$n%jC`7#q$$hxNb>SVYdT{qAM4&Z}t1J3I@@r_L`~77=O1gLJ(b$S<^(aFZ6_>_tzSBlZ-m}GEfbNhbR(;<1sj7_?uSGku( z6YUv{HP(VNX~e)PIOdE#=Mcxymx}DsRPGwfFDIh8&X% zk7*3adG1H{r+GVOJNM(m3JuB}h2Ss0(9|2>Cs!r?InR+k26>Lecb>xyuPcnwd6^pM zhQ@bqjgtDCC@ctxPL53!9vB5yN)D;T ze>!v=)ztBd)g^MwT?YT!q=(gCZ6xSJK%rKL!J8TV)I*KgdGAzY8K9{U2zWx?iCB?C zoV4ZRAB!HgaTK+87A#{f6ig1cX)tvyABv=zJJMXVLSodXQT7 z#;n=&$-w8!b1<<=h*&+aE?W@$%QZK!9cQ9=aaRIQ&1l1yw@d}C zLT>`z#Gu<|CNP&B?}(4r!R$;Rc0s_pY{5?Rm)V`!WcTD}cHA56ruI~j&AdKPdqhJt zJH+$;^VAq_3Ku`I2*sxp8NmTCpNkNmWMEyk;B(@a`Q&f%8Tpydfek*>(}R*pIc3GJ zYc&|51R*5T-Gu--!N%^JliFo@v4W*&pf#{c+N=QA{kj2{j;NM3KHNS1>YBQJ*jFJwaeA9Rf6xH8Efx-rE^hcDh8gFd*!29VcQ&=O=aF%Hd z!*o_w{lkwjk#%MWuH4F5=DQn|h zBB>rGNe?0Cip|D9dN#wi^G*h7lu1fm0bj1btDZTNC)|o9UqXs5TNtp&MzqsYUTOJ$ z5rZPv>ZJzd=7R7Z?S7fwJLu(;d}0gjQMLP^w=mQjZ=InzOys!cH+U)*lWL^Bc)u=W z7hirj-w~={0;y+K{1-+e>O*Dcl~;lks_R&;nhW}``tLr{V$vM1;kM*pxbWz>5*b;{ zJ`GePFIhD!M}RNAdXc~0#AAU=+VZr%=SDg9u-WohT;!08-7Vl;Cp?G@9pJrr(*vcq 
zv@*ggW2MoIOSW;4iYj7x3^uBj1b(P=Jk5l4TN&J!{}fEe6uaaz$=R3cZy|m4G0sHjOdFh0k z%bK0+PVMz;D&jsam6RcAImaQZyi2RxaXkJy|&1GMo|`3&yCEf z0x4uk-Lk#+dpyyOt8AXvAKQNVsob+uoq^O*i>gV{1$OV^iR1;^A24I4#F~hPVUA;x z$g!98@!OWObm-oi_8oI*kz-S;Q@v(n{^U8RjIKUdBN=(8rEc_-*%i-}2Pusgl6O;{ z#`p*4#+D+uc1p+T``(ODo%C;fen7hHismyz8Fy0lg#2i6LR7JfxDtnERn-eFkx7pe zx9^9bTn=aTr8lQ$58te7XXZH)LN~F}pg~$C-j&asqr-sjo|TDneKkCH>-s&e6(-r+ zq4pZL?<6KS3>!}<20EN`dT`7Al40pbz1h;H>6XqC+WyGvZ?%;f9#eBO1S#`A1t|zm zQq8@3s;=|PysyM&O$8EMeA)N)D)oOX>G7XFA=j)(s?6wBXyUl2l5IzOR3R4aM%A{u z5VJ(85w%14KvIi-2kU~?s~~}v5-m3BMRM}h7u?$6PX&V(dZ{?i^2C$Sw0sa8vF#L2 zJjYA9n}30D_EaNre|6|{cdMCb)+=#fq=>v#BU`M2+U>mMrcbAJ?~3N&z#YERBS|^= zL0M+fDJCb37+gA6lhvfx8OD&qA_TI#676-5{^r;(T<> zUSr{=YW1$6Twkq}MT>X^l!{Q|x$UdI4GvMxkL8~jcl!jGzG2chag`>hJc+(CT$Sf0ue(rcj#$>Hn<+S;{B-c3}R^FxZB+bh$KPP9|81dh#}zschE?#1!KFILMM zIh6J)ns=wpN{Dp6u-$`@6{RvcEA5h4;V-FM>-t28D6M-so~o<~^$0`s$r(R7x$TyyVKVUoONK7r`AZo6B_TiHHzGCqOd?H)te}DFbX4-1lTrem)R(uS4#^= ztM{6;?Qs~K?PpjuhDq?+{~=XHzLKE(LDl(hs_y?AwW;bBg@W9#rf@|87zs|{I^vrt z{2{FFS5-GMSupGE4+2y4Lsi6(p@l;?X*nAjU=l=#1XNIcm4B&9Iy4F}{JN^}b3HTw zbR+=)JaYsz^Pi}L6t%vpM+b=L=KiQ2jB@_}jX(eRAL6eK%`OVpak|$x`PadY0HcVF L{~`XO-}C<;(Qw76 literal 0 Hc-jL100001
diff --git a/tests/tls-certs-alert/suricata.yaml b/tests/tls-certs-alert/suricata.yaml
new file mode 100644
index 000000000..0211a9fc1
--- /dev/null
+++ b/tests/tls-certs-alert/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - tls
diff --git a/tests/tls-certs-alert/test.rules b/tests/tls-certs-alert/test.rules
new file mode 100644
index 000000000..98913adc9
--- /dev/null
+++ b/tests/tls-certs-alert/test.rules
@@ -0,0 +1,3 @@
+alert tls any any -> any any (msg:"Match first certificate"; flow:established,to_client; tls.certs; content:"|30160603550403130f|"; sid:1;)
+alert tls any any -> any any (msg:"Match second certificate"; flow:established,to_client; tls.certs; content:"|30250603550403131e|"; sid:2;)
+alert tls any any -> any any (msg:"Match third certificate"; flow:established,to_client; tls.certs; content:"|301e06035504031317|"; sid:3;)
diff --git a/tests/tls-certs-alert/test.yaml b/tests/tls-certs-alert/test.yaml
new file mode 100644
index 000000000..c97d62b40
--- /dev/null
+++ b/tests/tls-certs-alert/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 5.0.0
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+ # Check that we can alert on all three certs in the certificate chain
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ app_proto: tls
+ alert.signature_id: 3
-- 
2.47.2
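Review bot: The three content patterns in test.rules select each certificate only by the length of its commonName, not by its identity: `|30160603550403130f|` decodes as SEQUENCE(22) { OID 2.5.4.3 commonName, PrintableString(15) }, and sid 2 and sid 3 differ from it only in the SEQUENCE and string lengths (0x25/0x1e and 0x1e/0x17). That still hits the intended certs in this capture, but a reader cannot tell which cert a given sid targets, and any cert with a same-length CN would match too. A comment per rule decoding the bytes, e.g. `# |30 16 06 03 55 04 03 13 0f| = SEQUENCE { OID commonName, PrintableString(15) } - picks the cert by CN length only`, would make the fixture self-explaining; extending each content with the CN bytes themselves would tie the match to the subject rather than to a length.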
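Review bot: The checks in test.yaml only prove positive matches, so nothing shows that tls.certs is scoped to the certificate chain rather than matching elsewhere in the TLS data; a fourth rule with a pattern that is not present in the chain plus a `count: 0` filter on `alert.signature_id: 4` would cover the negative case cheaply. The `- -k none` argument is presumably there because the capture's checksums do not validate, but the reason is not recorded; a one-line comment above `args:` such as `# -k none: checksum validation is disabled for this capture` would save the next maintainer a guess. The `- tls` eve output enabled in suricata.yaml is not asserted on by any check, so either a `event_type: tls` count filter should be added or the output dropped so the fixture and the assertions agree.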