From ab2f4cdaa9483ff98fc5967bfc4333b1af4fd1a4 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Sat, 18 May 2019 20:05:07 +0530
Subject: [PATCH] Add tests for bug 28

This patch adds tests for the long closed redmine ticket #28.
---
 tests/bug-28/input.pcap | Bin 0 -> 3322 bytes
 tests/bug-28/suricata.yaml | 14 ++++++
 tests/bug-28/test.rules | 4 ++
 tests/bug-28/test.yaml | 98 +++++++++++++++++++++++++++++++++++++
 4 files changed, 116 insertions(+)
 create mode 100644 tests/bug-28/input.pcap
 create mode 100644 tests/bug-28/suricata.yaml
 create mode 100644 tests/bug-28/test.rules
 create mode 100644 tests/bug-28/test.yaml
diff --git a/tests/bug-28/input.pcap b/tests/bug-28/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..65df5e27cc430974b3c4e6502f7f3084729a26e4
GIT binary patch
literal 3322
zc-rleL1@!Z7{|Ysu9afJRlyyLhoFa~d2Q0PLbO@Z*-+M&nb{qLku-6uZIha$x}k#J zJPf>ga0d}Y@u0ZD26_<0n};6e!K+?8>eYkwCAAgCD4t6LkN5xb-uu1p@jLkN=1CAj zF#P&`fB>FX&m1rHx5ID&XKz4nPbD9M0&%8x3<>}={LaI@aO?5==fOy?^eYvbg{oD1 zwC8Q^1oQCXK0q)uvl|G6f*$SFv&cW1&lxZWv>Oiq%y2pGkvt+)L$l^~cLx*qJMlbx zw0xRAq*Y!i7 zv0)J9ZoAenb?cVHGelLjUDL2-9bY%!HT9O^$6}e+ER7?sTrTq{n-g-}0!LJ3o@G-U zLuMG7L|hiJEFx2BhNg){fv0H}CxmO3Ba}s+M2VuJRFjB8vFNg6*rc$A+c}^3zvtYc zsT87E3L!ccEm{sfsJUwt9=57cb*mkV#-bYb|M_Hioc|f$|F^0CN%X&t{R@?`{!jV- z52pSn(Z7rRXFiSfPx}7fPW?}!|1IqQ+Uc?WuloMCrv4|<|2ype%hFi?J>UP_)c+*< F{{tjJ)+PV|
literal 0
Hc-jL100001
diff --git a/tests/bug-28/suricata.yaml b/tests/bug-28/suricata.yaml
new file mode 100644
index 000000000..4bc762ca0
--- /dev/null
+++ b/tests/bug-28/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - http:
diff --git a/tests/bug-28/test.rules b/tests/bug-28/test.rules
new file mode 100644
index 000000000..0679c2e40
--- /dev/null
+++ b/tests/bug-28/test.rules
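Review bot: The trailing `- http:` entry in the eve-log `types` list is an empty mapping, so http records are enabled with whatever defaults apply, but nothing in the file records that the final `event_type: http` check in test.yaml depends on it; add a comment above it, `# http records are required by the event_type: http check in test.yaml`. The eve-log block sets no `filetype` or `filename`, so presumably the remaining settings come from the harness's base configuration — worth confirming the test does not depend on a particular default output path. Disabling payload, packet and metadata under `alert` keeps the expected records small, which is appropriate for a rule-parser regression test.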
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (Original Sig Fails to Fire)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001340; rev:9;)
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF changed to content fails also)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001341; rev:9;)
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001342; rev:9;)
+alert tcp any any -> any any (msg:"ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works)"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; content:"adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001343; rev:9;)
diff --git a/tests/bug-28/test.yaml b/tests/bug-28/test.yaml
new file mode 100644
index 000000000..9ee37cf6e
--- /dev/null
+++ b/tests/bug-28/test.yaml
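Review bot: The whitespace after `flow:`, `classtype:`, `sid:` and `uricontent:`/`content:` on all four lines is the behaviour under test (the space between a keyword colon and its value), but nothing in the file marks it as intentional, so a later formatting cleanup could silently defeat the test; add a leading comment line, `# Bug 28: the spaces after keyword colons (flow:, classtype:, sid:, uricontent:, content:) are intentional - each sid is one spacing variant and all four are expected to alert`. The msg texts ("Original Sig Fails to Fire", "fails also") describe the historical failure rather than the expected result, and since test.yaml expects `count: 1` for every sid the comment should say so explicitly rather than leaving the reader to reconcile the two files. All four signatures also carry the same three `reference:` options and `rev:9` although only the first is sid 2001340; harmless for the test, but worth a word in the same comment so the references are not read as meaningful per rule.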
@@ -0,0 +1,98 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001340
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (Original Sig Fails to Fire)"
+ category: A Network Trojan was detected
+ severity: 1
+ app_proto: http
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ app_proto: http
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001341
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (OISF changed to content fails also)"
+ category: A Network Trojan was detected
+ severity: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ app_proto: http
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001342
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote uricontent works)"
+ category: A Network Trojan was detected
+ severity: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ app_proto: http
+ tx_id: 0
+ alert:
+ action: allowed
+ gid: 1
+ signature_id: 2001343
+ rev: 9
+ signature: "ET MALWARE LocalNRD Spyware Checkin (OISF remove space between colon and quote content works)"
+ category: A Network Trojan was detected
+ severity: 1
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ src_ip: 192.168.2.7
+ src_port: 1041
+ dest_ip: 208.75.250.50
+ dest_port: 80
+ proto: TCP
+ tx_id: 0
+ http:
+ hostname: btg.btgrab.com
+ url: 
"/a/Drk.syn?adcontext=ROUTINE_CHECKIN&contextpeak=0&contextcount=0&countrycodein=XX&lastAdTime=0&lastAdCode=0&cookie1=0&cookie2=0&cookie3=0&cookie4=0&InstID={2CAA09DF-35D8-471C-9979-A11DA0CC54DB}&status=1&smode=11&event=&bho=aurora.exe&NumWindows=4&PartnerId=0&BundleId=0&HN=bob7&VSN=189A97F7&PI=55274-640-1781551-23400&MA=005400123457&TM=-1"
+ http_user_agent: "{2CAA09DF-35D8-471C-9979-A11DA0CC54DB}|0.21.5.110"
-- 
2.47.2
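Review bot: Each alert filter pins a single signature_id with `count: 1`, but nothing asserts that exactly four alerts were produced in total, so an unexpected extra alert (a sid firing more than once, or a fifth signature matching) would pass unnoticed; an aggregate `event_type: alert` filter with `count: 4` closes that gap. Key order also differs between the first filter, which lists `app_proto: http` after the `alert` mapping, and the other three, which place it before `tx_id`; aligning them makes the four blocks directly comparable. The `args` entry `-k none` turns off checksum validation for the run, but the reason is not recorded; a one-line comment stating why it is needed for this capture would help the next reader. The hunk holds the whole file, so the addition below goes at the end of the `checks` list.
```yaml
# … unchanged: requires, args and the five existing filters …
  - filter:
      count: 4
      match:
        event_type: alert
```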