tests: update several tests to test frames support
authorVictor Julien <victor@inliniac.net>
Thu, 9 Sep 2021 07:48:21 +0000 (09:48 +0200)
committerJuliana Fajardini <jufajardini@gmail.com>
Thu, 20 Jan 2022 15:44:18 +0000 (15:44 +0000)
14 files changed:
tests/alert-testmyids/suricata.yaml
tests/alert-testmyids/test.rules
tests/alert-testmyids/test.yaml
tests/http-gap-simple/suricata.yaml [new file with mode: 0644]
tests/http-gap-simple/test.yaml
tests/smb-eicar-file/suricata.yaml [new file with mode: 0644]
tests/smb-eicar-file/test.yaml
tests/smb-named-pipe-ascii/suricata.yaml [new file with mode: 0644]
tests/smb-named-pipe-ascii/test.yaml
tests/smb2-07/test.rules [new file with mode: 0644]
tests/smb2-07/test.yaml
tests/tls13-draft28/suricata.yaml
tests/tls13-draft28/test.rules [new file with mode: 0644]
tests/tls13-draft28/test.yaml

index c9638cf5b8ecabe81d11c3a08656083018042322..96d5f073459c993c4313c2b779ae9ef3c4266f6b 100644 (file)
@@ -31,6 +31,7 @@ outputs:
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
       types:
+        - frame
         - alert:
             payload: yes
             payload-buffer-size: 4kb
index 9f1307bdb4bf5b6d4cb660a455d8c1adb710bdcf..025811af031a56ec650773757bf4304e6418908f 100644 (file)
@@ -1 +1,5 @@
 alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+
+alert http any any -> any any (flow:to_server; frame:http1.request; content:"GET / HTTP/1.1|0d 0a|Host: www.testmyids.com"; startswith; bsize:81; sid:1;)
+alert http1 any any -> any any (flow:to_client; frame:response; content:"uid=0|28|root|29|"; sid:2;)
+alert http1 any any -> any any (flow:to_server; frame:request; strip_whitespace; content:"GET/HTTP/1.1Host:www.testmyids.com"; startswith; bsize:66; sid:3;)
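Review bot: Rules sid 1 and sid 3 match the same request through what appear to be two equivalent spellings (`alert http` with `frame:http1.request` versus `alert http1` with `frame:request`), and nothing in the file says that covering both forms is deliberate, so a later cleanup could merge them and silently break the `count: 4` expectation in test.yaml. A comment above sid 1 such as `# sid 1 and sid 3 cover the same request via both frame spellings; sid 3 also exercises strip_whitespace (81 -> 66 bytes)` would pin that down. None of the three new rules carries a `msg`, which is acceptable for a test but leaves fast.log identifying them by sid only; `msg:"frame test sid 1"` etc. would cost nothing.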
index b6ce41dc8c2fa3c031b7fb15fa7925995705ac66..a7b2a4bf97ef96dc0538a96f50bbfd64f1d16402 100644 (file)
@@ -6,11 +6,11 @@ checks:
 
   # Check that we only have one alert event type in eve.
   - filter:
-      count: 1
+      count: 4
       match:
         event_type: alert
 
   # Check how many lines were logged to fast.log.
   - shell:
       args: cat fast.log | wc -l | xargs
-      expect: 1
+      expect: 4
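Review bot: The context comment on the first check, `# Check that we only have one alert event type in eve.`, is now wrong: the count below it moves from 1 to 4 because the three new frame rules in test.rules fire alongside sid 2100498. Change it to `# Four alerts: sid 2100498 plus the three frame rules (sids 1-3) in test.rules.` and say the same above the fast.log check. Pinning a count without naming the contributing sids makes the next rule edit hard to diagnose when this fails.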
diff --git a/tests/http-gap-simple/suricata.yaml b/tests/http-gap-simple/suricata.yaml
new file mode 100644 (file)
index 0000000..3bcb3d6
--- /dev/null
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        # app layer frames
+        - frame:
+            enabled: yes
+        - anomaly:
+            enabled: yes
+            types:
+              # decode: no
+              # stream: no
+              # applayer: yes
+            #packethdr: no
+        - http:
+            extended: yes
+        - files
index c47eb797321c51a76264fad37d626d3d0caf21bc..8576dfb13d2f39225202438c9517684365fbe95e 100644 (file)
@@ -42,3 +42,15 @@ checks:
         fileinfo.size: 70
         fileinfo.state: "TRUNCATED"
         fileinfo.gaps: true
+
+  - filter:
+      count: 1
+      match:
+        event_type: frame
+        app_proto: http
+        frame.id: 1
+        frame.stream_offset: 0
+        frame.type: request
+        frame.length: 40
+        frame.direction: toserver
+        frame.tx_id: 0
diff --git a/tests/smb-eicar-file/suricata.yaml b/tests/smb-eicar-file/suricata.yaml
new file mode 100644 (file)
index 0000000..0ee1a38
--- /dev/null
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - smb
+        - flow
+        - frame
+        - alert
index ad7a26e07fe793d670486218c34338723508dbf1..8d0257fdc4fa85d42a662c93d0f83b8dc8ee0026 100644 (file)
@@ -22,3 +22,12 @@ checks:
       match:
         event_type: alert
         files[0].filename: "\\eicar"
+  - filter:
+      count: 1
+      match:
+        event_type: frame
+        frame.direction: toserver
+        frame.type: "smb1.data"
+        frame.stream_offset: 853
+        frame.length: 100
+        frame.payload: "Dv8AAAAAQAAAAAAAAAAAAAAAAAAARABAAAAAAABFAABYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKg=="
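Review bot: The `frame.payload` value is an opaque base64 blob, so a reader cannot tell what this check actually pins. Decoded, it starts with bytes that look like an SMB1 WriteAndX parameter block and then carries the complete EICAR test string (`X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`), which is what makes the exact offset/length check meaningful for this test. A comment above the filter, `# smb1.data frame of the write carrying the EICAR test string (100 bytes at stream offset 853)`, would document that. It also shows that enabling `frame` logging writes raw file bytes, base64-encoded, into eve.json — worth remembering when the same config is lifted into a deployment.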
diff --git a/tests/smb-named-pipe-ascii/suricata.yaml b/tests/smb-named-pipe-ascii/suricata.yaml
new file mode 100644 (file)
index 0000000..0ee1a38
--- /dev/null
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - smb
+        - flow
+        - frame
+        - alert
index 54b53cc40b808589e26c2a2efbdb4a89cc1215fc..88eaf0537342555267031c47d46af6823f3ef9fe 100644 (file)
@@ -13,3 +13,25 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
+
+  - filter:
+      count: 12
+      match:
+        event_type: frame
+        frame.type: "smb1.hdr"
+  - filter:
+      count: 1
+      match:
+        event_type: frame
+        frame.type: "smb1.hdr"
+        frame.stream_offset: 4
+        frame.length: 32
+        frame.payload: "/1NNQnIAAAAAGEPIAAAAAAAAAAAAAAAAAAD+/wAAAAA="
+  - filter:
+      count: 1
+      match:
+        event_type: frame
+        frame.type: "smb1.hdr"
+        frame.stream_offset: 1098
+        frame.length: 32
+        frame.payload: "/1NNQnEAAAAAGEPIAAAAAAAAAAAAAAAAAQhkBgAQBQA="
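Review bot: The two exact-frame checks pin `frame.stream_offset`, `frame.length` and `frame.payload` but not `frame.direction`, even though stream offsets are per direction and offset 4 in particular exists on both sides right after the NetBIOS session header. Decoding the payloads, both are 32-byte SMB1 headers (`\xffSMB` followed by command 0x72 NEGOTIATE at offset 4 and 0x71 TREE_DISCONNECT at offset 1098) whose flags byte 0x18 appears to mark them as requests, so adding `frame.direction: toserver` to both filters plus a comment such as `# SMB1 NEGOTIATE request header, directly after the 4-byte NetBIOS header` would make them self-describing. The `count: 12` check on `smb1.hdr` could likewise be split by direction so a missing response header is caught rather than masked by an extra request.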
diff --git a/tests/smb2-07/test.rules b/tests/smb2-07/test.rules
new file mode 100644 (file)
index 0000000..2653f07
--- /dev/null
@@ -0,0 +1,13 @@
+alert smb any any -> any any (flow:to_server; frame:smb2.pdu; content:"This program cannot be run in DOS mode.|0d 0d 0a|"; sid:1;)
+alert smb any any -> any any (flow:to_server; frame:smb2.pdu; content:"|C0 40 88 41|"; endswith; sid:2;)
+alert smb any any -> any any (flow:to_server; frame:smb2.data; content:"|C0 40 88 41|"; endswith; sid:11;)
+
+alert smb any any -> any any (flow:to_server; frame:smb2.pdu; content:"|FE|SMB"; startswith; sid:3;)
+alert smb any any -> any any (flow:to_server; frame:smb2.hdr; content:"|FE|SMB"; startswith; sid:4;)
+alert smb any any -> any any (flow:to_server; frame:smb2.data; content:"|FE|SMB"; startswith; sid:5;)
+alert smb any any -> any any (flow:to_server; frame:smb2.data; content:!"|FE|SMB"; startswith; sid:6;)
+
+alert smb any any -> any any (flow:to_client; frame:smb2.pdu; content:"|FE|SMB"; startswith; sid:7;)
+alert smb any any -> any any (flow:to_client; frame:smb2.hdr; content:"|FE|SMB"; startswith; sid:8;)
+alert smb any any -> any any (flow:to_client; frame:smb2.data; content:"|FE|SMB"; startswith; sid:9;)
+alert smb any any -> any any (flow:to_client; frame:smb2.data; content:!"|FE|SMB"; startswith; sid:10;)
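Review bot: Several of these rules encode an expectation about frame boundaries that is not written down: sids 5 and 9 look for the `|FE|SMB` magic at the start of an `smb2.data` frame, which should never match if the data frame correctly excludes the header, sids 6 and 10 are their negations, and sids 3/4/7/8 expect the magic at the start of every pdu and hdr frame. A header comment, e.g. `# 3,4,7,8: pdu/hdr frames start with the SMB2 magic; 5,9 must never fire (data frame excludes the header); 6,10: their negations`, would make that contract explicit for whoever next touches the frame code. sids 1, 2 and 11 pin the file written in the pcap (the DOS stub string and, presumably, its trailing four bytes via `endswith`); a one-line comment naming what is uploaded would help when the pcap is replaced. `sid:11` sitting between sids 2 and 3 reads as a later addition and is fine, but the comment should cover it.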
index 849c9dcee643bacfe8f6546ed1ddb7831c6b22dd..3444faecc0641694f8dfbc7403fcec3dc9777d57 100644 (file)
@@ -74,4 +74,60 @@ checks:
         app_proto: smb
         tcp.state: closed
         flow.state: closed
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 2
+        frame.type: smb2.pdu
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 11
+        frame.type: smb2.data
+  - filter:
+      count: 88
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 8
+        frame.type: smb2.hdr
+  - filter:
+      count: 88
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 7
+        frame.type: smb2.pdu
+  - filter:
+      count: 88
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 10
+        frame.type: smb2.data
+  - filter:
+      count: 85
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 4
+        frame.type: smb2.hdr
+  - filter:
+      count: 85
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 3
+        frame.type: smb2.pdu
+  - filter:
+      count: 85
+      match:
+        event_type: alert
+        app_proto: smb
+        alert.signature_id: 6
+        frame.type: smb2.data
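Review bot: The new checks assert counts for sids 2, 3, 4, 6, 7, 8, 10 and 11 but never for sids 5 and 9, which in test.rules match `|FE|SMB` at the start of an `smb2.data` frame and should therefore fire zero times if the data frame excludes the header; without a `count: 0` assertion, a regression that leaks the header into the data frame would only show up indirectly as a lower count on sid 6 or 10. sid 1 (the DOS-stub match) has no assertion either, while sid 2 and sid 11 on the same upload do, so its expected count should be pinned once known. Explicit zero-count filters for 5 and 9 close the gap. The enclosing `checks:` list starts before this hunk.
```yaml
  # smb2.data frames must never start with the SMB2 header magic (sids 5 and 9)
  - filter:
      count: 0
      match:
        event_type: alert
        app_proto: smb
        alert.signature_id: 5
  - filter:
      count: 0
      match:
        event_type: alert
        app_proto: smb
        alert.signature_id: 9
```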
 
index 32557878b158b08e95d62055ca8f247fb549093a..e50ec41b0db113217cdbe5010b68f4d8fe7358f9 100644 (file)
@@ -7,6 +7,8 @@ outputs:
       filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
       filename: eve.json
       types:
+        - alert
+        - frame
         - tls:
             extended: yes     # enable this for extended logging information
 
diff --git a/tests/tls13-draft28/test.rules b/tests/tls13-draft28/test.rules
new file mode 100644 (file)
index 0000000..f62d63b
--- /dev/null
@@ -0,0 +1,2 @@
+alert tls any any -> any any (flow:to_client; frame:tls.pdu; content:"|17 03 03|"; startswith; sid:1;)
+alert tls any any -> any any (flow:to_server; frame:tls.pdu; content:"|17 03 03|"; startswith; sid:2;)
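Review bot: The content `|17 03 03|` is not explained: 0x17 is the TLS application_data content type and 0x0303 the legacy record version, and in TLS 1.3 every record after ServerHello — encrypted handshake messages included — carries that header, so these rules count all encrypted records, not only application data. A comment above the pair, `# TLS 1.3: every post-ServerHello record is type 0x17 (application_data) with legacy version 0x0303, so this counts all encrypted records`, would stop a reader from assuming the 10/7 counts in test.yaml are application-data records. The rules also carry no `msg`, which is fine for a test but leaves fast.log showing only the sid.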
index 7a5132f8ac368a9ac23c7fa44c199af144387f3d..26be3c32a25c4799098abf19ea98792c9e0f3369 100644 (file)
@@ -26,3 +26,25 @@ checks:
         tls.version: "TLS 1.3 draft-28"
         tls.ja3.hash: "43202faa1c8c1760d6f7f4bd9adde4ab"
         tls.ja3.string: "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23,0"
+
+  - filter:
+      count: 1
+      match:
+        event_type: frame
+        frame.type: "pdu"
+        frame.stream_offset: 737
+        frame.length: 37
+        frame.payload: "FwMDACBUkdn1rkU9Kp35Pqj6bpO9i0a20Tj7PKooNVCpa+3I0A=="
+
+  - filter:
+      count: 10
+      match:
+        event_type: alert
+        frame.type: "pdu"
+        frame.direction: "toclient"
+  - filter:
+      count: 7
+      match:
+        event_type: alert
+        frame.type: "pdu"
+        frame.direction: "toserver"
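Review bot: The two alert filters select on `frame.direction` only and not on `alert.signature_id`, so they pass as long as some rule fires the expected number of times in each direction; adding `alert.signature_id: 1` to the toclient filter and `alert.signature_id: 2` to the toserver one ties each count to the rule under test and makes a wrong-direction rule fail the right check. The frame check at stream offset 737 pins a payload whose first five bytes decode to `17 03 03 00 20`, i.e. a record header announcing a 32-byte encrypted record, consistent with `frame.length: 37`; a comment `# 5-byte record header + 32-byte encrypted record` would say why. Note also that `frame.type` is asserted here as the bare `pdu` while the SMB tests assert prefixed names such as `smb2.pdu`; if that naming difference is real logger behaviour rather than a typo, it deserves a comment so nobody "fixes" it later.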