detect: add test for ldap.responses.message
authorAlice Akaki <akakialice@gmail.com>
Fri, 14 Feb 2025 16:42:12 +0000 (12:42 -0400)
committerVictor Julien <victor@inliniac.net>
Wed, 5 Mar 2025 14:59:53 +0000 (15:59 +0100)
Ticket: #7532

tests/detect-ldap-result/README.md
tests/detect-ldap-result/ldap.pcap
tests/detect-ldap-result/ldap.syn
tests/detect-ldap-result/test.rules
tests/detect-ldap-result/test.yaml

index 01da0553532620d0a980c1c861291e343da14782..51c37cbe1539430931a6047b86238ec2cf7cb798 100644 (file)
@@ -1,4 +1,4 @@
-Test ldap.responses.result_code keyword.
+Test ldap.responses.result_code and ldap.responses.message keywords.
 
 PCAP created with flowsynth.py
 
index 0ac54431b54ac71321895964482e4fbb0319df19..960cb5985bf214286f39ab965e47f94fef92fb2c 100644 (file)
Binary files a/tests/detect-ldap-result/ldap.pcap and b/tests/detect-ldap-result/ldap.pcap differ
index 734e92d113a2fc64534aa0cf406b900efc83b220..30f2b82dad92384fda12bb8b40a2d99653133898 100644 (file)
@@ -1,2 +1,2 @@
 flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
-default < (content:"\x30\x1f\x02\x01\x02\x65\x1a\x0a\x01\x04\x04\x00\x04\x13\x53\x69\x7a\x65\x20\x6c\x69\x6d\x69\x74\x20\x65\x78\x63\x65\x65\x64\x65\x64";);
\ No newline at end of file
+default < (content:"\x30\x36\x02\x01\x02\x65\x31\x0a\x01\x04\x04\x00\x04\x2a\x4d\x65\x73\x73\x61\x67\x65\x3a\x20\x73\x69\x7a\x65\x20\x6c\x69\x6d\x69\x74\x20\x67\x6f\x74\x20\x65\x78\x63\x65\x65\x64\x65\x64\x20\x28\x6d\x61\x78\x20\x36\x35\x6b\x29";);
\ No newline at end of file
index 57c767bcdc5b71d8d6f5cc6d7fec1ea1a386d920..1eaca687fdd7dc67fd983110dc2c5460bf64aaa9 100644 (file)
@@ -1 +1,4 @@
 alert ldap any any -> any any (msg:"Test LDAP result code"; ldap.responses.result_code:size_limit_exceeded; sid:1;)
+alert ldap any any -> any any (msg:"Test LDAP result code at index 0"; ldap.responses.result_code:size_limit_exceeded,0; sid:2;)
+alert ldap any any -> any any (msg:"Packet has only size_limit_exceeded result code"; ldap.responses.result_code:size_limit_exceeded,all; sid:3;)
+alert ldap any any -> any any (msg:"Test LDAP error message"; ldap.responses.message; content:"Message: size limit got exceeded (max 65k)"; startswith; endswith; sid:4;)
index f8c673ab386bdcedf683405aa528d54305b4598a..36fb2f719a86f00b1db1dbce7a76e924efef2465 100644 (file)
@@ -13,3 +13,28 @@ checks:
         ldap.responses[0].operation: search_result_done
         ldap.responses[0].search_result_done.result_code: size_limit_exceeded
         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 4
+        event_type: alert
+        ldap.responses[0].operation: search_result_done
+        ldap.responses[0].search_result_done.result_code: size_limit_exceeded
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 4
+        event_type: alert
+        ldap.responses[0].operation: search_result_done
+        ldap.responses[0].search_result_done.result_code: size_limit_exceeded
+        alert.signature_id: 3
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 4
+        event_type: alert
+        ldap.responses[0].operation: search_result_done
+        ldap.responses[0].search_result_done.message: "Message: size limit got exceeded (max 65k)"
+        alert.signature_id: 4
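Review bot: The `checks:` line inserted just before the sid-4 filter introduces a second top-level `checks:` key in the same document as the one the hunk header shows already open (`@@ -13,3 +13,28 @@ checks:`). With a loader that tolerates duplicate mapping keys (PyYAML keeps the last value) the filters for sids 1, 2 and 3 would be silently discarded and only the sid-4 filter would run, while a strict loader would reject the file outright. Delete that `checks:` line so the sid-4 filter becomes the fourth `- filter:` item of the existing list; the rest of the hunk is consistent with that indentation already.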