--- /dev/null
+# Description
+
+Test bidirection matching with a real life example
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+Crafted from the rules
+Client is
+`curl -d '"goog:chromeOptions";"binary";"args":["' -X POST 127.0.0.1:8080/wd/hub/session`
+Server is server.go
--- /dev/null
+package main
+
+import (
+ "fmt"
+ "net/http"
+)
+
+func main() {
+ handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Server", "Jetty")
+ w.WriteHeader(http.StatusInternalServerError)
+ content := "org.openqa.selenium.WebDriverException: unknown error: Chrome failed to start: exited normally."
+ content = content + `unknown error: DevToolsActivePort file doesn't exist)\n (The process started from chrome location`
+ n, err := w.Write([]byte(content))
+ fmt.Printf("lola %v %v\n", n, err)
+ })
+
+ server := &http.Server{
+ Addr: "0.0.0.0:8080",
+ Handler: handler,
+ }
+
+ fmt.Printf("Listening [0.0.0.0:8080]...\n")
+ err := server.ListenAndServe()
+ fmt.Printf("lol %s", err)
+}
--- /dev/null
+#flowbits version
+alert http any any -> any any (msg:"ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution"; flow:established,to_server; flowbits:set,ET.Selenium314159.RCE; urilen:15; http.method; content:"POST"; http.uri; content:"/wd/hub/session"; fast_pattern; http.request_body; content:"|22|goog|3a|chromeOptions|22|"; content:"|22|binary|22|"; content:"|22|args|22|"; content:"|5b 22|"; within:5; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:attempted-admin; sid:2052319; rev:2; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02; target:dest_ip;)
+alert http any any -> any any (msg:"ET EXPLOIT Selenium Server Grid Chrome 3.141.59 Remote Code Execution - Successful"; flow:established,to_client; flowbits:isset,ET.Selenium314159.RCE; http.stat_code; content:"500"; http.server; content:"Jetty"; startswith; file.data; content:"org|2e|openqa|2e|selenium|2e|WebDriverException|3a 20|unknown|20|error|3a 20|Chrome|20|failed|20|to|20|start|3a 20|exited|20|normally|2e|"; content:"unknown|20|error|3a 20|DevToolsActivePort|20|file|20|doesn|27|t|20|exist|29 5c|n|20 20 28|The|20|process|20|started|20|from|20|chrome|20|location"; fast_pattern; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:successful-admin; sid:2052359; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, confidence High, signature_severity Critical, updated_at 2024_05_02; target:src_ip;)
+
+# and now the transacational version
+alert http any any => any any (msg:"ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution"; urilen:15; http.method; content:"POST"; http.uri; content:"/wd/hub/session"; fast_pattern; http.request_body; content:"|22|goog|3a|chromeOptions|22|"; content:"|22|binary|22|"; content:"|22|args|22|"; content:"|5b 22|"; within:5; http.stat_code; content:"500"; http.server; content:"Jetty"; startswith; file.data: to_client; content:"org|2e|openqa|2e|selenium|2e|WebDriverException|3a 20|unknown|20|error|3a 20|Chrome|20|failed|20|to|20|start|3a 20|exited|20|normally|2e|"; content:"unknown|20|error|3a 20|DevToolsActivePort|20|file|20|doesn|27|t|20|exist|29 5c|n|20 20 28|The|20|process|20|started|20|from|20|chrome|20|location"; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:attempted-admin; sid:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02; target:dest_ip;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2052359
--- /dev/null
+# Description
+
+Test invalid rules for bidirection matching
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+Reusing a pcap, but does not matter
--- /dev/null
+alert http any any => any any (msg:"matching both uri and status"; sid: 11; http.uri; content: "/download"; http.stat_code; content: "200"; flow: to_server;)
+alert http any any => any any (msg:"matching only uri"; sid: 2; http.uri; content: "/download"; )
+alert http any any => any any (msg:"matching only status"; sid: 3; http.stat_code; content: "200";)
+alert http any any => any any (msg:"matching connection, but from ambiguous direction"; sid: 4; http.uri; content: "/download"; http.stat_code; content: "200"; http.connection; content: "eep";)
+alert http any any => any any (msg:"stream rule"; sid: 5; content: "/download"; content: "200";)
+#alert http any any => any any (msg:"stream rule"; sid: 6; bidir.toserver; content: "/download"; bidir.toclient; content: "200";)
+#alert enip any any => any any (msg:"frame rule"; sid: 7; bidir.toserver; frame: enip.pdu; content: "/download"; bidir.toclient; frame: enip.pdu; content: "200";)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../http-all-headers/input.pcap
+
+args:
+ - --set app-layer.protocols.enip.enabled=yes
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep -c 'error parsing signature' suricata.log
+ expect: 5
+ - shell:
+ args: grep -c 'rule 2 should use both directions, but does not' suricata.log
+ expect: 1
+ - shell:
+ args: grep -c 'rule 3 should use both directions, but does not' suricata.log
+ expect: 1
+ - shell:
+ args: grep -c 'rule 4 means to use both directions, cannot have keywords ambiguous about directions' suricata.log
+ expect: 1
+ - shell:
+ args: grep -c 'rule 5 should use both directions, but does not' suricata.log
+ expect: 1
+ - shell:
+ args: grep -c 'rule 11 means to use both directions, cannot specify a flow direction' suricata.log
+ expect: 1
--- /dev/null
+# Description
+
+Test bidirection matching with TLS ja3
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+reused
--- /dev/null
+alert tls any any => any any (msg:"bidir ja3"; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; ja3.string; content:"771,49196-49200"; sid:1;)
+# should not match
+alert tls any any => any any (msg:"bidir ja3"; ja3s.hash; content:"6d79edf64e03689ff559a54e9d9487bc"; ja3.string; content:"771,49196-49200"; sid:2;)
+alert tls any any => any any (msg:"bidir ja3"; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; ja3.string; content:"9999999999"; sid:3;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../tls/tls-certs-alert/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
--- /dev/null
+# Description
+
+Test bidirection matching
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+Reusing pcap from http-all-headers
--- /dev/null
+alert http any any => any any (msg:"matching both uri and status"; sid: 1; http.uri; content: "/download"; http.stat_code; content: "200";)
+alert http any any => any any (msg:"not matching both uri and status"; sid: 2; http.uri; content: "/download"; http.stat_code; content: "404";)
+alert http any any => any any (msg:"not matching both uri and status"; sid: 3; http.uri; content: "/upload"; http.stat_code; content: "200";)
+alert http any any => any any (msg:"fast_pattern on to_client side"; sid: 7; http.uri; content: "down"; http.server; content: "Apache"; fast_pattern;)
+alert http any any => any any (msg:"fast_pattern on to_client side but not matching"; sid: 8; http.uri; content: "upload"; http.server; content: "Apache"; fast_pattern;)
+alert http any any => any any (msg:"disambiguated toclient"; sid: 11; http.uri; content: "/download"; http.stat_code; content: "200"; http.connection: to_client; content: "eep";)
+alert http any any => any any (msg:"disambiguated toserver"; sid: 12; http.uri; content: "/download"; http.connection: to_server; content: "eep"; http.stat_code; content: "200";)
+alert http any any => any any (msg:"disambiguated toclient, without other toclient"; sid: 13; http.uri; content: "/download"; http.connection: to_client; content: "eep";)
+alert http any any => any any (msg:"disambiguated both sides"; sid: 14; http.connection: to_client; content: "eep"; http.connection: to_server; content: "eep";)
+alert http any any => any any (msg:"toclient, followed by http.uri implicitly toserver"; sid: 15; http.connection: to_client; content: "eep"; http.uri; content: "/download"; )
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../http-all-headers/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 14
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 15
projects / thirdparty / suricata-verify.git / commitdiff
