]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b7033a2)
tests: add tests for sip keywords
authorGiuseppe Longo <giuseppe@glongo.it>
Thu, 11 Jul 2019 14:19:49 +0000 (16:19 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 17 Sep 2019 14:48:54 +0000 (16:48 +0200)
22 files changed:
tests/sip-method/README.md [new file with mode: 0644] patch | blob
tests/sip-method/sip.pcap [new file with mode: 0644] patch | blob
tests/sip-method/test.rules [new file with mode: 0644] patch | blob
tests/sip-method/test.yaml [new file with mode: 0644] patch | blob
tests/sip-protocol/README.md [new file with mode: 0644] patch | blob
tests/sip-protocol/test.rules [new file with mode: 0644] patch | blob
tests/sip-protocol/test.yaml [new file with mode: 0644] patch | blob
tests/sip-request-line/README.md [new file with mode: 0644] patch | blob
tests/sip-request-line/test.rules [new file with mode: 0644] patch | blob
tests/sip-request-line/test.yaml [new file with mode: 0644] patch | blob
tests/sip-response-line/README.md [new file with mode: 0644] patch | blob
tests/sip-response-line/test.rules [new file with mode: 0644] patch | blob
tests/sip-response-line/test.yaml [new file with mode: 0644] patch | blob
tests/sip-stat-code/README.md [new file with mode: 0644] patch | blob
tests/sip-stat-code/test.rules [new file with mode: 0644] patch | blob
tests/sip-stat-code/test.yaml [new file with mode: 0644] patch | blob
tests/sip-stat-msg/README.md [new file with mode: 0644] patch | blob
tests/sip-stat-msg/test.rules [new file with mode: 0644] patch | blob
tests/sip-stat-msg/test.yaml [new file with mode: 0644] patch | blob
tests/sip-uri/README.md [new file with mode: 0644] patch | blob
tests/sip-uri/test.rules [new file with mode: 0644] patch | blob
tests/sip-uri/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/sip-method/README.md b/tests/sip-method/README.md
new file mode 100644 (file)
index 0000000..cde7c6e
--- /dev/null
+++ b/tests/sip-method/README.md
@@ -0,0 +1 @@
+Match on SIP method field.
diff --git a/tests/sip-method/sip.pcap b/tests/sip-method/sip.pcap
new file mode 100644 (file)
index 0000000..6e47833
Binary files /dev/null and b/tests/sip-method/sip.pcap differ
diff --git a/tests/sip-method/test.rules b/tests/sip-method/test.rules
new file mode 100644 (file)
index 0000000..1fd849f
--- /dev/null
+++ b/tests/sip-method/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; sid:1;)
diff --git a/tests/sip-method/test.yaml b/tests/sip-method/test.yaml
new file mode 100644 (file)
index 0000000..e651825
--- /dev/null
+++ b/tests/sip-method/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: sip.pcap
+
+checks:
+  - filter:
+      count: 36
+      match:
+        event_type: alert
diff --git a/tests/sip-protocol/README.md b/tests/sip-protocol/README.md
new file mode 100644 (file)
index 0000000..2d175aa
--- /dev/null
+++ b/tests/sip-protocol/README.md
@@ -0,0 +1 @@
+Match on SIP version field.
diff --git a/tests/sip-protocol/test.rules b/tests/sip-protocol/test.rules
new file mode 100644 (file)
index 0000000..b68e378
--- /dev/null
+++ b/tests/sip-protocol/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.protocol; content:"SIP/2.0"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.protocol; content:"SIP/2.0"; sid:2;)
diff --git a/tests/sip-protocol/test.yaml b/tests/sip-protocol/test.yaml
new file mode 100644 (file)
index 0000000..9a6ec7d
--- /dev/null
+++ b/tests/sip-protocol/test.yaml
@@ -0,0 +1,25 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+  - filter:
+      count: 81
+      match:
+        event_type: alert
+  - filter:
+      count: 47
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 34
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-request-line/README.md b/tests/sip-request-line/README.md
new file mode 100644 (file)
index 0000000..7881b98
--- /dev/null
+++ b/tests/sip-request-line/README.md
@@ -0,0 +1 @@
+Match on the whole SIP request line.
diff --git a/tests/sip-request-line/test.rules b/tests/sip-request-line/test.rules
new file mode 100644 (file)
index 0000000..d525a57
--- /dev/null
+++ b/tests/sip-request-line/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.request_line; content:"REGISTER sip:sip.cybercity.dk SIP/2.0"; sid:1;)
diff --git a/tests/sip-request-line/test.yaml b/tests/sip-request-line/test.yaml
new file mode 100644 (file)
index 0000000..47b981e
--- /dev/null
+++ b/tests/sip-request-line/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+  - filter:
+      count: 36
+      match:
+        event_type: alert
diff --git a/tests/sip-response-line/README.md b/tests/sip-response-line/README.md
new file mode 100644 (file)
index 0000000..136ca58
--- /dev/null
+++ b/tests/sip-response-line/README.md
@@ -0,0 +1 @@
+Match on the whole SIP response line.
diff --git a/tests/sip-response-line/test.rules b/tests/sip-response-line/test.rules
new file mode 100644 (file)
index 0000000..01dfd77
--- /dev/null
+++ b/tests/sip-response-line/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.response_line; content:"SIP/2.0 200 OK"; sid:1;)
diff --git a/tests/sip-response-line/test.yaml b/tests/sip-response-line/test.yaml
new file mode 100644 (file)
index 0000000..15d0118
--- /dev/null
+++ b/tests/sip-response-line/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+  - filter:
+      count: 5
+      match:
+        event_type: alert
diff --git a/tests/sip-stat-code/README.md b/tests/sip-stat-code/README.md
new file mode 100644 (file)
index 0000000..e96cf40
--- /dev/null
+++ b/tests/sip-stat-code/README.md
@@ -0,0 +1 @@
+Match on SIP stat code field.
diff --git a/tests/sip-stat-code/test.rules b/tests/sip-stat-code/test.rules
new file mode 100644 (file)
index 0000000..0a2e46c
--- /dev/null
+++ b/tests/sip-stat-code/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.stat_code; content:"100"; sid:1;)
diff --git a/tests/sip-stat-code/test.yaml b/tests/sip-stat-code/test.yaml
new file mode 100644 (file)
index 0000000..cba0988
--- /dev/null
+++ b/tests/sip-stat-code/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+  - filter:
+      count: 7
+      match:
+        event_type: alert
diff --git a/tests/sip-stat-msg/README.md b/tests/sip-stat-msg/README.md
new file mode 100644 (file)
index 0000000..56ba3ba
--- /dev/null
+++ b/tests/sip-stat-msg/README.md
@@ -0,0 +1 @@
+Match on SIP stat msg field.
diff --git a/tests/sip-stat-msg/test.rules b/tests/sip-stat-msg/test.rules
new file mode 100644 (file)
index 0000000..81705fc
--- /dev/null
+++ b/tests/sip-stat-msg/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.stat_msg; content:"Trying"; sid:1;)
diff --git a/tests/sip-stat-msg/test.yaml b/tests/sip-stat-msg/test.yaml
new file mode 100644 (file)
index 0000000..20a0de9
--- /dev/null
+++ b/tests/sip-stat-msg/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+  - filter:
+      count: 6
+      match:
+        event_type: alert
diff --git a/tests/sip-uri/README.md b/tests/sip-uri/README.md
new file mode 100644 (file)
index 0000000..c1c134a
--- /dev/null
+++ b/tests/sip-uri/README.md
@@ -0,0 +1 @@
+Match on SIP URI field.
diff --git a/tests/sip-uri/test.rules b/tests/sip-uri/test.rules
new file mode 100644 (file)
index 0000000..f6ca14d
--- /dev/null
+++ b/tests/sip-uri/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.uri; content:"sip:sip.cybercity.dk"; sid:1;)
diff --git a/tests/sip-uri/test.yaml b/tests/sip-uri/test.yaml
new file mode 100644 (file)
index 0000000..47b981e
--- /dev/null
+++ b/tests/sip-uri/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+  - filter:
+      count: 36
+      match:
+        event_type: alert
Mirror of https://github.com/OISF/suricata-verify.git