--- /dev/null
+Description
+===========
+Test to check that the use of decoder event udp.hlen_invalid in rule issues warning.
+
+PCAP
+====
+Created with Scapy.
--- /dev/null
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)
--- /dev/null
+exit-code: 0
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" \
+ --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} \
+ --set threshold-file="${TEST_DIR}/threshold.config" \
+ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules
+
+checks:
+ - shell:
+ version: 7
+ args: |-
+ grep "Warning: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
+ - shell:
+ version: 6
+ args: |-
+ grep "\[ERRCODE: SC_WARN_DEPRECATED(203)\] - decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
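Review bot: The `-l ${OUTPUT_DIR}` and `-r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules` arguments on the command lines are left unquoted while the `--set` values and `-c` path on the same command are double-quoted, so the same variables are expanded under two different quoting rules; the same mix appears in the second test.yaml (L45-L48). Quoting them consistently, e.g. `-l "${OUTPUT_DIR}"` and `-r "${TEST_DIR}/input.pcap" -S "${TEST_DIR}/test.rules"`, keeps the command robust if a checkout path ever contains spaces and reads uniformly. Beyond that, the test relies solely on a log grep; a short comment above `checks:` such as `# rule is expected to still load; only the deprecation warning is asserted` would make the intended contrast with the strict-mode variant explicit.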
--- /dev/null
+Description
+===========
+Test to check that the use of decoder event udp.hlen_invalid in rule issues an error.
+
+PCAP
+====
+Created with Scapy.
--- /dev/null
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)
--- /dev/null
+exit-code: 0
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" \
+ --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} \
+ --set threshold-file="${TEST_DIR}/threshold.config" \
+ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules \
+ --strict-rule-keywords=all
+
+checks:
+ - shell:
+ version: 7
+ args: |-
+ grep "Error: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
+ - shell:
+ version: 6
+ args: |-
+ grep "\[ERRCODE: SC_WARN_DEPRECATED(203)\] - decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
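Review bot: The version 6 check at L60 is byte-identical to the version 6 check of the warning test, so on Suricata 6 this test does not observe any effect of `--strict-rule-keywords=all` and cannot distinguish the error path from the warning path. If strict mode is expected to reject the rule on 6 as well, a second shell check on the rule-loading summary that Suricata prints at startup (the "rules successfully loaded, ... rules failed" line) would pin that; if strict mode is a 7-only behaviour, a comment like `# v6: strict-rule-keywords not available, only the deprecation warning is emitted` above the version 6 entry would document why the checks coincide. Presumably `exit-code: 0` is intentional because a rule parse failure is non-fatal without init-errors-fatal; stating that in a comment next to `exit-code:` would save the next reader a trip to the source.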
--- /dev/null
+Description
+===========
+Test to check that the new decoder event udp.len_invalid actually matches on network data
+that fulfill the criteria: Packet length in UDP header < 8 Bytes.
+
+PCAP
+====
+Created with Scapy and edited to fit the usecase.
--- /dev/null
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid length field in the header"; decode-event:udp.len_invalid; classtype:protocol-command-decode; sid:2200220; rev:2;)
--- /dev/null
+args:
+- -k none
+- --set stats.decoder-events=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.event.udp.len_invalid: 1
+
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200220
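Review bot: The `-k none` argument at L75 carries the one non-obvious decision in this file and is undocumented; the README says the pcap was hand-edited, so presumably the UDP checksum no longer matches and checksum verification must be disabled for the packet to reach the decoder event at all — a comment such as `# -k none: edited datagram, checksum not recomputed (confirm)` would record that. The README also states the trigger condition (UDP length field < 8) while the test only asserts `stats.decoder.event.udp.len_invalid: 1`; mirroring that condition in a YAML comment above `checks:` ties the counter back to the malformed field it is meant to detect.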
--- /dev/null
+Description
+===========
+Given that the packet has several trailing bytes, it fails to be processed properly.
+It should ideally not match the rule and alert.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5379](https://redmine.openinfosecfoundation.org/issues/5379)
--- /dev/null
+alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0 (msg:"UDP Port 0"; sid:1;)
--- /dev/null
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 1
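Review bot: The only assertion is `count: 0` on `alert.signature_id: 1`, which also passes when the pcap is not read, the rule fails to load, or the filter key is misspelled, so the regression this test guards (ticket 5379 per the README) could silently stop being exercised. A positive check alongside it would anchor the test, e.g. a second `- filter:` on `event_type: stats` asserting `stats.decoder.pkts` equals the number of packets in the pcap (value not visible here), or a shell check that the rule-loading summary reports the rule as successfully loaded. A one-line comment above the filter, `# port-0 datagram with trailing bytes must not match sid 1`, would also make the expected negative explicit.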