]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3cec949)
tests: add sip with frames test 711/head
authorVictor Julien <victor@inliniac.net>
Tue, 1 Feb 2022 09:38:41 +0000 (10:38 +0100)
committerVictor Julien <victor@inliniac.net>
Wed, 2 Feb 2022 09:03:53 +0000 (10:03 +0100)
tests/sip-body-frames/README.md [new file with mode: 0644] patch | blob
tests/sip-body-frames/public-cloudshark-sip-s0.pcap [new file with mode: 0644] patch | blob
tests/sip-body-frames/sip-frames.rules [new file with mode: 0644] patch | blob
tests/sip-body-frames/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/sip-body-frames/README.md b/tests/sip-body-frames/README.md
new file mode 100644 (file)
index 0000000..8acd9b7
--- /dev/null
+++ b/tests/sip-body-frames/README.md
@@ -0,0 +1 @@
+pcap from https://www.cloudshark.org/captures/4ff29b39b8dc
diff --git a/tests/sip-body-frames/public-cloudshark-sip-s0.pcap b/tests/sip-body-frames/public-cloudshark-sip-s0.pcap
new file mode 100644 (file)
index 0000000..bca9fa2
Binary files /dev/null and b/tests/sip-body-frames/public-cloudshark-sip-s0.pcap differ
diff --git a/tests/sip-body-frames/sip-frames.rules b/tests/sip-body-frames/sip-frames.rules
new file mode 100644 (file)
index 0000000..d6e92c4
--- /dev/null
+++ b/tests/sip-body-frames/sip-frames.rules
@@ -0,0 +1,15 @@
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:1;)
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"INVITE sip"; startswith; sid:2;)
+
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;)
+
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;)
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;)
+
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;)
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"229|0d 0a|"; endswith; sid:32;)
+
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;)
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;)
+
+alert sip any any -> any any (flow:to_server; frame:request.body; content:"v=0"; startswith; sid:51;)
diff --git a/tests/sip-body-frames/test.yaml b/tests/sip-body-frames/test.yaml
new file mode 100644 (file)
index 0000000..dd65cd7
--- /dev/null
+++ b/tests/sip-body-frames/test.yaml
@@ -0,0 +1,50 @@
+requires:
+  min-version: 7
+
+checks:
+ - filter:
+    count: 8
+    match:
+      event_type: sip
+ - filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 2
+ - filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 22
+ - filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 31
+ - filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 32
+      frame.type: "request.headers"
+      frame.complete: true
+      frame.length: 420
+      frame.direction: toserver
+ - filter:
+    count: 5
+    match:
+      event_type: alert
+      alert.signature_id: 41
+ - filter:
+    count: 4
+    match:
+      event_type: alert
+      alert.signature_id: 42
+ - filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 51
+      frame.type: "request.body"
+      frame.complete: true
+      frame.direction: toserver
Mirror of https://github.com/OISF/suricata-verify.git