]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b02239b)
test/quic-ietf: break out ja3 dependent tests
authorJason Ish <jason.ish@oisf.net>
Tue, 25 Feb 2025 21:18:41 +0000 (15:18 -0600)
committerVictor Julien <victor@inliniac.net>
Thu, 13 Mar 2025 05:30:47 +0000 (06:30 +0100)
JA3 is a compile time option, breakout the JA3 tests to another test
that depends on HAVE_JA3.

tests/quic-ietf-ja3/README.md [new file with mode: 0644] patch | blob
tests/quic-ietf-ja3/input.pcap [new file with mode: 0644] patch | blob
tests/quic-ietf-ja3/test.rules [new file with mode: 0644] patch | blob
tests/quic-ietf-ja3/test.yaml [new file with mode: 0644] patch | blob
tests/quic-ietf/test.rules patch | blob | blame | history
tests/quic-ietf/test.yaml patch | blob | blame | history

diff --git a/tests/quic-ietf-ja3/README.md b/tests/quic-ietf-ja3/README.md
new file mode 100644 (file)
index 0000000..95cb154
--- /dev/null
+++ b/tests/quic-ietf-ja3/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test quic ietf v1 parsing
+
+# PCAP
+
+The pcap comes from https://www.bortzmeyer.org/quic.html
diff --git a/tests/quic-ietf-ja3/input.pcap b/tests/quic-ietf-ja3/input.pcap
new file mode 100644 (file)
index 0000000..266ba94
Binary files /dev/null and b/tests/quic-ietf-ja3/input.pcap differ
diff --git a/tests/quic-ietf-ja3/test.rules b/tests/quic-ietf-ja3/test.rules
new file mode 100644 (file)
index 0000000..edf16a4
--- /dev/null
+++ b/tests/quic-ietf-ja3/test.rules
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC JA3"; ja3s.string; content:"771,4866,43-51-41"; sid:3;)
+alert quic any any -> any any (msg:"QUIC JA3 HASH"; ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:5;)
diff --git a/tests/quic-ietf-ja3/test.yaml b/tests/quic-ietf-ja3/test.yaml
new file mode 100644 (file)
index 0000000..3b06dc1
--- /dev/null
+++ b/tests/quic-ietf-ja3/test.yaml
@@ -0,0 +1,16 @@
+requires:
+  min-version: 7.0.0
+  features:
+    - HAVE_JA3
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
diff --git a/tests/quic-ietf/test.rules b/tests/quic-ietf/test.rules
index 996800ce44d5070de40be2535e4ae106bb4e3157..3b689762a9bd60b252c45569b5b8f7829dd06507 100644 (file)
--- a/tests/quic-ietf/test.rules
+++ b/tests/quic-ietf/test.rules
@@ -1,3 +1 @@
 alert quic any any -> any any (msg:"QUIC SNI"; quic.sni; content:"msquic.net"; sid:4;)
-alert quic any any -> any any (msg:"QUIC JA3"; ja3s.string; content:"771,4866,43-51-41"; sid:3;)
-alert quic any any -> any any (msg:"QUIC JA3 HASH"; ja3.hash; content:"deadbeefdeadbeefdeadbeefdeadbeef"; sid:5;)
diff --git a/tests/quic-ietf/test.yaml b/tests/quic-ietf/test.yaml
index 17d84112431ece91d73f4fc340e48a8b789f596e..ef8b9c6026b563ef915653572b8488e4bf38877a 100644 (file)
--- a/tests/quic-ietf/test.yaml
+++ b/tests/quic-ietf/test.yaml
@@ -10,13 +10,3 @@ checks:
         quic.extensions[1].values[0]: "msquic.net"
         quic.extensions[2].name: "alpn"
         quic.extensions[2].values[0]: "h3-29"
-  - filter:
-      count: 1
-      match:
-        event_type: alert
-        alert.signature_id: 4
-  - filter:
-      count: 1
-      match:
-        event_type: alert
-        alert.signature_id: 3
Mirror of https://github.com/OISF/suricata-verify.git