Adds test about xor transform

diff --git a/tests/detect-xor/README.md b/tests/detect-xor/README.md
new file mode 100644 (file)
index 0000000..35521e7
--- /dev/null
+++ b/tests/detect-xor/README.md
@@ -0,0 +1,13 @@
+# Description
+
+Test xor transform.
+
+# PCAP
+
+The pcap comes from running dummy HTTP1 server
+and in parallel as client(s) :
+```
+curl 127.0.0.1:8080/get?data=%7Dk%BB%8Cze%BA%9B0y%BD%8Fhx%BB%9Anx%AD%8B
+```
+
+The uri was computed with script `./xor.py password=supersecret`

diff --git a/tests/detect-xor/input.pcap b/tests/detect-xor/input.pcap
new file mode 100644 (file)
index 0000000..90b0523
Binary files /dev/null and b/tests/detect-xor/input.pcap differ

diff --git a/tests/detect-xor/test.rules b/tests/detect-xor/test.rules
new file mode 100644 (file)
index 0000000..5a97c36
--- /dev/null
+++ b/tests/detect-xor/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with xor"; http.uri; content: "/get?data="; startswith; http.uri; pcrexform:"/get\?data=(.*)"; xor:"0d0ac8ff"; content:"password="; sid:1;)

diff --git a/tests/detect-xor/test.yaml b/tests/detect-xor/test.yaml
new file mode 100644 (file)
index 0000000..1aa28df
--- /dev/null
+++ b/tests/detect-xor/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  files:
+    - src/detect-transform-xor.c
+
+args:
+  - -k none
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1

diff --git a/tests/detect-xor/xor.py b/tests/detect-xor/xor.py
new file mode 100644 (file)
index 0000000..53b571b
--- /dev/null
+++ b/tests/detect-xor/xor.py
@@ -0,0 +1,9 @@
+import sys
+import binascii
+import urllib
+
+key = binascii.unhexlify("0d0ac8ff")
+xored = ""
+for i in range(len(sys.argv[1])):
+    xored = xored + chr(ord(sys.argv[1][i]) ^ ord(key[i%len(key)]))
+print(urllib.quote_plus(xored))