tests: add filemagic/file.magic tests
author: Victor Julien <victor@inliniac.net>
Thu, 29 Jun 2023 13:18:05 +0000 (15:18 +0200)
committer: Victor Julien <victor@inliniac.net>
Wed, 5 Jul 2023 19:35:38 +0000 (21:35 +0200)
Tests for parsing, flowbit matching, and legacy filemagic
keyword handling.

tests/filemagic-01/test.rules [new file with mode: 0755]
tests/filemagic-01/test.yaml [new file with mode: 0644]
tests/filemagic-flowbits-02/test.rules [new file with mode: 0755]
tests/filemagic-flowbits-02/test.yaml [new file with mode: 0644]
tests/filemagic-flowbits-03/test.rules [new file with mode: 0755]
tests/filemagic-flowbits-03/test.yaml [new file with mode: 0644]
tests/filemagic-flowbits/test.yaml
tests/rules/filemagic/test.rules [new file with mode: 0644]
tests/rules/filemagic/test.yaml [new file with mode: 0644]

diff --git a/tests/filemagic-01/test.rules b/tests/filemagic-01/test.rules
new file mode 100755 (executable)
index 0000000..4dd6b41
--- /dev/null
@@ -0,0 +1,11 @@
+alert tcp any any -> any any (filemagic:"PDF"; sid:1;)
+alert tcp any any -> any any (filemagic:"pdf"; sid:2;)
+alert tcp any any -> any any (filemagic:"pDf"; sid:3;)
+
+alert tcp any any -> any any (filemagic:!"VERSION 1.6"; sid:4;)
+alert tcp any any -> any any (filemagic:!"version 1.6"; sid:5;)
+alert tcp any any -> any any (filemagic:!"vErSiOn 1.6"; sid:6;)
+
+alert tcp any any -> any any (filemagic:!"VERSION 1.5"; sid:7;)
+alert tcp any any -> any any (filemagic:!"version 1.5"; sid:8;)
+alert tcp any any -> any any (filemagic:!"vErSiOn 1.5"; sid:9;)
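Review bot: This rules file is added with mode 0755 (the header says `new file mode 100755 (executable)`), but a Suricata rules file is data read by the engine and has no reason to carry an execute bit; tests/filemagic-flowbits-02/test.rules and tests/filemagic-flowbits-03/test.rules have the same mode, while tests/rules/filemagic/test.rules in the same commit is correctly added as 0644. Adding the files with `git add --chmod=-x` (or `chmod 644` before committing) keeps the tree consistent. Sids 4–6 and 7–9 differ only in the PDF version string they negate, and the expected counts in test.yaml imply the pcap's magic output contains "VERSION 1.5" but not "VERSION 1.6"; a one-line comment above sid 4 such as `# pdf-dl.pcap: negated "VERSION 1.6" must fire (sids 4-6), negated "VERSION 1.5" must not (sids 7-9)` would make that dependency visible where the rules are edited.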
diff --git a/tests/filemagic-01/test.yaml b/tests/filemagic-01/test.yaml
new file mode 100644 (file)
index 0000000..990027f
--- /dev/null
@@ -0,0 +1,47 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - MAGIC
+
+pcap: ../filemagic-flowbits/pdf-dl.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 6
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 7
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 8
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 9
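Review bot: The `requires` block declares only features, while the two sibling tests added in this commit (`filemagic-flowbits-02`, `filemagic-flowbits-03`) and the updated `filemagic-flowbits/test.yaml` all pin `min-version: 7`; if the case-insensitive matching asserted for sids 2/3, 5/6 and 8/9 is 7.x behaviour, this test would fail or mislead on older builds and should carry the same `min-version: 7` line. The expected counts also depend on the version string inside the PDF carried by `../filemagic-flowbits/pdf-dl.pcap`, a file that lives in another test directory; a short header comment such as `# shares pdf-dl.pcap with filemagic-flowbits; sids 7-9 assume its magic output contains "VERSION 1.5"` would state that coupling where a maintainer replacing the pcap would see it.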
diff --git a/tests/filemagic-flowbits-02/test.rules b/tests/filemagic-flowbits-02/test.rules
new file mode 100755 (executable)
index 0000000..4865b6f
--- /dev/null
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Wget useragent";content:"wget"; nocase; startswith; http_user_agent; sid:1; rev:1; flowbits:set,wgetagent;)
+alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; filemagic:"PDF"; sid:3; rev:1;)
+alert http any any -> any any (msg:"PDF not wget locked to client"; flow:to_client; flowbits:isnotset,wgetagent; filemagic:"PDF"; sid:4; rev:1;)
+
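Review bot: Both filemagic rules in this file (sids 3 and 4) are expected by test.yaml to produce zero alerts, so the test cannot distinguish "the flowbit correctly suppressed the match" from "filemagic never matched at all"; a positive control such as `alert http any any -> any any (msg:"PDF any"; filemagic:"PDF"; sid:2; rev:1;)` with an expected count of 1 (which filemagic-01/test.yaml already asserts for the same pcap) would close that gap, and sid 2 is unused in this file. The same applies to tests/filemagic-flowbits-03/test.rules with its `file.magic; content:"PDF";` form. The hunk also ends with an empty added line, which is harmless but differs from the other rules files in this commit.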
diff --git a/tests/filemagic-flowbits-02/test.yaml b/tests/filemagic-flowbits-02/test.yaml
new file mode 100644 (file)
index 0000000..b1dcb0a
--- /dev/null
@@ -0,0 +1,25 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - MAGIC
+  min-version: 7
+
+pcap: ../filemagic-flowbits/pdf-dl.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+        pcap_cnt: 7
+  - filter:
+      count: 0
+      match:
+         alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+         alert.signature_id: 4
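Review bot: The `match:` blocks for sids 3 and 4 indent `alert.signature_id` by nine spaces while the sid 1 block uses eight; YAML accepts this only because each is the sole key in its mapping, and a second key added later at the eight-space column (a `pcap_cnt`, as sid 1 has) would not be read as part of the same mapping. Align the two lines to `        alert.signature_id: 3` and `        alert.signature_id: 4`. tests/filemagic-flowbits-03/test.yaml is the same blob (`b1dcb0a`) and has the identical issue.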
diff --git a/tests/filemagic-flowbits-03/test.rules b/tests/filemagic-flowbits-03/test.rules
new file mode 100755 (executable)
index 0000000..8b62135
--- /dev/null
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Wget useragent"; http.user_agent; content:"wget"; nocase; startswith; flowbits:set,wgetagent; sid:1; rev:1;)
+alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; file.magic; content:"PDF"; sid:3; rev:1;)
+alert http any any -> any any (msg:"PDF not wget locked to client"; flow:to_client; flowbits:isnotset,wgetagent; file.magic; content:"PDF"; sid:4; rev:1;)
+
diff --git a/tests/filemagic-flowbits-03/test.yaml b/tests/filemagic-flowbits-03/test.yaml
new file mode 100644 (file)
index 0000000..b1dcb0a
--- /dev/null
@@ -0,0 +1,25 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - MAGIC
+  min-version: 7
+
+pcap: ../filemagic-flowbits/pdf-dl.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+        pcap_cnt: 7
+  - filter:
+      count: 0
+      match:
+         alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+         alert.signature_id: 4
index 308821ee092000ae7d82fd37778810735b1523b9..9c7a8d71d087677218ca91fc5f64d4833085134b 100644 (file)
@@ -2,6 +2,7 @@ requires:
   features:
     - HAVE_LIBJANSSON
     - MAGIC
+  min-version: 7
 
 args:
   - -k none
diff --git a/tests/rules/filemagic/test.rules b/tests/rules/filemagic/test.rules
new file mode 100644 (file)
index 0000000..6d2cc64
--- /dev/null
@@ -0,0 +1,14 @@
+alert tcp any any -> any any (file.magic; content:"one"; sid:1;)
+alert tcp any any -> any any (file.magic; content:"one"; content:"two"; within:8; sid:2;)
+alert tcp any any -> any any (file.magic; content:"one"; within:8; sid:3;)
+alert tcp any any -> any any (file.magic; content:"one"; distance:8; sid:4;)
+alert smb any any -> any any (flow:to_server; file.magic; content:"in file magic"; pkt_data; content:"in pkt data"; sid:5;)
+alert smb any any -> any any (flow:to_server; file.magic; pcre:/one/R; sid:6;)
+alert smb any any -> any any (flow:to_server; file.magic; pcre:/one/; sid:7;)
+alert smb any any -> any any (flow:to_server; file.magic; pcre:/one/RB; sid:8;)
+alert smb any any -> any any (flow:to_server; file.magic; content:"one"; pcre:/two/R; sid:9;)
+
+alert tcp any any -> any any (filemagic:"pdf"; sid:10;)
+alert tcp any any -> any any (filemagic:!"pdf"; sid:11;)
+alert tcp any any -> any any (filemagic:"PDF"; sid:12;)
+alert tcp any any -> any any (filemagic:!"PDF"; sid:13;)
diff --git a/tests/rules/filemagic/test.yaml b/tests/rules/filemagic/test.yaml
new file mode 100644 (file)
index 0000000..047dc8c
--- /dev/null
@@ -0,0 +1,155 @@
+requires:
+  min-version: 7.0.0
+  pcap: false
+  features:
+    - MAGIC
+
+args:
+    - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      mpm.buffer: "file.magic"
+      mpm.pattern: "one"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      mpm.buffer: "file.magic"
+      mpm.pattern: "one"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.relative_next: true
+      engines[0].name: "file.magic"
+      engines[0].matches[1].name: "content"
+      engines[0].matches[1].content.within: 8
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 3
+      mpm.buffer: "file.magic"
+      mpm.pattern: "one"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.depth: 8
+      notes[0]: "'within' option for pattern w/o previous content was converted to 'depth'"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 4
+      mpm.buffer: "file.magic"
+      mpm.pattern: "one"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.offset: 8
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 5
+      mpm.buffer: "file.magic"
+      mpm.pattern: "in|20|file|20|magic"
+      engines[0].name: "file.magic"
+      engines[0].direction: "toserver"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.pattern: "in|20|file|20|magic"
+      engines[1].name: "stream"
+      engines[1].direction: "toserver"
+      engines[1].matches[0].name: "content"
+      engines[1].matches[0].content.pattern: "in|20|pkt|20|data"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 6
+      engines[0].name: "file.magic"
+      engines[0].direction: "toserver"
+      engines[0].matches[0].name: "pcre"
+      engines[0].matches[0].pcre.relative: true
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 7
+      engines[0].name: "file.magic"
+      engines[0].direction: "toserver"
+      engines[0].matches[0].name: "pcre"
+      engines[0].matches[0].pcre.relative: false
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 8
+      engines[0].name: "file.magic"
+      engines[0].direction: "toserver"
+      engines[0].matches[0].name: "pcre"
+      engines[0].matches[0].pcre.relative: true
+      notes[0]: "'/B' (rawbytes) option is a no-op and is silently ignored"
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 9
+      mpm.buffer: "file.magic"
+      mpm.pattern: "one"
+      engines[0].name: "file.magic"
+      engines[0].direction: "toserver"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.pattern: "one"
+      engines[0].matches[1].name: "pcre"
+      engines[0].matches[1].pcre.relative: true
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 10
+      mpm.buffer: "file.magic"
+      mpm.pattern: "pdf"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.pattern: "pdf"
+      engines[0].matches[0].content.nocase: true
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 11
+      mpm.buffer: "file.magic"
+      mpm.pattern: "pdf"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.pattern: "pdf"
+      engines[0].matches[0].content.negated: true
+      engines[0].matches[0].content.nocase: true
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 12
+      mpm.buffer: "file.magic"
+      mpm.pattern: "PDF"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.pattern: "PDF"
+      engines[0].matches[0].content.nocase: true
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 13
+      mpm.buffer: "file.magic"
+      mpm.pattern: "PDF"
+      engines[0].name: "file.magic"
+      engines[0].matches[0].name: "content"
+      engines[0].matches[0].content.pattern: "PDF"
+      engines[0].matches[0].content.negated: true
+      engines[0].matches[0].content.nocase: true
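Review bot: The `match:` mapping for id 2 lists `engines[0].name: "file.magic"` twice, once before and once after `engines[0].matches[0].content.relative_next: true`; duplicate keys in one YAML mapping are rejected by strict parsers and, if the runner uses PyYAML, silently collapsed to the last value, so the second occurrence should be dropped. Two consistency points in the same file: `args:` indents its list item by four spaces where every other test.yaml in this commit uses two, and `min-version: 7.0.0` here versus `min-version: 7` in the sibling tests; harmonising both makes the requirement blocks comparable at a glance. Ids 5–9 assert `engines[0].direction: "toserver"` while ids 1–4 (no `flow` keyword) assert no direction, which is presumably intentional but would read better with a one-line comment above id 5 such as `# smb rules carry flow:to_server, so the engine direction is pinned from here on`.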