add test for extra tls alert 2175/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Mon, 7 Oct 2024 08:24:16 +0000 (13:54 +0530)
committerVictor Julien <victor@inliniac.net>
Tue, 10 Dec 2024 13:54:00 +0000 (14:54 +0100)
tests/tls-extra-alert-engine-analysis/README.md [new file with mode: 0644]
tests/tls-extra-alert-engine-analysis/test.rules [new file with mode: 0644]
tests/tls-extra-alert-engine-analysis/test.yaml [new file with mode: 0644]
tests/tls-extra-alert/README.md [new file with mode: 0644]
tests/tls-extra-alert/input.pcap [new file with mode: 0644]
tests/tls-extra-alert/test.rules [new file with mode: 0644]
tests/tls-extra-alert/test.yaml [new file with mode: 0644]

diff --git a/tests/tls-extra-alert-engine-analysis/README.md b/tests/tls-extra-alert-engine-analysis/README.md
new file mode 100644 (file)
index 0000000..8ecc1cb
--- /dev/null
@@ -0,0 +1,7 @@
+# Test Description
+
+engine analysis complementary test for tls-extra-alert.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert-engine-analysis/test.rules b/tests/tls-extra-alert-engine-analysis/test.rules
new file mode 100644 (file)
index 0000000..88c750a
--- /dev/null
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
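Review bot: The first rule (sid 09901001) carries neither `msg:` nor `rev:`, while the four rules below it have both; an alert-less flowbit setter still shows up in engine analysis and in any future rule edit needs a revision to bump, and a missing msg leaves the signature text empty wherever it is reported. Suggest `flowbits: noalert; msg:"TLS tracker (flowbits only)"; sid:09901001; rev:1; )` for the closing options. The leading zero in the sids is harmless, as the `id: 9901001` in the engine-analysis test.yaml shows the parser already drops it. The same blob (88c750a) is added a second time as tests/tls-extra-alert/test.rules, so the change applies to both copies.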
diff --git a/tests/tls-extra-alert-engine-analysis/test.yaml b/tests/tls-extra-alert-engine-analysis/test.yaml
new file mode 100644 (file)
index 0000000..f440d0b
--- /dev/null
@@ -0,0 +1,229 @@
+requires:
+  min-version: 8
+
+args:
+  - --simulate-ips
+  - --engine-analysis
+
+pcap: false
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      flags:
+      - src_any
+      - dst_any
+      - sp_any
+      - noalert
+      - need_packet
+      - toserver
+      id: 9901001
+      lists:
+        packet:
+          matches:
+          - name: tcp.flags
+        postmatch:
+          matches:
+          - flowbits:
+              cmd: set
+              names:
+              - tls_tracker
+            name: flowbits
+      pkt_engines:
+      - is_mpm: false
+        name: packet
+      requirements:
+      - tcp_flags_init_deinit
+      - real_pkt
+      type: pkt
+
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      flags:
+      - src_any
+      - dst_any
+      - sp_any
+      - need_packet
+      - need_stream
+      - need_flowvar
+      - toserver
+      - toclient
+      - prefilter
+      id: 9901031
+      lists:
+        packet:
+          matches:
+          - flowbits:
+              cmd: isset
+              names:
+              - tls_tracker
+            name: flowbits
+        payload:
+          matches:
+          - content:
+              depth: 6
+              ends_with: false
+              fast_pattern: false
+              is_mpm: true
+              length: 6
+              negated: false
+              no_double_inspect: false
+              nocase: false
+              pattern: '|15 03 01 00 02 02|'
+              relative_next: false
+              starts_with: true
+            name: content
+        postmatch:
+          matches:
+          - flowbits:
+              cmd: set
+              names:
+              - tls_error
+            name: flowbits
+      mpm:
+        buffer: payload
+        depth: 6
+        ends_with: false
+        fast_pattern: false
+        is_mpm: true
+        length: 6
+        negated: false
+        no_double_inspect: false
+        nocase: false
+        pattern: '|15 03 01 00 02 02|'
+        relative_next: false
+        starts_with: true
+      pkt_engines:
+      - is_mpm: true
+        name: payload
+      - is_mpm: false
+        name: packet
+      requirements:
+      - payload
+      - flow
+      type: pkt_stream
+
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      flags:
+      - src_any
+      - dst_any
+      - dp_any
+      - need_packet
+      - need_stream
+      - need_flowvar
+      - toserver
+      - toclient
+      - prefilter
+      id: 9901032
+      lists:
+        packet:
+          matches:
+          - flowbits:
+              cmd: isset
+              names:
+              - tls_tracker
+            name: flowbits
+        payload:
+          matches:
+          - content:
+              depth: 6
+              ends_with: false
+              fast_pattern: false
+              is_mpm: true
+              length: 6
+              negated: false
+              no_double_inspect: false
+              nocase: false
+              pattern: '|15 03 01 00 02 02|'
+              relative_next: false
+              starts_with: true
+            name: content
+        postmatch:
+          matches:
+          - flowbits:
+              cmd: set
+              names:
+              - tls_error
+            name: flowbits
+      mpm:
+        buffer: payload
+        depth: 6
+        ends_with: false
+        fast_pattern: false
+        is_mpm: true
+        length: 6
+        negated: false
+        no_double_inspect: false
+        nocase: false
+        pattern: '|15 03 01 00 02 02|'
+        relative_next: false
+        starts_with: true
+      pkt_engines:
+      - is_mpm: true
+        name: payload
+      - is_mpm: false
+        name: packet
+      requirements:
+      - payload
+      - flow
+      type: pkt_stream
+
+# Following is the signature of interest
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      flags:
+      - src_any
+      - dst_any
+      - sp_any
+      - need_flowvar
+      - toserver
+      id: 9901033
+      lists:
+        packet:
+          matches:
+          - flowbits:
+              cmd: isset
+              names:
+              - tls_error
+            name: flowbits
+      pkt_engines:
+      - is_mpm: false
+        name: packet
+      requirements:
+      - flow
+      type: pkt
+
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      flags:
+      - src_any
+      - dst_any
+      - dp_any
+      - need_flowvar
+      - toclient
+      id: 9901034
+      lists:
+        packet:
+          matches:
+          - flowbits:
+              cmd: isset
+              names:
+              - tls_error
+            name: flowbits
+      pkt_engines:
+      - is_mpm: false
+        name: packet
+      requirements:
+      - flow
+      type: pkt
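Review bot: Sequence indentation is mixed within this file: the `args` items are indented two spaces under their key, while every `checks` item is flush with `checks:`, which yamllint's indent-sequences rule flags and which differs from the sibling tests/tls-extra-alert/test.yaml, where both sequences are flush. Suggest `args:` / `- --simulate-ips` / `- --engine-analysis` so the whole file uses one style. The comment `# Following is the signature of interest` would help more if it said why, e.g. `# sid 9901033 is the signature of interest: it is the one whose alert count tests/tls-extra-alert checks`, which is what that test's first filter does.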
diff --git a/tests/tls-extra-alert/README.md b/tests/tls-extra-alert/README.md
new file mode 100644 (file)
index 0000000..d913ee6
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows that Suricata generates an additional alert for TLS
+for the given PCAP which shouldn't be there.
+
+## PCAP
+
+Internal.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert/input.pcap b/tests/tls-extra-alert/input.pcap
new file mode 100644 (file)
index 0000000..01c918c
Binary files /dev/null and b/tests/tls-extra-alert/input.pcap differ
diff --git a/tests/tls-extra-alert/test.rules b/tests/tls-extra-alert/test.rules
new file mode 100644 (file)
index 0000000..88c750a
--- /dev/null
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert/test.yaml b/tests/tls-extra-alert/test.yaml
new file mode 100644 (file)
index 0000000..19e0106
--- /dev/null
@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 9901033
+      pkt_src: wire/pcap
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      not-has-key: pcap_cnt
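Review bot: The two filters have no comment saying what the numbers mean, and since the README states the issue is still being established, a reader cannot tell whether `count: 2` for sid 9901033 is the observed or the intended number of alerts. Suggest a comment above the first filter, `# sid 9901033 must fire exactly twice, and only on real packets (pkt_src: wire/pcap)`, and above the second, `# no alert record may lack pcap_cnt (presumably the shape of the extra alert the README describes)`; the second wording is hedged because the hunk does not show what the extra alert looks like. It would also be worth recording in the README which of the two filters is the one that fails before the fix.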