ssh-banner: add tests
authorModupe Falodun <falodunmodupeola@gmail.com>
Thu, 10 Feb 2022 13:39:40 +0000 (14:39 +0100)
committerShivani Bhardwaj <shivanib134@gmail.com>
Tue, 22 Feb 2022 06:19:08 +0000 (11:49 +0530)
Bug: 4903

16 files changed:
tests/bug-4903/bug-4903-01/README.md [new file with mode: 0644]
tests/bug-4903/bug-4903-01/input.pcap [new file with mode: 0644]
tests/bug-4903/bug-4903-01/test.rules [new file with mode: 0644]
tests/bug-4903/bug-4903-01/test.yaml [new file with mode: 0644]
tests/bug-4903/bug-4903-02/README.md [new file with mode: 0644]
tests/bug-4903/bug-4903-02/input.pcap [new file with mode: 0644]
tests/bug-4903/bug-4903-02/test.rules [new file with mode: 0644]
tests/bug-4903/bug-4903-02/test.yaml [new file with mode: 0644]
tests/bug-4903/bug-4903-03/README.md [new file with mode: 0644]
tests/bug-4903/bug-4903-03/input.pcap [new file with mode: 0644]
tests/bug-4903/bug-4903-03/test.rules [new file with mode: 0644]
tests/bug-4903/bug-4903-03/test.yaml [new file with mode: 0644]
tests/bug-4903/bug-4903-04/README.md [new file with mode: 0644]
tests/bug-4903/bug-4903-04/input.pcap [new file with mode: 0644]
tests/bug-4903/bug-4903-04/test.rules [new file with mode: 0644]
tests/bug-4903/bug-4903-04/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-4903/bug-4903-01/README.md b/tests/bug-4903/bug-4903-01/README.md
new file mode 100644 (file)
index 0000000..79da158
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcap where only server sends its banner 
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2427
diff --git a/tests/bug-4903/bug-4903-01/input.pcap b/tests/bug-4903/bug-4903-01/input.pcap
new file mode 100644 (file)
index 0000000..2669c1b
Binary files /dev/null and b/tests/bug-4903/bug-4903-01/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-01/test.rules b/tests/bug-4903/bug-4903-01/test.rules
new file mode 100644 (file)
index 0000000..e579e50
--- /dev/null
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
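Review bot: The msg on sid 2 reads `Bad SSH proto 2 detected !!!` although the rule matches `content:"1.99"`, so sids 1 and 2 emit identical alert text and the expected alerts in test.yaml can only be told apart by signature_id; the message should name the version it actually matches, e.g. `alert ssh any any -> any any (msg:"Bad SSH proto 1.99 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)`. The same copy of the rule set is added in the bug-4903-02, bug-4903-03 and bug-4903-04 test.rules hunks, so the change applies there too, and the matching `alert.signature` values in the four test.yaml files would need the same edit. As a smaller point, `content:"2.0"` and `content:"1.99"` on `ssh.proto` are substring matches on the buffer rather than exact version compares; that is acceptable for a fixture but worth a `# test fixture: substring match on the banner, not an exact version check` comment at the top of the file.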
diff --git a/tests/bug-4903/bug-4903-01/test.yaml b/tests/bug-4903/bug-4903-01/test.yaml
new file mode 100644 (file)
index 0000000..768d4a4
--- /dev/null
@@ -0,0 +1,77 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH proto 2 detected !!!
+      alert.signature_id: 2
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10000
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 162
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 3
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH software server detected !!!
+      alert.signature_id: 4
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10000
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 162
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 3
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: ssh
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10000
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
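Review bot: The alert and ssh checks in this file pin flow byte and packet counters but not `pcap_cnt`, while the bug-4903-04 test.yaml in the same commit records `pcap_cnt` on every check; since the four cases differ precisely in which packet carries the banner that makes `ssh.proto`/`ssh.software` matchable, pinning the packet index here (and in the bug-4903-02 and bug-4903-03 test.yaml hunks) would make a regression that delays the match to a later packet fail the test instead of still passing it. A line `pcap_cnt: <PACKET_INDEX>` in each positive check, with the value taken from the eve output of a known-good run, would do it. The value cannot be read from this page, so it has to be filled in from the pcap.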
diff --git a/tests/bug-4903/bug-4903-02/README.md b/tests/bug-4903/bug-4903-02/README.md
new file mode 100644 (file)
index 0000000..f6cb5fd
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner and client acks it
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2426
diff --git a/tests/bug-4903/bug-4903-02/input.pcap b/tests/bug-4903/bug-4903-02/input.pcap
new file mode 100644 (file)
index 0000000..961779f
Binary files /dev/null and b/tests/bug-4903/bug-4903-02/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-02/test.rules b/tests/bug-4903/bug-4903-02/test.rules
new file mode 100644 (file)
index 0000000..750cb0e
--- /dev/null
@@ -0,0 +1,5 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
+
diff --git a/tests/bug-4903/bug-4903-02/test.yaml b/tests/bug-4903/bug-4903-02/test.yaml
new file mode 100644 (file)
index 0000000..ad21e2c
--- /dev/null
@@ -0,0 +1,77 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH proto 2 detected !!!
+      alert.signature_id: 2
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10001
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 216
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 4
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH software server detected !!!
+      alert.signature_id: 4
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10001
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 216
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 4
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: ssh
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10001
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
diff --git a/tests/bug-4903/bug-4903-03/README.md b/tests/bug-4903/bug-4903-03/README.md
new file mode 100644 (file)
index 0000000..7d62156
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner and client sends its banner
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2429
diff --git a/tests/bug-4903/bug-4903-03/input.pcap b/tests/bug-4903/bug-4903-03/input.pcap
new file mode 100644 (file)
index 0000000..7fe03a7
Binary files /dev/null and b/tests/bug-4903/bug-4903-03/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-03/test.rules b/tests/bug-4903/bug-4903-03/test.rules
new file mode 100644 (file)
index 0000000..750cb0e
--- /dev/null
@@ -0,0 +1,5 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
+
diff --git a/tests/bug-4903/bug-4903-03/test.yaml b/tests/bug-4903/bug-4903-03/test.yaml
new file mode 100644 (file)
index 0000000..1f5a446
--- /dev/null
@@ -0,0 +1,125 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH proto 2 detected !!!
+      alert.signature_id: 1
+      app_proto: ssh
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 336
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 4
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10002
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH software client detected !!!
+      alert.signature_id: 3
+      app_proto: ssh
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 336
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 4
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10002
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: ssh
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10002
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH proto 2 detected !!!
+      alert.signature_id: 2
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10002
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 336
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 4
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH software server detected !!!
+      alert.signature_id: 4
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10002
+      event_type: alert
+      flow.bytes_toclient: 258
+      flow.bytes_toserver: 336
+      flow.pkts_toclient: 2
+      flow.pkts_toserver: 4
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
diff --git a/tests/bug-4903/bug-4903-04/README.md b/tests/bug-4903/bug-4903-04/README.md
new file mode 100644 (file)
index 0000000..cb9124a
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner, client sends its banner, and server server the client's banner
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2428
diff --git a/tests/bug-4903/bug-4903-04/input.pcap b/tests/bug-4903/bug-4903-04/input.pcap
new file mode 100644 (file)
index 0000000..73cf1f1
Binary files /dev/null and b/tests/bug-4903/bug-4903-04/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-04/test.rules b/tests/bug-4903/bug-4903-04/test.rules
new file mode 100644 (file)
index 0000000..750cb0e
--- /dev/null
@@ -0,0 +1,5 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
+
diff --git a/tests/bug-4903/bug-4903-04/test.yaml b/tests/bug-4903/bug-4903-04/test.yaml
new file mode 100644 (file)
index 0000000..ce7e992
--- /dev/null
@@ -0,0 +1,130 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH proto 2 detected !!!
+      alert.signature_id: 2
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10003
+      event_type: alert
+      flow.bytes_toclient: 312
+      flow.bytes_toserver: 282
+      flow.pkts_toclient: 3
+      flow.pkts_toserver: 3
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH software server detected !!!
+      alert.signature_id: 4
+      app_proto: ssh
+      dest_ip: 192.168.100.1
+      dest_port: 10003
+      event_type: alert
+      flow.bytes_toclient: 312
+      flow.bytes_toserver: 282
+      flow.pkts_toclient: 3
+      flow.pkts_toserver: 3
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 192.168.200.1
+      src_port: 22
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: ssh
+      pcap_cnt: 6
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10003
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH proto 2 detected !!!
+      alert.signature_id: 1
+      app_proto: ssh
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: alert
+      flow.bytes_toclient: 312
+      flow.bytes_toserver: 336
+      flow.pkts_toclient: 3
+      flow.pkts_toserver: 4
+      pcap_cnt: 7
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10003
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0
+- filter:
+    count: 1
+    match:
+      alert.action: allowed
+      alert.category: Potentially Bad Traffic
+      alert.gid: 1
+      alert.rev: 0
+      alert.severity: 2
+      alert.signature: Bad SSH software client detected !!!
+      alert.signature_id: 3
+      app_proto: ssh
+      dest_ip: 192.168.200.1
+      dest_port: 22
+      event_type: alert
+      flow.bytes_toclient: 312
+      flow.bytes_toserver: 336
+      flow.pkts_toclient: 3
+      flow.pkts_toserver: 4
+      pcap_cnt: 7
+      proto: TCP
+      src_ip: 192.168.100.1
+      src_port: 10003
+      ssh.client.proto_version: '2.0'
+      ssh.client.software_version: Cisco_client-1.25
+      ssh.server.proto_version: '1.99'
+      ssh.server.software_version: Cisco_server-1.24
+      tx_id: 0