tls-subjectaltname: add tests

Feature 5234

diff --git a/tests/tls/tls-glupteba-mb/README.md b/tests/tls/tls-glupteba-mb/README.md
new file mode 100644 (file)
index 0000000..9232e5d
--- /dev/null
+++ b/tests/tls/tls-glupteba-mb/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to show that subjectaltname rule alerts on the subjectaltnames as
+should a multi buffer keyword.
+
+## PCAP
+
+Redmine ticket below.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5234

diff --git a/tests/tls/tls-glupteba-mb/input.pcap b/tests/tls/tls-glupteba-mb/input.pcap
new file mode 100644 (file)
index 0000000..fa32096
Binary files /dev/null and b/tests/tls/tls-glupteba-mb/input.pcap differ

diff --git a/tests/tls/tls-glupteba-mb/test.rules b/tests/tls/tls-glupteba-mb/test.rules
new file mode 100644 (file)
index 0000000..23e3b0d
--- /dev/null
+++ b/tests/tls/tls-glupteba-mb/test.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"Glupteba TROJAN"; flow:to_client; tls.subjectaltname; content:"server15.xn--j1ahhq.xn--p1ai"; content: "xn--j1ahhq.xn--p1ai"; sid:1;)
+

diff --git a/tests/tls/tls-glupteba-mb/test.yaml b/tests/tls/tls-glupteba-mb/test.yaml
new file mode 100644 (file)
index 0000000..b71fbc9
--- /dev/null
+++ b/tests/tls/tls-glupteba-mb/test.yaml
@@ -0,0 +1,46 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 72.16.54.30
+      dest_port: 443
+      event_type: tls
+      pcap_cnt: 9
+      proto: TCP
+      src_ip: 192.168.134.106
+      src_port: 23481
+      tls.fingerprint: e9:a0:69:50:ba:18:dc:ac:d3:a7:fe:58:22:4a:1f:42:5b:bc:96:b0
+      tls.issuerdn: C=US, O=Let's Encrypt, CN=R3
+      tls.notafter: '2023-03-01T06:47:30'
+      tls.notbefore: '2022-12-01T06:47:31'
+      tls.serial: 03:DE:23:89:7E:97:FB:86:8E:7C:C5:53:09:FE:AE:D0:AE:20
+      tls.subject: CN=xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[0]: server1.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[10]: server4.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[11]: server5.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[12]: server6.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[13]: server7.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[14]: server8.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[15]: server9.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[16]: xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[1]: server10.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[2]: server11.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[3]: server12.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[4]: server13.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[5]: server14.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[6]: server15.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[7]: server16.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[8]: server2.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[9]: server3.xn--j1ahhq.xn--p1ai
+      tls.version: TLSv1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1

diff --git a/tests/tls/tls-glupteba/README.md b/tests/tls/tls-glupteba/README.md
new file mode 100644 (file)
index 0000000..534fefd
--- /dev/null
+++ b/tests/tls/tls-glupteba/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test to show that subjectaltname rule alerts on the respective subjectaltname.
+
+## PCAP
+
+Redmine ticket below.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/5234

diff --git a/tests/tls/tls-glupteba/input.pcap b/tests/tls/tls-glupteba/input.pcap
new file mode 100644 (file)
index 0000000..fa32096
Binary files /dev/null and b/tests/tls/tls-glupteba/input.pcap differ

diff --git a/tests/tls/tls-glupteba/test.rules b/tests/tls/tls-glupteba/test.rules
new file mode 100644 (file)
index 0000000..a46dd3c
--- /dev/null
+++ b/tests/tls/tls-glupteba/test.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"Glupteba TROJAN"; flow:to_client; tls.subjectaltname; content:"server15.xn--j1ahhq.xn--p1ai"; sid:1;)
+

diff --git a/tests/tls/tls-glupteba/test.yaml b/tests/tls/tls-glupteba/test.yaml
new file mode 100644 (file)
index 0000000..b71fbc9
--- /dev/null
+++ b/tests/tls/tls-glupteba/test.yaml
@@ -0,0 +1,46 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 72.16.54.30
+      dest_port: 443
+      event_type: tls
+      pcap_cnt: 9
+      proto: TCP
+      src_ip: 192.168.134.106
+      src_port: 23481
+      tls.fingerprint: e9:a0:69:50:ba:18:dc:ac:d3:a7:fe:58:22:4a:1f:42:5b:bc:96:b0
+      tls.issuerdn: C=US, O=Let's Encrypt, CN=R3
+      tls.notafter: '2023-03-01T06:47:30'
+      tls.notbefore: '2022-12-01T06:47:31'
+      tls.serial: 03:DE:23:89:7E:97:FB:86:8E:7C:C5:53:09:FE:AE:D0:AE:20
+      tls.subject: CN=xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[0]: server1.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[10]: server4.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[11]: server5.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[12]: server6.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[13]: server7.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[14]: server8.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[15]: server9.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[16]: xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[1]: server10.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[2]: server11.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[3]: server12.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[4]: server13.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[5]: server14.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[6]: server15.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[7]: server16.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[8]: server2.xn--j1ahhq.xn--p1ai
+      tls.subjectaltname[9]: server3.xn--j1ahhq.xn--p1ai
+      tls.version: TLSv1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1

diff --git a/tests/tls/tls-subjectaltname/README b/tests/tls/tls-subjectaltname/README
new file mode 100644 (file)
index 0000000..d69d909
--- /dev/null
+++ b/tests/tls/tls-subjectaltname/README
@@ -0,0 +1,12 @@
+Description
+===========
+Add a `tls.subjectaltname` keyword which is a sticky buffer and matches on TLS `SubjectAltName` field.
+
+
+PCAP
+====
+PCAP comes from the redmine ticket below.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5234

diff --git a/tests/tls/tls-subjectaltname/input.pcap b/tests/tls/tls-subjectaltname/input.pcap
new file mode 100644 (file)
index 0000000..d3520d3
Binary files /dev/null and b/tests/tls/tls-subjectaltname/input.pcap differ

diff --git a/tests/tls/tls-subjectaltname/test.rules b/tests/tls/tls-subjectaltname/test.rules
new file mode 100644 (file)
index 0000000..7fef64c
--- /dev/null
+++ b/tests/tls/tls-subjectaltname/test.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"Test tls.subjectaltname option CLIENT"; flow:to_client; tls.subjectaltname; content:"|77 77 77 2e 62 69 6e 67 2e 63 6f 6d|"; sid:1;)
+

diff --git a/tests/tls/tls-subjectaltname/test.yaml b/tests/tls/tls-subjectaltname/test.yaml
new file mode 100644 (file)
index 0000000..81fdebf
--- /dev/null
+++ b/tests/tls/tls-subjectaltname/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 4
+    match:
+      alert.signature_id: 1
+      event_type: alert