--- /dev/null
+# Test Description
+This test demonstrates that fast_pattern along with base64_data
+should fail with Suricata instead of silently passing through.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
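Review bot: The description line "should fail with Suricata instead of silently passing through" does not say what fails or when. Suggest stating the expected behaviour the test.yaml actually asserts, for example that Suricata rejects the rule at load time with exit code 1 and logs "fast_pattern cannot be used with base64_data".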
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
--- /dev/null
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
--- /dev/null
+# Test Description
+This test demonstrates an invalid combination of base64_data with fast_pattern even
+in case when there are multiple base64_data in a rule. The rule processing shall
+stop the moment the first fast_pattern with base64_data is encountered.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; content:"blah"; fast_pattern; base64_decode: bytes 10; base64_data; content: "test"; classtype:bad-unknown; sid:123; rev:1;)
--- /dev/null
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
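Review bot: The check `expect: 1` does not verify the README's claim that rule processing stops at the first fast_pattern used with base64_data. The rule in this test carries a single `fast_pattern`, so as far as these lines show the grep would count one log line whether parsing stops there or continues through the second `base64_data; content: "test";`. Either drop the "shall stop" sentence from the README or add a check that would fail if the remaining keywords were still processed.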
--- /dev/null
+# Test Description
+This test demonstrates that fast_pattern along with base64_data
+should fail with Suricata instead of silently passing through even
+if it is followed by several valid base64_data buffers.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; base64_decode: bytes 10; base64_data; content:"first"; base64_decode: bytes 10; base64_data; content: "second"; classtype:bad-unknown; sid:123; rev:1;)
--- /dev/null
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
--- /dev/null
+# Test Description
+This test demonstrates a invalid use of fast_pattern along with base64_data
+where base64_data is succeeded by a payload keyword and the content right
+after that is fast_pattern.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
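Review bot: Wording in the description: "a invalid use" should be "an invalid use", and "base64_data is succeeded by a payload keyword" reads more clearly as "base64_data is followed by a payload keyword". It would also help to name the keyword the rule uses (`bsize:=21;`) so the README and the rule can be matched at a glance.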
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; bsize:=21; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
--- /dev/null
+requires:
+ pcap: false
+ min-version: 8
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "fast_pattern cannot be used with base64_data" suricata.log | wc -l | xargs
+ expect: 1
--- /dev/null
+# Test Description
+This test demonstrates a valid use of fast_pattern before base64_data.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; fast_pattern; http.request_body; base64_decode:bytes 28; base64_data; bsize:=21; content:"something"; classtype:bad-unknown; sid:123; rev:1;)
--- /dev/null
+requires:
+ pcap: false
+ min-version: 7
+
+args:
+ - --engine-analysis
+
+exit-code: 0
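Review bot: This test.yaml has no `checks:` block, so it only proves the rule loads with `exit-code: 0`, not that the explicit `fast_pattern` on `content:"POST"` was honoured. The base64_data test without fast_pattern in this same patch already filters patterns.json on `buffers[0].patterns[0].pattern: "POST"`; adding the same kind of filter here would make the "valid use" case assert something beyond a clean exit.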
--- /dev/null
+# Test Description
+This test demonstrates base64_data w/o fast_pattern.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
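Review bot: The description "base64_data w/o fast_pattern" names the setup but not the expected result. The accompanying test.yaml asserts that patterns.json holds exactly one entry whose pattern is "POST", so the README should say that, with no explicit fast_pattern, the pattern selected is expected to be the `http.method` content and not the content following `base64_data`. Spelling out "without" would also match the other READMEs.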
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; bsize:=21; content:"something"; classtype:bad-unknown; sid:123; rev:1;)
--- /dev/null
+requires:
+ pcap: false
+ min-version: 7
+
+args:
+ - --engine-analysis
+
+exit-code: 0
+
+checks:
+ - filter:
+ filename: patterns.json
+ count: 1
+ match:
+ buffers[0].patterns[0].pattern: "POST"
--- /dev/null
+# Test Description
+This test demonstrates a valid use of fast_pattern along with base64_data
+with the use of pkt_data to reset the detection pointer.
+
+## PCAP
+None
+
+## Related issues
+https://redmine.openinfosecfoundation.org/issues/5220
--- /dev/null
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; content: "first"; pkt_data; content: "newcontent"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
--- /dev/null
+requires:
+ pcap: false
+ min-version: 7
+
+args:
+ - --engine-analysis
+
+exit-code: 0
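Review bot: There is no `checks:` block here, so the test passes on any clean load and does not confirm that `content: "newcontent"; fast_pattern;` after `pkt_data` is the pattern actually registered. Suggest a patterns.json filter matching the pattern "newcontent", in the style of the filter used by the base64_data test without fast_pattern in this patch, so a regression that silently ignores the fast_pattern after the `pkt_data` reset would be caught.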