detect: add test for ldap.responses.result_code

author Alice Akaki <akakialice@gmail.com>

Thu, 6 Feb 2025 06:16:40 +0000 (02:16 -0400)

committer Victor Julien <victor@inliniac.net>

Wed, 5 Mar 2025 14:59:53 +0000 (15:59 +0100)
author Alice Akaki <akakialice@gmail.com>
Thu, 6 Feb 2025 06:16:40 +0000 (02:16 -0400)
committer Victor Julien <victor@inliniac.net>
Wed, 5 Mar 2025 14:59:53 +0000 (15:59 +0100)
diff --git a/tests/detect-ldap-result/Makefile b/tests/detect-ldap-result/Makefile

new file mode 100644 (file)

index 0000000..318ba91
--- /dev/null
+++ b/tests/detect-ldap-result/Makefile
@@ -0,0 +1,3 @@
+ldap.pcap: ldap.syn
+       flowsynth.py -f pcap -w $@ $^
+
diff --git a/tests/detect-ldap-result/README.md b/tests/detect-ldap-result/README.md

new file mode 100644 (file)

index 0000000..01da055
--- /dev/null
+++ b/tests/detect-ldap-result/README.md
@@ -0,0 +1,5 @@
+Test ldap.responses.result_code keyword.
+
+PCAP created with flowsynth.py
+
+Redmine ticket: https://redmine.openinfosecfoundation.org/issues/7532
diff --git a/tests/detect-ldap-result/ldap.pcap b/tests/detect-ldap-result/ldap.pcap

new file mode 100644 (file)

index 0000000..0ac5443

Binary files /dev/null and b/tests/detect-ldap-result/ldap.pcap differ
diff --git a/tests/detect-ldap-result/ldap.syn b/tests/detect-ldap-result/ldap.syn

new file mode 100644 (file)

index 0000000..734e92d
--- /dev/null
+++ b/tests/detect-ldap-result/ldap.syn
@@ -0,0 +1,2 @@
+flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
+default < (content:"\x30\x1f\x02\x01\x02\x65\x1a\x0a\x01\x04\x04\x00\x04\x13\x53\x69\x7a\x65\x20\x6c\x69\x6d\x69\x74\x20\x65\x78\x63\x65\x65\x64\x65\x64";);
+\ No newline at end of file
diff --git a/tests/detect-ldap-result/test.rules b/tests/detect-ldap-result/test.rules

new file mode 100644 (file)

index 0000000..57c767b
--- /dev/null
+++ b/tests/detect-ldap-result/test.rules
@@ -0,0 +1 @@
+alert ldap any any -> any any (msg:"Test LDAP result code"; ldap.responses.result_code:size_limit_exceeded; sid:1;)
diff --git a/tests/detect-ldap-result/test.yaml b/tests/detect-ldap-result/test.yaml

new file mode 100644 (file)

index 0000000..f8c673a
--- /dev/null
+++ b/tests/detect-ldap-result/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none --set stream.inline=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 4
+        event_type: alert
+        ldap.responses[0].operation: search_result_done
+        ldap.responses[0].search_result_done.result_code: size_limit_exceeded
+        alert.signature_id: 1
author	Alice Akaki <akakialice@gmail.com>
	Thu, 6 Feb 2025 06:16:40 +0000 (02:16 -0400)
committer	Victor Julien <victor@inliniac.net>
	Wed, 5 Mar 2025 14:59:53 +0000 (15:59 +0100)
tests/detect-ldap-result/Makefile	[new file with mode: 0644]	patch \| blob
tests/detect-ldap-result/README.md	[new file with mode: 0644]	patch \| blob
tests/detect-ldap-result/ldap.pcap	[new file with mode: 0644]	patch \| blob
tests/detect-ldap-result/ldap.syn	[new file with mode: 0644]	patch \| blob
tests/detect-ldap-result/test.rules	[new file with mode: 0644]	patch \| blob
tests/detect-ldap-result/test.yaml	[new file with mode: 0644]	patch \| blob