detect-uricontent: add tests
authorModupe Falodun <falodunmodupeola@gmail.com>
Wed, 9 Feb 2022 12:14:09 +0000 (13:14 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 17 Nov 2023 08:33:44 +0000 (09:33 +0100)
Task: 4911

15 files changed:
tests/uricontent/detect-uricontent-01/README.md [new file with mode: 0644]
tests/uricontent/detect-uricontent-01/input.pcap [new file with mode: 0644]
tests/uricontent/detect-uricontent-01/test.rules [new file with mode: 0644]
tests/uricontent/detect-uricontent-01/test.yaml [new file with mode: 0644]
tests/uricontent/detect-uricontent-01/writepcap.py [new file with mode: 0644]
tests/uricontent/detect-uricontent-02/README.md [new file with mode: 0644]
tests/uricontent/detect-uricontent-02/input.pcap [new file with mode: 0644]
tests/uricontent/detect-uricontent-02/test.rules [new file with mode: 0644]
tests/uricontent/detect-uricontent-02/test.yaml [new file with mode: 0644]
tests/uricontent/detect-uricontent-02/writepcap.py [new file with mode: 0644]
tests/uricontent/detect-uricontent-03/README.md [new file with mode: 0644]
tests/uricontent/detect-uricontent-03/input.pcap [new file with mode: 0644]
tests/uricontent/detect-uricontent-03/test.rules [new file with mode: 0644]
tests/uricontent/detect-uricontent-03/test.yaml [new file with mode: 0644]
tests/uricontent/detect-uricontent-03/writepcap.py [new file with mode: 0644]

diff --git a/tests/uricontent/detect-uricontent-01/README.md b/tests/uricontent/detect-uricontent-01/README.md
new file mode 100644 (file)
index 0000000..6e1f3fa
--- /dev/null
@@ -0,0 +1 @@
+Tests the signature working to alert when http_cookie is matched
diff --git a/tests/uricontent/detect-uricontent-01/input.pcap b/tests/uricontent/detect-uricontent-01/input.pcap
new file mode 100644 (file)
index 0000000..8f7a9e7
Binary files /dev/null and b/tests/uricontent/detect-uricontent-01/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-01/test.rules b/tests/uricontent/detect-uricontent-01/test.rules
new file mode 100644 (file)
index 0000000..01c5c53
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"oisf"; http_uri; sid:3;)
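Review bot: These rules only exercise the `content:"..."; http_uri;` form, so despite the directory name nothing here verifies that the legacy `uricontent` keyword still parses and matches; if the Suricata under test still accepts the deprecated keyword, one rule could be written as `alert tcp any any -> any any (msg:"Test uricontent legacy"; uricontent:"one"; sid:4;)` with a matching `count: 1` check. The sibling README.md in this commit says the test alerts when `http_cookie` is matched, which does not describe these `http_uri` rules. All three rules share `msg:"Test uricontent"`, so an unexpected alert in eve.json is only tellable apart by `signature_id`; distinct messages would make failures easier to read.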
diff --git a/tests/uricontent/detect-uricontent-01/test.yaml b/tests/uricontent/detect-uricontent-01/test.yaml
new file mode 100644 (file)
index 0000000..7c4d72c
--- /dev/null
@@ -0,0 +1,31 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: http
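Review bot: The `event_type: http` filter only counts one record and never checks which URI was parsed, so a regenerated pcap with a different path would still satisfy it while the sid expectations silently changed meaning; pin it with `http.url: "/one"` under that filter's `match`. The `--set stream.midstream=true` argument is there because writepcap.py emits a single PSH/ACK segment with no handshake, and a comment such as `# pcap holds one PSH/ACK segment and no 3-way handshake` above `args` would record that for the next maintainer.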
diff --git a/tests/uricontent/detect-uricontent-01/writepcap.py b/tests/uricontent/detect-uricontent-01/writepcap.py
new file mode 100644 (file)
index 0000000..6a49a10
--- /dev/null
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
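Review bot: `flags='P''A'` spells `'PA'` through implicit adjacent-literal concatenation, and `pkts += Ether(...)/...` only works because `list.extend` iterates a Scapy packet object, both of which read like mistakes; `flags='PA'` and `pkts.append(...)` express the same thing plainly. The shebang `#!/usr/bin/env python` resolves to Python 2 on systems that still ship it, so `#!/usr/bin/env python3` is the safer choice for a regeneration script. As far as test.yaml in this commit shows nothing runs this script, so a header docstring saying it only regenerates the committed input.pcap (and that the committed pcap is what the test consumes) would help.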
diff --git a/tests/uricontent/detect-uricontent-02/README.md b/tests/uricontent/detect-uricontent-02/README.md
new file mode 100644 (file)
index 0000000..1518941
--- /dev/null
@@ -0,0 +1 @@
+Tests the working of search once per packet only in applayer match
diff --git a/tests/uricontent/detect-uricontent-02/input.pcap b/tests/uricontent/detect-uricontent-02/input.pcap
new file mode 100644 (file)
index 0000000..55153fb
Binary files /dev/null and b/tests/uricontent/detect-uricontent-02/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-02/test.rules b/tests/uricontent/detect-uricontent-02/test.rules
new file mode 100644 (file)
index 0000000..33103bf
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"self"; http_uri; sid:3;)
\ No newline at end of file
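Review bot: The file ends without a trailing newline, unlike the other two test.rules files in this commit; end the sid:3 line with a newline so the three rule files are consistent and editors do not flag the last rule on every touch. The rules also reuse the identical `msg:"Test uricontent"` text, so eve.json output is only distinguishable by `signature_id`.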
diff --git a/tests/uricontent/detect-uricontent-02/test.yaml b/tests/uricontent/detect-uricontent-02/test.yaml
new file mode 100644 (file)
index 0000000..788ea52
--- /dev/null
@@ -0,0 +1,31 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 2
+    match:
+      event_type: http
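Review bot: The `flow: 2` and `http: 2` expectations depend on the second segment, sent to tcp/53 by writepcap.py, being classified as HTTP by port-independent app-layer detection rather than by port, and nothing in the test records that, so a change to protocol-detection defaults could break it for non-obvious reasons. Add a comment such as `# second flow is an HTTP POST on tcp/53; relies on port-agnostic app-layer detection` above `checks`. It would also be worth pinning the two requests with separate `http.url: "/one"` and `http.url: "/oneself"` filters at `count: 1` each, so the `http` count of 2 cannot be satisfied by two records for the same request.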
diff --git a/tests/uricontent/detect-uricontent-02/writepcap.py b/tests/uricontent/detect-uricontent-02/writepcap.py
new file mode 100644 (file)
index 0000000..92246cf
--- /dev/null
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=53, flags='P''A')/"POST /oneself HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-03/README.md b/tests/uricontent/detect-uricontent-03/README.md
new file mode 100644 (file)
index 0000000..3e29b8c
--- /dev/null
@@ -0,0 +1 @@
+Tests the modifiers for uricontent and content match
diff --git a/tests/uricontent/detect-uricontent-03/input.pcap b/tests/uricontent/detect-uricontent-03/input.pcap
new file mode 100644 (file)
index 0000000..0d6ead7
Binary files /dev/null and b/tests/uricontent/detect-uricontent-03/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-03/test.rules b/tests/uricontent/detect-uricontent-03/test.rules
new file mode 100644 (file)
index 0000000..341ae03
--- /dev/null
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; content:"bar"; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"one"; offset:1; depth:10; content:"two"; http_uri; distance:3; within: 4; content:"two"; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; content:"/three"; distance:0; within: 7; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"two"; http_uri; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; sid:3;)
+alert tcp any any -> any any (msg:"test"; content:"one"; http_uri; sid:4;)
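Review bot: sid 2 is a weak negative case: by my reading of the URI `/one/two/three/six` from writepcap.py, its first relative match `content:"two"; http_uri; distance:3; within: 4;` already fails (`one` ends at offset 4 and `distance:3` starts the search past `two` at offset 5), so the raw-payload `content:"one"; offset:1; depth:10;`, `content:"two"; distance:1; within: 4;` and `content:"/three"; distance:0; within: 7;` modifiers that the README says this test covers are never evaluated, and an engine that matched nothing would produce the same `count: 0`. Consider making sid 2 a positive mixed-buffer rule by using `distance:1` there as sid 3 does, and adding a separate minimal rule whose single bad modifier is the only reason it must not fire. Three of the four rules also share `msg:"Test uricontent"` while sid 4 uses `msg:"test"`; distinct, descriptive messages would make unexpected alerts easier to read in eve.json.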
diff --git a/tests/uricontent/detect-uricontent-03/test.yaml b/tests/uricontent/detect-uricontent-03/test.yaml
new file mode 100644 (file)
index 0000000..dd04841
--- /dev/null
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      event_type: http
+      
\ No newline at end of file
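Review bot: The file ends with a whitespace-only line and no final newline, unlike the other two test.yaml files in this commit; drop the trailing line of spaces and terminate the last `event_type: http` line with a newline. That filter also only counts records, and since every `offset`/`distance`/`within` value in test.rules is computed against the URI `/one/two/three/six`, adding `http.url: "/one/two/three/six"` to its `match` pins the input so a regenerated pcap cannot silently change what the sid 2 and sid 3 counts prove.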
diff --git a/tests/uricontent/detect-uricontent-03/writepcap.py b/tests/uricontent/detect-uricontent-03/writepcap.py
new file mode 100644 (file)
index 0000000..aadb1ac
--- /dev/null
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80, flags='P''A')/"POST /one/two/three/six HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
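Review bot: `wrpcap('input.pcap', pkts)` writes relative to the current working directory, so the script only regenerates the committed pcap when run from inside tests/uricontent/detect-uricontent-03; resolving the path from the script's own location, `wrpcap(os.path.join(os.path.dirname(os.path.abspath(__file__)), 'input.pcap'), pkts)` with `import os`, makes it location-independent. As in the other two scripts, `flags='P''A'` should be `flags='PA'` and `pkts += ...` should be `pkts.append(...)`, and a header docstring should state that this packet carries the URI `/one/two/three/six` that every `offset`/`distance`/`within` value in test.rules is tuned to.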