rfb: test rfb frames
authorHaleema Khan <hsadia538@gmail.com>
Thu, 22 Dec 2022 09:01:45 +0000 (14:01 +0500)
committerJason Ish <jason.ish@oisf.net>
Fri, 12 May 2023 18:42:00 +0000 (12:42 -0600)
tests/rfb-frames/README.md [new file with mode: 0644]
tests/rfb-frames/test.rules [new file with mode: 0644]
tests/rfb-frames/test.yaml [new file with mode: 0644]

diff --git a/tests/rfb-frames/README.md b/tests/rfb-frames/README.md
new file mode 100644 (file)
index 0000000..7b16d09
--- /dev/null
@@ -0,0 +1,11 @@
+Description
+===========
+Test rfb Pdu frames.
+
+PCAP
+====
+PCAP comes from the suricata verify test[rfb-protocol-3.8]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5717
\ No newline at end of file
diff --git a/tests/rfb-frames/test.rules b/tests/rfb-frames/test.rules
new file mode 100644 (file)
index 0000000..9739610
--- /dev/null
@@ -0,0 +1,5 @@
+alert rfb any any -> any any (msg:"RFB Frame 1"; flow:to_client; frame:pdu; content:"|01 02|"; startswith; sid:1;)
+alert rfb any any -> any any (msg:"RFB Frame 2"; flow:to_server; frame:pdu; content:"|7A 6F 36|"; offset:2; sid:2;)
+alert rfb any any -> any any (msg:"RFB Frame 3"; frame:pdu; content:"|30 30 38 0A|"; endswith; sid:3;)
+alert rfb any any -> any any (msg:"RFB Frame 4"; frame:pdu; content:"|17 0C E2|"; sid:4;)
+alert rfb any any -> any any (msg:"RFB Frame 5"; frame:pdu; content:"|00 00 54 46|"; sid:5;)
\ No newline at end of file
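Review bot: Nothing in test.rules records why sid 4 and sid 5 exist; test.yaml in the same commit expects count 0 for both, so they are negative cases, but a reader of the rules file alone sees two plain content matches and may read their silence as a detection regression. A comment in front of them would carry that intent: `# sid 4 and 5 are negative cases: test.yaml expects count 0 for both`. Likewise sid 3 is the only rule without a flow direction, which is presumably why the yaml expects two matches rather than one; `# sid 3: no flow direction on purpose, test.yaml expects 2 alerts` would mark that as deliberate rather than an omission.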
diff --git a/tests/rfb-frames/test.yaml b/tests/rfb-frames/test.yaml
new file mode 100644 (file)
index 0000000..81e7aa7
--- /dev/null
@@ -0,0 +1,32 @@
+pcap: ../rfb-protocol-3.8/04-vnc-openwall-3.8.pcap
+
+requires:
+  min-version: 7
+
+checks:
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 1
+      frame.type: "pdu"
+      frame.direction: toclient
+      frame.complete: true
+- filter:
+    count: 1
+    match:
+      alert.signature_id: 2
+      frame.type: "pdu"
+      frame.direction: toserver
+      frame.complete: true
+- filter:
+    count: 2
+    match:
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 4
+- filter:
+    count: 0
+    match:
+      alert.signature_id: 5
\ No newline at end of file
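Review bot: The count: 0 checks for sid 4 and sid 5 pass vacuously when no alert at all is produced — a rule that failed to load, a frame keyword that was not applied, or a pcap path that did not resolve would all satisfy them — so they only prove anything alongside a positive assertion on the same run. A total-alert check would pin that: `- filter: {count: 4, match: {event_type: alert}}`, where 4 is the sum of this file's own per-sid expectations (1 + 1 + 2 + 0 + 0). The sid 3 check also asserts only the signature id, unlike the sid 1 and sid 2 checks; adding `frame.type: "pdu"` under its match would keep the frame assertion consistent across the positive cases. The pcap is referenced through the sibling test's directory (`../rfb-protocol-3.8/...`), so renaming or removing that test would silently break this one; the README names the source but a comment on the pcap line would make the coupling visible where it matters.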