sip: add tests for headers sticky buffers 2053/head
authorGiuseppe Longo <giuseppe@glongo.it>
Sun, 14 Apr 2024 12:07:10 +0000 (14:07 +0200)
committerVictor Julien <victor@inliniac.net>
Sun, 22 Sep 2024 04:45:35 +0000 (06:45 +0200)
Ticket #6374

30 files changed:
tests/sip-compact-form/Makefile [new file with mode: 0644]
tests/sip-compact-form/README.md [new file with mode: 0644]
tests/sip-compact-form/sip_compact_form.pcap [new file with mode: 0644]
tests/sip-compact-form/sip_compact_form.syn [new file with mode: 0644]
tests/sip-compact-form/test.rules [new file with mode: 0644]
tests/sip-compact-form/test.yaml [new file with mode: 0644]
tests/sip-content-length/README.md [new file with mode: 0644]
tests/sip-content-length/test.rules [new file with mode: 0644]
tests/sip-content-length/test.yaml [new file with mode: 0644]
tests/sip-content-type/README.md [new file with mode: 0644]
tests/sip-content-type/test.rules [new file with mode: 0644]
tests/sip-content-type/test.yaml [new file with mode: 0644]
tests/sip-from/README.md [new file with mode: 0644]
tests/sip-from/test.rules [new file with mode: 0644]
tests/sip-from/test.yaml [new file with mode: 0644]
tests/sip-header-multi-value/Makefile [new file with mode: 0644]
tests/sip-header-multi-value/README.md [new file with mode: 0644]
tests/sip-header-multi-value/sip_header_multi_val.pcap [new file with mode: 0644]
tests/sip-header-multi-value/sip_header_multi_val.syn [new file with mode: 0644]
tests/sip-header-multi-value/test.rules [new file with mode: 0644]
tests/sip-header-multi-value/test.yaml [new file with mode: 0644]
tests/sip-to/README.md [new file with mode: 0644]
tests/sip-to/test.rules [new file with mode: 0644]
tests/sip-to/test.yaml [new file with mode: 0644]
tests/sip-user-agent/README.md [new file with mode: 0644]
tests/sip-user-agent/test.rules [new file with mode: 0644]
tests/sip-user-agent/test.yaml [new file with mode: 0644]
tests/sip-via/README.md [new file with mode: 0644]
tests/sip-via/test.rules [new file with mode: 0644]
tests/sip-via/test.yaml [new file with mode: 0644]

diff --git a/tests/sip-compact-form/Makefile b/tests/sip-compact-form/Makefile
new file mode 100644 (file)
index 0000000..a646f1c
--- /dev/null
@@ -0,0 +1,2 @@
+sip_compact_form.pcap: sip_compact_form.syn
+       flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-compact-form/README.md b/tests/sip-compact-form/README.md
new file mode 100644 (file)
index 0000000..1916fc1
--- /dev/null
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP headers with compact form are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-compact-form/sip_compact_form.pcap b/tests/sip-compact-form/sip_compact_form.pcap
new file mode 100644 (file)
index 0000000..61ed2ff
Binary files /dev/null and b/tests/sip-compact-form/sip_compact_form.pcap differ
diff --git a/tests/sip-compact-form/sip_compact_form.syn b/tests/sip-compact-form/sip_compact_form.syn
new file mode 100644 (file)
index 0000000..836c048
--- /dev/null
@@ -0,0 +1,33 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" <sip:816666@voip.brurjula.net>;tag=6433ef9\x0d
+t: <sip:97239287044@voip.brujula.net>\x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: <sip:816666@192.168.1.2>\x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-compact-form/test.rules b/tests/sip-compact-form/test.rules
new file mode 100644 (file)
index 0000000..2708cc4
--- /dev/null
@@ -0,0 +1,6 @@
+alert sip any any -> any any (sip.from; content:"arik"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:"; sid:2;)
+alert sip any any -> any any (sip.via; content:"SIP/2.0/UDP"; sid:3;)
+alert sip any any -> any any (sip.content_type; content:"application/sdp"; sid:4;)
+alert sip any any -> any any (sip.content_length; content:"272"; sid:5;)
+
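Review bot: sid:2 on the second rule line only proves that the sip.to buffer is non-empty, because `content:"sip:"` matches any SIP URI, so a compact `t:` line that ended up in a different header would still pass as long as some URI landed in the buffer. The sibling tests in this commit (tests/sip-to and tests/sip-header-multi-value) pin the concrete value; do the same here with `alert sip any any -> any any (sip.to; content:"sip:97239287044"; sid:2;)`. The file also ends with an empty sixth line that the other rule files in the commit do not carry.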
diff --git a/tests/sip-compact-form/test.yaml b/tests/sip-compact-form/test.yaml
new file mode 100644 (file)
index 0000000..0e2dfbc
--- /dev/null
@@ -0,0 +1,34 @@
+pcap: sip_compact_form.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
diff --git a/tests/sip-content-length/README.md b/tests/sip-content-length/README.md
new file mode 100644 (file)
index 0000000..dee6558
--- /dev/null
@@ -0,0 +1 @@
+Match on SIP Content-Length header field.
diff --git a/tests/sip-content-length/test.rules b/tests/sip-content-length/test.rules
new file mode 100644 (file)
index 0000000..f556819
--- /dev/null
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_length; content:"270"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_length; content:"199"; sid:2;)
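Review bot: `content:"270"` on the first line is a substring match against the sip.content_length buffer, so a header value such as `2700` or `1270` would also count towards the 8 to_server alerts expected in test.yaml, and the same applies to `"199"` on the second line. If the purpose is to check that the buffer holds exactly the header value, constrain the buffer length as well, e.g. `alert sip any any -> any any (flow:to_server; sip.content_length; content:"270"; bsize:3; sid:1;)`. If the expected counts were derived from a run with the unconstrained match, re-derive them after tightening.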
diff --git a/tests/sip-content-length/test.yaml b/tests/sip-content-length/test.yaml
new file mode 100644 (file)
index 0000000..9c55227
--- /dev/null
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 8
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
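Review bot: The expected counts here (`count: 8`, `count: 1`) are bare numbers with nothing saying how they were obtained, and the same holds for the other five yaml files in this commit that reuse `../sip-method/sip.pcap` (sip-content-type, sip-from, sip-to, sip-user-agent, sip-via). A one-line comment above `checks:` such as `# expected counts were derived from ../sip-method/sip.pcap; re-derive them if that pcap changes` would let a maintainer revalidate the numbers, and it also makes the coupling to a pcap owned by another test directory explicit. If the repository prefers each test to ship its own capture rather than reference a sibling's, these six tests should carry a copy instead; I cannot tell the convention from the diff.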
diff --git a/tests/sip-content-type/README.md b/tests/sip-content-type/README.md
new file mode 100644 (file)
index 0000000..2772653
--- /dev/null
@@ -0,0 +1 @@
+Match on SIP Content-Type header field.
diff --git a/tests/sip-content-type/test.rules b/tests/sip-content-type/test.rules
new file mode 100644 (file)
index 0000000..aaeea40
--- /dev/null
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_type; content:"application/sdp"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_type; content:"application/sdp"; sid:2;)
diff --git a/tests/sip-content-type/test.yaml b/tests/sip-content-type/test.yaml
new file mode 100644 (file)
index 0000000..aed8a9c
--- /dev/null
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 11
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-from/README.md b/tests/sip-from/README.md
new file mode 100644 (file)
index 0000000..5963bd7
--- /dev/null
@@ -0,0 +1 @@
+Match on SIP From header field.
diff --git a/tests/sip-from/test.rules b/tests/sip-from/test.rules
new file mode 100644 (file)
index 0000000..f93f259
--- /dev/null
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.from; content:"sip:"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.from; content:"sip:"; sid:2;)
diff --git a/tests/sip-from/test.yaml b/tests/sip-from/test.yaml
new file mode 100644 (file)
index 0000000..aef99d8
--- /dev/null
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 47
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 34
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-header-multi-value/Makefile b/tests/sip-header-multi-value/Makefile
new file mode 100644 (file)
index 0000000..5b46bff
--- /dev/null
@@ -0,0 +1,2 @@
+sip_header_multi_val.pcap: sip_header_multi_val.syn
+       flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-header-multi-value/README.md b/tests/sip-header-multi-value/README.md
new file mode 100644 (file)
index 0000000..c0bb998
--- /dev/null
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP header with multiple values are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-header-multi-value/sip_header_multi_val.pcap b/tests/sip-header-multi-value/sip_header_multi_val.pcap
new file mode 100644 (file)
index 0000000..61718ec
Binary files /dev/null and b/tests/sip-header-multi-value/sip_header_multi_val.pcap differ
diff --git a/tests/sip-header-multi-value/sip_header_multi_val.syn b/tests/sip-header-multi-value/sip_header_multi_val.syn
new file mode 100644 (file)
index 0000000..f82d79a
--- /dev/null
@@ -0,0 +1,34 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" <sip:816666@voip.brurjula.net>;tag=6433ef9\x0d
+t: <sip:97239287044@voip.brujula.net>\x0d
+To: <sip:12345@voip.brujula.net>\x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: <sip:816666@192.168.1.2>\x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-header-multi-value/test.rules b/tests/sip-header-multi-value/test.rules
new file mode 100644 (file)
index 0000000..d057ea6
--- /dev/null
@@ -0,0 +1,3 @@
+alert sip any any -> any any (sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:12345"; sid:2;)
+
diff --git a/tests/sip-header-multi-value/test.yaml b/tests/sip-header-multi-value/test.yaml
new file mode 100644 (file)
index 0000000..23a1f69
--- /dev/null
@@ -0,0 +1,14 @@
+pcap: sip_header_multi_val.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
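Review bot: test.rules for this directory defines sid:1 (`sip.to; content:"sip:97239287044"`, the value of the compact `t:` line) but the checks only assert on sid:2, so the behaviour for the first of the two To values is never pinned: whether the buffer exposes both values, only the last one, or a concatenation, the test passes identically. Add an explicit check for sid:1 with whichever count the intended semantics give, `count: 1` if both values are matchable or `count: 0` if only the last header wins, so that a regression in multi-value handling is caught instead of silently accepted. The README for this test says headers with multiple values should be matched, which reads like `count: 1`, but I cannot confirm the intended semantics from the diff.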
diff --git a/tests/sip-to/README.md b/tests/sip-to/README.md
new file mode 100644 (file)
index 0000000..2936ff1
--- /dev/null
@@ -0,0 +1 @@
+Match on SIP To header field.
diff --git a/tests/sip-to/test.rules b/tests/sip-to/test.rules
new file mode 100644 (file)
index 0000000..2479262
--- /dev/null
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.to; content:"sip:97239287044"; sid:2;)
diff --git a/tests/sip-to/test.yaml b/tests/sip-to/test.yaml
new file mode 100644 (file)
index 0000000..48075ab
--- /dev/null
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 15
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/sip-user-agent/README.md b/tests/sip-user-agent/README.md
new file mode 100644 (file)
index 0000000..9e66cd8
--- /dev/null
@@ -0,0 +1 @@
+Match on SIP User-Agent header field.
diff --git a/tests/sip-user-agent/test.rules b/tests/sip-user-agent/test.rules
new file mode 100644 (file)
index 0000000..a381901
--- /dev/null
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.user_agent; content:"Nero"; sid:1;)
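Review bot: This is the only header test in the commit with no `flow:to_client` rule, so the sip.user_agent buffer on responses is left untested. If responses in `../sip-method/sip.pcap` carry no User-Agent header, adding `alert sip any any -> any any (flow:to_client; sip.user_agent; content:"Nero"; sid:2;)` together with a `count: 0` check in test.yaml would document that expectation; if some do, the rule pins the response-side parsing the same way the sip-from, sip-to and sip-via tests do.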
diff --git a/tests/sip-user-agent/test.yaml b/tests/sip-user-agent/test.yaml
new file mode 100644 (file)
index 0000000..125062b
--- /dev/null
@@ -0,0 +1,14 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 40
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/sip-via/README.md b/tests/sip-via/README.md
new file mode 100644 (file)
index 0000000..40e60f4
--- /dev/null
@@ -0,0 +1 @@
+Match on SIP Via header field.
diff --git a/tests/sip-via/test.rules b/tests/sip-via/test.rules
new file mode 100644 (file)
index 0000000..cde4b43
--- /dev/null
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.via; content:"SIP/2.0/UDP"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.via; content:"SIP/2.0/UDP"; sid:2;)
diff --git a/tests/sip-via/test.yaml b/tests/sip-via/test.yaml
new file mode 100644 (file)
index 0000000..aef99d8
--- /dev/null
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 47
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 34
+      match:
+        event_type: alert
+        alert.signature_id: 2