test: Community-id tests for dhcp, rdp, smb, tftp
authorJeff Lucovsky <jeff@lucovsky.org>
Mon, 29 Jun 2020 13:42:39 +0000 (09:42 -0400)
committerVictor Julien <victor@inliniac.net>
Thu, 6 Aug 2020 06:37:27 +0000 (08:37 +0200)
This commit adds test cases that verify the community id string is
included in dhcp, rdp, smb and tftp records when configured.

13 files changed:
tests/output-eve-dhcp-01/input.pcap [new file with mode: 0644]
tests/output-eve-dhcp-01/suricata.yaml [new file with mode: 0644]
tests/output-eve-dhcp-01/test.yaml [new file with mode: 0644]
tests/output-eve-rdp-01/input.pcap [new file with mode: 0644]
tests/output-eve-rdp-01/suricata.yaml [new file with mode: 0644]
tests/output-eve-rdp-01/test.yaml [new file with mode: 0644]
tests/output-eve-smb-01/input.pcap [new file with mode: 0644]
tests/output-eve-smb-01/suricata.yaml [new file with mode: 0644]
tests/output-eve-smb-01/test.rules [new file with mode: 0644]
tests/output-eve-smb-01/test.yaml [new file with mode: 0644]
tests/output-eve-tftp-01/input.pcap [new file with mode: 0644]
tests/output-eve-tftp-01/suricata.yaml [new file with mode: 0644]
tests/output-eve-tftp-01/test.yaml [new file with mode: 0644]

diff --git a/tests/output-eve-dhcp-01/input.pcap b/tests/output-eve-dhcp-01/input.pcap
new file mode 100644 (file)
index 0000000..9361712
Binary files /dev/null and b/tests/output-eve-dhcp-01/input.pcap differ
diff --git a/tests/output-eve-dhcp-01/suricata.yaml b/tests/output-eve-dhcp-01/suricata.yaml
new file mode 100644 (file)
index 0000000..d754cd6
--- /dev/null
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: true
+      filename: eve.json
+      types:
+        - dhcp:
+            extended: true
+      community-id: true
diff --git a/tests/output-eve-dhcp-01/test.yaml b/tests/output-eve-dhcp-01/test.yaml
new file mode 100644 (file)
index 0000000..9027da0
--- /dev/null
@@ -0,0 +1,9 @@
+requires:
+  features:
+    - RUST
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: dhcp
+      has-key: community_id
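Review bot: The `requires.features` list here names only `RUST`, while the smb and tftp tests in this same commit also gate on `HAVE_LIBJANSSON`; if EVE JSON output needs jansson in the builds this suite targets, this test will run and fail on a build without it rather than being skipped, so add `- HAVE_LIBJANSSON` under `features:` to match. Separately, `has-key: community_id` only proves the key is emitted, not that the value is computed correctly for the flow; pinning the value (`community_id: "<expected-id-from-pcap>"`, placeholder to be filled from the known-good run) would catch a wrong or stale hash, and the same applies to the rdp, smb and tftp checks in this commit.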
diff --git a/tests/output-eve-rdp-01/input.pcap b/tests/output-eve-rdp-01/input.pcap
new file mode 100644 (file)
index 0000000..d7e8e84
Binary files /dev/null and b/tests/output-eve-rdp-01/input.pcap differ
diff --git a/tests/output-eve-rdp-01/suricata.yaml b/tests/output-eve-rdp-01/suricata.yaml
new file mode 100644 (file)
index 0000000..1f316c0
--- /dev/null
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - rdp
+      community-id: true
+
+app-layer:
+  protocols:
+    rdp:
+      enabled: yes
diff --git a/tests/output-eve-rdp-01/test.yaml b/tests/output-eve-rdp-01/test.yaml
new file mode 100644 (file)
index 0000000..f9c80d6
--- /dev/null
@@ -0,0 +1,13 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - rust/src/rdp/parser.rs
+
+checks:
+
+  - filter:
+      count: 4
+      match:
+        event_type: rdp
+        has-key: community_id
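Review bot: The `requires` block lists `HAVE_LIBJANSSON` and the file `rust/src/rdp/parser.rs` but not the `RUST` feature that the dhcp, smb and tftp tests in this commit use; the file check presumably has the same effect on a source tree, but it does not on an installed build, so `- RUST` under `features:` would make the gate consistent and robust. The `count: 4` expectation is not explained anywhere; a one-line comment above `checks:` saying how many rdp records the pcap is expected to produce and why (`# 4 rdp events: …`) would help whoever has to re-derive it when the parser changes.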
diff --git a/tests/output-eve-smb-01/input.pcap b/tests/output-eve-smb-01/input.pcap
new file mode 100644 (file)
index 0000000..06ac59f
Binary files /dev/null and b/tests/output-eve-smb-01/input.pcap differ
diff --git a/tests/output-eve-smb-01/suricata.yaml b/tests/output-eve-smb-01/suricata.yaml
new file mode 100644 (file)
index 0000000..41febec
--- /dev/null
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - smb
+      community-id: true
diff --git a/tests/output-eve-smb-01/test.rules b/tests/output-eve-smb-01/test.rules
new file mode 100644 (file)
index 0000000..b8d6203
--- /dev/null
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"Ascii named_pipe"; flow:established; smb_named_pipe; content:"IPC$"; sid:1; rev:1;)
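Review bot: The purpose of this rule is not stated, and nothing in the accompanying test.yaml checks for an `alert` event, so a reader cannot tell whether it is required (for example to force SMB named-pipe inspection so the expected smb records appear) or is a leftover from another test. A leading comment line such as `# Rule present only to drive SMB inspection; the test checks smb records, not alerts` would settle that, or the file can be dropped if the records are produced without it (this is inferred, not verified against the pcap).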
diff --git a/tests/output-eve-smb-01/test.yaml b/tests/output-eve-smb-01/test.yaml
new file mode 100644 (file)
index 0000000..6081c96
--- /dev/null
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - RUST
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 5
+      match:
+        event_type: smb
+        has-key: community_id
diff --git a/tests/output-eve-tftp-01/input.pcap b/tests/output-eve-tftp-01/input.pcap
new file mode 100644 (file)
index 0000000..6c5efa8
Binary files /dev/null and b/tests/output-eve-tftp-01/input.pcap differ
diff --git a/tests/output-eve-tftp-01/suricata.yaml b/tests/output-eve-tftp-01/suricata.yaml
new file mode 100644 (file)
index 0000000..cb84c78
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: true
+      filename: eve.json
+      types:
+        - tftp:
+      community-id: true
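Review bot: `- tftp:` with a trailing colon declares a mapping whose value is null, which Suricata appears to accept but differs from the bare `- rdp` and `- smb` entries in the sibling configs of this commit; unless tftp options are planned, `- tftp` is the clearer spelling and avoids a reader assuming an options block was truncated. The dhcp config in the same commit uses the `- dhcp:` form deliberately because it carries `extended: true`, so this is the only one where the colon carries no information.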
diff --git a/tests/output-eve-tftp-01/test.yaml b/tests/output-eve-tftp-01/test.yaml
new file mode 100644 (file)
index 0000000..4d7c5a1
--- /dev/null
@@ -0,0 +1,13 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - RUST
+
+args:
+ - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      has-key: community_id
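Review bot: The filter's `match:` has no `event_type: tftp` entry, unlike the dhcp, rdp and smb checks in this commit, so `count: 1` with `has-key: community_id` is satisfied by any single record carrying the key rather than specifically a tftp record; add `event_type: tftp` under `match:` so the test verifies what the commit message says it verifies. The `args:` entry is indented one space differently from the smb test and lacks the `# disables checksum verification` comment that the smb test gives the same `-k none` flag; aligning both keeps the four tests readable side by side.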