tests/hassh Add test cases for hassh 267/head
authorVadym Malakhatko <v.malakhatko@sirinsoftware.com>
Wed, 3 Jun 2020 13:19:27 +0000 (16:19 +0300)
committerVadym Malakhatko <v.malakhatko@sirinsoftware.com>
Tue, 7 Jul 2020 15:45:54 +0000 (18:45 +0300)
tests/ssh-banner-only/input.pcap [new file with mode: 0644]
tests/ssh-banner-only/test.yaml [new file with mode: 0644]
tests/ssh-hassh-only/input.pcap [new file with mode: 0644]
tests/ssh-hassh-only/test.rules [new file with mode: 0644]
tests/ssh-hassh-only/test.yaml [new file with mode: 0644]
tests/ssh-hassh-reassembled/input.pcap [new file with mode: 0644]
tests/ssh-hassh-reassembled/test.rules [new file with mode: 0644]
tests/ssh-hassh-reassembled/test.yaml [new file with mode: 0644]
tests/ssh-hassh/input.pcap [new file with mode: 0644]
tests/ssh-hassh/test.rules [new file with mode: 0644]
tests/ssh-hassh/test.yaml [new file with mode: 0644]

diff --git a/tests/ssh-banner-only/input.pcap b/tests/ssh-banner-only/input.pcap
new file mode 100644 (file)
index 0000000..89fd2bb
Binary files /dev/null and b/tests/ssh-banner-only/input.pcap differ
diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml
new file mode 100644 (file)
index 0000000..e40480a
--- /dev/null
@@ -0,0 +1,18 @@
+requires:
+  min-version: 6.0.0
+features:
+    - RUST
+
+args:
+ - -k none
+
+checks:
+  # Check that we have the ssh event in eve.json
+  - filter:
+      count: 1
+      match:
+        event_type: ssh
+        ssh.client.proto_version: "2.0"
+        ssh.server.proto_version: "2.0"
+        ssh.client.software_version: "OpenSSH_for_Windows_7.7"
+        ssh.server.software_version: "OpenSSH_7.4"
\ No newline at end of file
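Review bot: `features:` and its `- RUST` entry sit at column 0, which makes `features` a sibling of `requires:` rather than a child of it, so a harness that reads the feature list from `requires.features` would not see the RUST requirement and the test could be selected on a build without it. Nesting it under `requires` is the fix: `  features:` / `    - RUST` indented beneath `  min-version: 6.0.0`. The same top-level placement appears in the test.yaml hunks for ssh-hassh-only, ssh-hassh-reassembled and ssh-hassh. Separately, `args:` indents its list item by one space while the other lists in the file use two or four; `  - -k none` would keep the file on one indentation step.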
diff --git a/tests/ssh-hassh-only/input.pcap b/tests/ssh-hassh-only/input.pcap
new file mode 100644 (file)
index 0000000..98b49f7
Binary files /dev/null and b/tests/ssh-hassh-only/input.pcap differ
diff --git a/tests/ssh-hassh-only/test.rules b/tests/ssh-hassh-only/test.rules
new file mode 100644 (file)
index 0000000..15e1b52
--- /dev/null
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"2dd6531c7e89d3c925db9214711be76a"; sid:1;)
+alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"6832f1ce43d4397c2c0a3e2f8c94334e"; sid:2;)
+alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"; sid:3;)
+alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"none,zlib@openssh.com"; sid:4;)
\ No newline at end of file
diff --git a/tests/ssh-hassh-only/test.yaml b/tests/ssh-hassh-only/test.yaml
new file mode 100644 (file)
index 0000000..81d7a84
--- /dev/null
@@ -0,0 +1,37 @@
+requires:
+  min-version: 6.0.0
+features:
+    - RUST
+
+args:
+ - -k none
+
+checks:
+  # Check that we have the following events in eve.json
+  # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: ssh
+        ssh.client.hassh: "2dd6531c7e89d3c925db9214711be76a"
+        ssh.server.hassh: "6832f1ce43d4397c2c0a3e2f8c94334e"
diff --git a/tests/ssh-hassh-reassembled/input.pcap b/tests/ssh-hassh-reassembled/input.pcap
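Review bot: Indentation under `match:` is uneven in this file: the four alert filters indent their keys by nine spaces (`         event_type: alert`) while the ssh filter uses eight (`        event_type: ssh`), and `args:` indents its item by a single space. All of it parses, but the checks read as three different styles; settling on two-space steps throughout (`        event_type: alert`, `  - -k none`) lines the filters up. The comment above the filters also only accounts for the four alert events, so the fifth filter could carry its own line, e.g. `# ssh event carrying both the client and server hassh`. The same layout recurs in the ssh-hassh-reassembled and ssh-hassh test.yaml hunks.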
new file mode 100644 (file)
index 0000000..b682bb8
Binary files /dev/null and b/tests/ssh-hassh-reassembled/input.pcap differ
diff --git a/tests/ssh-hassh-reassembled/test.rules b/tests/ssh-hassh-reassembled/test.rules
new file mode 100644 (file)
index 0000000..918f53e
--- /dev/null
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"3cc67862bceac0f334c62ad1b76895b4"; sid:1;)
+alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"3cc67862bceac0f334c62ad1b76895b4"; sid:2;)
+alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"diffie-hellman-group1-sha1"; sid:3;)
+alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"diffie-hellman-group1-sha1"; sid:4;)
\ No newline at end of file
diff --git a/tests/ssh-hassh-reassembled/test.yaml b/tests/ssh-hassh-reassembled/test.yaml
new file mode 100644 (file)
index 0000000..b80d558
--- /dev/null
@@ -0,0 +1,38 @@
+requires:
+  min-version: 6.0.0
+features:
+    - RUST
+
+args:
+ - -k none
+
+checks:
+  # Check that we have the following events in eve.json
+  # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: ssh
+        ssh.client.hassh: "3cc67862bceac0f334c62ad1b76895b4"
+        ssh.server.hassh: "3cc67862bceac0f334c62ad1b76895b4"
+
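Review bot: The ssh check expects the same value for `ssh.client.hassh` and `ssh.server.hassh` (`3cc67862bceac0f334c62ad1b76895b4`), and the accompanying test.rules match that same value on both `ssh.hassh` and `ssh.hassh.server`, so this test cannot detect a client/server mix-up: swapping the two sides would still satisfy all five checks. If the capture simply happens to contain symmetric algorithm lists and reassembly is the only property under test, a comment saying so (e.g. `# client and server offer identical lists in this capture; side attribution is exercised by tests/ssh-hassh`) stops a later reader from treating it as a copy-paste error; otherwise a capture with differing lists would make the check meaningful. This file also ends with an extra blank line whereas the sibling test.yaml files end without a trailing newline; one convention should be used across the four.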
diff --git a/tests/ssh-hassh/input.pcap b/tests/ssh-hassh/input.pcap
new file mode 100644 (file)
index 0000000..0a093f2
Binary files /dev/null and b/tests/ssh-hassh/input.pcap differ
diff --git a/tests/ssh-hassh/test.rules b/tests/ssh-hassh/test.rules
new file mode 100644 (file)
index 0000000..15e1b52
--- /dev/null
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"2dd6531c7e89d3c925db9214711be76a"; sid:1;)
+alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"6832f1ce43d4397c2c0a3e2f8c94334e"; sid:2;)
+alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"; sid:3;)
+alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"none,zlib@openssh.com"; sid:4;)
\ No newline at end of file
diff --git a/tests/ssh-hassh/test.yaml b/tests/ssh-hassh/test.yaml
new file mode 100644 (file)
index 0000000..e923e1c
--- /dev/null
@@ -0,0 +1,37 @@
+requires:
+  min-version: 6.0.0
+features:
+    - RUST
+
+args:
+ - -k none
+
+checks:
+  # Check that we have the following events in eve.json
+  # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: ssh
+        ssh.client.hassh: "2dd6531c7e89d3c925db9214711be76a"
+        ssh.server.hassh: "6832f1ce43d4397c2c0a3e2f8c94334e"
\ No newline at end of file
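Review bot: tests/ssh-hassh and tests/ssh-hassh-only carry a byte-identical test.rules (both index lines show blob 15e1b52), and this test.yaml expects the same two hashes and the same five events as ssh-hassh-only, so nothing in either test records what distinguishes the two captures. A header comment at the top of this file naming the property under test, along the lines of `# Like ssh-hassh-only, but <DESCRIBE-WHAT-THIS-CAPTURE-ADDS>` with the placeholder filled in by the author, would let a failure in one test but not the other be understood without opening the pcaps. The file also lacks a trailing newline, unlike ssh-hassh-reassembled/test.yaml.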