tests: add test for 7414 and 7433
authorVictor Julien <victor@inliniac.net>
Wed, 4 Dec 2024 08:27:22 +0000 (09:27 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 5 Dec 2024 09:02:25 +0000 (10:02 +0100)
tests/bug-7414-decoder-event-01/README.md [new file with mode: 0644]
tests/bug-7414-decoder-event-01/decoder-event.rules [new file with mode: 0644]
tests/bug-7414-decoder-event-01/ip_secopt.pcap [new file with mode: 0644]
tests/bug-7414-decoder-event-01/suricata.yaml [new file with mode: 0644]
tests/bug-7414-decoder-event-01/test.yaml [new file with mode: 0644]
tests/bug-7414-decoder-event-02-ips/README.md [new file with mode: 0644]
tests/bug-7414-decoder-event-02-ips/decoder-event.rules [new file with mode: 0644]
tests/bug-7414-decoder-event-02-ips/suricata.yaml [new file with mode: 0644]
tests/bug-7414-decoder-event-02-ips/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-7414-decoder-event-01/README.md b/tests/bug-7414-decoder-event-01/README.md
new file mode 100644 (file)
index 0000000..25df5be
--- /dev/null
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+
diff --git a/tests/bug-7414-decoder-event-01/decoder-event.rules b/tests/bug-7414-decoder-event-01/decoder-event.rules
new file mode 100644 (file)
index 0000000..08c0337
--- /dev/null
@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
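Review bot: The rule file carries no comment on where the signature comes from, and the identical blob (index 08c0337) is added again under bug-7414-decoder-event-02-ips, so a reader has to diff the two copies to learn they are the same. Sid 2200005 with this msg and decode-event is the stock Suricata decoder-events.rules signature, here with the action changed from alert to drop, presumably so the IPS variant has something to block. A first line such as `# stock decoder-events.rules sid 2200005 with action alert -> drop, so the -02-ips variant produces a drop event` in both copies would make that intent explicit.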
diff --git a/tests/bug-7414-decoder-event-01/ip_secopt.pcap b/tests/bug-7414-decoder-event-01/ip_secopt.pcap
new file mode 100644 (file)
index 0000000..61be167
Binary files /dev/null and b/tests/bug-7414-decoder-event-01/ip_secopt.pcap differ
diff --git a/tests/bug-7414-decoder-event-01/suricata.yaml b/tests/bug-7414-decoder-event-01/suricata.yaml
new file mode 100644 (file)
index 0000000..69c2f1c
--- /dev/null
@@ -0,0 +1,41 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+  enabled: yes
+  # The interval field (in seconds) controls the interval at
+  # which stats are updated in the log.
+  interval: 8
+  # Add decode events to stats.
+  #decoder-events: true
+  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+  # to missing events in the eve.stats records. See issue #2225.
+  #decoder-events-prefix: "decoder.event"
+  # Add stream events as stats.
+  #stream-events: false
+  exception-policy:
+    #per-app-proto-errors: false  # default: false. True will log errors for
+                                  # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      ethernet: true
+      pcap-file: true
+
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+            verdict: yes
+        - anomaly:
+            enabled: yes
+            types:
+              decode: true
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
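Review bot: `exception-policy:` at the end of the stats stanza has only a commented-out child, so it parses to a null value rather than a mapping; it looks copied from the default suricata.yaml and nothing in test.yaml depends on it, so the key and the two comment lines under it could be dropped to keep the fragment to what the test exercises. The `yes`/`no` scalars are only safe because the file pins `%YAML 1.1`; keep that directive if the fragment is ever trimmed. The inline comment on `filetype: regular #regular|...` has a single space before `#`, which parses but trips yamllint's comment spacing. The same lines appear in the bug-7414-decoder-event-02-ips/suricata.yaml hunk.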
diff --git a/tests/bug-7414-decoder-event-01/test.yaml b/tests/bug-7414-decoder-event-01/test.yaml
new file mode 100644 (file)
index 0000000..4510791
--- /dev/null
@@ -0,0 +1,45 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2200005
+        pcap_cnt: 3
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        alert.action: "allowed"
+        packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+        verdict.action: "alert"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.invalid: 1
+
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_pad_required"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 2
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_invalid_len"
+        pcap_filename.__endswith: "ip_secopt.pcap"
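Review bot: The last filter pins `count: 2` anomaly records for `decoder.ipv4.opt_invalid_len` on a single packet (pcap_cnt 3) while the alert filter for the same decode event expects one, and nothing in the file says why two are correct; a later reader may take that as the regression rather than the expectation. A comment above that filter, e.g. `# two opt_invalid_len anomalies for packet 3 are expected (see redmine 7414); the rule still alerts once per packet`, would make the pinned value self-explaining, adjusted to what the ticket actually establishes. Quoting is also mixed (`event_type: alert` plain, `event_type: "anomaly"` quoted); either form works for the runner but one style per file reads better. The same points apply to the bug-7414-decoder-event-02-ips/test.yaml hunk.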
diff --git a/tests/bug-7414-decoder-event-02-ips/README.md b/tests/bug-7414-decoder-event-02-ips/README.md
new file mode 100644 (file)
index 0000000..25df5be
--- /dev/null
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+
diff --git a/tests/bug-7414-decoder-event-02-ips/decoder-event.rules b/tests/bug-7414-decoder-event-02-ips/decoder-event.rules
new file mode 100644 (file)
index 0000000..08c0337
--- /dev/null
@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
diff --git a/tests/bug-7414-decoder-event-02-ips/suricata.yaml b/tests/bug-7414-decoder-event-02-ips/suricata.yaml
new file mode 100644 (file)
index 0000000..263c9fc
--- /dev/null
@@ -0,0 +1,43 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+  enabled: yes
+  # The interval field (in seconds) controls the interval at
+  # which stats are updated in the log.
+  interval: 8
+  # Add decode events to stats.
+  #decoder-events: true
+  # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+  # to missing events in the eve.stats records. See issue #2225.
+  #decoder-events-prefix: "decoder.event"
+  # Add stream events as stats.
+  #stream-events: false
+  exception-policy:
+    #per-app-proto-errors: false  # default: false. True will log errors for
+                                  # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      ethernet: true
+      pcap-file: true
+
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
+            verdict: yes
+        - anomaly:
+            enabled: yes
+            types:
+              decode: true
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
+        - drop:
+            alerts: yes       # log alerts that caused drops
diff --git a/tests/bug-7414-decoder-event-02-ips/test.yaml b/tests/bug-7414-decoder-event-02-ips/test.yaml
new file mode 100644 (file)
index 0000000..1367621
--- /dev/null
@@ -0,0 +1,61 @@
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2200005
+        pcap_cnt: 3
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        alert.action: "blocked"
+        packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+        verdict.action: "drop"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.decoder.invalid: 1
+        stats.ips.accepted: 2
+        stats.ips.blocked: 1
+        stats.ips.drop_reason.rules: 1
+  - filter:
+      count: 1
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_pad_required"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 2
+      match:
+        pcap_cnt: 3
+        event_type: "anomaly"
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        anomaly.type: "decode"
+        anomaly.event: "decoder.ipv4.opt_invalid_len"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        alert.signature_id: 2200005
+        pcap_cnt: 3
+        pkt_src: "wire/pcap"
+        ether.src_mac: "f6:3a:04:28:26:77"
+        ether.dest_mac: "fe:2d:cf:ad:28:54"
+        alert.action: "blocked"
+        pcap_filename.__endswith: "ip_secopt.pcap"
+        drop.reason: "rules"
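Review bot: `pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap` makes this test depend on the sibling directory's fixture, and nothing in the file names the mode the checks assume: `alert.action: "blocked"`, `verdict.action: "drop"` and the `stats.ips.*` counters only hold when Suricata runs in IPS mode, which here appears to be selected by the runner from the `-ips` suffix of the directory name rather than by anything in test.yaml (worth confirming against the runner). Two comments at the top would make both dependencies explicit: `# fixture shared with bug-7414-decoder-event-01; rename both directories together` above the pcap line, and `# IPS mode (--simulate-ips) is implied by the '-ips' suffix of this test's directory name` above requires. The stats filter pins `stats.ips.accepted: 2` and `stats.ips.blocked: 1`, which together with pcap_cnt 3 implies a three-packet capture; stating that in the README would save a reader opening the pcap.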