tests: pcrexform tests
authorJeff Lucovsky <jeff@lucovsky.org>
Mon, 24 Feb 2020 14:54:34 +0000 (09:54 -0500)
committerVictor Julien <victor@inliniac.net>
Sun, 2 Aug 2020 12:32:53 +0000 (14:32 +0200)
This PR adds tests for the `pcrexform` transform, including tests for:
- basic functionality: a simple PCRE
- extended functionality: multiple PCREs
- negative: PCREs that do not match anything
- negative: missing option values

18 files changed:
tests/detect-pcrexform-01/input.pcap [new file with mode: 0644]
tests/detect-pcrexform-01/test.rules [new file with mode: 0644]
tests/detect-pcrexform-01/test.yaml [new file with mode: 0644]
tests/detect-pcrexform-02/input.pcap [new file with mode: 0644]
tests/detect-pcrexform-02/test.rules [new file with mode: 0644]
tests/detect-pcrexform-02/test.yaml [new file with mode: 0644]
tests/detect-pcrexform-03/input.pcap [new file with mode: 0644]
tests/detect-pcrexform-03/test.rules [new file with mode: 0644]
tests/detect-pcrexform-03/test.yaml [new file with mode: 0644]
tests/detect-pcrexform-04/input.pcap [new file with mode: 0644]
tests/detect-pcrexform-04/test.rules [new file with mode: 0644]
tests/detect-pcrexform-04/test.yaml [new file with mode: 0644]
tests/detect-pcrexform-05/input.pcap [new file with mode: 0644]
tests/detect-pcrexform-05/test.rules [new file with mode: 0644]
tests/detect-pcrexform-05/test.yaml [new file with mode: 0644]
tests/detect-pcrexform-06/input.pcap [new file with mode: 0644]
tests/detect-pcrexform-06/test.rules [new file with mode: 0644]
tests/detect-pcrexform-06/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-pcrexform-01/input.pcap b/tests/detect-pcrexform-01/input.pcap
new file mode 100644 (file)
index 0000000..dc92bd9
Binary files /dev/null and b/tests/detect-pcrexform-01/input.pcap differ
diff --git a/tests/detect-pcrexform-01/test.rules b/tests/detect-pcrexform-01/test.rules
new file mode 100644 (file)
index 0000000..6bf7163
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; content:"/z4d4kWk.jpg"; sid:1;)
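Review bot: The rule carries no comment saying what the transform is expected to produce, so a reader cannot tell from the file alone why `content:"/z4d4kWk.jpg"` should match only after `pcrexform` has run; the rules of tests 02 through 06 have the same gap. Suricata documents `pcrexform` as replacing the inspected buffer with the first capture group, so a one-line comment above the rule such as `# Positive: request line is replaced by the URI captured by (.*); content must match that capture` would make the intent explicit. The exact request line in input.pcap cannot be confirmed from this page, so word the comment to match the actual payload.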
diff --git a/tests/detect-pcrexform-01/test.yaml b/tests/detect-pcrexform-01/test.yaml
new file mode 100644 (file)
index 0000000..19e9801
--- /dev/null
@@ -0,0 +1,11 @@
+requires:
+
+  files:
+    - src/detect-transform-pcrexform.c
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/detect-pcrexform-02/input.pcap b/tests/detect-pcrexform-02/input.pcap
new file mode 100644 (file)
index 0000000..dc92bd9
Binary files /dev/null and b/tests/detect-pcrexform-02/input.pcap differ
diff --git a/tests/detect-pcrexform-02/test.rules b/tests/detect-pcrexform-02/test.rules
new file mode 100644 (file)
index 0000000..016a305
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.response_line; pcrexform; content:"/dropper.php"; sid:2;)
diff --git a/tests/detect-pcrexform-02/test.yaml b/tests/detect-pcrexform-02/test.yaml
new file mode 100644 (file)
index 0000000..bedb646
--- /dev/null
@@ -0,0 +1,11 @@
+requires:
+
+  files:
+    - src/detect-transform-pcrexform.c
+
+exit-code: 1
+
+checks:
+    - shell:
+        args: grep "invalid formatting or malformed option to pcrexform keyword" suricata.log | wc -l | xargs
+        expect: 1
diff --git a/tests/detect-pcrexform-03/input.pcap b/tests/detect-pcrexform-03/input.pcap
new file mode 100644 (file)
index 0000000..dc92bd9
Binary files /dev/null and b/tests/detect-pcrexform-03/input.pcap differ
diff --git a/tests/detect-pcrexform-03/test.rules b/tests/detect-pcrexform-03/test.rules
new file mode 100644 (file)
index 0000000..a2a0d26
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; pcrexform:"No-match"; content:"/no-match.jpg"; sid:1;)
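Review bot: This negative test passes regardless of what `pcrexform` does, because `content:"/no-match.jpg"` is not expected in the untransformed request line either, so zero alerts would also result from a transform that is silently a no-op; the multi-transform negative in test 06 has the same weakness. A useful negative keeps a content that is present in the raw buffer and makes only the regex fail, e.g. `pcrexform:"No-match"; content:"/z4d4kWk.jpg";`, and then pins the expected alert count to the documented no-match behaviour. Whether a non-matching regex empties the buffer or leaves it untouched is not visible here; the test should assert one of those outcomes explicitly rather than use a content absent from both the raw and the transformed buffer.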
diff --git a/tests/detect-pcrexform-03/test.yaml b/tests/detect-pcrexform-03/test.yaml
new file mode 100644 (file)
index 0000000..7746d41
--- /dev/null
@@ -0,0 +1,10 @@
+requires:
+
+  files:
+    - src/detect-transform-pcrexform.c
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
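Review bot: The zero-count filter here matches on `event_type: alert` only, whereas the otherwise parallel negative in test 06 also filters on `alert.signature_id: 1`. For consistency add `alert.signature_id: 1` under `match:` so both negatives assert the same condition.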
diff --git a/tests/detect-pcrexform-04/input.pcap b/tests/detect-pcrexform-04/input.pcap
new file mode 100644 (file)
index 0000000..dc92bd9
Binary files /dev/null and b/tests/detect-pcrexform-04/input.pcap differ
diff --git a/tests/detect-pcrexform-04/test.rules b/tests/detect-pcrexform-04/test.rules
new file mode 100644 (file)
index 0000000..cadd817
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; pcrexform:[a-zA-Z]+\s+(.*)\s+HTTP; content:"/z4d4kWk.jpg"; sid:1;)
diff --git a/tests/detect-pcrexform-04/test.yaml b/tests/detect-pcrexform-04/test.yaml
new file mode 100644 (file)
index 0000000..a8be268
--- /dev/null
@@ -0,0 +1,12 @@
+requires:
+
+  files:
+    - src/detect-transform-pcrexform.c
+
+exit-code: 1
+
+checks:
+
+    - shell:
+        args: grep "invalid formatting to pcrexform keyword" suricata.log | wc -l | xargs
+        expect: 1
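Review bot: The expected log line `invalid formatting to pcrexform keyword` differs from the one test 02 greps for (`invalid formatting or malformed option to pcrexform keyword`), and neither is a substring of the other, so each test depends on exact wording in src/detect-transform-pcrexform.c that cannot be confirmed from this page. It is worth checking that the unquoted value in test 04 and the missing value in test 02 really reach two distinct error paths; if they do not, both greps should use the common wording. A short comment in each test.yaml naming which malformed rule is meant to trigger the message, e.g. `# unquoted pcrexform value must be rejected at rule load`, would make the coupling obvious to whoever next changes the error text.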
diff --git a/tests/detect-pcrexform-05/input.pcap b/tests/detect-pcrexform-05/input.pcap
new file mode 100644 (file)
index 0000000..dc92bd9
Binary files /dev/null and b/tests/detect-pcrexform-05/input.pcap differ
diff --git a/tests/detect-pcrexform-05/test.rules b/tests/detect-pcrexform-05/test.rules
new file mode 100644 (file)
index 0000000..1b34779
--- /dev/null
@@ -0,0 +1,8 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; \
+    http.request_line; pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; \
+        content:"/z4d4kWk.jpg"; \
+    http.user_agent; pcrexform:"([a-zA-Z]+\/[0-9]\.54\.0)"; \
+        content:"curl/7.54.0"; \
+    http.host; pcrexform:"([a-zA-Z]\.[a-zA-Z]+\.com+)"; \
+        content:"i.imgur.com"; \
+    sid:1;)
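Review bot: In the host pattern on the `http.host` line, the trailing `+` in `\.com+` binds to the final `m` only, so the capture also accepts `i.imgur.comm` and longer runs of `m`; if the intent is a host ending in `.com`, the line should read `http.host; pcrexform:"([a-zA-Z]\.[a-zA-Z]+\.com)"; \`. Test 06 reuses the same pattern on its `http.host` line and should be updated together. The positive expectation of one alert for sid 1 is unaffected by the fix, since `i.imgur.com` matches either form.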
diff --git a/tests/detect-pcrexform-05/test.yaml b/tests/detect-pcrexform-05/test.yaml
new file mode 100644 (file)
index 0000000..19e9801
--- /dev/null
@@ -0,0 +1,11 @@
+requires:
+
+  files:
+    - src/detect-transform-pcrexform.c
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/detect-pcrexform-06/input.pcap b/tests/detect-pcrexform-06/input.pcap
new file mode 100644 (file)
index 0000000..dc92bd9
Binary files /dev/null and b/tests/detect-pcrexform-06/input.pcap differ
diff --git a/tests/detect-pcrexform-06/test.rules b/tests/detect-pcrexform-06/test.rules
new file mode 100644 (file)
index 0000000..bbd32a1
--- /dev/null
@@ -0,0 +1,8 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; \
+    http.request_line; pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; \
+        content:"/no-match-here"; \
+    http.user_agent; pcrexform:"([a-zA-Z]+\/[0-9]\.54\.0)"; \
+        content:"no-match-here"; \
+    http.host; pcrexform:"([a-zA-Z]\.[a-zA-Z]+\.com+)"; \
+        content:"no-match-here"; \
+    sid:1;)
diff --git a/tests/detect-pcrexform-06/test.yaml b/tests/detect-pcrexform-06/test.yaml
new file mode 100644 (file)
index 0000000..437afa2
--- /dev/null
@@ -0,0 +1,11 @@
+requires:
+
+  files:
+    - src/detect-transform-pcrexform.c
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1