]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 875895a)
detect-dce-iface: add tests
authorModupe Falodun <falodunmodupeola@gmail.com>
Tue, 22 Feb 2022 17:19:27 +0000 (18:19 +0100)
committerShivani Bhardwaj <shivanib134@gmail.com>
Wed, 23 Feb 2022 14:16:19 +0000 (19:46 +0530)
Task: 4911

tests/dcerpc/dcerpc-dce-iface-02/README.md [new file with mode: 0644] patch | blob
tests/dcerpc/dcerpc-dce-iface-02/test.rules patch | blob | blame | history
tests/dcerpc/dcerpc-dce-iface-02/test.yaml patch | blob | blame | history
tests/dcerpc/dcerpc-dce-stub-data/README.md [new file with mode: 0644] patch | blob
tests/dcerpc/dcerpc-dce-stub-data/input.pcap [new file with mode: 0644] patch | blob
tests/dcerpc/dcerpc-dce-stub-data/test.rules [new file with mode: 0644] patch | blob
tests/dcerpc/dcerpc-dce-stub-data/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/dcerpc/dcerpc-dce-iface-02/README.md b/tests/dcerpc/dcerpc-dce-iface-02/README.md
new file mode 100644 (file)
index 0000000..7d91069
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-02/README.md
@@ -0,0 +1 @@
+Tests the dcerpc.iface keyword
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.rules b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
index 27cccb31c09bfff41ba44f1b978ccda380198184..a9018d05d9feb3a83f9745add5e7e952c48e01e7 100644 (file)
--- a/tests/dcerpc/dcerpc-dce-iface-02/test.rules
+++ b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
@@ -1 +1,5 @@
 alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;sid:1;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1; sid:2;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=0; sid:3;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,>1,any_frag; sid:4;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1,any_frag; sid:5;)
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.yaml b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
index 7c47e217dc612bee636934e72b8851087af89c93..1e0a812e984200b2a1fca2abbc08db6674728491 100644 (file)
--- a/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
+++ b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
@@ -10,3 +10,41 @@ checks:
       count: 1
       match:
         event_type: alert
+        alert.signature_id: 1
+        pcap_cnt: 10
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        pcap_cnt: 10
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+        pcap_cnt: 10
+  - filter:
+      min-version: 6.0.0  
+      count: 1
+      match:
+        dcerpc.response: RESPONSE
+        dcerpc.res.stub_data_size: 68
+        dcerpc.res.frag_cnt: 1
+        dcerpc.rpc_version: '5.0'
+        pcap_cnt: 10
+        dcerpc.request: REQUEST
+        dcerpc.req.stub_data_size: 24
+        dcerpc.req.frag_cnt: 1
+        dcerpc.call_id: 27
+        event_type: dcerpc
diff --git a/tests/dcerpc/dcerpc-dce-stub-data/README.md b/tests/dcerpc/dcerpc-dce-stub-data/README.md
new file mode 100644 (file)
index 0000000..b3ead40
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data/README.md
@@ -0,0 +1,3 @@
+Tests the dce_stub_data keyword
+
+Pcap from dcerpc-dce-iface-02
diff --git a/tests/dcerpc/dcerpc-dce-stub-data/input.pcap b/tests/dcerpc/dcerpc-dce-stub-data/input.pcap
new file mode 100644 (file)
index 0000000..d6d7cb5
Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-stub-data/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-stub-data/test.rules b/tests/dcerpc/dcerpc-dce-stub-data/test.rules
new file mode 100644 (file)
index 0000000..ba96094
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"DCE stub data";flow:established,to_server; dcerpc.stub_data; content:"|09 00 00 00 00 01 00 00|"; sid:1;)
+alert tcp any any -> any any (msg:"DCE stub data";flow:established,to_server; dcerpc.stub_data; content:"|09 00|"; sid:2;)
+alert tcp any any -> any any (msg:"DCE stub data";flow:established,to_server; dcerpc.stub_data; content:"|01 09 00|"; sid:3;)
diff --git a/tests/dcerpc/dcerpc-dce-stub-data/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data/test.yaml
new file mode 100644 (file)
index 0000000..389fbe9
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data/test.yaml
@@ -0,0 +1,38 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+    min-version: 6.0.0  
+    count: 2
+    match:
+      event_type: dcerpc
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      pcap_cnt: 10
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      pcap_cnt: 10
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
Mirror of https://github.com/OISF/suricata-verify.git