]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1eb1716)
quic-v2: break out ja3 tests and require HAVE_JA3
authorJason Ish <jason.ish@oisf.net>
Tue, 25 Feb 2025 21:40:03 +0000 (15:40 -0600)
committerVictor Julien <victor@inliniac.net>
Thu, 13 Mar 2025 05:30:47 +0000 (06:30 +0100)
tests/quic-v2-ja3/README.md [new file with mode: 0644] patch | blob
tests/quic-v2-ja3/input.pcap [new file with mode: 0644] patch | blob
tests/quic-v2-ja3/test.rules [new file with mode: 0644] patch | blob
tests/quic-v2-ja3/test.yaml [new file with mode: 0644] patch | blob
tests/quic-v2/test.rules patch | blob | blame | history
tests/quic-v2/test.yaml patch | blob | blame | history

diff --git a/tests/quic-v2-ja3/README.md b/tests/quic-v2-ja3/README.md
new file mode 100644 (file)
index 0000000..9f937b0
--- /dev/null
+++ b/tests/quic-v2-ja3/README.md
@@ -0,0 +1,16 @@
+# Description
+
+Test quic v2 parsing
+
+# PCAP
+
+The pcap comes from running https://github.com/quic-go/quic-go
+
+The example server is in example
+`go run main.go -bind localhost:443`
+The example client is in example/client
+`go run main.go -insecure https://127.0.0.1:443/`
+with this patch
+```
++qconf.Versions = []quic.VersionNumber{quic.VersionNumber(0x6b3343cf)}
+```
diff --git a/tests/quic-v2-ja3/input.pcap b/tests/quic-v2-ja3/input.pcap
new file mode 100644 (file)
index 0000000..49384a5
Binary files /dev/null and b/tests/quic-v2-ja3/input.pcap differ
diff --git a/tests/quic-v2-ja3/test.rules b/tests/quic-v2-ja3/test.rules
new file mode 100644 (file)
index 0000000..4ed74cc
--- /dev/null
+++ b/tests/quic-v2-ja3/test.rules
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC V2"; quic.version; content:"|6b 33 43 cf|"; sid:4;)
+alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0"; sid:3;)
diff --git a/tests/quic-v2-ja3/test.yaml b/tests/quic-v2-ja3/test.yaml
new file mode 100644 (file)
index 0000000..c597f6e
--- /dev/null
+++ b/tests/quic-v2-ja3/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  min-version: 7.0.0
+  features:
+    - HAVE_JA3
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        quic.extensions[0].name: "status_request"
+        quic.extensions[6].name: "alpn"
+        quic.extensions[6].values[0]: "h3"
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
diff --git a/tests/quic-v2/test.rules b/tests/quic-v2/test.rules
index 4ed74cc10d357a52baca8ba91ea95a6f158518b9..22382dcebf45245a7f4ceab4f3def5926e022085 100644 (file)
--- a/tests/quic-v2/test.rules
+++ b/tests/quic-v2/test.rules
@@ -1,2 +1 @@
 alert quic any any -> any any (msg:"QUIC V2"; quic.version; content:"|6b 33 43 cf|"; sid:4;)
-alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0"; sid:3;)
diff --git a/tests/quic-v2/test.yaml b/tests/quic-v2/test.yaml
index a954b26349f2d4227e204ac0de5578a659b10b9f..22c3b6cebebff54f768be8745c50de59fef6f708 100644 (file)
--- a/tests/quic-v2/test.yaml
+++ b/tests/quic-v2/test.yaml
@@ -14,8 +14,3 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 4
-  - filter:
-      count: 1
-      match:
-        event_type: alert
-        alert.signature_id: 3
Mirror of https://github.com/OISF/suricata-verify.git