nfs: Add detection rules for NFS3_READDIRPLUS

author Sam Muhammed <ghostinthehive.vx@gmail.com>

Thu, 10 Feb 2022 15:20:12 +0000 (17:20 +0200)

committer Victor Julien <victor@inliniac.net>

Tue, 22 Feb 2022 14:13:35 +0000 (15:13 +0100)
author Sam Muhammed <ghostinthehive.vx@gmail.com>
Thu, 10 Feb 2022 15:20:12 +0000 (17:20 +0200)
committer Victor Julien <victor@inliniac.net>
Tue, 22 Feb 2022 14:13:35 +0000 (15:13 +0100)
diff --git a/tests/nfs3-readdirplus/test.rules b/tests/nfs3-readdirplus/test.rules

new file mode 100644 (file)

index 0000000..fc0961b
--- /dev/null
+++ b/tests/nfs3-readdirplus/test.rules
@@ -0,0 +1,2 @@
+alert nfs any any -> any any (nfs_version:3; flow:to_server; nfs_procedure:17; sid:1;)
+alert nfs any any -> any any (flow:to_client; content:"|2e 2e|"; sid:2;)
diff --git a/tests/nfs3-readdirplus/test.yaml b/tests/nfs3-readdirplus/test.yaml

index dbaefbd2b06d7b08013498966280365550d82495..17972dedc52ef81a312ba25d32d893b8a9a7b3ba 100644 (file)
--- a/tests/nfs3-readdirplus/test.yaml
+++ b/tests/nfs3-readdirplus/test.yaml
@@ -31,3 +31,15 @@ checks:
          rpc.auth_type: UNIX
          rpc.creds.uid: 1000
          rpc.creds.gid: 1000
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        app_proto: nfs
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        app_proto: nfs
+        alert.signature_id: 2
author	Sam Muhammed <ghostinthehive.vx@gmail.com>
	Thu, 10 Feb 2022 15:20:12 +0000 (17:20 +0200)
committer	Victor Julien <victor@inliniac.net>
	Tue, 22 Feb 2022 14:13:35 +0000 (15:13 +0100)
tests/nfs3-readdirplus/test.rules	[new file with mode: 0644]	patch \| blob
tests/nfs3-readdirplus/test.yaml		patch \| blob \| blame \| history