Overlaps and gaps.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkt1 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 5)])
+pkt2 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 5)],window=4096)
+pkt3 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)
+pkt4 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=4096)
+pkt5 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"GOOD"
+pkt6 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"EVIL"
+pkt7 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',ack=6,seq=1001,window=4096)
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+pkts += pkt4
+pkts += pkt5
+pkts += pkt6
+pkts += pkt7
+
+wrpcap('tcp-overlap.pcap', pkts)
+
+pkts = []
+
+pkt1 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 5)])
+pkt2 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 5)],window=4096)
+pkt3 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)
+pkt4 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=4096)
+pkt5 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"GOOD"
+pkt6 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=3, ack=1001,window=4096)/"XXX"
+pkt7 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',ack=6,seq=1001,window=4096)
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+pkts += pkt4
+pkts += pkt5
+pkts += pkt6
+pkts += pkt7
+
+wrpcap('tcp-overlap2.pcap', pkts)
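Review bot: The two pcaps are built from 26 near-identical assignment and append lines that differ only in pkt6, and the appends use `pkts += pktN`, which only works because a scapy Packet iterates over itself; `append` or a list literal says what is meant. The comment `# VLAN tagged packet` sits above the appends rather than the Dot1Q packets it describes. A small helper taking `(seq, payload)` segments removes the duplication, derives the final server ACK from the segments instead of the hard-coded `ack=6`, and would also serve the copy at L397-441 and the leading-gap generator at L777-799 (`[(6, 'GOOD'), (10, 'DATA')]`, whose `ack=14` it reproduces). Reusing the `client`/`server` header objects is safe because scapy's `/` copies both operands before joining them.
```python
# … unchanged: shebang and scapy import …

def write_flow(segments, pcap):
    # VLAN-tagged handshake 1.1.1.1 -> 2.2.2.2, then the client data segments
    # given as (seq, payload), then one server ACK covering all of them.
    client = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')
    server = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')
    pkts = [
        client/TCP(dport=8080, sport=12345, flags='S', seq=1, options=[('WScale', 5)]),
        server/TCP(sport=8080, dport=12345, flags='SA', seq=1000, ack=2, options=[('WScale', 5)], window=4096),
        client/TCP(dport=8080, sport=12345, flags='A', seq=2, ack=1001, window=4096),
        server/TCP(sport=8080, dport=12345, flags='A', seq=1001, ack=2, window=4096),
    ]
    for seq, data in segments:
        pkts.append(client/TCP(dport=8080, sport=12345, flags='A', seq=seq, ack=1001, window=4096)/data)
    # ACK the highest byte any segment reached (6 for both flows in this script).
    ack = max(seq + len(data) for seq, data in segments)
    pkts.append(server/TCP(sport=8080, dport=12345, flags='A', ack=ack, seq=1001, window=4096))
    wrpcap(pcap, pkts)

write_flow([(2, 'GOOD'), (2, 'EVIL')], 'tcp-overlap.pcap')
write_flow([(2, 'GOOD'), (3, 'XXX')], 'tcp-overlap2.pcap')
```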
--- /dev/null
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
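Review bot: None of the rules carries a `msg`, so every alert these tests raise presumably logs a blank `alert.signature`, which makes a failing `count` check harder to read in eve.json because only the sid identifies the rule. A short message per rule, e.g. `alert tcp-stream any any -> any any (msg:"stream EVIL"; content:"EVIL"; sid:1;)`, costs nothing and names the tcp-stream/tcp-pkt split the checks depend on. The rule files at L136-141, L194-199, L251-256, L312-321, L442-447, L516-521, L574-579, L631-636, L692-701, L800-809 and L877-881 have the same shape.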
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ payload: "RVZJTA=="
+ payload_printable: "EVIL"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAt3QAAEVWSUw="
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
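Review bot: The checks fix a particular loser for the two segments sent at the same sequence number (sid 1 EVIL never alerts, sid 2 GOOD is what the reassembled stream carries), but this test's suricata.yaml at L2-16 sets no `host-os-policy`, so that outcome rests on Suricata's built-in default policy and nothing in the test says so. A comment above `checks:` such as `# No host-os-policy set: the built-in default decides which of the overlapping segments is kept (GOOD here); the old-linux variant expects EVIL` makes the dependency visible, given that the sibling test at L142-178 pins `old-linux: [2.2.2.2]` for the opposite result. The packet-level checks for sid 3 and sid 4 also omit `stream: 0`, which the later tests at L200-235 and L257-296 include for the same kind of alert; adding it keeps the packet/stream distinction explicit. The same applies to the copies at L448-484 and L522-558, to the sid 4 check at L289-296, and to the leading-gap checks at L810-861, which unlike L322-381 pin neither `payload` nor `pkt_src`.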
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
+
+host-os-policy:
+ # Make the default policy windows.
+ windows: [0.0.0.0/0]
+ bsd: []
+ bsd-right: []
+ old-linux: [2.2.2.2]
+ linux: []
+ old-solaris: []
+ solaris: []
+ hpux10: []
+ hpux11: []
+ irix: []
+ macos: []
+ vista: []
+ windows2k3: []
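Review bot: `old-linux: [2.2.2.2]` is the line that carries this test's intent — every other host gets the windows policy from `windows: [0.0.0.0/0]` — yet only the windows choice is commented and the old-linux entry says nothing about why 2.2.2.2 was chosen. A comment directly above it such as `# 2.2.2.2 receives the overlapping segments; under old-linux the later EVIL data wins, which test.yaml expects` ties the stanza to the expectations at L142-178. The eleven empty OS lists add nothing to the test and could be dropped so only the two policies under test remain. The copy at L485-515 is identical.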
--- /dev/null
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ payload: "RVZJTA=="
+ payload_printable: "EVIL"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ payload: "RVZJTA=="
+ payload_printable: "EVIL"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAt3QAAEVWSUw="
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2 # one for original, one for overlap
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
+ stream: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
+ stream: 0
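Review bot: The `count: 2` filters for sid 2 and sid 4 accept any two alerts that carry the same payload, packet and stream flag, so two alerts raised on one packet would pass exactly like the intended one-per-segment pair that the comment at L214 (`# one for original, one for overlap`) describes. Splitting each into two `count: 1` filters that additionally match `pcap_cnt` pins which packet raised each alert; the concrete values depend on the input pcap, which is not in the diff, but with the generator script's packet order they would be the fifth and sixth packets. The copy at L580-615 has the same shape.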
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+alert tcp-stream any any -> any any (content:"XXX"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"XXX"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ stream: 1
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ stream: 0
+ payload: "WFhY"
+ payload_printable: "XXX"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAAKwABAABABnTHAQEBAQICAgIwOR+QAAAAAwAAA+lQEBAAlb4AAFhYWA=="
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+alert tcp-stream any any -> any any (content:"VERY"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+alert tcp-stream any any -> any any (content:"DATA"; sid:3;)
+
+alert tcp-pkt any any -> any any (content:"VERY"; sid:4;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:5;)
+alert tcp-pkt any any -> any any (content:"DATA"; sid:6;)
+
+alert tcp-stream any any -> any any (content:"VERYGOODDATA"; sid:7;)
--- /dev/null
+requires:
+ min-version: 8
+
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ stream: 1
+ payload: "VkVSWVs0IGJ5dGVzIG1pc3NpbmddREFUQQ=="
+ payload_printable: "VERY[4 bytes missing]DATA"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ stream: 1
+ payload: "VkVSWVs0IGJ5dGVzIG1pc3NpbmddREFUQQ=="
+ payload_printable: "VERY[4 bytes missing]DATA"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "VkVSWQ=="
+ payload_printable: "VERY"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEAQAqXgAAFZFUlk="
+ stream: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ payload: "REFUQQ=="
+ payload_printable: "DATA"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAACgAAA+lQEAQAuYwAAERBVEE="
+ stream: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 7
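Review bot: The sid 1 and sid 3 expectations show the `[4 bytes missing]` marker written into the logged stream payload, but nothing here pins that the marker is a logging artefact only and not part of the buffer the detect engine inspects. Adding `alert tcp-stream any any -> any any (content:"missing"; sid:8;)` to the rules file and a `count: 0` filter for sid 8 here would make that explicit and catch a regression in which the placeholder text becomes matchable. The `count: 0` check for sid 7 already covers the complementary case (the gap is not silently filled), so the two together document the contract. The copy at L702-761 and the leading-gap test at L810-861 would benefit from the same negative check.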
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkt1 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 5)])
+pkt2 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 5)],window=4096)
+pkt3 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)
+pkt4 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=4096)
+pkt5 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"GOOD"
+pkt6 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"EVIL"
+pkt7 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',ack=6,seq=1001,window=4096)
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+pkts += pkt4
+pkts += pkt5
+pkts += pkt6
+pkts += pkt7
+
+wrpcap('tcp-overlap.pcap', pkts)
+
+pkts = []
+
+pkt1 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 5)])
+pkt2 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 5)],window=4096)
+pkt3 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)
+pkt4 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=4096)
+pkt5 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"GOOD"
+pkt6 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=3, ack=1001,window=4096)/"XXX"
+pkt7 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',ack=6,seq=1001,window=4096)
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+pkts += pkt4
+pkts += pkt5
+pkts += pkt6
+pkts += pkt7
+
+wrpcap('tcp-overlap2.pcap', pkts)
--- /dev/null
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ payload: "RVZJTA=="
+ payload_printable: "EVIL"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAt3QAAEVWSUw="
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
+
+host-os-policy:
+ # Make the default policy windows.
+ windows: [0.0.0.0/0]
+ bsd: []
+ bsd-right: []
+ old-linux: [2.2.2.2]
+ linux: []
+ old-solaris: []
+ solaris: []
+ hpux10: []
+ hpux11: []
+ irix: []
+ macos: []
+ vista: []
+ windows2k3: []
--- /dev/null
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ payload: "RVZJTA=="
+ payload_printable: "EVIL"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ payload: "RVZJTA=="
+ payload_printable: "EVIL"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAt3QAAEVWSUw="
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2 # one for original, one for overlap
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
+ stream: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
+ stream: 0
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+alert tcp-stream any any -> any any (content:"XXX"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"XXX"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ stream: 1
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ stream: 0
+ payload: "WFhY"
+ payload_printable: "XXX"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAAKwABAABABnTHAQEBAQICAgIwOR+QAAAAAwAAA+lQEBAAlb4AAFhYWA=="
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "R09PRA=="
+ payload_printable: "GOOD"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+alert tcp-stream any any -> any any (content:"VERY"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+alert tcp-stream any any -> any any (content:"DATA"; sid:3;)
+
+alert tcp-pkt any any -> any any (content:"VERY"; sid:4;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:5;)
+alert tcp-pkt any any -> any any (content:"DATA"; sid:6;)
+
+alert tcp-stream any any -> any any (content:"VERYGOODDATA"; sid:7;)
--- /dev/null
+requires:
+ min-version: 8
+
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ stream: 1
+ payload: "VkVSWVs0IGJ5dGVzIG1pc3NpbmddREFUQQ=="
+ payload_printable: "VERY[4 bytes missing]DATA"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ stream: 1
+ payload: "VkVSWVs0IGJ5dGVzIG1pc3NpbmddREFUQQ=="
+ payload_printable: "VERY[4 bytes missing]DATA"
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload: "VkVSWQ=="
+ payload_printable: "VERY"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEAQAqXgAAFZFUlk="
+ stream: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ payload: "REFUQQ=="
+ payload_printable: "DATA"
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAACgAAA+lQEAQAuYwAAERBVEE="
+ stream: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 7
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkt1 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 5)])
+pkt2 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 5)],window=4096)
+pkt3 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)
+pkt4 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=4096)
+pkt5 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=6,ack=1001,window=4096)/"GOOD"
+pkt6 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=10,ack=1001,window=4096)/"DATA"
+pkt7 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',ack=14,seq=1001,window=4096)
+
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+pkts += pkt4
+pkts += pkt5
+pkts += pkt6
+pkts += pkt7
+
+wrpcap('tcp-leading-gap.pcap', pkts)
--- /dev/null
+alert tcp-stream any any -> any any (content:"VERY"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+alert tcp-stream any any -> any any (content:"DATA"; sid:3;)
+
+alert tcp-pkt any any -> any any (content:"VERY"; sid:4;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:5;)
+alert tcp-pkt any any -> any any (content:"DATA"; sid:6;)
+
+alert tcp-stream any any -> any any (content:"VERYGOODDATA"; sid:7;)
--- /dev/null
+requires:
+ min-version: 8
+
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ payload_printable: "[4 bytes missing]GOODDATA"
+ stream: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ stream: 1
+ payload_printable: "[4 bytes missing]GOODDATA"
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ payload_printable: "GOOD"
+ stream: 0
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ payload_printable: "DATA"
+ stream: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 7
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
--- /dev/null
+alert http any any -> any any (http.method; content:"GET"; sid:1;)
+alert http any any -> any any (http.stat_msg; content:"OK"; sid:2;)
+alert http any any -> any any (frame:http1.response; content:"AAAA"; sid:3;)
+alert http any any -> any any (content:"AAAA"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: ../http-gap-beyond-body/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ payload_printable: "GET /1 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ payload_printable: "GET /1 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\nGET /2 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ payload_printable: "GET /1 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\nGET /2 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\nGET /3 HTTP/1.0\r\nUser-Agent: Mozilla\r\n\r\n"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTTP/1.0 200 OK\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\nHello People\r\n"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ payload_printable: "HTTP/1.0 200 OK\r\nDate: Mon, 31 Aug 2009 20:25:50 GMT\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\n[127 bytes missing]AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHTTP/1.0 200 OK\r\nServer: Apache\r\nConnection: close\r\nContent-Type: text/html\r\nContent-Length: 12\r\n\r\nHello People\r\n"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2