--- /dev/null
+Test
+====
+
+Tests a case where path traversal is sent as a path string in the HTTP URL and
+normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
--- /dev/null
+alert http any any -> any any (msg:"Former HttpUriTest01"; http.method; content:"GET"; sid:1;)
+alert tcp any any -> any any (msg:"Check hostname"; http.host; content:"www.example.com"; sid:2;)
+alert http any any -> any any (msg:"Check http.uri"; http.uri; content:"/images.gif"; sid:3;)
+alert tcp any any -> any any (msg:"Check uricontent"; uricontent:"images.gif"; sid:4;)
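Review bot: sid:2 and sid:4 are written with `alert tcp` while sid:1 and sid:3 in the same file use `alert http`, and the rule files for the three sibling tests use `alert http` for the identical http.host check. Both forms fire here because the match is driven by app-layer detection either way, but the mixed protocol header obscures which layer the test is meant to exercise. For consistency with the other files: `alert http any any -> any any (msg:"Check hostname"; http.host; content:"www.example.com"; sid:2;)`. If sid:4 deliberately keeps `alert tcp` with the legacy `uricontent` keyword to cover that form, a one-line comment in the file saying so would make the intent clear.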
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
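Review bot: sid:4 is declared in the accompanying rules file but this test.yaml has no filter for it, so a regression in the traversal normalization that `uricontent:"images.gif"` depends on would go unnoticed; the test.yaml files for the other three cases check all four sids. The expected count is presumably 1, matching sid:3 on the same normalized URI, but that should be confirmed by running the test before committing the expectation. The added filter can go alongside the existing alert filters.
```yaml
# … unchanged: args and filters for sid 1–3 …
- filter:
    count: 1
    match:
      event_type: alert
      alert.signature_id: 4
# … unchanged: http and flow filters …
```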
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80, flags='P''A')/"GET /../../images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
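Review bot: `flags='P''A'` relies on implicit adjacent-string concatenation and reads like a typo for a missing comma or operator; the same form appears in the generator scripts at L112, L186 and L246. Writing it as `flags='PA'` is equivalent and unambiguous. These scripts are the only record of how the pcaps were produced, so a short module comment stating the request line each one emits (for example `# single midstream PSH/ACK carrying "GET /../../images.gif" to exercise URI normalization`) would let a reader verify the pcap against its README without opening it.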
--- /dev/null
+Test
+====
+
+Tests a case where path traversal is sent in special characters in HEX coding in
+the HTTP URL and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
--- /dev/null
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /%2e%2e/images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test
+====
+
+Tests a case where the NULL character is sent in HEX coding in the HTTP URL and
+normalized path string is checked.
+
+Behavior
+========
+
+The null character will lead to no http traffic being recognzied by the stream,
+and therefore no rule matching on HTTP traffic will be triggered. We have a
+single simple TCP rule to confirm that Suricata indeed sees the stream and is
+generating alerts.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
--- /dev/null
+alert http any any -> any any (msg:"Former HttpUriTest03"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
+alert tcp any any -> any any (msg:"Test uricontent"; sid:5;)
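Review bot: sid:5 reuses the message "Test uricontent" from sid:3 even though it carries no uricontent match; it is the catch-all TCP rule the README describes as confirming that the stream is seen at all. A duplicated msg makes the alert output of this test ambiguous when read by hand. Suggest `alert tcp any any -> any any (msg:"Catch-all TCP, stream seen"; sid:5;)`.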
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
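Review bot: the filter for sid:5 expects `count: 2` from a pcap that contains a single packet, and nothing in the file explains where the second alert comes from. It is plausibly one alert from packet inspection and one from reassembled-stream inspection under `stream.midstream=true`, but that is an inference and should be confirmed. A comment on that filter, such as `# sid 5 has no content match; two alerts from the single packet are expected - TODO confirm which inspection passes produce them`, would stop the next maintainer from "fixing" the count to 1.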
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET%00 /images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test
+====
+
+Tests a case where a self referencing directory request is sent in the HTTP URL
+and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
--- /dev/null
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
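Review bot: sid:1's message "Former HttpUriTest02" is copied from the second test in this series; the third test's file uses "HttpUriTest03", so this one presumably should read `alert http any any -> any any (msg:"Former HttpUriTest04"; http.method; content:"GET"; sid:1;)`. With the duplicated name, an alert from this test cannot be told apart from test 2's in eve output.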
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /./././images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)