]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f2de32f)
Add tests for smb/dcerpc missing alert
authorShivani Bhardwaj <shivanib134@gmail.com>
Fri, 25 Mar 2022 10:29:09 +0000 (15:59 +0530)
committerVictor Julien <victor@inliniac.net>
Mon, 13 Jun 2022 06:12:24 +0000 (08:12 +0200)
tests/dcerpc-smb-fail/README.md [new file with mode: 0644] patch | blob
tests/dcerpc-smb-fail/input.pcap [new file with mode: 0644] patch | blob
tests/dcerpc-smb-fail/test.rules [new file with mode: 0644] patch | blob
tests/dcerpc-smb-fail/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/dcerpc-smb-fail/README.md b/tests/dcerpc-smb-fail/README.md
new file mode 100644 (file)
index 0000000..d8a3e55
--- /dev/null
+++ b/tests/dcerpc-smb-fail/README.md
@@ -0,0 +1,12 @@
+Description
+===========
+Out of the 3 rules present in the test, only sid:1 alerts on all versions,
+sid:2 alerts on master and master-6.0.x, sid:3 does not alert on any branch.
+
+PCAP
+====
+PCAP comes from https://redmine.openinfosecfoundation.org/issues/5162
+
+Reporter
+========
+Brandon Murphy @ ET Labs
diff --git a/tests/dcerpc-smb-fail/input.pcap b/tests/dcerpc-smb-fail/input.pcap
new file mode 100644 (file)
index 0000000..9da7d7f
Binary files /dev/null and b/tests/dcerpc-smb-fail/input.pcap differ
diff --git a/tests/dcerpc-smb-fail/test.rules b/tests/dcerpc-smb-fail/test.rules
new file mode 100644 (file)
index 0000000..50b526d
--- /dev/null
+++ b/tests/dcerpc-smb-fail/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any 445 (flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; within:32; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; distance:6; within:12; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|03 00 00 00|"; distance:10; within:4; sid:1;)
+alert smb any any -> any any (msg:"test"; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:12; dcerpc.stub_data; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; within:32; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; distance:6; within:12; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|03 00 00 00|"; distance:10; within:4; sid:2;)
+# sid:3 Should fire but doesn't acc to https://redmine.openinfosecfoundation.org/issues/5208
+alert dcerpc any any -> any any (msg:"ET POLICY DCERPC  SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:3; rev:1;)
diff --git a/tests/dcerpc-smb-fail/test.yaml b/tests/dcerpc-smb-fail/test.yaml
new file mode 100644 (file)
index 0000000..ef1c917
--- /dev/null
+++ b/tests/dcerpc-smb-fail/test.yaml
@@ -0,0 +1,39 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1445
+    match:
+      event_type: dcerpc
+- filter:
+    count: 22
+    match:
+      event_type: smb
+- filter:
+    count: 4
+    match:
+      event_type: dns
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 11
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
Mirror of https://github.com/OISF/suricata-verify.git