Bring previous Suricata unit tests in as suricata-verify tests.
Conversions mapping:
- detect-pcre-01: DetectPcreModifPTest04
- detect-pcre-02: DetectPcreModifPTest05
- detect-pcre-03: DetectPcreTestSig01-03
- detect-pcre-04: DetectPcreTestSig09-16
- detect-pcre-05: DetectPcreFlowvarCapture01-03
Task #6147
--- /dev/null
+# Test
+
+Test the pcre modifier P (match with L7 to http body data).
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted using Scapy based on buffers from the original unit tests.
+
--- /dev/null
+alert http any any -> any any (msg:"Pcre modifier P"; pcre:"/DOCTYPE/P"; sid:1;)
+alert http any any -> any any (msg:"Pcre modifier P - no match"; pcre:"/blah/P"; sid:2;)
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.1', Host='www.emergingthreats.net', User_Agent='Mozilla/1.0', Content_Type='text/html; charset=utf-8\r\n\r\n15\r\n<!DOCTYPE html PUBLIC')
+
+wrpcap('input.pcap', pkts)
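Review bot: `IPv6(dst='1.2.3.4', src='5.6.7.8')` on the packet line hands IPv4 dotted-quad literals to Scapy's IPv6 layer; Scapy cannot parse those as IPv6 addresses and, as far as I can tell, falls back to host-name resolution, so building the packet may fail or yield different addresses depending on the machine — use `IP(...)` as the detect-pcre-03 script does, or real IPv6 literals (e.g. constructed ones from the 2001:db8::/32 documentation range). The same construct is in the detect-pcre-04 and detect-pcre-05 scripts. `flags='P''A'` relies on implicit string-literal concatenation and `pkts += Ether(...)` on a Packet being iterable; `flags='PA'` and `pkts.append(...)` say the same thing plainly (all four scripts). The HTTP body is smuggled in through the `Content_Type` value (`...\r\n\r\n15\r\n<!DOCTYPE ...`), and the `15\r\n` chunk-size line has no `Transfer-Encoding: chunked` header to go with it, so the parser presumably sees it as plain body bytes; appending the body as a Raw payload after `HTTPRequest(...)` would make the intent visible, and the same trick appears in detect-pcre-05 (`Content_Type='Apache<!DOCTYPE html PUBLIC'`).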
--- /dev/null
+# Test
+
+Test the pcre modifier P (match with L7 to http body data) over fragmented
+chunks (DOCTYPE fragmented).
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted based on the original unittest being converted to SV test, using
+the [htptopcap.py](https://github.com/OISF/suricata-verify/blob/master/tests/engine-state/htptopcap.py)
+libhtp script to convert the writepcap.t script into a pcap.
--- /dev/null
+alert http any any -> any any (msg:"Pcre modifier P"; pcre:"/DOC/P"; sid:1;)
+alert http any any -> any any (msg:"Pcre modifier P"; pcre:"/DOCTYPE/P"; sid:2;)
--- /dev/null
+args:
+- --set stream.midstream=true
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
--- /dev/null
+>>>
+GET / HTTP/1.1
+Host: www.emergingthreats.net
+User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13
+Content-Type: text/html; charset=utf-8
+Content-Length: 21
+
+<!DOC
+
+>>>
+<!DOCTYPE html PUBLIC
+
+<<<
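Review bot: `Content-Length: 21` does not match what the two `>>>` chunks deliver: `<!DOC` plus `<!DOCTYPE html PUBLIC` is already 26 bytes before any line endings the converter keeps, so libhtp will most likely end the request body after 21 bytes and treat the rest as the start of a new request. The checks still pass because `DOCTYPE` falls inside the first 21 body bytes, but the fixture then exercises less of the second chunk than it appears to; `Content-Length: 26` (or whatever byte count the converter really produces) would make the fragmentation test cover the whole second chunk. Whether htptopcap.py strips the blank lines between chunks is not visible here, so the exact count needs confirming.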
--- /dev/null
+# Tests
+
+Tests pcre modifiers, originally from Suricata unit tests, converted to SV.
+
+Signature 3 - Real negation test ! outside of "" this sig should not match.
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted with scapy, based on buffers from the unit test.
--- /dev/null
+alert tcp any any -> any any (msg:"HTTP TEST"; pcre:"/^gEt/i"; pcre:"/\/two\//U"; pcre:"/GET \/two\//"; pcre:"/\s+HTTP/R"; sid:1;)
+alert tcp any any -> any any (msg:"HTTP TEST"; pcre:"/two/O"; sid:2;)
+alert tcp any any -> any any (msg:"HTTP TEST. Negated pcre - no match"; content:"GET"; pcre:!"/two/"; sid:3;)
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+# Test
+
+Check that Suricata properly matches on signatures with method or cookie
+modifiers passed to pcre, including cases with negated pcre and relative
+modifiers.
+
+This test is based on Suricata unit tests adapted to SV.
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted with Scapy based on buffers present in the original unit tests.
--- /dev/null
+alert http any any -> any any (msg:"HTTP cookie"; pcre:"/dummy/C"; sid:1;)
+alert http any any -> any any (msg:"HTTP cookie"; pcre:!"/dummy/C"; sid:2;)
+alert http any any -> any any (msg:"HTTP method"; pcre:"/POST/M"; sid:3;)
+alert http any any -> any any (msg:"HTTP method"; pcre:!"/POST/M"; sid:4;)
+alert http any any -> any any (msg:"pcre relative HTTP cookie"; content:"dummy"; http_cookie; pcre:"/1234/RC"; sid:5;)
+alert http any any -> any any (msg:"pcre relative HTTP method"; content:"PO"; http_method; pcre:"/ST/RM"; sid:6;)
+alert http any any -> any any (msg:"HTTP header"; pcre:"/User[-_]Agent[:]?\sMozilla/H"; sid:7;)
+alert http any any -> any any (msg:"HTTP header"; pcre:"/User-Agent[:]?\s+Mozilla/H"; sid:8;)
+alert http any any -> any any (msg:"HTTP header"; pcre:!"/User[-_]Agent[:]?\sIEXPLORER/H"; sid:9;)
+alert http any any -> any any (msg:"HTTP header - no match"; pcre:!"/User[-_]Agent[:]?\sMozil/H"; sid:10;)
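Review bot: sids 1/2, 3/4 and 7/8/9 reuse an identical `msg` ("HTTP cookie", "HTTP method", "HTTP header"), so an eve alert cannot be told apart without reading `alert.signature_id`; only sid 10 follows the `- no match` convention. Giving each the distinguishing detail, e.g. `msg:"HTTP cookie - negated"` for sid 2 and `msg:"HTTP method - negated"` for sid 4, costs nothing and makes a failing check readable in the verify output. The same applies to sids 1 and 2 in detect-pcre-03, which both carry `msg:"HTTP TEST"`.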
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ http.http_method: "GET"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 10
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='POST', Path=' / ', Http_Version='HTTP/1.0', User_Agent='Mozilla', Cookie='dummy 1234')
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=93, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.0', User_Agent='Mozilla', Cookie='dummoOOooooO')
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+# Test
+
+Test flowvar capture on http buffer, based on a Suricata unit test and adapted
+to SV.
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted with Scapy with buffers based on the ones from the unit tests.
--- /dev/null
+alert http any any -> any any (content:"User-Agent: "; http_header; pcre:"/(?P<flow_ua>.*)\r\n/HR"; priority:1; sid:1;)
+alert http any any -> any any (content:"User-Agent: "; http_header; pcre:"/(?P<flow_ua>.*)\r\n/HR"; sid:2;)
+alert http any any -> any any (content:"Server: "; http_header; pcre:"/(?P<flow_ua>.*)\r\n/HR"; priority:3; sid:3;)
+# Shouldn't match
+alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P<flow_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:4;)
+alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P<flow_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:5;)
--- /dev/null
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.1', Host='www.emergingthreats.net', User_Agent='Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13', Accept='text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8', Accept_Language='es-es,es;q=0.8,en-us;q=0.5,en;q=0.3', Accept_Encoding='gzip,deflate', Accept_Charset='ISO-8859-1,utf-8;q=0.7,*;q=0.7', Content_Type='Apache<!DOCTYPE html PUBLIC')
+
+wrpcap('input.pcap', pkts)
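Review bot: This script emits a single request packet, yet the accompanying test.yaml expects two `flow` events (`count: 2` under `event_type: flow`) and one alert for sid 3, whose `content:"Server: "; http_header` has nothing to match in the visible GET — no `Server:` header is set and there is no reply. One packet can only produce one flow, so either `input.pcap` was generated from a different version of this script (a second packet, presumably a response carrying the `Server:` header) or the checks are wrong; since the script is meant to be the reproducible source of the pcap, the missing packet belongs here. The `Content_Type='Apache<!DOCTYPE html PUBLIC'` value also reads like a fragment of the original unit test's response buffer rather than a request header, which points the same way.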