tests: add stream_size prefilter tests

author Victor Julien <victor@inliniac.net>

Fri, 7 Jun 2024 12:44:29 +0000 (14:44 +0200)

committer Victor Julien <victor@inliniac.net>

Tue, 18 Jun 2024 19:09:00 +0000 (21:09 +0200)
author Victor Julien <victor@inliniac.net>
Fri, 7 Jun 2024 12:44:29 +0000 (14:44 +0200)
committer Victor Julien <victor@inliniac.net>
Tue, 18 Jun 2024 19:09:00 +0000 (21:09 +0200)
diff --git a/tests/streamsize-keyword-02-prefilter/README.md b/tests/streamsize-keyword-02-prefilter/README.md

new file mode 100644 (file)

index 0000000..223cab4
--- /dev/null
+++ b/tests/streamsize-keyword-02-prefilter/README.md
@@ -0,0 +1,3 @@
+# Description
+
+Test stream_size keyword as prefilter.
diff --git a/tests/streamsize-keyword-02-prefilter/test.rules b/tests/streamsize-keyword-02-prefilter/test.rules

new file mode 100644 (file)

index 0000000..32f6728
--- /dev/null
+++ b/tests/streamsize-keyword-02-prefilter/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flow:established,to_server; stream_size:server,<,1111; prefilter; content: "EICAR"; sid:1234;)
diff --git a/tests/streamsize-keyword-02-prefilter/test.yaml b/tests/streamsize-keyword-02-prefilter/test.yaml

new file mode 100644 (file)

index 0000000..51198b2
--- /dev/null
+++ b/tests/streamsize-keyword-02-prefilter/test.yaml
@@ -0,0 +1,15 @@
+pcap: ../smb-eicar-file/input.pcap
+
+requires:
+  min-version: 7
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1234
diff --git a/tests/streamsize-keyword-03-prefilter-pseudo/README.md b/tests/streamsize-keyword-03-prefilter-pseudo/README.md

new file mode 100644 (file)

index 0000000..cf3748a
--- /dev/null
+++ b/tests/streamsize-keyword-03-prefilter-pseudo/README.md
@@ -0,0 +1,4 @@
+# Description
+
+Test stream_size keyword as prefilter on timeout packet
+
diff --git a/tests/streamsize-keyword-03-prefilter-pseudo/test.rules b/tests/streamsize-keyword-03-prefilter-pseudo/test.rules

new file mode 100644 (file)

index 0000000..222bc95
--- /dev/null
+++ b/tests/streamsize-keyword-03-prefilter-pseudo/test.rules
@@ -0,0 +1,2 @@
+alert tls any any -> any any (msg:"SERVER HELLO DATA - to_client"; flow:established,to_client; tls.random; content:"|54 b8 f7 73|"; bsize:>1; stream_size:server,>,1111; prefilter; sid:1234;)
+
diff --git a/tests/streamsize-keyword-03-prefilter-pseudo/test.yaml b/tests/streamsize-keyword-03-prefilter-pseudo/test.yaml

new file mode 100644 (file)

index 0000000..64fdc1d
--- /dev/null
+++ b/tests/streamsize-keyword-03-prefilter-pseudo/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../tls/tls-random-6989/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1234
author	Victor Julien <victor@inliniac.net>
	Fri, 7 Jun 2024 12:44:29 +0000 (14:44 +0200)
committer	Victor Julien <victor@inliniac.net>
	Tue, 18 Jun 2024 19:09:00 +0000 (21:09 +0200)
tests/streamsize-keyword-02-prefilter/README.md	[new file with mode: 0644]	patch \| blob
tests/streamsize-keyword-02-prefilter/test.rules	[new file with mode: 0644]	patch \| blob
tests/streamsize-keyword-02-prefilter/test.yaml	[new file with mode: 0644]	patch \| blob
tests/streamsize-keyword-03-prefilter-pseudo/README.md	[new file with mode: 0644]	patch \| blob
tests/streamsize-keyword-03-prefilter-pseudo/test.rules	[new file with mode: 0644]	patch \| blob
tests/streamsize-keyword-03-prefilter-pseudo/test.yaml	[new file with mode: 0644]	patch \| blob