tests/reference; Tests for reference inclusion

Issue: 4974

Positive and negative tests for reference inclusion in alerts.

Additionally, reference-04 tests that a scheme provided with
a reference is used in place of the key.

diff --git a/tests/reference-01/suricata.yaml b/tests/reference-01/suricata.yaml
new file mode 100644 (file)
index 0000000..d965bfe
--- /dev/null
+++ b/tests/reference-01/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            metadata:
+              rule:
+                reference: yes

diff --git a/tests/reference-01/test.rules b/tests/reference-01/test.rules
new file mode 100644 (file)
index 0000000..65f476f
--- /dev/null
+++ b/tests/reference-01/test.rules
@@ -0,0 +1,2 @@
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;)
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;)

diff --git a/tests/reference-01/test.yaml b/tests/reference-01/test.yaml
new file mode 100644 (file)
index 0000000..8745bce
--- /dev/null
+++ b/tests/reference-01/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+args:
+ - -k none
+
+pcap: ../dcerpc/zerologon/input.pcap
+
+checks:
+  - filter:
+      count: 21
+      match:
+        event_type: alert
+        alert.signature_id: 20166330
+        alert.references: ["https://github.com/corelight/zerologon"]
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 20166331
+        alert.references: ["https://github.com/corelight/zerologon"]

diff --git a/tests/reference-02/suricata.yaml b/tests/reference-02/suricata.yaml
new file mode 100644 (file)
index 0000000..5aaf02a
--- /dev/null
+++ b/tests/reference-02/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            reference: no

diff --git a/tests/reference-02/test.rules b/tests/reference-02/test.rules
new file mode 100644 (file)
index 0000000..65f476f
--- /dev/null
+++ b/tests/reference-02/test.rules
@@ -0,0 +1,2 @@
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;)
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;)

diff --git a/tests/reference-02/test.yaml b/tests/reference-02/test.yaml
new file mode 100644 (file)
index 0000000..8d90376
--- /dev/null
+++ b/tests/reference-02/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+pcap: ../dcerpc/zerologon/input.pcap
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 21
+      match:
+        event_type: alert
+        alert.signature_id: 20166330
+        not-has-key: alert.references
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 20166331
+        not-has-key: alert.references

diff --git a/tests/reference-03/suricata.yaml b/tests/reference-03/suricata.yaml
new file mode 100644 (file)
index 0000000..d965bfe
--- /dev/null
+++ b/tests/reference-03/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            metadata:
+              rule:
+                reference: yes

diff --git a/tests/reference-03/test.rules b/tests/reference-03/test.rules
new file mode 100644 (file)
index 0000000..addef56
--- /dev/null
+++ b/tests/reference-03/test.rules
@@ -0,0 +1,2 @@
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:cve,2014-0160; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;)
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith;reference:cve,2014-0160; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;)

diff --git a/tests/reference-03/test.yaml b/tests/reference-03/test.yaml
new file mode 100644 (file)
index 0000000..0789700
--- /dev/null
+++ b/tests/reference-03/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+args:
+ - -k none
+
+pcap: ../dcerpc/zerologon/input.pcap
+
+checks:
+  - filter:
+      count: 21
+      match:
+        event_type: alert
+        alert.signature_id: 20166330
+        alert.references: ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0160","https://github.com/corelight/zerologon"]
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 20166331
+        alert.references: ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0160","https://github.com/corelight/zerologon"]

diff --git a/tests/reference-04/suricata.yaml b/tests/reference-04/suricata.yaml
new file mode 100644 (file)
index 0000000..d965bfe
--- /dev/null
+++ b/tests/reference-04/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            metadata:
+              rule:
+                reference: yes

diff --git a/tests/reference-04/test.rules b/tests/reference-04/test.rules
new file mode 100644 (file)
index 0000000..f0a9b1c
--- /dev/null
+++ b/tests/reference-04/test.rules
@@ -0,0 +1,2 @@
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,foobar://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;)
+alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; endswith; reference:url,foobar://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;)

diff --git a/tests/reference-04/test.yaml b/tests/reference-04/test.yaml
new file mode 100644 (file)
index 0000000..60fbfc4
--- /dev/null
+++ b/tests/reference-04/test.yaml
@@ -0,0 +1,21 @@
+requires:
+  min-version: 8
+
+args:
+ - -k none
+
+pcap: ../dcerpc/zerologon/input.pcap
+
+checks:
+  - filter:
+      count: 21
+      match:
+        event_type: alert
+        alert.signature_id: 20166330
+        alert.references: ["foobar://github.com/corelight/zerologon"]
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 20166331
+        alert.references: ["foobar://github.com/corelight/zerologon"]