tests: add test for bug 5197 898/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Mon, 21 Mar 2022 13:33:02 +0000 (19:03 +0530)
committerVictor Julien <victor@inliniac.net>
Fri, 29 Jul 2022 11:23:14 +0000 (13:23 +0200)
tests/bug-5197/README.md [new file with mode: 0644]
tests/bug-5197/input.pcap [new file with mode: 0644]
tests/bug-5197/test.rules [new file with mode: 0644]
tests/bug-5197/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-5197/README.md b/tests/bug-5197/README.md
new file mode 100644 (file)
index 0000000..082e66e
--- /dev/null
@@ -0,0 +1,12 @@
+Description
+===========
+This test is to demonstrate Redmine bug 5197.
+`fast_pattern` assignment of specific content results in false negatives.
+For the PCAP used in this test, sid:1 and sid:2 are the exact same rules except for an explicit
+`fast_pattern` keyword in sid:2. But, only sid:1 fires.
+Another issue that can be seen is that changing the position of `fast_pattern` can also result
+in some false negatives. sid:3 and sid:6 are such examples. Only sid:6 fires in this case.
+
+PCAP
+====
+PCAP comes from the Redmine ticket https://redmine.openinfosecfoundation.org/issues/5197
diff --git a/tests/bug-5197/input.pcap b/tests/bug-5197/input.pcap
new file mode 100644 (file)
index 0000000..2ef665c
Binary files /dev/null and b/tests/bug-5197/input.pcap differ
diff --git a/tests/bug-5197/test.rules b/tests/bug-5197/test.rules
new file mode 100644 (file)
index 0000000..9ffb84e
--- /dev/null
@@ -0,0 +1,7 @@
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:1;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; fast_pattern; sid:2;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; fast_pattern; content:"456789"; distance:2; within:6; sid:3;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; fast_pattern; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:4;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0; fast_pattern; content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:5;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; content:"1"; distance:1; within:1; fast_pattern; content:"|00 00 10 00 01|"; distance:0;  content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:6;)
+alert dns any any -> $HOME_NET any (content:"|00 01 00 01 00 00 00 00|"; offset:4; depth:8; fast_pattern; content:"1"; distance:1; within:1; content:"|00 00 10 00 01|"; distance:0;  content:"|00 10 00 01 00 00 00 01|"; distance:2; within:8; content:"1"; distance:3; within:1; content:"456789"; distance:2; within:6; sid:7;)
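Review bot: None of the seven rules carries a `msg:` or `rev:`, so the EVE alerts that test.yaml keys on will have an empty `alert.signature`, and a failing run shows only a bare sid with no hint of which fast_pattern placement it exercises; something like `msg:"bug 5197 fast_pattern on 456789"; sid:2; rev:1;` on each rule would document the intent at no cost. The rules also match `-> $HOME_NET`, which ties the test to the suite's default HOME_NET covering the DNS client address in input.pcap; since the bug is about fast_pattern selection rather than address groups, `alert dns any any -> any any` would remove that dependency (I cannot see the pcap, so whether the default already covers it is unverified). Lines sid:6 and sid:7 have a double space after `distance:0;` that the other five rules do not.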
diff --git a/tests/bug-5197/test.yaml b/tests/bug-5197/test.yaml
new file mode 100644 (file)
index 0000000..f194e77
--- /dev/null
@@ -0,0 +1,49 @@
+args:
+- -k none
+- --set mpm-algo=ac
+- --set spm-algo=bm
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: dns
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 7
+- filter:
+    count: 1
+    match:
+      event_type: flow
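Review bot: The checks assert one alert per sid but never bound the total, so a regression that makes a rule fire twice, or an extra alert on the second DNS record, would still pass; add `- filter: {count: 7, match: {event_type: alert}}` next to the per-sid filters. The `--set mpm-algo=ac` and `--set spm-algo=bm` args pin the matchers without saying why; if the false negative from the ticket only reproduces with these engines, a comment such as `# pin ac/bm: bug 5197 reproduces with these matchers` keeps a later cleanup from dropping them, and if it reproduces with the defaults they could be dropped now. Because the expectations encode the fixed behavior (all seven sids fire, whereas the README describes only sid:1 and sid:6 firing), a `requires:` block with the first fixed `min-version` would be needed if this suite runs against branches without the fix — whether it was backported is not visible here.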