detect-bytetest: add tests

Task: 4911

diff --git a/tests/detect-bytetest-01/test.yaml b/tests/detect-bytetest-01/test.yaml
index 2f5c8ec25854fe01b390d86dc677d591d7ba6765..15c83aecb07913d7c8f18221c3a06ed7a988aa30 100644 (file)
--- a/tests/detect-bytetest-01/test.yaml
+++ b/tests/detect-bytetest-01/test.yaml
@@ -1,5 +1,5 @@
 requires:
-    version: 6.0.0
+  min-version: 6.0
 
 args:
  - -k none

diff --git a/tests/detect-bytetest-02/README.md b/tests/detect-bytetest-02/README.md
new file mode 100644 (file)
index 0000000..bfcdcef
--- /dev/null
+++ b/tests/detect-bytetest-02/README.md
@@ -0,0 +1,3 @@
+Test the byte_test signature matching with operators 
+
+Test to check matches of byte_test and byte_test relative works based on the previous keyword

diff --git a/tests/detect-bytetest-02/input.pcap b/tests/detect-bytetest-02/input.pcap
new file mode 100644 (file)
index 0000000..c5e52dd
Binary files /dev/null and b/tests/detect-bytetest-02/input.pcap differ

diff --git a/tests/detect-bytetest-02/test.rules b/tests/detect-bytetest-02/test.rules
new file mode 100644 (file)
index 0000000..547dbc4
--- /dev/null
+++ b/tests/detect-bytetest-02/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"pcre + byte_test + relative"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_test:1,=,1,6,relative,string,dec; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,dec; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test"; byte_test:1,=,65,214748364; sid:3; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,<=,0,0,relative,string,dec; sid:4; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,>=,0,0,relative,string,dec; sid:5; rev:1;)

diff --git a/tests/detect-bytetest-02/test.yaml b/tests/detect-bytetest-02/test.yaml
new file mode 100644 (file)
index 0000000..2a965f1
--- /dev/null
+++ b/tests/detect-bytetest-02/test.yaml
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 5

diff --git a/tests/detect-bytetest-02/writepcap.py b/tests/detect-bytetest-02/writepcap.py
new file mode 100644 (file)
index 0000000..1b4e9bc
--- /dev/null
+++ b/tests/detect-bytetest-02/writepcap.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path='/AllWorkAndNoPlayMakesWillADullBoy', Http_Version='HTTP/1.0', User_Agent='Wget/1.11.4', Accept='*/*', Host='www.google.com', Connection='Keep-Alive', Date='Mon, 04 Jan 2010 17:29:39 GMT')
+
+wrpcap('input.pcap', pkts)

diff --git a/tests/detect-bytetest-03/README.md b/tests/detect-bytetest-03/README.md
new file mode 100644 (file)
index 0000000..d3840a2
--- /dev/null
+++ b/tests/detect-bytetest-03/README.md
@@ -0,0 +1 @@
+Simple dns match on first byte

diff --git a/tests/detect-bytetest-03/input.pcap b/tests/detect-bytetest-03/input.pcap
new file mode 100644 (file)
index 0000000..186aebd
Binary files /dev/null and b/tests/detect-bytetest-03/input.pcap differ

diff --git a/tests/detect-bytetest-03/test.rules b/tests/detect-bytetest-03/test.rules
new file mode 100644 (file)
index 0000000..2cb555b
--- /dev/null
+++ b/tests/detect-bytetest-03/test.rules
@@ -0,0 +1,3 @@
+alert dns any any -> any any (msg:"Byte test against first byte"; byte_test:1,=,0x07,0,bitmask 0xF8; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; byte_test:1,=,0x07,0,bitmask 0xFF; sid:2;)
+alert dns any any -> any any (msg:"Test dns_query option"; byte_test:3,=,0x01,0,bitmask 0xFF; sid:3;)

diff --git a/tests/detect-bytetest-03/test.yaml b/tests/detect-bytetest-03/test.yaml
new file mode 100644 (file)
index 0000000..cacd0d2
--- /dev/null
+++ b/tests/detect-bytetest-03/test.yaml
@@ -0,0 +1,34 @@
+requires:
+  min-version: 6.0
+
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: dns
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3

diff --git a/tests/detect-bytetest-03/writepcap.py b/tests/detect-bytetest-03/writepcap.py
new file mode 100644 (file)
index 0000000..e28cb68
--- /dev/null
+++ b/tests/detect-bytetest-03/writepcap.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = ('\x38\x35\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00')
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/Raw(load=data)
+
+wrpcap('input.pcap', pkts)