From: Andreas Herz Date: Mon, 1 Jul 2019 20:21:31 +0000 (+0200) Subject: tests: add mix of byte_extract tests X-Git-Tag: suricata-6.0.4~360 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=002009b8fe8e911887703146ee4d353486cd3dc2;p=thirdparty%2Fsuricata-verify.git tests: add mix of byte_extract tests
---
diff --git a/tests/byte-extract-01/README.md b/tests/byte-extract-01/README.md
new file mode 100644
index 000000000..4a8763f86
--- /dev/null
+++ b/tests/byte-extract-01/README.md
@@ -0,0 +1,4 @@
+# test byte_extract cases
+
+This test covers different byte_extract cases. The rules and the pcap are taken
+from https://redmine.openinfosecfoundation.org/issues/3047
diff --git a/tests/byte-extract-01/input.pcap b/tests/byte-extract-01/input.pcap
new file mode 100644
index 000000000..274449d64
Binary files /dev/null and b/tests/byte-extract-01/input.pcap differ
diff --git a/tests/byte-extract-01/test.rules b/tests/byte-extract-01/test.rules
new file mode 100644
index 000000000..c24f031a9
--- /dev/null
+++ b/tests/byte-extract-01/test.rules
@@ -0,0 +1,10 @@
+alert tcp-pkt any any -> any any (msg:"byte extract test 1"; byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1; sid:1; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 2"; byte_extract:1,2,two2,string,dec; content:"|33 34|"; offset:8; depth:two2; sid:2; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 3"; byte_extract:1,2,two3,string,dec; byte_extract:1,5,eight,string,dec; content:"|33 34|"; offset:eight; depth:two3; sid:3; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 4"; byte_extract:1,3,sixd1,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd1; sid:4; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 5"; byte_extract:1,2,twow,string,dec; byte_extract:1,3,sixd2,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd2; within:twow; sid: 5; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 6"; content:"|31 30|"; byte_extract:1,6,three1,relative,string,dec; content:"|36 10|"; offset:three1; depth:2; sid:6; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 7"; byte_extract:1,2,dectwo1,string,dec; content:"|32|"; offset:dectwo1; depth:1; sid:7; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 8"; byte_extract:1,2,dectwo2,string,dec; content:"|32|"; offset:dectwo2; sid:8; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 9"; byte_extract:1,4,hexten; byte_extract:1,0,decone,string,dec; content:"|66|"; offset:hexten; depth:decone; sid:9; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 10"; byte_extract:1,4,two4; content:"|31|"; depth:1; content:"|2e|"; distance:two4; within:1; sid:10; rev:1;)
diff --git a/tests/byte-extract-01/test.yaml b/tests/byte-extract-01/test.yaml
new file mode 100644
index 000000000..e0f207b63
--- /dev/null
+++ b/tests/byte-extract-01/test.yaml
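Review bot: Nothing in test.rules records what the packet payload looks like, so the extracted variables (two1, eight, sixd1, hexten, decone …) can only be understood by opening input.pcap; a header comment such as `# Regression rules from redmine #3047: each byte_extract reads a value out of the payload (ASCII decimal via string,dec; a raw byte for hexten/two4) and feeds it into offset/depth/distance/within.` would make the fixture reviewable on its own. The variable names suggest the expected values (two, eight, six, ten), but that is inferred from the names, so the comment should spell out the actual payload bytes once checked against the pcap. Separately, sid 5 is written `sid: 5;` while every other rule uses `sid:N;`; the test expecting an alert for it implies the parser tolerates the space, but `sid:5;` keeps the fixture consistent and avoids a needless oddity in a regression test.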
@@ -0,0 +1,58 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
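Review bot: The checks only assert that each of the ten sids fires exactly once; nothing asserts that no other alerts are produced, and none of the rules is a negative control, so a regression in which the extracted value is ignored would presumably still satisfy several filters (sid 8, for instance, has only `offset:dectwo2` and no depth, and a content that matches anywhere still yields one alert). A closing filter on the total, `- filter: {count: 10, match: {event_type: alert}}`, plus one or two rules whose extracted offset/depth deliberately misses the content (asserted with `count: 0`) would let the fixture catch over-matching as well as under-matching. Also, `-k none` disables checksum verification without saying why; a comment like `# -k none: the crafted pcap from redmine #3047 does not carry valid checksums` would help, once that is confirmed against the capture.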