From: Shivani Bhardwaj
Date: Wed, 27 Jul 2022 05:18:50 +0000 (+0530)
Subject: tls: add test for tls.random keyword
X-Git-Tag: suricata-6.0.8~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03898454f4f0252822e10a7c555f44ef51fc5435;p=thirdparty%2Fsuricata-verify.git

tls: add test for tls.random keyword
---
diff --git a/tests/tls-random/README b/tests/tls-random/README
new file mode 100644
index 000000000..c85986c63
--- /dev/null
+++ b/tests/tls-random/README
@@ -0,0 +1,16 @@
+Description
+===========
+Add a `tls.random` keyword which is a sticky buffer and matches on 32 bytes TLS `random` field.
+Add a `tls.random_time` keyword which is a sticky buffer and matches on the first 4 bytes of
+the TLS `random` field.
+Add a `tls.random_bytes` keyword which is a sticky buffer and matches on the last 28 bytes of
+the TLS `random` field.
+
+
+PCAP
+====
+PCAP comes from an [existing TLS test](https://github.com/OISF/suricata-verify/blob/master/tests/tls/tls.pcap)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5190
diff --git a/tests/tls-random/input.pcap b/tests/tls-random/input.pcap
new file mode 100644
index 000000000..e2c6189e6
Binary files /dev/null and b/tests/tls-random/input.pcap differ
diff --git a/tests/tls-random/test.rules b/tests/tls-random/test.rules
new file mode 100644
index 000000000..0b82f2c07
--- /dev/null
+++ b/tests/tls-random/test.rules
@@ -0,0 +1,7 @@
+alert tls any any -> any any (msg:"Test tls.random option CLIENT HELLO"; tls.random; content:"|94 2d 1f ef 57 5d 77 02 07 c2 9d be 24 01 cc f0 5d cd e1 d2 a5 86 9c 4a 3e ee 38 db 55 1a d9 bc|"; sid:1;)
+alert tls any any -> any any (msg:"Test tls.random option SERVER HELLO"; tls.random; content:"|54 f9 fc 15 77 e4 33 d3 2d a8 2e 9d 38 89 7d 5a 26 28 bf b0 98 51 da d9 bd 03 f8 af a2 09 a4 f0|"; sid:2;)
+alert tls any any -> any any (msg:"Test tls.random_time option CLIENT HELLO"; tls.random_time; content:"|94 2d 1f ef|"; sid:3;)
+alert tls any any -> any any (msg:"Test tls.random_time option SERVER HELLO"; tls.random_time; content:"|54 f9 fc 15|"; sid:4;)
+alert tls any any -> any any (msg:"Test tls.random_data option CLIENT HELLO"; tls.random_bytes; content:"|57 5d 77 02 07 c2 9d be 24 01 cc f0 5d cd e1 d2 a5 86 9c 4a 3e ee 38 db 55 1a d9 bc|"; sid:5;)
+alert tls any any -> any any (msg:"Test tls.random_data option SERVER HELLO"; tls.random_bytes; content:"|77 e4 33 d3 2d a8 2e 9d 38 89 7d 5a 26 28 bf b0 98 51 da d9 bd 03 f8 af a2 09 a4 f0|"; sid:6;)
+
diff --git a/tests/tls-random/test.yaml b/tests/tls-random/test.yaml
new file mode 100644
index 000000000..f441c18e4
--- /dev/null
+++ b/tests/tls-random/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 5
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 6
+ event_type: alert
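Review bot: The msg text on sid 5 and sid 6 names `tls.random_data`, but the keyword those two rules actually exercise is `tls.random_bytes`, the same name the README in this commit documents; `tls.random_data` appears nowhere else in the change, so it looks like a leftover from an earlier name. If one of these checks ever fails, the alert message would point a reader at the wrong keyword. Rename them to `msg:"Test tls.random_bytes option CLIENT HELLO"` and `msg:"Test tls.random_bytes option SERVER HELLO"` so the message matches the sticky buffer under test, as sid 1-4 already do.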