From: Victor Julien Date: Thu, 9 Sep 2021 07:48:21 +0000 (+0200) Subject: tests: update several tests to test frames support X-Git-Tag: suricata-6.0.5~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04dbfd8431778c6f085e299f4e0f086051b2b21e;p=thirdparty%2Fsuricata-verify.git tests: update several tests to test frames support
---
diff --git a/tests/alert-testmyids/suricata.yaml b/tests/alert-testmyids/suricata.yaml
index c9638cf5b..96d5f0734 100644
--- a/tests/alert-testmyids/suricata.yaml
+++ b/tests/alert-testmyids/suricata.yaml
@@ -31,6 +31,7 @@ outputs:
 filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
 filename: eve.json
 types:
+ - frame
 - alert:
 payload: yes
 payload-buffer-size: 4kb
diff --git a/tests/alert-testmyids/test.rules b/tests/alert-testmyids/test.rules
index 9f1307bdb..025811af0 100644
--- a/tests/alert-testmyids/test.rules
+++ b/tests/alert-testmyids/test.rules
@@ -1 +1,5 @@
 alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+
+alert http any any -> any any (flow:to_server; frame:http1.request; content:"GET / HTTP/1.1|0d 0a|Host: www.testmyids.com"; startswith; bsize:81; sid:1;)
+alert http1 any any -> any any (flow:to_client; frame:response; content:"uid=0|28|root|29|"; sid:2;)
+alert http1 any any -> any any (flow:to_server; frame:request; strip_whitespace; content:"GET/HTTP/1.1Host:www.testmyids.com"; startswith; bsize:66; sid:3;)
diff --git a/tests/alert-testmyids/test.yaml b/tests/alert-testmyids/test.yaml
index b6ce41dc8..a7b2a4bf9 100644
--- a/tests/alert-testmyids/test.yaml
+++ b/tests/alert-testmyids/test.yaml
@@ -6,11 +6,11 @@ checks:
 # Check that we only have one alert event type in eve.
 - filter:
- count: 1
+ count: 4
 match:
 event_type: alert
 # Check how many lines were logged to fast.log.
 - shell:
 args: cat fast.log | wc -l | xargs
- expect: 1
+ expect: 4
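Review bot: The comment `# Check that we only have one alert event type in eve.` above the first filter in tests/alert-testmyids/test.yaml is now stale, since the same hunk raises that filter's `count` to 4. Suggest rewording it to `# Check that the original rule plus the three frame rules each alert once.` and, more usefully, adding one filter per new rule (`alert.signature_id: 1`, `2`, `3`, each with `count: 1`) so the test pins which frame rules fired rather than only the total; the smb2-07 test.yaml in this commit already takes that form. As written, one rule firing twice and another not at all would still pass both the eve count and the fast.log line count.
```yaml
  # … unchanged: existing alert count and fast.log checks …
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1
  # … same filter for alert.signature_id: 2 and 3 …
```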
diff --git a/tests/http-gap-simple/suricata.yaml b/tests/http-gap-simple/suricata.yaml
new file mode 100644
index 000000000..3bcb3d6d5
--- /dev/null
+++ b/tests/http-gap-simple/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ # app layer frames
+ - frame:
+ enabled: yes
+ - anomaly:
+ enabled: yes
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - http:
+ extended: yes
+ - files
diff --git a/tests/http-gap-simple/test.yaml b/tests/http-gap-simple/test.yaml
index c47eb7973..8576dfb13 100644
--- a/tests/http-gap-simple/test.yaml
+++ b/tests/http-gap-simple/test.yaml
@@ -42,3 +42,15 @@ checks:
 fileinfo.size: 70
 fileinfo.state: "TRUNCATED"
 fileinfo.gaps: true
+
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ app_proto: http
+ frame.id: 1
+ frame.stream_offset: 0
+ frame.type: request
+ frame.length: 40
+ frame.direction: toserver
+ frame.tx_id: 0
diff --git a/tests/smb-eicar-file/suricata.yaml b/tests/smb-eicar-file/suricata.yaml
new file mode 100644
index 000000000..0ee1a3822
--- /dev/null
+++ b/tests/smb-eicar-file/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - smb
+ - flow
+ - frame
+ - alert
diff --git a/tests/smb-eicar-file/test.yaml b/tests/smb-eicar-file/test.yaml
index ad7a26e07..8d0257fdc 100644
--- a/tests/smb-eicar-file/test.yaml
+++ b/tests/smb-eicar-file/test.yaml
@@ -22,3 +22,12 @@ checks:
 match:
 event_type: alert
 files[0].filename: "\\eicar"
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.direction: toserver
+ frame.type: "smb1.data"
+ frame.stream_offset: 853
+ frame.length: 100
+ frame.payload: "Dv8AAAAAQAAAAAAAAAAAAAAAAAAARABAAAAAAABFAABYNU8hUCVAQVBbNFxQWlg1NChQXik3Q0MpN30kRUlDQVItU1RBTkRBUkQtQU5USVZJUlVTLVRFU1QtRklMRSEkSCtIKg=="
diff --git a/tests/smb-named-pipe-ascii/suricata.yaml b/tests/smb-named-pipe-ascii/suricata.yaml
new file mode 100644
index 000000000..0ee1a3822
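Review bot: In the new tests/http-gap-simple/suricata.yaml, the `types:` key under `- anomaly:` has every child commented out, so it parses as a key with a null value rather than as a mapping; unless the anomaly logger is known to treat a valueless `types` the same as an absent one, this reads as an unfinished edit. Either drop the four commented lines together with the `types:` key, or keep one explicit entry such as `applayer: yes`. The sibling comment `#packethdr: no` also lacks the space after `#` that the three comment lines above it use.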
--- /dev/null
+++ b/tests/smb-named-pipe-ascii/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - smb
+ - flow
+ - frame
+ - alert
diff --git a/tests/smb-named-pipe-ascii/test.yaml b/tests/smb-named-pipe-ascii/test.yaml
index 54b53cc40..88eaf0537 100644
--- a/tests/smb-named-pipe-ascii/test.yaml
+++ b/tests/smb-named-pipe-ascii/test.yaml
@@ -13,3 +13,25 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
+
+ - filter:
+ count: 12
+ match:
+ event_type: frame
+ frame.type: "smb1.hdr"
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.type: "smb1.hdr"
+ frame.stream_offset: 4
+ frame.length: 32
+ frame.payload: "/1NNQnIAAAAAGEPIAAAAAAAAAAAAAAAAAAD+/wAAAAA="
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.type: "smb1.hdr"
+ frame.stream_offset: 1098
+ frame.length: 32
+ frame.payload: "/1NNQnEAAAAAGEPIAAAAAAAAAAAAAAAAAQhkBgAQBQA="
diff --git a/tests/smb2-07/test.rules b/tests/smb2-07/test.rules
new file mode 100644
index 000000000..2653f0777
--- /dev/null
+++ b/tests/smb2-07/test.rules
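Review bot: The first added filter in tests/smb-named-pipe-ascii/test.yaml counts 12 `smb1.hdr` frames without a `frame.direction`, so a regression that moved header frames from one direction to the other would still total 12 and pass; the two offset-specific filters below it omit direction as well. Splitting the count into a `toserver` and a `toclient` filter, each with the expected count taken from the current eve output, would pin the per-direction behaviour, and adding `frame.direction` to the two payload checks ties each payload to its side. The smb-eicar-file test.yaml in this commit already includes `frame.direction: toserver` in its frame check.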
@@ -0,0 +1,13 @@
+alert smb any any -> any any (flow:to_server; frame:smb2.pdu; content:"This program cannot be run in DOS mode.|0d 0d 0a|"; sid:1;)
+alert smb any any -> any any (flow:to_server; frame:smb2.pdu; content:"|C0 40 88 41|"; endswith; sid:2;)
+alert smb any any -> any any (flow:to_server; frame:smb2.data; content:"|C0 40 88 41|"; endswith; sid:11;)
+
+alert smb any any -> any any (flow:to_server; frame:smb2.pdu; content:"|FE|SMB"; startswith; sid:3;)
+alert smb any any -> any any (flow:to_server; frame:smb2.hdr; content:"|FE|SMB"; startswith; sid:4;)
+alert smb any any -> any any (flow:to_server; frame:smb2.data; content:"|FE|SMB"; startswith; sid:5;)
+alert smb any any -> any any (flow:to_server; frame:smb2.data; content:!"|FE|SMB"; startswith; sid:6;)
+
+alert smb any any -> any any (flow:to_client; frame:smb2.pdu; content:"|FE|SMB"; startswith; sid:7;)
+alert smb any any -> any any (flow:to_client; frame:smb2.hdr; content:"|FE|SMB"; startswith; sid:8;)
+alert smb any any -> any any (flow:to_client; frame:smb2.data; content:"|FE|SMB"; startswith; sid:9;)
+alert smb any any -> any any (flow:to_client; frame:smb2.data; content:!"|FE|SMB"; startswith; sid:10;)
diff --git a/tests/smb2-07/test.yaml b/tests/smb2-07/test.yaml
index 849c9dcee..3444faecc 100644
--- a/tests/smb2-07/test.yaml
+++ b/tests/smb2-07/test.yaml
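Review bot: None of the eleven rules in the new tests/smb2-07/test.rules carries a `msg`, so the eve alerts and fast.log lines this test produces show an empty signature name, which makes a failing count hard to read back to the frame and direction under test. Suggest a short `msg` per rule, e.g. `msg:"smb2.data toserver endswith";` on the `sid:11` rule. The `sid:11` rule sits between `sid:2` and `sid:3`; if pairing it with `sid:2` (same content on the pdu frame versus the data frame) is intentional, a comment line `# sids 2 and 11: same content on smb2.pdu vs smb2.data` would make that clear.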
@@ -74,4 +74,60 @@ checks: app_proto: smb tcp.state: closed flow.state: closed + - filter: + count: 1 + match: + event_type: alert + app_proto: smb + alert.signature_id: 2 + frame.type: smb2.pdu + - filter: + count: 1 + match: + event_type: alert + app_proto: smb + alert.signature_id: 11 + frame.type: smb2.data + - filter: + count: 88 + match: + event_type: alert + app_proto: smb + alert.signature_id: 8 + frame.type: smb2.hdr + - filter: + count: 88 + match: + event_type: alert + app_proto: smb + alert.signature_id: 7 + frame.type: smb2.pdu + - filter: + count: 88 + match: + event_type: alert + app_proto: smb + alert.signature_id: 10 + frame.type: smb2.data + - filter: + count: 85 + match: + event_type: alert + app_proto: smb + alert.signature_id: 4 + frame.type: smb2.hdr + - filter: + count: 85 + match: + event_type: alert + app_proto: smb + alert.signature_id: 3 + frame.type: smb2.pdu + - filter: + count: 85 + match: + event_type: alert + app_proto: smb + alert.signature_id: 6 + frame.type: smb2.data diff --git a/tests/tls13-draft28/suricata.yaml b/tests/tls13-draft28/suricata.yaml index 32557878b..e50ec41b0 100644 --- a/tests/tls13-draft28/suricata.yaml +++ b/tests/tls13-draft28/suricata.yaml @@ -7,6 +7,8 @@ outputs: filetype: regular #regular|syslog|unix_dgram|unix_stream|redis filename: eve.json types: + - alert + - frame - tls: extended: yes # enable this for extended logging information diff --git a/tests/tls13-draft28/test.rules b/tests/tls13-draft28/test.rules new file mode 100644 index 000000000..f62d63b67 --- /dev/null +++ b/tests/tls13-draft28/test.rules @@ -0,0 +1,2 @@ +alert tls any any -> any any (flow:to_client; frame:tls.pdu; content:"|17 03 03|"; startswith; sid:1;) +alert tls any any -> any any (flow:to_server; frame:tls.pdu; content:"|17 03 03|"; startswith; sid:2;) diff --git a/tests/tls13-draft28/test.yaml b/tests/tls13-draft28/test.yaml index 7a5132f8a..26be3c32a 100644 --- a/tests/tls13-draft28/test.yaml +++ b/tests/tls13-draft28/test.yaml 
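Review bot: The filters added to tests/smb2-07/test.yaml assert counts for sids 2, 11, 8, 7, 10, 4, 3 and 6 but not for sids 1, 5 and 9 from the new test.rules; sids 5 and 9 are the positive `|FE|SMB` startswith rules on `smb2.data` frames, whose expected non-match is only proven by an explicit `count: 0` filter, unless such filters already exist earlier in the file outside this hunk. Sid 1 (the DOS-mode string on `smb2.pdu`) is likewise unasserted. The `checks:` list this hunk extends starts before the hunk.
```yaml
  # … unchanged: filters for sids 2, 11, 8, 7, 10, 4, 3 and 6 …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 5
  # … same with count: 0 for sid 9; sid 1 with its observed count …
```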
@@ -26,3 +26,25 @@ checks:
 tls.version: "TLS 1.3 draft-28"
 tls.ja3.hash: "43202faa1c8c1760d6f7f4bd9adde4ab"
 tls.ja3.string: "771,4866-4867-4865-4868-49196-52393-49325-49162-49195-49324-49161-49200-52392-49172-49199-49171-157-49309-53-156-49308-47-159-52394-49311-57-158-49310-51,5-10-11-13-22-23-35-51-43-65281-0-45,23,0"
+
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ frame.type: "pdu"
+ frame.stream_offset: 737
+ frame.length: 37
+ frame.payload: "FwMDACBUkdn1rkU9Kp35Pqj6bpO9i0a20Tj7PKooNVCpa+3I0A=="
+
+ - filter:
+ count: 10
+ match:
+ event_type: alert
+ frame.type: "pdu"
+ frame.direction: "toclient"
+ - filter:
+ count: 7
+ match:
+ event_type: alert
+ frame.type: "pdu"
+ frame.direction: "toserver"
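Review bot: The two added alert filters in tests/tls13-draft28/test.yaml distinguish the rules only by `frame.direction`, not by `alert.signature_id`, even though the new test.rules makes sid 1 the `to_client` rule and sid 2 the `to_server` one. Adding `alert.signature_id: 1` to the `toclient` filter and `alert.signature_id: 2` to the `toserver` filter pins each count to its rule, so a later rule on the same frame type cannot silently absorb the count. The frame filter above them could likewise carry `frame.direction`, as the smb-eicar-file check in this commit does.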