From: Alice Akaki
Date: Fri, 14 Feb 2025 16:42:12 +0000 (-0400)
Subject: detect: add test for ldap.responses.message
X-Git-Tag: suricata-7.0.9~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05fc876dc4bbdb0168afe7f11402f586c3ae9aa6;p=thirdparty%2Fsuricata-verify.git

detect: add test for ldap.responses.message

Ticket: #7532
---
diff --git a/tests/detect-ldap-result/README.md b/tests/detect-ldap-result/README.md
index 01da05535..51c37cbe1 100644
--- a/tests/detect-ldap-result/README.md
+++ b/tests/detect-ldap-result/README.md
@@ -1,4 +1,4 @@
-Test ldap.responses.result_code keyword.
+Test ldap.responses.result_code and ldap.responses.message keywords.
 PCAP created with flowsynth.py
diff --git a/tests/detect-ldap-result/ldap.pcap b/tests/detect-ldap-result/ldap.pcap
index 0ac54431b..960cb5985 100644
Binary files a/tests/detect-ldap-result/ldap.pcap and b/tests/detect-ldap-result/ldap.pcap differ
diff --git a/tests/detect-ldap-result/ldap.syn b/tests/detect-ldap-result/ldap.syn
index 734e92d11..30f2b82da 100644
--- a/tests/detect-ldap-result/ldap.syn
+++ b/tests/detect-ldap-result/ldap.syn
@@ -1,2 +1,2 @@
 flow default tcp 1.1.1.1:5555 > 2.2.2.2:389 (tcp.initialize; mss:9000;);
-default < (content:"\x30\x1f\x02\x01\x02\x65\x1a\x0a\x01\x04\x04\x00\x04\x13\x53\x69\x7a\x65\x20\x6c\x69\x6d\x69\x74\x20\x65\x78\x63\x65\x65\x64\x65\x64";);
\ No newline at end of file
+default < (content:"\x30\x36\x02\x01\x02\x65\x31\x0a\x01\x04\x04\x00\x04\x2a\x4d\x65\x73\x73\x61\x67\x65\x3a\x20\x73\x69\x7a\x65\x20\x6c\x69\x6d\x69\x74\x20\x67\x6f\x74\x20\x65\x78\x63\x65\x65\x64\x65\x64\x20\x28\x6d\x61\x78\x20\x36\x35\x6b\x29";);
\ No newline at end of file
diff --git a/tests/detect-ldap-result/test.rules b/tests/detect-ldap-result/test.rules
index 57c767bcd..1eaca687f 100644
--- a/tests/detect-ldap-result/test.rules
+++ b/tests/detect-ldap-result/test.rules
@@ -1 +1,4 @@
 alert ldap any any -> any any (msg:"Test LDAP result code"; ldap.responses.result_code:size_limit_exceeded; sid:1;)
+alert ldap any any -> any any (msg:"Test LDAP result code at index 0"; ldap.responses.result_code:size_limit_exceeded,0; sid:2;)
+alert ldap any any -> any any (msg:"Packet has only size_limit_exceeded result code"; ldap.responses.result_code:size_limit_exceeded,all; sid:3;)
+alert ldap any any -> any any (msg:"Test LDAP error message"; ldap.responses.message; content:"Message: size limit got exceeded (max 65k)"; startswith; endswith; sid:4;)
diff --git a/tests/detect-ldap-result/test.yaml b/tests/detect-ldap-result/test.yaml
index f8c673ab3..36fb2f719 100644
--- a/tests/detect-ldap-result/test.yaml
+++ b/tests/detect-ldap-result/test.yaml
@@ -13,3 +13,28 @@ checks:
 ldap.responses[0].operation: search_result_done
 ldap.responses[0].search_result_done.result_code: size_limit_exceeded
 alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 4
+ event_type: alert
+ ldap.responses[0].operation: search_result_done
+ ldap.responses[0].search_result_done.result_code: size_limit_exceeded
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 4
+ event_type: alert
+ ldap.responses[0].operation: search_result_done
+ ldap.responses[0].search_result_done.result_code: size_limit_exceeded
+ alert.signature_id: 3
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 4
+ event_type: alert
+ ldap.responses[0].operation: search_result_done
+ ldap.responses[0].search_result_done.message: "Message: size limit got exceeded (max 65k)"
+ alert.signature_id: 4
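Review bot: The added `checks:` line in the test.yaml hunk, just before the sid 4 filter, introduces a second top-level `checks` key in a file whose hunk header already shows `checks:` as the enclosing mapping. If the verify runner's YAML loader keeps the last duplicate key, as PyYAML's safe_load does, the filters for sids 1, 2 and 3 are silently discarded and only the sid 4 alert is ever verified; a strict loader would instead reject the file. Drop the `checks:` line and keep the sid 4 block as a fourth `- filter:` entry of the existing list, indented like the sid 2 and sid 3 entries. It would also be worth a quick run confirming that sids 1 to 3 still fail the test when their rules are commented out, so the regression coverage the commit intends is actually exercised.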