From: Philippe Antoine Date: Mon, 12 Feb 2024 13:02:40 +0000 (+0100) Subject: http: adds test with chunked as a token X-Git-Tag: suricata-6.0.17~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06e9c72266aa59ee22e11b86726f5cc19cf600da;p=thirdparty%2Fsuricata-verify.git http: adds test with chunked as a token Ticket: 6415
---
diff --git a/tests/http-chunked/README.md b/tests/http-chunked/README.md
new file mode 100644
index 000000000..35e629b16
--- /dev/null
+++ b/tests/http-chunked/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test that we handle Transfer-Encoding when `chunked` is one token
+
+## PCAP
+
+From https://redmine.openinfosecfoundation.org/issues/6415
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6415
diff --git a/tests/http-chunked/input.pcap b/tests/http-chunked/input.pcap
new file mode 100644
index 000000000..298d3a56d
Binary files /dev/null and b/tests/http-chunked/input.pcap differ
diff --git a/tests/http-chunked/test.rules b/tests/http-chunked/test.rules
new file mode 100644
index 000000000..a30fa6c01
--- /dev/null
+++ b/tests/http-chunked/test.rules
@@ -0,0 +1,28 @@
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Host"; fast_pattern; classtype:web-application-attack; sid:11; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:12; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:13; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:14; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:15; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:16; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:21; rev:1;)
+# does not work cf http.cookie keyword and http.header doc expliciting this exclusion
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:22; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:23; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:24; rev:1;)
+alert http any 
any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:25; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:26; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Host"; fast_pattern; classtype:web-application-attack; sid:31; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:32; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:33; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:34; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:35; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:36; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:41; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:42; rev:1;)
+alert 
http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:43; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:44; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:45; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:46; rev:1;)
diff --git a/tests/http-chunked/test.yaml b/tests/http-chunked/test.yaml
new file mode 100644
index 000000000..c8b043e1d
--- /dev/null
+++ b/tests/http-chunked/test.yaml
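Review bot: The `msg` strings (`"Test Usage of Unbuffered Content"`, `"Test Usage of http.header"`, …) and the `classtype:web-application-attack` on all 24 rules read as carried over from an unrelated test and say nothing about what this test checks, so a failing check in eve.json gives no hint which buffer regressed; I would name the test and buffer in each msg, e.g. `msg:"http-chunked: Transfer-Encoding in raw payload"` for sid 16 and `msg:"http-chunked: Transfer-Encoding in http.request_header"` for sid 46, and use `classtype:misc-activity` (or none) since nothing here is an attack. None of the rules looks at the header value: they only prove that the header names are visible in each buffer, so the `chunked`-as-one-token handling named in the README is exercised only indirectly; if the pcap's Transfer-Encoding value is what the README describes, one rule on the value, e.g. `http.request_header; content:"Transfer-Encoding|3a|"; content:"chunked"; distance:0;`, would pin the parsing directly rather than by side effect. The comment above sid 22 is also hard to parse; I would write it as `# expected not to match: http.header excludes Cookie, see the http.cookie and http.header docs` so the intentional non-alert is obvious to whoever reads test.yaml next.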
@@ -0,0 +1,122 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none --set packet-alert-max=32
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 14
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 15
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 16
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 23
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 24
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 25
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 26
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 31
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 32
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 33
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 34
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 35
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 36
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 41
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 42
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 43
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 44
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 45
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 46
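Review bot: Sid 22 is deliberately expected not to alert (test.rules notes that http.header excludes Cookie), but the checks simply leave it out instead of asserting it, so a change that makes http.header start carrying Cookie would pass this test silently; it should be pinned with a `count: 0` check like the one below. The checks also assert exactly one alert per sid but nothing about the total, so an extra alert from a second transaction or a duplicate match would go unnoticed; a `count: 23` filter on `event_type: alert` would close that, assuming nothing else in the pcap alerts. `requires: min-version: 7` is presumably there because `http.request_header` (sids 41–46) only exists in 7.x; given the suricata-6.0.17 tag on this commit, a one-line `# http.request_header keyword needs 7.0+` above it would stop someone from "fixing" the test to run on 6.0 and wondering why it skips.
```yaml
checks:
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 22
  - filter:
      count: 23
      match:
        event_type: alert
  # … unchanged: existing per-sid count: 1 checks …
```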