From: Victor Julien Date: Fri, 12 Jul 2019 18:43:16 +0000 (+0200) Subject: tests: add datasets tests X-Git-Tag: suricata-6.0.4~399 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=136dcdb6734a06bd43f2366f2bfc96f584897aa5;p=thirdparty%2Fsuricata-verify.git tests: add datasets tests
---
diff --git a/tests/datarep-01/datarep.rules b/tests/datarep-01/datarep.rules
new file mode 100644
index 000000000..7fc15e203
--- /dev/null
+++ b/tests/datarep-01/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)
diff --git a/tests/datarep-01/dns_string.rep b/tests/datarep-01/dns_string.rep
new file mode 100644
index 000000000..aedc6d336
--- /dev/null
+++ b/tests/datarep-01/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLmNvbQ==,255
diff --git a/tests/datarep-01/input.pcap b/tests/datarep-01/input.pcap
new file mode 100644
index 000000000..d5171ffd0
Binary files /dev/null and b/tests/datarep-01/input.pcap differ
diff --git a/tests/datarep-01/test.yaml b/tests/datarep-01/test.yaml
new file mode 100644
index 000000000..851e03f38
--- /dev/null
+++ b/tests/datarep-01/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/datarep-01/writepcap.py b/tests/datarep-01/writepcap.py
new file mode 100755
index 000000000..28605766f
--- /dev/null
+++ b/tests/datarep-01/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname='google.com'))
+
+wrpcap('input.pcap', pkts)
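Review bot: In writepcap.py the packet is added with `pkts += Ether(...)/...`, which only works because `list.__iadd__` iterates the scapy Packet and a packet without field sets yields itself once; the intent is a single append and is clearer as `pkts.append(Ether(...)/...)`. `from scapy.all import *` pulls the whole scapy namespace into the module, which is tolerable for a throwaway generator but hides where `Ether`, `Dot1Q`, `IP`, `UDP`, `DNS`, `DNSQR` and `wrpcap` come from; `from scapy.all import Ether, Dot1Q, IP, UDP, DNS, DNSQR, wrpcap` documents the dependency. The same two points apply to the identical or near-identical copies in tests/datarep-02/writepcap.py, tests/datasets-03-set/writepcap.py, tests/datasets-04-http-dns/writepcap.py and tests/datasets-05-state/writepcap.py. A one-line header comment such as `# Generates input.pcap for this test; rerun to regenerate the committed capture.` would also help since the .pcap is committed next to the script.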
diff --git a/tests/datarep-02/datarep.rules b/tests/datarep-02/datarep.rules
new file mode 100644
index 000000000..37b617779
--- /dev/null
+++ b/tests/datarep-02/datarep.rules
@@ -0,0 +1,3 @@
+alert dns any any -> any any (dns.query; to_md5; datarep:dns_md5, >, 200, load dns_md5.rep, type md5; sid:1;)
+alert dns any any -> any any (dns.query; to_sha256; datarep:dns_sha256, >, 200, load dns_sha256.rep, type sha256; sid:2;)
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:3;)
diff --git a/tests/datarep-02/dns_md5.rep b/tests/datarep-02/dns_md5.rep
new file mode 100644
index 000000000..9e1922474
--- /dev/null
+++ b/tests/datarep-02/dns_md5.rep
@@ -0,0 +1,2 @@
+1d5920f4b44b27a802bd77c4f0536f5a,255
+5ababd603b22780302dd8d83498e5172,100
diff --git a/tests/datarep-02/dns_sha256.rep b/tests/datarep-02/dns_sha256.rep
new file mode 100644
index 000000000..f49c2ebdd
--- /dev/null
+++ b/tests/datarep-02/dns_sha256.rep
@@ -0,0 +1,2 @@
+d4c9d9027326271a89ce51fcaf328ed673f17be33469ff979e8ab8dd501e664f,255
+a379a6f6eeafb9a55e378c118034e2751e682fab9f2d30ab13d2125586ce1947,100
diff --git a/tests/datarep-02/dns_string.rep b/tests/datarep-02/dns_string.rep
new file mode 100644
index 000000000..aedc6d336
--- /dev/null
+++ b/tests/datarep-02/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLmNvbQ==,255
diff --git a/tests/datarep-02/input.pcap b/tests/datarep-02/input.pcap
new file mode 100644
index 000000000..d5171ffd0
Binary files /dev/null and b/tests/datarep-02/input.pcap differ
diff --git a/tests/datarep-02/test.yaml b/tests/datarep-02/test.yaml
new file mode 100644
index 000000000..af62a2a6a
--- /dev/null
+++ b/tests/datarep-02/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+ files:
+ - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/datarep-02/writepcap.py b/tests/datarep-02/writepcap.py
new file mode 100755
index 000000000..28605766f
--- /dev/null
+++ b/tests/datarep-02/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='255.255.255.255', src='192.168.0.1')/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname='google.com'))
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/datasets-01/check.sh b/tests/datasets-01/check.sh
new file mode 100755
index 000000000..8bedbf39c
--- /dev/null
+++ b/tests/datasets-01/check.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec cmp datasets.csv ${TEST_DIR}/expected/datasets.csv
diff --git a/tests/datasets-01/expected/datasets.csv b/tests/datasets-01/expected/datasets.csv
new file mode 100644
index 000000000..3961eb8ac
--- /dev/null
+++ b/tests/datasets-01/expected/datasets.csv
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=
diff --git a/tests/datasets-01/input.pcap b/tests/datasets-01/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datasets-01/input.pcap differ
diff --git a/tests/datasets-01/test.rules b/tests/datasets-01/test.rules
new file mode 100644
index 000000000..bc5e1a29a
--- /dev/null
+++ b/tests/datasets-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:set,ua-seen,type string,save datasets.csv; sid:1;)
diff --git a/tests/datasets-01/test.yaml b/tests/datasets-01/test.yaml
new file mode 100644
index 000000000..efc170012
--- /dev/null
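Review bot: tests/datasets-01/check.sh compares a bare relative `datasets.csv`, so the check depends on whatever working directory the runner happens to use, while the sibling tests/datasets-05-state/check.sh in this same commit resolves its output file as `${OUTPUT_DIR}/state.csv`. The test's command line passes `--data-dir="${OUTPUT_DIR}"`, so presumably the saved set lands in that directory and the comparison should be anchored there too; both paths should also be quoted in case either directory contains spaces. Suggested line: `exec cmp "${OUTPUT_DIR}/datasets.csv" "${TEST_DIR}/expected/datasets.csv"`.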
+++ b/tests/datasets-01/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ files:
+ - src/datasets.c
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" \
+ --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \
+ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules \
+ --data-dir="${OUTPUT_DIR}"
diff --git a/tests/datasets-02-load/datasets.csv b/tests/datasets-02-load/datasets.csv
new file mode 100644
index 000000000..3961eb8ac
--- /dev/null
+++ b/tests/datasets-02-load/datasets.csv
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=
diff --git a/tests/datasets-02-load/input.pcap b/tests/datasets-02-load/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/datasets-02-load/input.pcap differ
diff --git a/tests/datasets-02-load/test.rules b/tests/datasets-02-load/test.rules
new file mode 100644
index 000000000..7cd7d6737
--- /dev/null
+++ b/tests/datasets-02-load/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv; sid:1;)
+alert http any any -> any any (http.user_agent; dataset:isnotset,ua-seen,type string,load datasets.csv; sid:2;)
diff --git a/tests/datasets-02-load/test.yaml b/tests/datasets-02-load/test.yaml
new file mode 100644
index 000000000..29765d4f1
--- /dev/null
+++ b/tests/datasets-02-load/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/datasets-03-set/input.pcap b/tests/datasets-03-set/input.pcap
new file mode 100644
index 000000000..790a6a155
Binary files /dev/null and b/tests/datasets-03-set/input.pcap differ
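Review bot: The `command:` in tests/datasets-01/test.yaml quotes the `${SRCDIR}`-based paths but leaves `-l ${OUTPUT_DIR}`, `-r ${TEST_DIR}/input.pcap` and `-S ${TEST_DIR}/test.rules` unquoted, so the same command line would break on a checkout path containing whitespace in one half but not the other. Quoting them consistently, e.g. `-l "${OUTPUT_DIR}"` and `-r "${TEST_DIR}/input.pcap" -S "${TEST_DIR}/test.rules"`, keeps the shell fragment uniform. The identical command in tests/datasets-05-state/test.yaml has the same mix.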
diff --git a/tests/datasets-03-set/test.rules b/tests/datasets-03-set/test.rules
new file mode 100644
index 000000000..1d99df9d7
--- /dev/null
+++ b/tests/datasets-03-set/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
diff --git a/tests/datasets-03-set/test.yaml b/tests/datasets-03-set/test.yaml
new file mode 100644
index 000000000..851e03f38
--- /dev/null
+++ b/tests/datasets-03-set/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/datasets-03-set/writepcap.py b/tests/datasets-03-set/writepcap.py
new file mode 100755
index 000000000..f5a1b7a5e
--- /dev/null
+++ b/tests/datasets-03-set/writepcap.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=1, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=2, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=3, rd=1, qd=DNSQR(qname='example.com'))
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/datasets-04-http-dns/input.pcap b/tests/datasets-04-http-dns/input.pcap
new file mode 100644
index 000000000..9a8aaa731
Binary files /dev/null and b/tests/datasets-04-http-dns/input.pcap differ
diff --git a/tests/datasets-04-http-dns/test.rules b/tests/datasets-04-http-dns/test.rules
new file mode 100644
index 000000000..b5d9d1cd3
--- /dev/null
+++ b/tests/datasets-04-http-dns/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
+alert http any any -> any any (http.host; dataset:set,dns-seen, type string; sid:2;)
diff --git a/tests/datasets-04-http-dns/test.yaml b/tests/datasets-04-http-dns/test.yaml
new file mode 100644
index 000000000..20be4139e
--- /dev/null
+++ b/tests/datasets-04-http-dns/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 0
diff --git a/tests/datasets-04-http-dns/writepcap.py b/tests/datasets-04-http-dns/writepcap.py
new file mode 100755
index 000000000..c43f4cc49
--- /dev/null
+++ b/tests/datasets-04-http-dns/writepcap.py
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=1, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/datasets-05-state/check.sh b/tests/datasets-05-state/check.sh
new file mode 100755
index 000000000..97d6dce7c
--- /dev/null
+++ b/tests/datasets-05-state/check.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec cmp ${OUTPUT_DIR}/state.csv ${TEST_DIR}/expected/state.csv
diff --git a/tests/datasets-05-state/expected/state.csv b/tests/datasets-05-state/expected/state.csv
new file mode 100644
index 000000000..de003fec2
--- /dev/null
+++ b/tests/datasets-05-state/expected/state.csv
@@ -0,0 +1 @@
+ZXhhbXBsZS5jb20=
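Review bot: The third check in tests/datasets-04-http-dns/test.yaml filters on `alert.signature_id: 0`, a sid that neither rule in test.rules carries, so its `count: 0` is satisfied no matter what the engine does and the check asserts nothing. Given the rules (sid 1 sets `dns-seen` from dns.query, sid 2 sets the same set from http.host) and the first check's total of one alert, the intent appears to be to prove that the HTTP rule does not fire again for a value the DNS rule already inserted, which would read `alert.signature_id: 2`. As written a regression where sid 2 starts alerting would be caught only indirectly by the `count: 1` total, and a regression where sid 1 stops alerting while sid 2 starts would pass entirely.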
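Review bot: In tests/datasets-04-http-dns/writepcap.py the TCP layer is built with `flags='P''A'`, which relies on implicit adjacent-string concatenation to produce `'PA'` and reads at first glance like a typo for a tuple; `flags='PA'` says the same thing directly. The HTTP request is a single PSH/ACK segment with no preceding handshake and no response, so the test presumably depends on the engine picking the flow up mid-stream; a comment on that line, e.g. `# lone mid-stream request segment; relies on midstream flow pickup`, would record that assumption for whoever regenerates the capture. The packet-append and star-import points raised on tests/datarep-01/writepcap.py apply here as well.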
diff --git a/tests/datasets-05-state/input.pcap b/tests/datasets-05-state/input.pcap
new file mode 100644
index 000000000..790a6a155
Binary files /dev/null and b/tests/datasets-05-state/input.pcap differ
diff --git a/tests/datasets-05-state/test.rules b/tests/datasets-05-state/test.rules
new file mode 100644
index 000000000..7b8d560a6
--- /dev/null
+++ b/tests/datasets-05-state/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string, state state.csv; sid:1;)
diff --git a/tests/datasets-05-state/test.yaml b/tests/datasets-05-state/test.yaml
new file mode 100644
index 000000000..dddcc0047
--- /dev/null
+++ b/tests/datasets-05-state/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - src/datasets.c
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" \
+ --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \
+ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules \
+ --data-dir="${OUTPUT_DIR}"
diff --git a/tests/datasets-05-state/writepcap.py b/tests/datasets-05-state/writepcap.py
new file mode 100755
index 000000000..f5a1b7a5e
--- /dev/null
+++ b/tests/datasets-05-state/writepcap.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=1, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=2, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=3, rd=1, qd=DNSQR(qname='example.com'))
+
+wrpcap('input.pcap', pkts)