From: Travis Green
Date: Mon, 14 Oct 2019 16:03:10 +0000 (-0700)
Subject: tests: add dcerpc test per #3109
X-Git-Tag: suricata-5.0.10~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15fffc0569dde146b8a778c1cdd9ed2e4c010dc8;p=thirdparty%2Fsuricata-verify.git

tests: add dcerpc test per #3109
---
diff --git a/tests/dcerpc/dcerpc-3109/README b/tests/dcerpc/dcerpc-3109/README
new file mode 100644
index 000000000..7e9d7e6d7
--- /dev/null
+++ b/tests/dcerpc/dcerpc-3109/README
@@ -0,0 +1,11 @@
+Description
+===========
+This test ensures that dcerpc keywords alert as expected and that bug 3109 is no longer valid.
+
+PCAP
+====
+PCAP comes from https://redmine.openinfosecfoundation.org/issues/3109
+
+Reported by
+===========
+Travis Green
diff --git a/tests/dcerpc/dcerpc-3109/dcerpc.rules b/tests/dcerpc/dcerpc-3109/dcerpc.rules
new file mode 100644
index 000000000..946092395
--- /dev/null
+++ b/tests/dcerpc/dcerpc-3109/dcerpc.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"TGI LATERAL DCERPC ATSVC v1.0 Bind UUID 1ff70682-0a51-30e8-076d-740be8cee98b"; flow:established; dce_iface:1ff70682-0a51-30e8-076d-740be8cee98b,any_frag; reference:url,401trg.com/an-introduction-to-smb-for-network-security-analysts/; classtype:attempted-admin; sid:2610115; rev:1; metadata:notworking;)
+
+# example of a rule working without dcerpc:
+alert tcp any any -> any any (msg:"TGI LATERAL DCERPC ATSVC v1.0 Bind UUID"; flow:established; content:"|82 06 f7 1f 51 0a e8 30 07 6d 74 0b e8 ce e9 8b|"; reference:url,401trg.com/an-introduction-to-smb-for-network-security-analysts/; classtype:attempted-admin; sid:2610113; rev:1;)
diff --git a/tests/dcerpc/dcerpc-3109/input.pcap b/tests/dcerpc/dcerpc-3109/input.pcap
new file mode 100644
index 000000000..014c3dc29
Binary files /dev/null and b/tests/dcerpc/dcerpc-3109/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-3109/test.yaml b/tests/dcerpc/dcerpc-3109/test.yaml
new file mode 100644
index 000000000..a9a5efc85
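Review bot: The dce_iface rule (sid 2610115) in dcerpc.rules still carries `metadata:notworking;`, while the test.yaml added in this same commit expects that rule to fire twice, so the marker now asserts the opposite of what the test demonstrates; drop the option or replace it with something that points at the tracked issue rather than a stale state, e.g. `metadata:bug 3109;`. The fallback rule (sid 2610113) matches the little-endian byte form of the UUID anywhere in the TCP payload with no offset/depth or stub-data anchoring, which is acceptable for a fixture but should be stated so nobody copies it into production as-is; I would expand the existing comment to `# example of a rule working without dcerpc keywords: raw little-endian UUID bytes, unanchored in the payload`.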
--- /dev/null
+++ b/tests/dcerpc/dcerpc-3109/test.yaml
@@ -0,0 +1,24 @@
+requires:
+  min-version: 6.0
+
+args:
+  - -k none --set stream.midstream=true
+
+checks:
+
+  - filter:
+      count: 2
+      match:
+        event_type: smb
+        smb.dcerpc.call_id: 2
+
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2610115
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2610113
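Review bot: The `args` entry turns off checksum validation (`-k none`) and enables midstream session pickup, but nothing in test.yaml or the README says why the capture needs either, so a later cleanup could remove them and silently break the test; a comment above the args line such as `# pcap presumably starts mid-session and carries bad checksums; both settings are needed for Suricata to parse it -- confirm against the capture` would preserve the intent. The expected counts also differ without explanation: two alerts for sid 2610115 but one for sid 2610113, which is plausible if the dce_iface match fires on more than the BIND PDU while the raw byte match only sees the UUID once, but that reasoning belongs in a comment on each filter so the numbers can be checked against the pcap. `min-version: 6.0` means the test is skipped on the 5.0 series that the X-Git-Tag in the preamble suggests this tree targets; confirm the requirement is intended rather than a leftover. Minor style point: the second and third filters lack the blank line that separates the first two, so the list reads as if the alert checks were one entry.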