From: Giuseppe Longo Date: Thu, 11 Jul 2019 14:19:49 +0000 (+0200) Subject: tests: add tests for sip keywords X-Git-Tag: suricata-6.0.4~389 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=194e1c0c1277832981aba9c0cf009b21c3328413;p=thirdparty%2Fsuricata-verify.git tests: add tests for sip keywords
---
diff --git a/tests/sip-method/README.md b/tests/sip-method/README.md
new file mode 100644
index 000000000..cde7c6e96
--- /dev/null
+++ b/tests/sip-method/README.md
@@ -0,0 +1 @@
+Match on SIP method field.
diff --git a/tests/sip-method/sip.pcap b/tests/sip-method/sip.pcap
new file mode 100644
index 000000000..6e47833bd
Binary files /dev/null and b/tests/sip-method/sip.pcap differ
diff --git a/tests/sip-method/test.rules b/tests/sip-method/test.rules
new file mode 100644
index 000000000..1fd849f78
--- /dev/null
+++ b/tests/sip-method/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; sid:1;)
diff --git a/tests/sip-method/test.yaml b/tests/sip-method/test.yaml
new file mode 100644
index 000000000..e65182548
--- /dev/null
+++ b/tests/sip-method/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: sip.pcap
+
+checks:
+ - filter:
+ count: 36
+ match:
+ event_type: alert
diff --git a/tests/sip-protocol/README.md b/tests/sip-protocol/README.md
new file mode 100644
index 000000000..2d175aa3e
--- /dev/null
+++ b/tests/sip-protocol/README.md
@@ -0,0 +1 @@
+Match on SIP version field.
diff --git a/tests/sip-protocol/test.rules b/tests/sip-protocol/test.rules
new file mode 100644
index 000000000..b68e37811
--- /dev/null
+++ b/tests/sip-protocol/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.protocol; content:"SIP/2.0"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.protocol; content:"SIP/2.0"; sid:2;)
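Review bot: The `sip.method` rule in tests/sip-method/test.rules matches `REGISTER` as an unanchored substring of the sticky buffer, so the expected 36 alerts would still be produced if `sip.method` regressed to exposing more than the method token (the sip-request-line test in this same commit reaches the same 36 with a content that also contains `REGISTER`). Pinning the buffer length, `alert sip any any -> any any (flow:to_server; sip.method; content:"REGISTER"; bsize:8; sid:1;)`, would make the test fail on an over-wide buffer, provided `bsize` is accepted at the test's `min-version` of 5.0.0. The test also has no negative case; a second rule for a method not present in the capture, checked with `count: 0` on its `alert.signature_id`, would catch a buffer that matches everything.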
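Review bot: Both `sip.protocol` rules in tests/sip-protocol/test.rules match `SIP/2.0` case-sensitively, whereas RFC 3261 section 7.1 makes the SIP-Version token case-insensitive on receipt (implementations must send upper case but must accept any case). That is fine for a keyword test against this capture, but a detection rule copied from it would miss a lower-case version string, which an evasion-minded client can send; the README for this test could note that production rules on `sip.protocol` want `nocase`, or the to_client rule could exercise that path directly, `alert sip any any -> any any (flow:to_client; sip.protocol; content:"SIP/2.0"; nocase; sid:2;)`.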
diff --git a/tests/sip-protocol/test.yaml b/tests/sip-protocol/test.yaml
new file mode 100644
index 000000000..9a6ec7d8c
--- /dev/null
+++ b/tests/sip-protocol/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+ - filter:
+ count: 81
+ match:
+ event_type: alert
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-request-line/README.md b/tests/sip-request-line/README.md
new file mode 100644
index 000000000..7881b9897
--- /dev/null
+++ b/tests/sip-request-line/README.md
@@ -0,0 +1 @@
+Match on the whole SIP request line.
diff --git a/tests/sip-request-line/test.rules b/tests/sip-request-line/test.rules
new file mode 100644
index 000000000..d525a5762
--- /dev/null
+++ b/tests/sip-request-line/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.request_line; content:"REGISTER sip:sip.cybercity.dk SIP/2.0"; sid:1;)
diff --git a/tests/sip-request-line/test.yaml b/tests/sip-request-line/test.yaml
new file mode 100644
index 000000000..47b981e44
--- /dev/null
+++ b/tests/sip-request-line/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+ - filter:
+ count: 36
+ match:
+ event_type: alert
diff --git a/tests/sip-response-line/README.md b/tests/sip-response-line/README.md
new file mode 100644
index 000000000..136ca58ae
--- /dev/null
+++ b/tests/sip-response-line/README.md
@@ -0,0 +1 @@
+Match on the whole SIP response line.
diff --git a/tests/sip-response-line/test.rules b/tests/sip-response-line/test.rules
new file mode 100644
index 000000000..01dfd77ad
--- /dev/null
+++ b/tests/sip-response-line/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.response_line; content:"SIP/2.0 200 OK"; sid:1;)
diff --git a/tests/sip-response-line/test.yaml b/tests/sip-response-line/test.yaml
new file mode 100644
index 000000000..15d0118c7
--- /dev/null
+++ b/tests/sip-response-line/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+ - filter:
+ count: 5
+ match:
+ event_type: alert
diff --git a/tests/sip-stat-code/README.md b/tests/sip-stat-code/README.md
new file mode 100644
index 000000000..e96cf40e9
--- /dev/null
+++ b/tests/sip-stat-code/README.md
@@ -0,0 +1 @@
+Match on SIP stat code field.
diff --git a/tests/sip-stat-code/test.rules b/tests/sip-stat-code/test.rules
new file mode 100644
index 000000000..0a2e46c0f
--- /dev/null
+++ b/tests/sip-stat-code/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.stat_code; content:"100"; sid:1;)
diff --git a/tests/sip-stat-code/test.yaml b/tests/sip-stat-code/test.yaml
new file mode 100644
index 000000000..cba09883f
--- /dev/null
+++ b/tests/sip-stat-code/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+ - filter:
+ count: 7
+ match:
+ event_type: alert
diff --git a/tests/sip-stat-msg/README.md b/tests/sip-stat-msg/README.md
new file mode 100644
index 000000000..56ba3ba2c
--- /dev/null
+++ b/tests/sip-stat-msg/README.md
@@ -0,0 +1 @@
+Match on SIP stat msg field.
diff --git a/tests/sip-stat-msg/test.rules b/tests/sip-stat-msg/test.rules
new file mode 100644
index 000000000..81705fccc
--- /dev/null
+++ b/tests/sip-stat-msg/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_client; sip.stat_msg; content:"Trying"; sid:1;)
diff --git a/tests/sip-stat-msg/test.yaml b/tests/sip-stat-msg/test.yaml
new file mode 100644
index 000000000..20a0de9e3
--- /dev/null
+++ b/tests/sip-stat-msg/test.yaml
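Review bot: The expected count of 7 in tests/sip-stat-code/test.yaml for `sip.stat_code; content:"100"` does not line up with the 6 expected by the sip-stat-msg test for `Trying` on the same capture, even though 100 responses normally carry the reason phrase `Trying`. Before these numbers are pinned as the reference it is worth confirming in the pcap whether one 100 response has a different or missing reason phrase, or whether one of the two rules is matching something unintended. The README for whichever test is affected could then record the explanation, for example `One of the 100 responses in the capture carries a reason phrase other than Trying.` if that is what the capture shows.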
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+ - filter:
+ count: 6
+ match:
+ event_type: alert
diff --git a/tests/sip-uri/README.md b/tests/sip-uri/README.md
new file mode 100644
index 000000000..c1c134a6d
--- /dev/null
+++ b/tests/sip-uri/README.md
@@ -0,0 +1 @@
+Match on SIP URI field.
diff --git a/tests/sip-uri/test.rules b/tests/sip-uri/test.rules
new file mode 100644
index 000000000..f6ca14dbf
--- /dev/null
+++ b/tests/sip-uri/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.uri; content:"sip:sip.cybercity.dk"; sid:1;)
diff --git a/tests/sip-uri/test.yaml b/tests/sip-uri/test.yaml
new file mode 100644
index 000000000..47b981e44
--- /dev/null
+++ b/tests/sip-uri/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+ - -k none
+
+pcap: ../sip-method/sip.pcap
+
+checks:
+ - filter:
+ count: 36
+ match:
+ event_type: alert
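Review bot: The `sip.uri` rule in tests/sip-uri/test.rules matches `sip:sip.cybercity.dk` as an unanchored substring, so it cannot distinguish an exact URI buffer from one that wrongly spans the whole request line; the sip-request-line test in this commit matches the same 36 messages with a content that also contains this URI. That request-line content, with a space on either side of the URI, suggests the Request-URI in each of those 36 REGISTER messages is exactly `sip:sip.cybercity.dk`, so `alert sip any any -> any any (flow:to_server; sip.uri; content:"sip:sip.cybercity.dk"; bsize:20; sid:1;)` should keep the count at 36 while failing on an over-wide buffer, provided `bsize` is accepted at the test's `min-version` and the capture confirms the exact URI. The sip-uri and sip-request-line test.yaml files are byte-identical (same blob `47b981e44`), which is fine but means a change to one is easy to forget in the other.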