From: Shivani Bhardwaj Date: Wed, 4 Jan 2023 07:20:24 +0000 (+0530) Subject: udp: add tests for bug 5379 X-Git-Tag: suricata-6.0.10~18 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a0811499ade0969d23955c012c1599bd33bef76;p=thirdparty%2Fsuricata-verify.git udp: add tests for bug 5379
---
diff --git a/tests/udp-5379/udp-hlen-invalid-non-strict/README.md b/tests/udp-5379/udp-hlen-invalid-non-strict/README.md
new file mode 100644
index 000000000..c71aa1d5e
--- /dev/null
+++ b/tests/udp-5379/udp-hlen-invalid-non-strict/README.md
@@ -0,0 +1,7 @@
+Description
+===========
+Test to check that the use of decoder event udp.hlen_invalid in rule issues warning.
+
+PCAP
+====
+Created with Scapy.
diff --git a/tests/udp-5379/udp-hlen-invalid-non-strict/input.pcap b/tests/udp-5379/udp-hlen-invalid-non-strict/input.pcap
new file mode 100644
index 000000000..3e9328028
Binary files /dev/null and b/tests/udp-5379/udp-hlen-invalid-non-strict/input.pcap differ
diff --git a/tests/udp-5379/udp-hlen-invalid-non-strict/test.rules b/tests/udp-5379/udp-hlen-invalid-non-strict/test.rules
new file mode 100644
index 000000000..7c21ca9a4
--- /dev/null
+++ b/tests/udp-5379/udp-hlen-invalid-non-strict/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)
diff --git a/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml b/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml
new file mode 100644
index 000000000..33e466ada
--- /dev/null
+++ b/tests/udp-5379/udp-hlen-invalid-non-strict/test.yaml
@@ -0,0 +1,19 @@
+exit-code: 0
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" \
+ --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} \
+ --set threshold-file="${TEST_DIR}/threshold.config" \
+ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules
+
+checks:
+ - shell:
+ version: 7
+ args: |-
+ grep "Warning: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
+ - shell:
+ version: 6
+ args: |-
+ grep "\[ERRCODE: SC_WARN_DEPRECATED(203)\] - decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
diff --git a/tests/udp-5379/udp-hlen-invalid-strict/README.md b/tests/udp-5379/udp-hlen-invalid-strict/README.md
new file mode 100644
index 000000000..c9464890f
--- /dev/null
+++ b/tests/udp-5379/udp-hlen-invalid-strict/README.md
@@ -0,0 +1,7 @@
+Description
+===========
+Test to check that the use of decoder event udp.hlen_invalid in rule issues an error.
+
+PCAP
+====
+Created with Scapy.
diff --git a/tests/udp-5379/udp-hlen-invalid-strict/input.pcap b/tests/udp-5379/udp-hlen-invalid-strict/input.pcap
new file mode 100644
index 000000000..3e9328028
Binary files /dev/null and b/tests/udp-5379/udp-hlen-invalid-strict/input.pcap differ
diff --git a/tests/udp-5379/udp-hlen-invalid-strict/test.rules b/tests/udp-5379/udp-hlen-invalid-strict/test.rules
new file mode 100644
index 000000000..7c21ca9a4
--- /dev/null
+++ b/tests/udp-5379/udp-hlen-invalid-strict/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid header length"; decode-event:udp.hlen_invalid; classtype:protocol-command-decode; sid:2200040; rev:2;)
diff --git a/tests/udp-5379/udp-hlen-invalid-strict/test.yaml b/tests/udp-5379/udp-hlen-invalid-strict/test.yaml
new file mode 100644
index 000000000..7d9fbe709
--- /dev/null
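Review bot: The command in this test.yaml passes `--set threshold-file="${TEST_DIR}/threshold.config"`, but the commit adds no threshold.config under udp-hlen-invalid-non-strict, so Suricata is pointed at a file that does not exist in the test directory. If the line was carried over from another test's command, dropping it keeps the test self-contained; if a missing threshold file is only logged and tolerated, the test passes by accident rather than by design, and that should be stated. The checks also only assert on the deprecation message and never on what happened to the rule itself (loaded, skipped, or rejected), so a sentence in the README such as `The test only verifies the log message; it does not assert whether the rule is loaded.` would make the scope explicit.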
+++ b/tests/udp-5379/udp-hlen-invalid-strict/test.yaml
@@ -0,0 +1,20 @@
+exit-code: 0
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" \
+ --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} \
+ --set threshold-file="${TEST_DIR}/threshold.config" \
+ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules \
+ --strict-rule-keywords=all
+
+checks:
+ - shell:
+ version: 7
+ args: |-
+ grep "Error: detect: decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
+ - shell:
+ version: 6
+ args: |-
+ grep "\[ERRCODE: SC_WARN_DEPRECATED(203)\] - decode-event keyword no longer supports event \"decoder.udp.hlen_invalid\"" suricata.log | wc -l
+ expect: 1
diff --git a/tests/udp-5379/udp-len-invalid/README.md b/tests/udp-5379/udp-len-invalid/README.md
new file mode 100644
index 000000000..641e7ca50
--- /dev/null
+++ b/tests/udp-5379/udp-len-invalid/README.md
@@ -0,0 +1,8 @@
+Description
+===========
+Test to check that the new decoder event udp.len_invalid actually matches on network data
+that fulfill the criteria: Packet length in UDP header < 8 Bytes.
+
+PCAP
+====
+Created with Scapy and edited to fit the usecase.
diff --git a/tests/udp-5379/udp-len-invalid/input.pcap b/tests/udp-5379/udp-len-invalid/input.pcap
new file mode 100644
index 000000000..ec9b7557c
Binary files /dev/null and b/tests/udp-5379/udp-len-invalid/input.pcap differ
diff --git a/tests/udp-5379/udp-len-invalid/test.rules b/tests/udp-5379/udp-len-invalid/test.rules
new file mode 100644
index 000000000..23c4dab7a
--- /dev/null
+++ b/tests/udp-5379/udp-len-invalid/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA UDP invalid length field in the header"; decode-event:udp.len_invalid; classtype:protocol-command-decode; sid:2200220; rev:2;)
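Review bot: The version-6 check in this strict test greps for exactly the same `SC_WARN_DEPRECATED(203)` warning as the non-strict variant, so on 6.0 nothing in the test demonstrates that `--strict-rule-keywords=all` changed the outcome; if the 6.0 backport deliberately keeps this a warning under strict mode, the README should say so, e.g. `On 6.0.x strict mode still only warns; the error path is verified on 7 only.`. The `exit-code: 0` expectation next to a version-7 `Error: detect:` log line also deserves a comment stating that the rule is expected to be rejected while Suricata still starts and exits cleanly, since a reader would otherwise expect a non-zero exit from an error under strict handling. As written, this is a presumption on my side; if a failed rule load under strict mode is in fact fatal, the expected exit code here is wrong rather than merely undocumented.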
diff --git a/tests/udp-5379/udp-len-invalid/test.yaml b/tests/udp-5379/udp-len-invalid/test.yaml
new file mode 100644
index 000000000..9d2855031
--- /dev/null
+++ b/tests/udp-5379/udp-len-invalid/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none
+- --set stats.decoder-events=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.event.udp.len_invalid: 1
+
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200220
diff --git a/tests/udp-5379/udp-trailing-data/README.md b/tests/udp-5379/udp-trailing-data/README.md
new file mode 100644
index 000000000..16a169ecd
--- /dev/null
+++ b/tests/udp-5379/udp-trailing-data/README.md
@@ -0,0 +1,8 @@
+Description
+===========
+Given that the packet has several trailing bytes, it fails to be processed properly.
+It should ideally not match the rule and alert.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5379](https://redmine.openinfosecfoundation.org/issues/5379)
diff --git a/tests/udp-5379/udp-trailing-data/input.pcap b/tests/udp-5379/udp-trailing-data/input.pcap
new file mode 100644
index 000000000..e996826aa
Binary files /dev/null and b/tests/udp-5379/udp-trailing-data/input.pcap differ
diff --git a/tests/udp-5379/udp-trailing-data/test.rules b/tests/udp-5379/udp-trailing-data/test.rules
new file mode 100644
index 000000000..8daf1e959
--- /dev/null
+++ b/tests/udp-5379/udp-trailing-data/test.rules
@@ -0,0 +1 @@
+alert udp $EXTERNAL_NET :1024 <> $HOME_NET 0 (msg:"UDP Port 0"; sid:1;)
diff --git a/tests/udp-5379/udp-trailing-data/test.yaml b/tests/udp-5379/udp-trailing-data/test.yaml
new file mode 100644
index 000000000..af32decbb
--- /dev/null
+++ b/tests/udp-5379/udp-trailing-data/test.yaml
@@ -0,0 +1,8 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 1
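Review bot: The only check in the udp-trailing-data test.yaml is `count: 0` on `alert.signature_id: 1`, which passes vacuously if the pcap is not read at all or the packet is dropped before UDP decoding, so it does not show that the packet with trailing bytes was decoded correctly. Add a positive assertion beside it, for example a `stats` filter on the UDP decoder counter (`stats.decoder.udp: 1`, field name to be confirmed against this pcap's stats output), so the test fails when the packet is not processed rather than only when it alerts. The README sentence `it fails to be processed properly` describes the pre-fix behaviour; stating the expected outcome explicitly, e.g. `The packet must decode as UDP with the trailing bytes ignored, so the port-0 rule must not fire.`, would make the purpose of `count: 0` clear to the next reader.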