From: Victor Julien
Date: Fri, 27 Mar 2020 14:08:13 +0000 (+0100)
Subject: tests: add http file blocking on sha256 tests
X-Git-Tag: suricata-6.0.4~317
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b79b96859b1ecb519712ae81a8ba6f23f36b156;p=thirdparty%2Fsuricata-verify.git
tests: add http file blocking on sha256 tests
---
diff --git a/tests/http-sha256-drop-02/README.md b/tests/http-sha256-drop-02/README.md
new file mode 100644
index 000000000..e7a75b43e
--- /dev/null
+++ b/tests/http-sha256-drop-02/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/21
diff --git a/tests/http-sha256-drop-02/blacklist b/tests/http-sha256-drop-02/blacklist
new file mode 100644
index 000000000..fd5bec0ab
--- /dev/null
+++ b/tests/http-sha256-drop-02/blacklist
@@ -0,0 +1,5 @@
+cac5f74a1e146d6de26845e3e03732c01167e4bbb4333e76889b538c9bd30362
+537aea248165d3e82e48c4808b92e048bd1593ecbcb99d661c3c776204cd96a2
+be331893e44dcad93536b7b5cd3104abc9174ab66086ea5ad8bd4b2618222780
+3f6a4dffd4fd653b53b621349d5167d3cfa3cad926c166e7e24b88d3c9a06acf
+abe7c7b40883a7b59e6493d0f9a9b4b85035f22ee6195da2b188c2072279634f
diff --git a/tests/http-sha256-drop-02/input.pcap b/tests/http-sha256-drop-02/input.pcap
new file mode 100644
index 000000000..8b8f94ef3
Binary files /dev/null and b/tests/http-sha256-drop-02/input.pcap differ
diff --git a/tests/http-sha256-drop-02/suricata.yaml b/tests/http-sha256-drop-02/suricata.yaml
new file mode 100644
index 000000000..eca382635
--- /dev/null
+++ b/tests/http-sha256-drop-02/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
diff --git a/tests/http-sha256-drop-02/test.rules b/tests/http-sha256-drop-02/test.rules
new file mode 100644
index 000000000..bad32281f
--- /dev/null
+++ b/tests/http-sha256-drop-02/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"File stored: EXE"; fileext:"exe"; filestore; sid:1; rev:1;)
+drop http any any -> any any (msg:"Malicious file detected"; filesha256:blacklist; xbits:set, blocked_http, track ip_pair, expire 3600; sid:2; rev:2;)
+drop http any any -> any any (msg:"Block 206 response for IPPair"; content:"206"; http_stat_code; xbits:isset, blocked_http, track ip_pair; priority:1; sid:3; rev:1;)
+#drop http any any -> any any (msg:"Request blocked for IPPair"; content:"GET"; http_method; content:"exe"; http_uri; xbits:isset, blocked_http, track ip_pair; priority:1; sid:4; rev:2;)
diff --git a/tests/http-sha256-drop-02/test.yaml b/tests/http-sha256-drop-02/test.yaml
new file mode 100644
index 000000000..dbdfa31c0
--- /dev/null
+++ b/tests/http-sha256-drop-02/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+ min-version: 4.1.0
+
+args:
+ - --simulate-ips
+ - --runmode=single
+ - --no-random
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 2
+ pcap_cnt: 103
+ - filter:
+ count: 8
+ match:
+ event_type: drop
+ flow_id: 746850855319537
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ pcap_cnt: 135
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 3
+ pcap_cnt: 135
+ - filter:
+ count: 7
+ match:
+ event_type: drop
+ flow_id: 948787333709074
diff --git a/tests/http-sha256-drop/README.md b/tests/http-sha256-drop/README.md
new file mode 100644
index 000000000..3a7af36d8
--- /dev/null
+++ b/tests/http-sha256-drop/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/14
diff --git a/tests/http-sha256-drop/blacklist b/tests/http-sha256-drop/blacklist
new file mode 100644
index 000000000..fd5bec0ab
--- /dev/null
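Review bot: The disabled sid:4 line at the end of test.rules carries no reason, and none of the three live rules says why sid:2 sets an xbit rather than only dropping, so the fixture's intent has to be reverse-engineered from test.yaml. Presumably sid:2 drops the blacklisted transfer and marks the ip_pair so that sid:3 can drop the server's later `206` partial-content replies — a range/resume re-fetch that the hash match on the first transfer does not by itself cover; a header comment along those lines, plus `# disabled: <reason>` above sid:4 (or deleting the dead line), would make the file self-explaining. Minor: `sid:2` and the disabled `sid:4` are added at `rev:2` in a brand-new file, which looks carried over from the forum thread; `rev:1` is the usual starting point for a new rule.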
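Review bot: The `flow_id: 746850855319537` / `flow_id: 948787333709074` filters and the per-flow drop totals of 8 and 7 are bare constants with nothing in test.yaml saying what they pin down, and they are only meaningful together with settings in other files: the flow ids presumably stay stable because of the `--no-random` arg, and counting several drop records per flow depends on suricata.yaml logging drops with `flows: all` rather than only the first drop of a flow. A comment above `checks:` such as `# flow_id values rely on --no-random; per-flow drop counts rely on eve drop logging with flows: all (see suricata.yaml)` would keep a later edit to either file from silently breaking these filters.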
+++ b/tests/http-sha256-drop/blacklist
@@ -0,0 +1,5 @@
+cac5f74a1e146d6de26845e3e03732c01167e4bbb4333e76889b538c9bd30362
+537aea248165d3e82e48c4808b92e048bd1593ecbcb99d661c3c776204cd96a2
+be331893e44dcad93536b7b5cd3104abc9174ab66086ea5ad8bd4b2618222780
+3f6a4dffd4fd653b53b621349d5167d3cfa3cad926c166e7e24b88d3c9a06acf
+abe7c7b40883a7b59e6493d0f9a9b4b85035f22ee6195da2b188c2072279634f
diff --git a/tests/http-sha256-drop/input.pcap b/tests/http-sha256-drop/input.pcap
new file mode 100644
index 000000000..20a739378
Binary files /dev/null and b/tests/http-sha256-drop/input.pcap differ
diff --git a/tests/http-sha256-drop/suricata.yaml b/tests/http-sha256-drop/suricata.yaml
new file mode 100644
index 000000000..eca382635
--- /dev/null
+++ b/tests/http-sha256-drop/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
diff --git a/tests/http-sha256-drop/test.rules b/tests/http-sha256-drop/test.rules
new file mode 100644
index 000000000..30d7dfcd4
--- /dev/null
+++ b/tests/http-sha256-drop/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"File stored: EXE"; fileext:"exe"; filestore; sid:1; rev:1;)
+drop http any any -> any any (msg:"Malicious file detected"; filesha256:blacklist; sid:2; rev:2;)
diff --git a/tests/http-sha256-drop/test.yaml b/tests/http-sha256-drop/test.yaml
new file mode 100644
index 000000000..d450431ba
--- /dev/null
+++ b/tests/http-sha256-drop/test.yaml
@@ -0,0 +1,29 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+ min-version: 4.1.0
+
+args:
+ - --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 929
+ - filter:
+ count: 43
+ match:
+ event_type: drop
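Review bot: The `event_type: drop` check at `pcap_cnt: 929` does not pin `alert.signature_id: 2`, unlike the equivalent check in tests/http-sha256-drop-02/test.yaml, even though suricata.yaml enables `alerts: yes` on the drop log so the field should be available; adding `alert.signature_id: 2` under that `match:` would make the test fail if the drop at packet 929 ever came from a different rule. The closing `count: 43` on a bare `event_type: drop` counts every dropped packet in the pcap, which only holds while suricata.yaml keeps `flows: all` — a short comment naming that dependency would help. This test also runs without the `--runmode=single` and `--no-random` args its sibling uses; if the difference is deliberate, a comment saying so would stop someone from "fixing" it later.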