From: Philippe Antoine
Date: Fri, 22 Oct 2021 17:48:49 +0000 (+0200)
Subject: Adds test about xor transform
X-Git-Tag: suricata-5.0.10~63
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=205f584e809ad464d5f0a3e7de86689ea76ff8b3;p=thirdparty%2Fsuricata-verify.git
Adds test about xor transform
---
diff --git a/tests/detect-xor/README.md b/tests/detect-xor/README.md
new file mode 100644
index 000000000..35521e717
--- /dev/null
+++ b/tests/detect-xor/README.md
@@ -0,0 +1,13 @@
+# Description
+
+Test xor transform.
+
+# PCAP
+
+The pcap comes from running dummy HTTP1 server
+and in parallel as client(s) :
+```
+curl 127.0.0.1:8080/get?data=%7Dk%BB%8Cze%BA%9B0y%BD%8Fhx%BB%9Anx%AD%8B
+```
+
+The uri was computed with script `./xor.py password=supersecret`
diff --git a/tests/detect-xor/input.pcap b/tests/detect-xor/input.pcap
new file mode 100644
index 000000000..90b052356
Binary files /dev/null and b/tests/detect-xor/input.pcap differ
diff --git a/tests/detect-xor/test.rules b/tests/detect-xor/test.rules
new file mode 100644
index 000000000..5a97c368a
--- /dev/null
+++ b/tests/detect-xor/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with xor"; http.uri; content: "/get?data="; startswith; http.uri; pcrexform:"/get\?data=(.*)"; xor:"0d0ac8ff"; content:"password="; sid:1;)
diff --git a/tests/detect-xor/test.yaml b/tests/detect-xor/test.yaml
new file mode 100644
index 000000000..1aa28df93
--- /dev/null
+++ b/tests/detect-xor/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ files:
+ - src/detect-transform-xor.c
+
+args:
+ - -k none
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/detect-xor/xor.py b/tests/detect-xor/xor.py
new file mode 100644
index 000000000..53b571b6b
--- /dev/null
+++ b/tests/detect-xor/xor.py
@@ -0,0 +1,9 @@
+import sys
+import binascii
+import urllib
+
+key = binascii.unhexlify("0d0ac8ff")
+xored = ""
+for i in range(len(sys.argv[1])):
+ xored = xored + chr(ord(sys.argv[1][i]) ^ ord(key[i%len(key)]))
+print(urllib.quote_plus(xored))
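Review bot: The loop body `ord(key[i%len(key)])` only works under Python 2 — `binascii.unhexlify` returns `bytes`, whose items are already `int` on Python 3, so `ord()` raises TypeError there, and `urllib.quote_plus` on the last line lives at `urllib.parse.quote_plus` on Python 3. Since the README tells readers to regenerate the URI with `./xor.py password=supersecret`, the helper should run on a current interpreter; XOR-ing the argument's bytes directly also drops the `chr`/`ord` round trip and the quadratic string append. `sys.argv[1]` is also read unguarded, so a usage message on a missing argument would help. The rewrite below keeps the same output for ASCII input, as `quote_plus` percent-encodes `bytes` the way Python 2 encoded the `str` (`~` handling aside).
```python
# … unchanged: import sys, import binascii …
import urllib.parse

key = binascii.unhexlify("0d0ac8ff")
if len(sys.argv) != 2:
    sys.exit("usage: xor.py <plaintext>")
data = sys.argv[1].encode()
xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
print(urllib.parse.quote_plus(xored))
```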