From: Jeff Lucovsky
Date: Tue, 2 Jul 2019 19:16:31 +0000 (+0200)
Subject: tests: add tcp fastopen test
X-Git-Tag: suricata-6.0.4~405
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=20710b4c3d5124cad6c4f05673c53c7fee842938;p=thirdparty%2Fsuricata-verify.git

tests: add tcp fastopen test
---
diff --git a/tests/tcp-fastopen-01/README.md b/tests/tcp-fastopen-01/README.md
new file mode 100644
index 000000000..2eaffa770
--- /dev/null
+++ b/tests/tcp-fastopen-01/README.md
@@ -0,0 +1,3 @@
+# PCAP
+
+https://redmine.openinfosecfoundation.org/issues/1203
diff --git a/tests/tcp-fastopen-01/test.rules b/tests/tcp-fastopen-01/test.rules
new file mode 100644
index 000000000..80f7223cb
--- /dev/null
+++ b/tests/tcp-fastopen-01/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"/etc/passwd"; http_uri; sid:1;)
+alert http any any -> any any (content:"/etc/passwd"; http_raw_uri; sid:2;)
diff --git a/tests/tcp-fastopen-01/test.yaml b/tests/tcp-fastopen-01/test.yaml
new file mode 100644
index 000000000..e02b6cd1c
--- /dev/null
+++ b/tests/tcp-fastopen-01/test.yaml
@@ -0,0 +1,43 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 2
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/index.php"
+        http.http_user_agent: "Mozilla/5.0"
+        http.http_content_type: text/html
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.0"
+        http.status: 302
+        http.redirect: "/index.php?page=main.php"
+        http.length: 0
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "//index.php?page=../../../etc/passwd"
+        http.status: 200
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
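Review bot: In the tcp-fastopen-01/test.yaml hunk the value `http.http_content_type: text/html` is the only string in that `match` block left unquoted while its neighbours (`http.url`, `http.http_method`, `http.protocol`, `http.redirect`) are quoted; writing it as `http.http_content_type: "text/html"` keeps the block uniform, and the same line appears in the tcp-fastopen-02 and tcp-fastopen-03 test.yaml hunks. The file also does not say what distinguishes this variant from 02 and 03, whose check lists are identical apart from the `args` section, so a leading comment such as `# TCP Fast Open capture (redmine issue 1203), default stream settings: both HTTP transactions must be parsed and sids 1 and 2 fire once each` would let a reader understand the three-way split without opening every directory. The README in this hunk only carries the issue URL, so the comment belongs in test.yaml or the README should be extended with one sentence per variant.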
diff --git a/tests/tcp-fastopen-01/tfo.pcap b/tests/tcp-fastopen-01/tfo.pcap
new file mode 100644
index 000000000..2893440fa
Binary files /dev/null and b/tests/tcp-fastopen-01/tfo.pcap differ
diff --git a/tests/tcp-fastopen-02/README.md b/tests/tcp-fastopen-02/README.md
new file mode 100644
index 000000000..2eaffa770
--- /dev/null
+++ b/tests/tcp-fastopen-02/README.md
@@ -0,0 +1,3 @@
+# PCAP
+
+https://redmine.openinfosecfoundation.org/issues/1203
diff --git a/tests/tcp-fastopen-02/test.rules b/tests/tcp-fastopen-02/test.rules
new file mode 100644
index 000000000..80f7223cb
--- /dev/null
+++ b/tests/tcp-fastopen-02/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"/etc/passwd"; http_uri; sid:1;)
+alert http any any -> any any (content:"/etc/passwd"; http_raw_uri; sid:2;)
diff --git a/tests/tcp-fastopen-02/test.yaml b/tests/tcp-fastopen-02/test.yaml
new file mode 100644
index 000000000..e8aa728ba
--- /dev/null
+++ b/tests/tcp-fastopen-02/test.yaml
@@ -0,0 +1,46 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 2
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/index.php"
+        http.http_user_agent: "Mozilla/5.0"
+        http.http_content_type: text/html
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.0"
+        http.status: 302
+        http.redirect: "/index.php?page=main.php"
+        http.length: 0
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "//index.php?page=../../../etc/passwd"
+        http.status: 200
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
diff --git a/tests/tcp-fastopen-02/tfo.pcap b/tests/tcp-fastopen-02/tfo.pcap
new file mode 100644
index 000000000..2893440fa
Binary files /dev/null and b/tests/tcp-fastopen-02/tfo.pcap differ
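Review bot: With `--simulate-ips` added in tcp-fastopen-02/test.yaml the expected results are otherwise identical to tcp-fastopen-01 (same pcap, index `2893440fa`, same check list), so nothing in the checks confirms that the IPS code path was actually exercised. Adding `alert.action: allowed` to the two `event_type: alert` filters would pin the verdict Suricata records for `alert` rules in IPS mode and make this variant assert something the IDS run cannot. If the EVE field differs on the minimum version the test requires (5.0.0), the filter should follow whatever that release emits.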
diff --git a/tests/tcp-fastopen-03/README.md b/tests/tcp-fastopen-03/README.md
new file mode 100644
index 000000000..2eaffa770
--- /dev/null
+++ b/tests/tcp-fastopen-03/README.md
@@ -0,0 +1,3 @@
+# PCAP
+
+https://redmine.openinfosecfoundation.org/issues/1203
diff --git a/tests/tcp-fastopen-03/test.rules b/tests/tcp-fastopen-03/test.rules
new file mode 100644
index 000000000..80f7223cb
--- /dev/null
+++ b/tests/tcp-fastopen-03/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (content:"/etc/passwd"; http_uri; sid:1;)
+alert http any any -> any any (content:"/etc/passwd"; http_raw_uri; sid:2;)
diff --git a/tests/tcp-fastopen-03/test.yaml b/tests/tcp-fastopen-03/test.yaml
new file mode 100644
index 000000000..5762952f3
--- /dev/null
+++ b/tests/tcp-fastopen-03/test.yaml
@@ -0,0 +1,46 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 2
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/index.php"
+        http.http_user_agent: "Mozilla/5.0"
+        http.http_content_type: text/html
+        http.http_method: "GET"
+        http.protocol: "HTTP/1.0"
+        http.status: 302
+        http.redirect: "/index.php?page=main.php"
+        http.length: 0
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "//index.php?page=../../../etc/passwd"
+        http.status: 200
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
diff --git a/tests/tcp-fastopen-03/tfo.pcap b/tests/tcp-fastopen-03/tfo.pcap
new file mode 100644
index 000000000..006783f62
Binary files /dev/null and b/tests/tcp-fastopen-03/tfo.pcap differ
diff --git a/tests/tcp-fastopen-04/test.rules b/tests/tcp-fastopen-04/test.rules
new file mode 100644
index 000000000..28347d0dd
--- /dev/null
+++ b/tests/tcp-fastopen-04/test.rules
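Review bot: tcp-fastopen-03 ships a different capture (`index 000000000..006783f62` versus `2893440fa` in 01 and 02) yet reuses the identical README and the identical check list, so a reader cannot tell what the midstream variant's pcap changes or why `--set stream.midstream=true` is needed; presumably the handshake is absent or truncated, but that is an inference from the argument alone. The README (or a comment above the `args` entry in test.yaml) should state how this tfo.pcap differs from the others and what would fail without midstream pickup, for example `# Capture lacks the full handshake; stream.midstream=true is required for the HTTP transactions to be reassembled - confirm against tfo.pcap`. Without that, the three directories look like accidental duplicates rather than deliberate variants.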
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)
diff --git a/tests/tcp-fastopen-04/test.yaml b/tests/tcp-fastopen-04/test.yaml
new file mode 100644
index 000000000..eccfc0c74
--- /dev/null
+++ b/tests/tcp-fastopen-04/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
diff --git a/tests/tcp-fastopen-04/tfo.pcap b/tests/tcp-fastopen-04/tfo.pcap
new file mode 100644
index 000000000..7d9c9b48b
Binary files /dev/null and b/tests/tcp-fastopen-04/tfo.pcap differ
diff --git a/tests/tcp-fastopen-05/test.rules b/tests/tcp-fastopen-05/test.rules
new file mode 100644
index 000000000..28347d0dd
--- /dev/null
+++ b/tests/tcp-fastopen-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)
diff --git a/tests/tcp-fastopen-05/test.yaml b/tests/tcp-fastopen-05/test.yaml
new file mode 100644
index 000000000..a892614ae
--- /dev/null
+++ b/tests/tcp-fastopen-05/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none --simulate-ips
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+        proto: TCP
diff --git a/tests/tcp-fastopen-05/tfo.pcap b/tests/tcp-fastopen-05/tfo.pcap
new file mode 100644
index 000000000..7d9c9b48b
Binary files /dev/null and b/tests/tcp-fastopen-05/tfo.pcap differ
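Review bot: tcp-fastopen-04 and tcp-fastopen-05 carry no README.md, unlike 01–03, and neither test.yaml explains why checksum validation has to be disabled with `-k none`; a README pointing at the same redmine issue plus a comment on the args entry such as `# capture's TCP checksums are not valid for this stream, so checksum drops must be turned off - confirm against tfo.pcap` would record the reason instead of leaving a future maintainer to rediscover it. In tcp-fastopen-05 the two options are packed into a single list item, `- -k none --simulate-ips`, whereas every other test in this commit uses one option per item; splitting it into `- -k none` and `- --simulate-ips` keeps the files consistent and does not depend on how the harness tokenises an item. The `count: 2` expected for sid 1 also deserves a one-line comment stating where the second match comes from (the rule has no `flow` direction keyword, so both directions are candidates, but the pcap is not visible here).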