From: Victor Julien
Date: Thu, 19 Mar 2020 20:28:01 +0000 (+0100)
Subject: tests/tfo: add more tests
X-Git-Tag: suricata-6.0.4~315
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=209a465bc76d04d2e7b70d6732aa1f13f6f64a39;p=thirdparty%2Fsuricata-verify.git

tests/tfo: add more tests
---
diff --git a/tests/tcp-fastopen-06/README.md b/tests/tcp-fastopen-06/README.md
new file mode 100644
index 000000000..6f5f40bbe
--- /dev/null
+++ b/tests/tcp-fastopen-06/README.md
@@ -0,0 +1 @@
+Pcap from https://redmine.openinfosecfoundation.org/issues/3522
diff --git a/tests/tcp-fastopen-06/local.rules b/tests/tcp-fastopen-06/local.rules
new file mode 100644
index 000000000..d613b7f5b
--- /dev/null
+++ b/tests/tcp-fastopen-06/local.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"WEB-ATTACKS /etc/passwd command attempt"; content:"/etc/passwd"; classtype:web-application-attack; sid:1328; rev:6;)
diff --git a/tests/tcp-fastopen-06/test.yaml b/tests/tcp-fastopen-06/test.yaml
new file mode 100644
index 000000000..72e08c335
--- /dev/null
+++ b/tests/tcp-fastopen-06/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1328
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.length: 1158
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ tcp.state: closed
diff --git a/tests/tcp-fastopen-06/tfo-s1.pcap b/tests/tcp-fastopen-06/tfo-s1.pcap
new file mode 100644
index 000000000..ce1cee861
Binary files /dev/null and b/tests/tcp-fastopen-06/tfo-s1.pcap differ
diff --git a/tests/tcp-fastopen-07/tcp_fastopen_segmentation.pcap b/tests/tcp-fastopen-07/tcp_fastopen_segmentation.pcap
new file mode 100644
index 000000000..8e2a18996
Binary files /dev/null and b/tests/tcp-fastopen-07/tcp_fastopen_segmentation.pcap differ
diff --git a/tests/tcp-fastopen-07/test.rules b/tests/tcp-fastopen-07/test.rules
new file mode 100644
index 000000000..0761378bf
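Review bot: tests/tcp-fastopen-06/test.yaml pins sid 1328 firing once, one http event with http.length 1158 and one closed flow, but nothing in the directory says which TCP Fast Open behaviour those three counts are meant to guard; the README only records where the pcap came from. A one-line comment at the top of the checks, e.g. `# regression for redmine #3522: the request carried in the TFO SYN must be inspected so sid 1328 fires once and the HTTP tx is logged`, would let a future failure be read without re-opening the ticket (the "carried in the TFO SYN" part is my inference from the test name and should be checked against the pcap). This test also does not pass `-k none` while tcp-fastopen-07 and -08 do; if the capture has valid checksums that is fine, but a comment stating so would keep the difference from looking accidental.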
--- /dev/null
+++ b/tests/tcp-fastopen-07/test.rules
@@ -0,0 +1,16 @@
+alert tcp any any -> any any (msg:"tfo test1"; content:"d2"; sid:1;)
+alert tcp any any -> any any (msg:"tfo test2"; content:"d3"; sid:2;)
+alert tcp-pkt any any -> any any (msg:"tfo test3"; content:"d2"; sid:3;)
+alert tcp-pkt any any -> any any (msg:"tfo test4"; content:"d3"; sid:4;)
+alert tcp-stream any any -> any any (msg:"tfo test5"; content:"d2"; sid:5;)
+alert tcp-stream any any -> any any (msg:"tfo test6"; content:"d3"; sid:6;)
+alert tcp-stream any any -> any any (msg:"tfo test7"; content:"d2d3"; sid:7;)
+alert tcp any any -> any any (msg:"tfo test8"; content:"d2d3"; sid:8;)
+alert tcp any any -> any any (msg:"tfo test9"; http.uri; content:"d2d3"; sid:9;)
+alert tcp any any -> any any (msg:"tfo test10"; content:"GET"; sid:10;)
+alert tcp any any -> any any (msg:"tfo test11"; flags:S; content:"GET"; sid:11;)
+alert tcp any any -> any any (msg:"tfo test12"; http.method; content:"GET"; sid:12;)
+alert http any any -> any any (msg:"tfo test13"; http.method; content:"GET"; sid:13;)
+alert tcp any any -> any any (msg:"tfo test14"; http.user_agent; content:"czx"; sid:14;)
+alert tcp any any -> any any (msg:"tfo test15"; http.connection; content:"Keep-Alive"; sid:15;)
+alert tcp any any -> any any (msg:"tfo test16"; http.host; content:"10.0.0.61"; sid:16;)
diff --git a/tests/tcp-fastopen-07/test.yaml b/tests/tcp-fastopen-07/test.yaml
new file mode 100644
index 000000000..c60daccf4
--- /dev/null
+++ b/tests/tcp-fastopen-07/test.yaml
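Review bot: tests/tcp-fastopen-07/test.rules (and the byte-identical tests/tcp-fastopen-08/test.rules, same blob 0761378bf) lists sixteen numbered rules with no comment on what each group exercises, so the only description of the test matrix is the sid-to-count table in test.yaml. A header comment grouping them would make the expected counts reviewable, e.g. `# sid 1-2 / 3-4 / 5-6: same content via default, tcp-pkt and tcp-stream; 7-9: content spanning two segments; 10-16: HTTP keywords and a flags:S match on the data-bearing SYN`. That "d2"/"d3" really fall on either side of a segment boundary is only suggested by the rule names and the pcap's name, so the comment should be confirmed against the capture before it is committed.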
@@ -0,0 +1,114 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 14
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 15
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 16
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ proto: TCP
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ proto: TCP
+ dest_port: 80
+ tx_id: 0
+ http.hostname: "10.0.0.61"
+ http.url: "//a1a2a3a4a5a6a7a8a9a0b1b2b3b4b5b6b7b8b9b0c1c2c3c4c5c6c7c8c9c0d1d2d3d4d5d6d7d8d9d0"
+ http.http_user_agent: "czxt2s"
+ http.http_content_type: "text/html"
+ http.http_method: "GET"
+ http.protocol: "HTTP/1.1"
+ http.status: 404
+ http.length: 153
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ tcp.state: closed
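Review bot: tests/tcp-fastopen-07/test.yaml expects sids 10–13, the TCP flow count and the closed-flow count to be 2 while only one http event (tx_id 0) is asserted, and tests/tcp-fastopen-08/test.yaml expects every one of those once; neither file says why the two captures differ. If the doubled alerts come from a second flow in this pcap (a retransmitted data-bearing SYN is one reading of the counts, but I can only infer that here), a comment next to the first `count: 2` check, e.g. `# sids 10-13 and both flow checks are 2 because this capture carries the GET in two flows; tcp-fastopen-08 is the single-flow variant`, would keep a future count change from being "fixed" in the wrong direction. The `- -k none` argument turns off checksum verification for the whole run; if the capture has offloaded or otherwise invalid checksums, saying so in a comment beside it explains why the test would otherwise see no alerts at all.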
diff --git a/tests/tcp-fastopen-08/tcp_fastopen_segmentation-s1.pcap b/tests/tcp-fastopen-08/tcp_fastopen_segmentation-s1.pcap
new file mode 100644
index 000000000..138e9c245
Binary files /dev/null and b/tests/tcp-fastopen-08/tcp_fastopen_segmentation-s1.pcap differ
diff --git a/tests/tcp-fastopen-08/test.rules b/tests/tcp-fastopen-08/test.rules
new file mode 100644
index 000000000..0761378bf
--- /dev/null
+++ b/tests/tcp-fastopen-08/test.rules
@@ -0,0 +1,16 @@
+alert tcp any any -> any any (msg:"tfo test1"; content:"d2"; sid:1;)
+alert tcp any any -> any any (msg:"tfo test2"; content:"d3"; sid:2;)
+alert tcp-pkt any any -> any any (msg:"tfo test3"; content:"d2"; sid:3;)
+alert tcp-pkt any any -> any any (msg:"tfo test4"; content:"d3"; sid:4;)
+alert tcp-stream any any -> any any (msg:"tfo test5"; content:"d2"; sid:5;)
+alert tcp-stream any any -> any any (msg:"tfo test6"; content:"d3"; sid:6;)
+alert tcp-stream any any -> any any (msg:"tfo test7"; content:"d2d3"; sid:7;)
+alert tcp any any -> any any (msg:"tfo test8"; content:"d2d3"; sid:8;)
+alert tcp any any -> any any (msg:"tfo test9"; http.uri; content:"d2d3"; sid:9;)
+alert tcp any any -> any any (msg:"tfo test10"; content:"GET"; sid:10;)
+alert tcp any any -> any any (msg:"tfo test11"; flags:S; content:"GET"; sid:11;)
+alert tcp any any -> any any (msg:"tfo test12"; http.method; content:"GET"; sid:12;)
+alert http any any -> any any (msg:"tfo test13"; http.method; content:"GET"; sid:13;)
+alert tcp any any -> any any (msg:"tfo test14"; http.user_agent; content:"czx"; sid:14;)
+alert tcp any any -> any any (msg:"tfo test15"; http.connection; content:"Keep-Alive"; sid:15;)
+alert tcp any any -> any any (msg:"tfo test16"; http.host; content:"10.0.0.61"; sid:16;)
diff --git a/tests/tcp-fastopen-08/test.yaml b/tests/tcp-fastopen-08/test.yaml
new file mode 100644
index 000000000..a4e2594e7
--- /dev/null
+++ b/tests/tcp-fastopen-08/test.yaml
@@ -0,0 +1,114 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 5.0.0
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 14
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 15
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 16
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ proto: TCP
+ dest_port: 80
+ tx_id: 0
+ http.hostname: "10.0.0.61"
+ http.url: "//a1a2a3a4a5a6a7a8a9a0b1b2b3b4b5b6b7b8b9b0c1c2c3c4c5c6c7c8c9c0d1d2d3d4d5d6d7d8d9d0"
+ http.http_user_agent: "czxt2s"
+ http.http_content_type: "text/html"
+ http.http_method: "GET"
+ http.protocol: "HTTP/1.1"
+ http.status: 404
+ http.length: 153
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ tcp.state: closed