From: Modupe Falodun
Date: Sat, 12 Feb 2022 09:25:30 +0000 (+0100)
Subject: detect-flowbits: add tests
X-Git-Tag: suricata-6.0.5~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=25b69f04ebc25a9a7762202ea8b6f86b8a2afa46;p=thirdparty%2Fsuricata-verify.git

detect-flowbits: add tests

Task: 4911
---

diff --git a/tests/detect-flowbits/README.md b/tests/detect-flowbits/README.md
new file mode 100644
index 000000000..45750ac93
--- /dev/null
+++ b/tests/detect-flowbits/README.md
@@ -0,0 +1 @@
+Tests the flowbits actions/options
diff --git a/tests/detect-flowbits/input.pcap b/tests/detect-flowbits/input.pcap
new file mode 100644
index 000000000..49593f3d9
Binary files /dev/null and b/tests/detect-flowbits/input.pcap differ
diff --git a/tests/detect-flowbits/test.rules b/tests/detect-flowbits/test.rules
new file mode 100644
index 000000000..2cca92626
--- /dev/null
+++ b/tests/detect-flowbits/test.rules
@@ -0,0 +1,11 @@
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb1; sid:1;)
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb2; sid:2;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb3|fb4; sid:3;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb1|fb5; sid:5;)
+alert ip any any -> any any (msg:"Flowbit isnotset ored flowbits"; flowbits:isnotset, fb1|fb2 ; sid:6;)
+alert ip any any -> any any (msg:"Flowbit unset"; flowbits:unset,fb1; sid:7;)
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:noalert; flowbits:toggle,fb1; content:"GET "; sid:8;)
+alert ip any any -> any any (msg:"Flowbit isset"; flowbits:isset,fb1; sid:9;)
+alert ip any any -> any any (msg:"Noalert"; flowbits:noalert; content:"GET "; sid:10;)
+alert ip any any -> any any (msg:"isset option"; flowbits:isset,fbt; content:"GET "; sid:11;)
+alert ip any any -> any any (msg:"Flowbit isset and flowbits"; flowbits:isset,fb1; flowbits:isset,fb2; sid:12;)
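Review bot: The expected results for sids 5, 9 and 12 (fb1 seen as set) only hold because sid 7 unsets fb1 and sid 8 then toggles it back on before any isset/isnotset rule runs, which, if I read Suricata's signature ordering correctly, relies on flowbit-writing rules being evaluated ahead of flowbit-reading rules in file order; that dependency is nowhere stated in the file. A header comment would save the next maintainer from re-deriving it: `# Writers (sids 1,2,7,8) run before readers; sid 7 unsets fb1 and sid 8 toggles it back on, so readers see fb1 and fb2 set and fb3/fb4/fb5/fbt never set.` The irregular spacing in sid 6, `flowbits:isnotset, fb1|fb2 ;`, looks deliberate (whitespace tolerance in the parser) and should say so, e.g. `# sid 6: odd spacing is intentional, exercises option parsing`. Sid 8 reuses `msg:"Flowbit set"` from sids 1 and 2 even though it toggles with noalert; a distinct message such as `msg:"Flowbit toggle noalert"` keeps eve output unambiguous when debugging a failure.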
diff --git a/tests/detect-flowbits/test.yaml b/tests/detect-flowbits/test.yaml
new file mode 100644
index 000000000..75a653dfb
--- /dev/null
+++ b/tests/detect-flowbits/test.yaml
@@ -0,0 +1,70 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 7
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 8
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 9
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 10
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 12
diff --git a/tests/detect-flowbits/writepcap.py b/tests/detect-flowbits/writepcap.py
new file mode 100644
index 000000000..fe7a0b191
--- /dev/null
+++ b/tests/detect-flowbits/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
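Review bot: The per-sid counts are pinned without any hint of the flowbit state that produces them, so a reader cannot tell from this file why `alert.signature_id: 5` is 1 while `alert.signature_id: 6` is 0, or why sid 9 fires at all after sid 7 unsets fb1. A one-line YAML comment above each non-obvious check would make a future regression readable: `# fb1|fb5: fb1 is set by sid 1` above the sid 5 check, `# both fb1 and fb2 are set, so the OR'd isnotset cannot match` above sid 6, `# sid 8 (noalert) toggles fb1 back on after sid 7 unsets it` above sid 9, and `# fbt is never set by any rule` above sid 11. The sid 9 and 12 expectations also indirectly prove that `content:"GET "` matched in sid 8; that is the only place the payload match is verified and deserves a comment saying so.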
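Review bot: `pkts += Ether(...)/...` only works because `list.__iadd__` iterates the scapy Packet, which yields the packet itself; that is an obscure path and `pkts.append(...)` states the intent directly. `#!/usr/bin/env python` resolves to Python 2 or to nothing on current distributions, so `#!/usr/bin/env python3` is the safer shebang, and `flags='P''A'` is implicit string concatenation that should just be `flags='PA'`. Since this script is what regenerates the committed `input.pcap`, a module docstring should state what it emits: a single VLAN-tagged (vlan 6) TCP PSH/ACK segment from 5.6.7.8:6666 to 1.2.3.4:80 carrying an HTTP GET, with no handshake, which is why the test runs with `-k none` and rules use `alert ip`.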