From: Victor Julien Date: Thu, 29 Jun 2023 13:18:05 +0000 (+0200) Subject: tests: add filemagic/file.magic tests X-Git-Tag: suricata-7.0.0~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4548ac8b9a3872f12a0d3beea193009897470eb5;p=thirdparty%2Fsuricata-verify.git tests: add filemagic/file.magic tests Tests for parsing, flowbit matching as well as legacy filemagic keyword handling.
---
diff --git a/tests/filemagic-01/test.rules b/tests/filemagic-01/test.rules
new file mode 100755
index 000000000..4dd6b416a
--- /dev/null
+++ b/tests/filemagic-01/test.rules
@@ -0,0 +1,11 @@
+alert tcp any any -> any any (filemagic:"PDF"; sid:1;)
+alert tcp any any -> any any (filemagic:"pdf"; sid:2;)
+alert tcp any any -> any any (filemagic:"pDf"; sid:3;)
+
+alert tcp any any -> any any (filemagic:!"VERSION 1.6"; sid:4;)
+alert tcp any any -> any any (filemagic:!"version 1.6"; sid:5;)
+alert tcp any any -> any any (filemagic:!"vErSiOn 1.6"; sid:6;)
+
+alert tcp any any -> any any (filemagic:!"VERSION 1.5"; sid:7;)
+alert tcp any any -> any any (filemagic:!"version 1.5"; sid:8;)
+alert tcp any any -> any any (filemagic:!"vErSiOn 1.5"; sid:9;)
diff --git a/tests/filemagic-01/test.yaml b/tests/filemagic-01/test.yaml
new file mode 100644
index 000000000..990027f6f
--- /dev/null
+++ b/tests/filemagic-01/test.yaml
@@ -0,0 +1,47 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - MAGIC
+
+pcap: ../filemagic-flowbits/pdf-dl.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 6
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 7
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 8
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 9
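Review bot: This rules file is added with `new file mode 100755`, as are the two filemagic-flowbits-0x rules files further down, while tests/rules/filemagic/test.rules in the same commit is 100644; a rules file is data and should not carry the executable bit, so `chmod 644` it for consistency before merge. The negated rules in sids 4-9 pin exact libmagic description fragments ("VERSION 1.6" must be absent, "VERSION 1.5" must be present), so the count-0 expectation for sids 7-9 presumably holds only while the magic database describes the pcap's PDF as "version 1.5" with that wording, which can change between libmagic releases. A one-line comment stating the assumption, such as `# pdf-dl.pcap carries a "PDF document, version 1.5"; sids 7-9 must never alert`, would let the next person who sees sids 7-9 fire tell a magic-DB drift from a real regression.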
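Review bot: The `requires:` block lists only the two features and no `min-version`, while the filemagic-flowbits tests in this same commit add `min-version: 7`. If the case-insensitive matching asserted by sids 2-3 and 5-6 and the negated-match counts depend on the 7.0 rework of `filemagic` (the engine-analysis test below expects the keyword to become a `nocase` content), this test will fail rather than be skipped on an older binary; add `min-version: 7` under `requires:` alongside `features:`, or leave a comment explaining why the expectations hold on earlier versions.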
diff --git a/tests/filemagic-flowbits-02/test.rules b/tests/filemagic-flowbits-02/test.rules
new file mode 100755
index 000000000..4865b6f69
--- /dev/null
+++ b/tests/filemagic-flowbits-02/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Wget useragent";content:"wget"; nocase; startswith; http_user_agent; sid:1; rev:1; flowbits:set,wgetagent;)
+alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; filemagic:"PDF"; sid:3; rev:1;)
+alert http any any -> any any (msg:"PDF not wget locked to client"; flow:to_client; flowbits:isnotset,wgetagent; filemagic:"PDF"; sid:4; rev:1;)
+
diff --git a/tests/filemagic-flowbits-02/test.yaml b/tests/filemagic-flowbits-02/test.yaml
new file mode 100644
index 000000000..b1dcb0a67
--- /dev/null
+++ b/tests/filemagic-flowbits-02/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - MAGIC
+ min-version: 7
+
+pcap: ../filemagic-flowbits/pdf-dl.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ pcap_cnt: 7
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 3
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 4
diff --git a/tests/filemagic-flowbits-03/test.rules b/tests/filemagic-flowbits-03/test.rules
new file mode 100755
index 000000000..8b6213574
--- /dev/null
+++ b/tests/filemagic-flowbits-03/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Wget useragent"; http.user_agent; content:"wget"; nocase; startswith; flowbits:set,wgetagent; sid:1; rev:1;)
+alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; file.magic; content:"PDF"; sid:3; rev:1;)
+alert http any any -> any any (msg:"PDF not wget locked to client"; flow:to_client; flowbits:isnotset,wgetagent; file.magic; content:"PDF"; sid:4; rev:1;)
+
diff --git a/tests/filemagic-flowbits-03/test.yaml b/tests/filemagic-flowbits-03/test.yaml
new file mode 100644
index 000000000..b1dcb0a67
--- /dev/null
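Review bot: In sid 1 the `sid:1; rev:1;` pair sits before `flowbits:set,wgetagent;`, and `msg` is joined to `content` without the separating space used everywhere else; since this file deliberately exercises the legacy `http_user_agent` modifier form, the option order is presumably intentional, but keeping `sid`/`rev` last as in the -03 twin avoids the impression that the flowbit is an afterthought: `alert http any any -> any any (msg:"Wget useragent"; content:"wget"; nocase; startswith; http_user_agent; flowbits:set,wgetagent; sid:1; rev:1;)`. The numbering also jumps from sid 1 to sid 3, which suggests a positive `flowbits:isset` rule was dropped from the copy; if that is intentional, a short header comment such as `# legacy-keyword variant of tests/filemagic-flowbits; sid 2 (isset) intentionally omitted` would stop readers from hunting for it.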
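Review bot: The two `count: 0` checks for sids 3 and 4 are satisfied vacuously whenever file magic never runs at all (libmagic failing at load, the HTTP body not being tracked as a file), so nothing here proves a PDF was actually identified in pdf-dl.pcap and then suppressed by the flowbit. Add a positive control so a silent magic failure cannot pass the test, for example a rule `alert http any any -> any any (msg:"PDF wget"; flowbits:isset,wgetagent; filemagic:"PDF"; sid:2; rev:1;)` (sid 2 is unused in the rules file) with a `count: 1` check, ideally pinned with `pcap_cnt:` the way sid 1 is. With `min-version: 7` present, `HAVE_LIBJANSSON` under `features:` is presumably redundant, since 7.x cannot be built without jansson, but it is harmless.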
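Review bot: This file is the sticky-buffer twin of filemagic-flowbits-02/test.rules and the two must stay in lockstep, yet nothing in either file says so; a header line `# same as filemagic-flowbits-02 but with file.magic/http.user_agent sticky buffers instead of the legacy filemagic/http_user_agent keywords` would tell a reader why two near-identical tests exist and which one to update when the other changes. The sid 2 gap carried over from the -02 file should be explained in that same comment if it is intentional.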
+++ b/tests/filemagic-flowbits-03/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - MAGIC
+ min-version: 7
+
+pcap: ../filemagic-flowbits/pdf-dl.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ pcap_cnt: 7
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 3
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 4
diff --git a/tests/filemagic-flowbits/test.yaml b/tests/filemagic-flowbits/test.yaml
index 308821ee0..9c7a8d71d 100644
--- a/tests/filemagic-flowbits/test.yaml
+++ b/tests/filemagic-flowbits/test.yaml
@@ -2,6 +2,7 @@ requires: features: - HAVE_LIBJANSSON - MAGIC + min-version: 7 args: - -k none
diff --git a/tests/rules/filemagic/test.rules b/tests/rules/filemagic/test.rules
new file mode 100644
index 000000000..6d2cc640a
--- /dev/null
+++ b/tests/rules/filemagic/test.rules
@@ -0,0 +1,14 @@
+alert tcp any any -> any any (file.magic; content:"one"; sid:1;)
+alert tcp any any -> any any (file.magic; content:"one"; content:"two"; within:8; sid:2;)
+alert tcp any any -> any any (file.magic; content:"one"; within:8; sid:3;)
+alert tcp any any -> any any (file.magic; content:"one"; distance:8; sid:4;)
+alert smb any any -> any any (flow:to_server; file.magic; content:"in file magic"; pkt_data; content:"in pkt data"; sid:5;)
+alert smb any any -> any any (flow:to_server; file.magic; pcre:/one/R; sid:6;)
+alert smb any any -> any any (flow:to_server; file.magic; pcre:/one/; sid:7;)
+alert smb any any -> any any (flow:to_server; file.magic; pcre:/one/RB; sid:8;)
+alert smb any any -> any any (flow:to_server; file.magic; content:"one"; pcre:/two/R; sid:9;)
+
+alert tcp any any -> any any (filemagic:"pdf"; sid:10;)
+alert tcp any any -> any any (filemagic:!"pdf"; sid:11;)
+alert tcp any any -> any any (filemagic:"PDF"; sid:12;)
+alert tcp any any -> any any (filemagic:!"PDF"; sid:13;)
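Review bot: The file silently switches conventions between sids 1-4 (`alert tcp`, no `flow`), sids 5-9 (`alert smb`, `flow:to_server`) and sids 10-13 (legacy `filemagic`), and only the matching test.yaml reveals that the groups exercise content modifiers, the `pkt_data`/`pcre` buffer interplay, and the legacy-keyword-to-`nocase`-content conversion respectively. Since this is an engine-analysis fixture rather than a detection test, a group comment above each block, e.g. `# 1-4: within/distance handling on the file.magic sticky buffer`, `# 5-9: pkt_data and pcre /R,/B interplay (smb, to_server so direction is asserted)`, `# 10-13: legacy filemagic must become a nocase (and negated) file.magic content`, would make the rule set readable without cross-referencing rules.json expectations.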
diff --git a/tests/rules/filemagic/test.yaml b/tests/rules/filemagic/test.yaml
new file mode 100644
index 000000000..047dc8c8d
--- /dev/null
+++ b/tests/rules/filemagic/test.yaml
@@ -0,0 +1,155 @@
+requires:
+ min-version: 7.0.0
+ pcap: false
+ features:
+ - MAGIC
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "file.magic"
+ mpm.pattern: "one"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ mpm.buffer: "file.magic"
+ mpm.pattern: "one"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.relative_next: true
+ engines[0].name: "file.magic"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[1].content.within: 8
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "file.magic"
+ mpm.pattern: "one"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.depth: 8
+ notes[0]: "'within' option for pattern w/o previous content was converted to 'depth'"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ mpm.buffer: "file.magic"
+ mpm.pattern: "one"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.offset: 8
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ mpm.buffer: "file.magic"
+ mpm.pattern: "in|20|file|20|magic"
+ engines[0].name: "file.magic"
+ engines[0].direction: "toserver"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.pattern: "in|20|file|20|magic"
+ engines[1].name: "stream"
+ engines[1].direction: "toserver"
+ engines[1].matches[0].name: "content"
+ engines[1].matches[0].content.pattern: "in|20|pkt|20|data"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ engines[0].name: "file.magic"
+ engines[0].direction: "toserver"
+ engines[0].matches[0].name: "pcre"
+ engines[0].matches[0].pcre.relative: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ engines[0].name: "file.magic"
+ engines[0].direction: "toserver"
+ engines[0].matches[0].name: "pcre"
+ engines[0].matches[0].pcre.relative: false
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ engines[0].name: "file.magic"
+ engines[0].direction: "toserver"
+ engines[0].matches[0].name: "pcre"
+ engines[0].matches[0].pcre.relative: true
+ notes[0]: "'/B' (rawbytes) option is a no-op and is silently ignored"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ mpm.buffer: "file.magic"
+ mpm.pattern: "one"
+ engines[0].name: "file.magic"
+ engines[0].direction: "toserver"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.pattern: "one"
+ engines[0].matches[1].name: "pcre"
+ engines[0].matches[1].pcre.relative: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ mpm.buffer: "file.magic"
+ mpm.pattern: "pdf"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.pattern: "pdf"
+ engines[0].matches[0].content.nocase: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ mpm.buffer: "file.magic"
+ mpm.pattern: "pdf"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.pattern: "pdf"
+ engines[0].matches[0].content.negated: true
+ engines[0].matches[0].content.nocase: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 12
+ mpm.buffer: "file.magic"
+ mpm.pattern: "PDF"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.pattern: "PDF"
+ engines[0].matches[0].content.nocase: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 13
+ mpm.buffer: "file.magic"
+ mpm.pattern: "PDF"
+ engines[0].name: "file.magic"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[0].content.pattern: "PDF"
+ engines[0].matches[0].content.negated: true
+ engines[0].matches[0].content.nocase: true
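Review bot: The `match:` block for `id: 2` lists the key `engines[0].name: "file.magic"` twice (once before `engines[0].matches[0].name` and again after `content.relative_next: true`); duplicate mapping keys are invalid YAML, PyYAML keeps only the last one silently, and stricter loaders reject the document outright, so drop the second occurrence. The `requires:` block here omits `HAVE_LIBJANSSON` while the other new tests in this commit list it; with `min-version: 7.0.0` that feature is presumably implied, but the sibling YAMLs should agree one way or the other. The `notes[0]` assertions for ids 3 and 8 pin exact engine-analysis message text, which is fine for a 7.0 fixture but will need updating in step with any wording change in suricata, so a short comment to that effect above `checks:` would help.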