From: Richard McConnell
Date: Wed, 29 Jan 2025 09:03:34 +0000 (+0000)
Subject: Introduce TLS-JA4 client/server handshake tests
X-Git-Tag: suricata-7.0.11~59
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c1aa45fc6c0810d742b4644e148eb8c4be24bca;p=thirdparty%2Fsuricata-verify.git
Introduce TLS-JA4 client/server handshake tests
This update introduces two new tests to accompany the introduction of client/server handshake parameters and output via JSON-EVE.
- ja4-cl-handshake: client eve output test
- ja4-sv-handshake: server eve output test
---
diff --git a/tests/ja4-cl-handshake/input.pcap b/tests/ja4-cl-handshake/input.pcap
new file mode 100644
index 000000000..77c4aa27a
Binary files /dev/null and b/tests/ja4-cl-handshake/input.pcap differ
diff --git a/tests/ja4-cl-handshake/suricata.yaml b/tests/ja4-cl-handshake/suricata.yaml
new file mode 100644
index 000000000..3f8c8305c
--- /dev/null
+++ b/tests/ja4-cl-handshake/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ enabled: yes
+ custom: [client_handshake]
diff --git a/tests/ja4-cl-handshake/test.yaml b/tests/ja4-cl-handshake/test.yaml
new file mode 100644
index 000000000..51f8b45be
--- /dev/null
+++ b/tests/ja4-cl-handshake/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.client_handshake.version: TLS 1.2
+ tls.client_handshake.ciphers: [49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255]
+ tls.client_handshake.exts: [0,11,10,35,22,23,13]
+ tls.client_handshake.sig_algs: [1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538]
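Review bot: The ja4-cl-handshake check pins the raw ClientHello inputs to a JA4 fingerprint (version, ciphers, exts, sig_algs) but never asserts the fingerprint itself, so a regression in the JA4 derivation would still pass; the ja4-sv-handshake test.yaml in the next file has the same gap. If the tls eve output can emit the fingerprint next to the handshake fields, add it to the custom list, `custom: [client_handshake, ja4]`, and pin it in the match block as `tls.ja4: <JA4 string observed for this pcap>`. Both input.pcap blobs also share the index 77c4aa27a, so one capture is committed twice; if the harness's pcap override is available, the second test could reference the first test's file instead of duplicating it.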
diff --git a/tests/ja4-sv-handshake/input.pcap b/tests/ja4-sv-handshake/input.pcap
new file mode 100644
index 000000000..77c4aa27a
Binary files /dev/null and b/tests/ja4-sv-handshake/input.pcap differ
diff --git a/tests/ja4-sv-handshake/suricata.yaml b/tests/ja4-sv-handshake/suricata.yaml
new file mode 100644
index 000000000..60b2f3c00
--- /dev/null
+++ b/tests/ja4-sv-handshake/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - tls:
+ enabled: yes
+ custom: [server_handshake]
diff --git a/tests/ja4-sv-handshake/test.yaml b/tests/ja4-sv-handshake/test.yaml
new file mode 100644
index 000000000..d6cd8b2d3
--- /dev/null
+++ b/tests/ja4-sv-handshake/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.server_handshake.version: TLS 1.2
+ tls.server_handshake.cipher: 49200
+ tls.server_handshake.exts: [65281,11,35,23]
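Review bot: The ja4-sv-handshake check only proves that `tls.server_handshake` is present when `custom: [server_handshake]` is configured; nothing verifies that the unrequested `tls.client_handshake` block stays out of the event, so both tests would still pass if the custom gate for these fields were ignored. A negative check in this filter, `not-has-key: tls.client_handshake` (if the harness supports key-absence filters), plus the mirror `not-has-key: tls.server_handshake` in ja4-cl-handshake, would pin the opt-in behaviour down. The numeric values (`cipher: 49200`, `exts: [65281,11,35,23]`) are unlabelled; a one-line `#` comment in test.yaml stating that they are IANA code points in wire order would help whoever has to regenerate them when the pcap changes.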