From: Sascha Steinbiss
Date: Tue, 25 Feb 2020 17:16:16 +0000 (+0100)
Subject: add tests for RFB parser
X-Git-Tag: suricata-6.0.4~340
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fbb65787924a96f3b12cf7cc5381a1b7953d36e;p=thirdparty%2Fsuricata-verify.git

add tests for RFB parser
---
diff --git a/tests/rfb-protocol-3.3/06-vnc-Password-3.3.pcap b/tests/rfb-protocol-3.3/06-vnc-Password-3.3.pcap
new file mode 100644
index 000000000..f49d629d2
Binary files /dev/null and b/tests/rfb-protocol-3.3/06-vnc-Password-3.3.pcap differ
diff --git a/tests/rfb-protocol-3.3/suricata.yaml b/tests/rfb-protocol-3.3/suricata.yaml
new file mode 100644
index 000000000..4aea57de3
--- /dev/null
+++ b/tests/rfb-protocol-3.3/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - rfb
+ - flow
+
+app-layer:
+ protocols:
+ rfb:
+ enabled: yes
+ detection-ports:
+ dp: 5900
diff --git a/tests/rfb-protocol-3.3/test.yaml b/tests/rfb-protocol-3.3/test.yaml
new file mode 100644
index 000000000..5f23763d1
--- /dev/null
+++ b/tests/rfb-protocol-3.3/test.yaml
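Review bot: The config pins RFB classification to `dp: 5900` under `detection-ports` without saying why, and the same 18-line file (blob 4aea57de3 in each file header) is added again under rfb-protocol-3.7 and rfb-protocol-3.8. A one-line comment above `app-layer:` would spare the next reader a guess, e.g. `# only port 5900 is classified as RFB here; adjust if a capture uses another port`. Whether RFB would also be picked up on other ports by some probing mechanism is not something this config shows, so keep the comment to what the test relies on. Since the three files are byte-identical, using the same comment wording in all of them keeps them from drifting apart.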
@@ -0,0 +1,40 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/rfb/parser.rs
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: rfb
+
+ - filter:
+ count: 1
+ match:
+ event_type: rfb
+ rfb.server_protocol_version.major: "003"
+ rfb.server_protocol_version.minor: "003"
+ rfb.client_protocol_version.major: "003"
+ rfb.client_protocol_version.minor: "003"
+ rfb.authentication.security_type: 2
+ rfb.authentication.vnc.challenge: "263cd2330c2902a68c88aae131ba552c"
+ rfb.authentication.vnc.response: "3f0526502c716d0ed6a7de026af40c5a"
+ rfb.authentication.security_result: "OK"
+ rfb.screen_shared: false
+ rfb.framebuffer.width: 800
+ rfb.framebuffer.height: 600
+ rfb.framebuffer.name: "\\xa0"
+ rfb.framebuffer.pixel_format.bits_per_pixel: 32
+ rfb.framebuffer.pixel_format.depth: 24
+ rfb.framebuffer.pixel_format.big_endian: false
+ rfb.framebuffer.pixel_format.true_color: true
+ rfb.framebuffer.pixel_format.red_max: 255
+ rfb.framebuffer.pixel_format.green_max: 255
+ rfb.framebuffer.pixel_format.blue_max: 255
+ rfb.framebuffer.pixel_format.red_shift: 16
+ rfb.framebuffer.pixel_format.green_shift: 8
+ rfb.framebuffer.pixel_format.blue_shift: 0
diff --git a/tests/rfb-protocol-3.7/00-vnc-openwall-3.7.pcap b/tests/rfb-protocol-3.7/00-vnc-openwall-3.7.pcap
new file mode 100644
index 000000000..f1e91c2d9
Binary files /dev/null and b/tests/rfb-protocol-3.7/00-vnc-openwall-3.7.pcap differ
diff --git a/tests/rfb-protocol-3.7/suricata.yaml b/tests/rfb-protocol-3.7/suricata.yaml
new file mode 100644
index 000000000..4aea57de3
--- /dev/null
+++ b/tests/rfb-protocol-3.7/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - rfb
+ - flow
+
+app-layer:
+ protocols:
+ rfb:
+ enabled: yes
+ detection-ports:
+ dp: 5900
diff --git a/tests/rfb-protocol-3.7/test.yaml b/tests/rfb-protocol-3.7/test.yaml
new file mode 100644
index 000000000..88b65befb
--- /dev/null
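Review bot: `rfb.framebuffer.name: "\\xa0"` is asserted without explanation; inside YAML double quotes that value is the four-character string `\xa0`, which looks like the EVE logger's escaped rendering of a single non-printable byte in the server's desktop name rather than the raw byte itself. A comment beside it such as `# desktop name is one non-printable byte; the logger emits it escaped, hence the doubled backslash` would stop a later maintainer from "fixing" the escape; the same value is asserted in the rfb-protocol-3.8 test.yaml. On coverage, all three rfb-protocol-* tests pin security_type 2 with `security_result: "OK"` only, so the parser's handling of a handshake that ends in a non-OK security result, or of another security type, is not exercised by any check in this commit; a capture for at least the failed-handshake case would be worth adding.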
+++ b/tests/rfb-protocol-3.7/test.yaml
@@ -0,0 +1,40 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/rfb/parser.rs
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: rfb
+
+ - filter:
+ count: 1
+ match:
+ event_type: rfb
+ rfb.server_protocol_version.major: "003"
+ rfb.server_protocol_version.minor: "007"
+ rfb.client_protocol_version.major: "003"
+ rfb.client_protocol_version.minor: "007"
+ rfb.authentication.security_type: 2
+ rfb.authentication.vnc.challenge: "ea5150a99e0feb6343c045c6f95ce44c"
+ rfb.authentication.vnc.response: "c39d5ad5c8242ed6bea28a773dbd3a29"
+ rfb.authentication.security_result: "OK"
+ rfb.screen_shared: false
+ rfb.framebuffer.width: 1280
+ rfb.framebuffer.height: 800
+ rfb.framebuffer.name: "aneagles@localhost.localdomain"
+ rfb.framebuffer.pixel_format.bits_per_pixel: 32
+ rfb.framebuffer.pixel_format.depth: 24
+ rfb.framebuffer.pixel_format.big_endian: false
+ rfb.framebuffer.pixel_format.true_color: true
+ rfb.framebuffer.pixel_format.red_max: 255
+ rfb.framebuffer.pixel_format.green_max: 255
+ rfb.framebuffer.pixel_format.blue_max: 255
+ rfb.framebuffer.pixel_format.red_shift: 16
+ rfb.framebuffer.pixel_format.green_shift: 8
+ rfb.framebuffer.pixel_format.blue_shift: 0
diff --git a/tests/rfb-protocol-3.8/04-vnc-openwall-3.8.pcap b/tests/rfb-protocol-3.8/04-vnc-openwall-3.8.pcap
new file mode 100644
index 000000000..8826e5145
Binary files /dev/null and b/tests/rfb-protocol-3.8/04-vnc-openwall-3.8.pcap differ
diff --git a/tests/rfb-protocol-3.8/suricata.yaml b/tests/rfb-protocol-3.8/suricata.yaml
new file mode 100644
index 000000000..4aea57de3
--- /dev/null
+++ b/tests/rfb-protocol-3.8/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - rfb
+ - flow
+
+app-layer:
+ protocols:
+ rfb:
+ enabled: yes
+ detection-ports:
+ dp: 5900
diff --git a/tests/rfb-protocol-3.8/test.yaml b/tests/rfb-protocol-3.8/test.yaml
new file mode 100644
index 000000000..ed75672bb
--- /dev/null
+++ b/tests/rfb-protocol-3.8/test.yaml
@@ -0,0 +1,40 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/rfb/parser.rs
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: rfb
+
+ - filter:
+ count: 1
+ match:
+ event_type: rfb
+ rfb.server_protocol_version.major: "003"
+ rfb.server_protocol_version.minor: "008"
+ rfb.client_protocol_version.major: "003"
+ rfb.client_protocol_version.minor: "008"
+ rfb.authentication.security_type: 2
+ rfb.authentication.vnc.challenge: "1d03c57f2dffcc72a5ae3ad559c9c3db"
+ rfb.authentication.vnc.response: "547b7a6f36a154db03a2575c6f2a4ec5"
+ rfb.authentication.security_result: "OK"
+ rfb.screen_shared: false
+ rfb.framebuffer.width: 800
+ rfb.framebuffer.height: 600
+ rfb.framebuffer.name: "\\xa0"
+ rfb.framebuffer.pixel_format.bits_per_pixel: 32
+ rfb.framebuffer.pixel_format.depth: 24
+ rfb.framebuffer.pixel_format.big_endian: false
+ rfb.framebuffer.pixel_format.true_color: true
+ rfb.framebuffer.pixel_format.red_max: 255
+ rfb.framebuffer.pixel_format.green_max: 255
+ rfb.framebuffer.pixel_format.blue_max: 255
+ rfb.framebuffer.pixel_format.red_shift: 16
+ rfb.framebuffer.pixel_format.green_shift: 8
+ rfb.framebuffer.pixel_format.blue_shift: 0
diff --git a/tests/rfb-rules/00-vnc-openwall-3.7.pcap b/tests/rfb-rules/00-vnc-openwall-3.7.pcap
new file mode 100644
index 000000000..f1e91c2d9
Binary files /dev/null and b/tests/rfb-rules/00-vnc-openwall-3.7.pcap differ
diff --git a/tests/rfb-rules/suricata.yaml b/tests/rfb-rules/suricata.yaml
new file mode 100644
index 000000000..cf76a6b43
--- /dev/null
+++ b/tests/rfb-rules/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
+app-layer:
+ protocols:
+ rfb:
+ enabled: yes
+ detection-ports:
+ dp: 5900
diff --git a/tests/rfb-rules/test.rules b/tests/rfb-rules/test.rules
new file mode 100644
index 000000000..382e725c5
--- /dev/null
+++ b/tests/rfb-rules/test.rules
@@ -0,0 +1,7 @@
+alert rfb any any -> any any (msg:"rfb-name1"; rfb.name; pcre:"/.*\.localdomain/"; sid:1;)
+alert rfb any any -> any any (msg:"rfb-name2"; rfb.name; pcre:"/.*\.localdoom/"; sid:2;)
+alert rfb any any -> any any (msg:"rfb-sectype1"; rfb.sectype:2; sid:3;)
+alert rfb any any -> any any (msg:"rfb-sectype2"; rfb.sectype:>3; sid:4;)
+alert rfb any any -> any any (msg:"rfb-secresult1"; rfb.secresult:ok; sid:5;)
+alert rfb any any -> any any (msg:"rfb-secresult2"; rfb.secresult:unknown; sid:6;)
+
diff --git a/tests/rfb-rules/test.yaml b/tests/rfb-rules/test.yaml
new file mode 100644
index 000000000..3db1e120b
--- /dev/null
+++ b/tests/rfb-rules/test.yaml
@@ -0,0 +1,44 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/rfb/parser.rs
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "rfb-name1"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "rfb-sectype1"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "rfb-secresult1"
+
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature: "rfb-name2"
+
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature: "rfb-sectype2"
+
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature: "rfb-secresult2"
+
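Review bot: The `pcre:"/.*\.localdomain/"` in sid 1 (and `/.*\.localdoom/` in sid 2) carries a leading `.*` that adds nothing to an unanchored match and only costs backtracking on longer desktop names. For what these two tests check, a plain content match on the sticky buffer, `rfb.name; content:".localdomain";`, expresses the same condition without invoking pcre at all. If the intent was specifically to exercise pcre against the `rfb.name` buffer, a short `#` comment line at the top of the rules file saying so would make that choice deliberate rather than look like an oversight.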
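Review bot: The three `count: 0` checks (rfb-name2, rfb-sectype2, rfb-secresult2) are satisfied just as well by sids 2, 4 and 6 failing to load as by them loading and not matching, so a keyword value the engine silently rejects would still pass this test. The positive checks only establish that sids 1, 3 and 5 were accepted. Adding a check on the rules-loaded counter from the stats event, or otherwise asserting that all six signatures were parsed, would close that gap; the exact stats key depends on the suricata-verify and Suricata versions in use, so confirm it before adding.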