From: Modupe Falodun
Date: Thu, 10 Feb 2022 13:39:40 +0000 (+0100)
Subject: ssh-banner: add tests
X-Git-Tag: suricata-6.0.5~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51ac7233a8f4b34fffd8a8da7b115a6836d28608;p=thirdparty%2Fsuricata-verify.git
ssh-banner: add tests
Bug: 4903
---
diff --git a/tests/bug-4903/bug-4903-01/README.md b/tests/bug-4903/bug-4903-01/README.md
new file mode 100644
index 000000000..79da158c2
--- /dev/null
+++ b/tests/bug-4903/bug-4903-01/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcap where only server sends its banner
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2427
diff --git a/tests/bug-4903/bug-4903-01/input.pcap b/tests/bug-4903/bug-4903-01/input.pcap
new file mode 100644
index 000000000..2669c1b71
Binary files /dev/null and b/tests/bug-4903/bug-4903-01/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-01/test.rules b/tests/bug-4903/bug-4903-01/test.rules
new file mode 100644
index 000000000..e579e5007
--- /dev/null
+++ b/tests/bug-4903/bug-4903-01/test.rules
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
diff --git a/tests/bug-4903/bug-4903-01/test.yaml b/tests/bug-4903/bug-4903-01/test.yaml
new file mode 100644
index 000000000..768d4a46c
--- /dev/null
+++ b/tests/bug-4903/bug-4903-01/test.yaml
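Review bot: The `msg` of sid 2 reads "Bad SSH proto 2 detected !!!" while the rule matches `content:"1.99"` on `ssh.proto`, so the alert text names the wrong protocol version and is byte-identical to sid 1's, which makes a firing sid harder to attribute in the eve output. The same pair is duplicated verbatim in the 02, 03 and 04 test.rules hunks. A distinct message such as `msg:"Bad SSH proto 1.99 detected !!!"` for sid 2 would need the matching `alert.signature` expectations in each test.yaml updated alongside it, since those checks assert the signature text.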
@@ -0,0 +1,77 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10000
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 162
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software server detected !!!
+ alert.signature_id: 4
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10000
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 162
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10000
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/bug-4903/bug-4903-02/README.md b/tests/bug-4903/bug-4903-02/README.md
new file mode 100644
index 000000000..f6cb5fdf1
--- /dev/null
+++ b/tests/bug-4903/bug-4903-02/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner and client acks it
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2426
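Review bot: The `event_type: ssh` check in this test.yaml lists only server-side keys, so it cannot catch a spurious `ssh.client.proto_version` or `ssh.client.software_version` being logged for a flow where only the server banner is on the wire, which is the scenario this fixture exists to pin. A `match` filter is satisfied as long as the listed keys agree, so an ssh event carrying bogus client fields would still pass; the `count: 0` checks on sids 1 and 3 cover the detection side but not the logging side. If the harness in use supports it, adding `not-has-key: ssh.client.proto_version` (and the same for the software version) to that filter would close the gap, and the 02 test.yaml has the same shape.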
diff --git a/tests/bug-4903/bug-4903-02/input.pcap b/tests/bug-4903/bug-4903-02/input.pcap
new file mode 100644
index 000000000..961779f66
Binary files /dev/null and b/tests/bug-4903/bug-4903-02/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-02/test.rules b/tests/bug-4903/bug-4903-02/test.rules
new file mode 100644
index 000000000..750cb0ea9
--- /dev/null
+++ b/tests/bug-4903/bug-4903-02/test.rules
@@ -0,0 +1,5 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
+
diff --git a/tests/bug-4903/bug-4903-02/test.yaml b/tests/bug-4903/bug-4903-02/test.yaml
new file mode 100644
index 000000000..ad21e2ccd
--- /dev/null
+++ b/tests/bug-4903/bug-4903-02/test.yaml
@@ -0,0 +1,77 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10001
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 216
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software server detected !!!
+ alert.signature_id: 4
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10001
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 216
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10001
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/bug-4903/bug-4903-03/README.md b/tests/bug-4903/bug-4903-03/README.md
new file mode 100644
index 000000000..7d6215642
--- /dev/null
+++ b/tests/bug-4903/bug-4903-03/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner and client sends its banner
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2429
diff --git a/tests/bug-4903/bug-4903-03/input.pcap b/tests/bug-4903/bug-4903-03/input.pcap
new file mode 100644
index 000000000..7fe03a777
Binary files /dev/null and b/tests/bug-4903/bug-4903-03/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-03/test.rules b/tests/bug-4903/bug-4903-03/test.rules
new file mode 100644
index 000000000..750cb0ea9
--- /dev/null
+++ b/tests/bug-4903/bug-4903-03/test.rules
@@ -0,0 +1,5 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
+
diff --git a/tests/bug-4903/bug-4903-03/test.yaml b/tests/bug-4903/bug-4903-03/test.yaml
new file mode 100644
index 000000000..1f5a4464f
--- /dev/null
+++ b/tests/bug-4903/bug-4903-03/test.yaml
@@ -0,0 +1,125 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 1
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10002
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software client detected !!!
+ alert.signature_id: 3
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10002
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10002
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10002
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software server detected !!!
+ alert.signature_id: 4
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10002
+ event_type: alert
+ flow.bytes_toclient: 258
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 4
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
diff --git a/tests/bug-4903/bug-4903-04/README.md b/tests/bug-4903/bug-4903-04/README.md
new file mode 100644
index 000000000..cb9124a03
--- /dev/null
+++ b/tests/bug-4903/bug-4903-04/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Check SSH banner related keyword on pcaps where server sends its banner, client sends its banner, and server server the client's banner
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/attachments/2428
diff --git a/tests/bug-4903/bug-4903-04/input.pcap b/tests/bug-4903/bug-4903-04/input.pcap
new file mode 100644
index 000000000..73cf1f1c8
Binary files /dev/null and b/tests/bug-4903/bug-4903-04/input.pcap differ
diff --git a/tests/bug-4903/bug-4903-04/test.rules b/tests/bug-4903/bug-4903-04/test.rules
new file mode 100644
index 000000000..750cb0ea9
--- /dev/null
+++ b/tests/bug-4903/bug-4903-04/test.rules
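Review bot: All four alert checks in the 03 test.yaml carry the same flow counters (`flow.pkts_toserver: 4`, `flow.bytes_toserver: 336`, `flow.pkts_toclient: 2`), so the expectations do not establish which packet raised each alert, only that every sid fired by the end of the pcap; the 04 test.yaml pins this with `pcap_cnt: 6`/`pcap_cnt: 7` per check and the two files would be easier to compare if 03 did the same. Adding `pcap_cnt` here would also make a regression where server-banner alerts are delayed until the client banner arrives visible, which the current counters-only checks cannot distinguish. The hunk for this file starts on the previous line of the collapsed diff; I take its `@@ -0,0 +1,125 @@` header to be the hunk being reviewed.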
@@ -0,0 +1,5 @@
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"2.0"; classtype:bad-unknown; sid:1;)
+alert ssh any any -> any any (msg:"Bad SSH proto 2 detected !!!"; ssh.proto; content:"1.99"; classtype:bad-unknown; sid:2;)
+alert ssh any any -> any any (msg:"Bad SSH software client detected !!!"; ssh.software; content:"Cisco_client"; classtype:bad-unknown; sid:3;)
+alert ssh any any -> any any (msg:"Bad SSH software server detected !!!"; ssh.software; content:"Cisco_server"; classtype:bad-unknown; sid:4;)
+
diff --git a/tests/bug-4903/bug-4903-04/test.yaml b/tests/bug-4903/bug-4903-04/test.yaml
new file mode 100644
index 000000000..ce7e992d8
--- /dev/null
+++ b/tests/bug-4903/bug-4903-04/test.yaml
@@ -0,0 +1,130 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 2
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10003
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 282
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 3
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software server detected !!!
+ alert.signature_id: 4
+ app_proto: ssh
+ dest_ip: 192.168.100.1
+ dest_port: 10003
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 282
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 3
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.200.1
+ src_port: 22
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: ssh
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10003
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH proto 2 detected !!!
+ alert.signature_id: 1
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 4
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10003
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Potentially Bad Traffic
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 2
+ alert.signature: Bad SSH software client detected !!!
+ alert.signature_id: 3
+ app_proto: ssh
+ dest_ip: 192.168.200.1
+ dest_port: 22
+ event_type: alert
+ flow.bytes_toclient: 312
+ flow.bytes_toserver: 336
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 4
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 192.168.100.1
+ src_port: 10003
+ ssh.client.proto_version: '2.0'
+ ssh.client.software_version: Cisco_client-1.25
+ ssh.server.proto_version: '1.99'
+ ssh.server.software_version: Cisco_server-1.24
+ tx_id: 0