From: Shivani Bhardwaj
Date: Thu, 29 Aug 2024 10:59:11 +0000 (+0530)
Subject: dcerpc: add test for frames
X-Git-Tag: suricata-7.0.9~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57b7a90adf53c87d2890383834b5743c30a7bf3f;p=thirdparty%2Fsuricata-verify.git
dcerpc: add test for frames
Feature 4904
---
diff --git a/tests/dcerpc/dcerpc-frames/README.md b/tests/dcerpc/dcerpc-frames/README.md
new file mode 100644
index 000000000..bf15e8cab
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/README.md
@@ -0,0 +1,17 @@
+Description
+===========
+Test for DCERPC frames.
+Three types of frames exist for DCERPC:
+1. Hdr: Header
+2. Pdu: Protocol Data Unit
+3. Data: Data inside the PDU
+
+as per the generic PDU structure defined in https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_01
+
+PCAP
+====
+PCAP comes from an existing test.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/4904
diff --git a/tests/dcerpc/dcerpc-frames/suricata.yaml b/tests/dcerpc/dcerpc-frames/suricata.yaml
new file mode 100644
index 000000000..ba9783870
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - dcerpc
+ - frame
diff --git a/tests/dcerpc/dcerpc-frames/test.rules b/tests/dcerpc/dcerpc-frames/test.rules
new file mode 100644
index 000000000..db4b11f43
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/test.rules
@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.hdr; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00|"; sid:1;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.pdu; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00 d0 16 d0 16|"; sid:2;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.data; content:"|d0 16 d0 16|"; sid:3;)
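Review bot: The three rules in test.rules only show that each frame contains the expected bytes; none of them proves that `dcerpc.hdr` ends after the 16-byte header or that `dcerpc.data` starts after it, because a frame wrongly spanning the whole PDU would still satisfy sids 1, 2 and 3. A negative rule pins the boundary, e.g. `alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.hdr; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00 d0 16 d0 16|"; sid:4;)` asserted with `count: 0` in test.yaml, and a matching `frame:dcerpc.data` rule carrying the `|05 00 0b 03|` header bytes. Each rule would also be easier to read in eve output with a `msg:` naming the frame under test, e.g. `msg:"dcerpc.hdr frame";`.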
diff --git a/tests/dcerpc/dcerpc-frames/test.yaml b/tests/dcerpc/dcerpc-frames/test.yaml
new file mode 100644
index 000000000..d9f22a393
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8
+
+pcap: ../dcerpc-dce-iface-02/input.pcap
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
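Review bot: The checks assert only alert counts, although suricata.yaml enables the `frame` EVE type for this test, so the frame boundaries Suricata actually reports are never verified and a regression that kept the content matches but mis-sized a frame would pass. Adding one filter per frame type on `event_type: frame` would make the test exercise the logged frames directly; the exact field names (`frame.type`, and a length field if the logger emits one) should be confirmed against the eve.json this test produces before relying on them. The `requires: min-version: 8` line is presumably deliberate since feature 4904 targets 8.x, but it means the test is silently skipped on the 7.0.x branch this commit was tagged into.
```yaml
checks:
  # … unchanged: alert checks for sids 1–3 …
  - filter:
      count: 1
      match:
        event_type: frame
        frame.type: dcerpc.hdr
  - filter:
      count: 1
      match:
        event_type: frame
        frame.type: dcerpc.pdu
  - filter:
      count: 1
      match:
        event_type: frame
        frame.type: dcerpc.data
```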