From: Modupe Falodun
Date: Wed, 9 Feb 2022 12:14:09 +0000 (+0100)
Subject: detect-uricontent: add tests
X-Git-Tag: suricata-6.0.16~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6570a66d8f6e418bb0540303ba00cc58b9d285e9;p=thirdparty%2Fsuricata-verify.git
detect-uricontent: add tests
Task: 4911
---
diff --git a/tests/uricontent/detect-uricontent-01/README.md b/tests/uricontent/detect-uricontent-01/README.md
new file mode 100644
index 000000000..6e1f3faf9
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/README.md
@@ -0,0 +1 @@
+Tests the signature working to alert when http_cookie is matched
diff --git a/tests/uricontent/detect-uricontent-01/input.pcap b/tests/uricontent/detect-uricontent-01/input.pcap
new file mode 100644
index 000000000..8f7a9e756
Binary files /dev/null and b/tests/uricontent/detect-uricontent-01/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-01/test.rules b/tests/uricontent/detect-uricontent-01/test.rules
new file mode 100644
index 000000000..01c5c535e
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"oisf"; http_uri; sid:3;)
diff --git a/tests/uricontent/detect-uricontent-01/test.yaml b/tests/uricontent/detect-uricontent-01/test.yaml
new file mode 100644
index 000000000..7c4d72c86
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/test.yaml
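Review bot: The negative controls in the detect-uricontent-01 rules do not show that the match is confined to the http_uri buffer: `content:"oisf"` (sid:3) appears nowhere in the request that the writepcap.py added in this commit generates, so it would also report 0 under a plain payload match. A control term that is present in the request but outside the URI would give the expected count: 0 real meaning, e.g. `alert tcp any any -> any any (msg:"Test uricontent"; content:"hellocatch"; http_uri; sid:3;)` against the Cookie value, with the existing count: 0 check in test.yaml left as is. The README added alongside says the test is about http_cookie, whereas every rule here uses http_uri; one of the two should be corrected, presumably the README.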
@@ -0,0 +1,31 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/uricontent/detect-uricontent-01/writepcap.py b/tests/uricontent/detect-uricontent-01/writepcap.py
new file mode 100644
index 000000000..6a49a10be
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-02/README.md b/tests/uricontent/detect-uricontent-02/README.md
new file mode 100644
index 000000000..15189412d
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/README.md
@@ -0,0 +1 @@
+Tests the working of search once per packet only in applayer match
diff --git a/tests/uricontent/detect-uricontent-02/input.pcap b/tests/uricontent/detect-uricontent-02/input.pcap
new file mode 100644
index 000000000..55153fb51
Binary files /dev/null and b/tests/uricontent/detect-uricontent-02/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-02/test.rules b/tests/uricontent/detect-uricontent-02/test.rules
new file mode 100644
index 000000000..33103bfd2
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/test.rules
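Review bot: The `--set stream.midstream=true` argument is required because the generator script in this test writes a single PSH/ACK segment with no handshake, but nothing in the file records that reason; a one-line comment above the args list, `# input.pcap has no TCP handshake, so the session must be picked up midstream`, would save the next reader a trip to writepcap.py. The same applies to the test.yaml hunks for detect-uricontent-02 and detect-uricontent-03.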
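Review bot: `pkts += Ether(...)/Dot1Q(...)/IP(...)/TCP(...)/"POST ..."` extends a list with a single scapy packet, which works only because scapy's Packet is iterable (here presumably yielding the packet itself once); `pkts.append(Ether(...)/ ... )` states the intent directly and does not depend on that. `from scapy.all import *` pulls a very large namespace into the module, and `#!/usr/bin/env python` leaves the interpreter version to the environment; `from scapy.all import Ether, Dot1Q, IP, TCP, wrpcap` under a `#!/usr/bin/env python3` shebang would be the conventional form. The same applies to writepcap.py in detect-uricontent-02 and detect-uricontent-03.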
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"self"; http_uri; sid:3;)
\ No newline at end of file
diff --git a/tests/uricontent/detect-uricontent-02/test.yaml b/tests/uricontent/detect-uricontent-02/test.yaml
new file mode 100644
index 000000000..788ea52be
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/test.yaml
@@ -0,0 +1,31 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: http
diff --git a/tests/uricontent/detect-uricontent-02/writepcap.py b/tests/uricontent/detect-uricontent-02/writepcap.py
new file mode 100644
index 000000000..92246cfbc
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/writepcap.py
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=53, flags='P''A')/"POST /oneself HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-03/README.md b/tests/uricontent/detect-uricontent-03/README.md
new file mode 100644
index 000000000..3e29b8cf8
--- /dev/null
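Review bot: The detect-uricontent-02 test.rules hunk ends without a trailing newline (the `\ No newline at end of file` marker after the sid:3 rule), and the detect-uricontent-03 test.yaml ends with a whitespace-only `+ ` line and likewise no final newline; both files should end with exactly one newline. Suricata loads the rules either way, but a missing final newline makes every later append to the file show up as a modification of the last rule in diffs and blame.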
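Review bot: The second packet is addressed to dport=53 while the first goes to 80, and nothing says whether that is deliberate. If the intent is to show that the HTTP parser and http_uri still apply on a non-HTTP port once the session is picked up midstream (test.yaml expects 2 http events and 2 flows), a comment on that line such as `# dport=53: HTTP must still be detected on a non-standard port` should say so; otherwise it reads like a copy of the first packet with an accidental port. Both segments also reuse sport=6666 and the same addresses, so only the differing dport separates them into two flows, which is worth stating alongside.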
+++ b/tests/uricontent/detect-uricontent-03/README.md
@@ -0,0 +1 @@
+Tests the modifiers for uricontent and content match
diff --git a/tests/uricontent/detect-uricontent-03/input.pcap b/tests/uricontent/detect-uricontent-03/input.pcap
new file mode 100644
index 000000000..0d6ead78c
Binary files /dev/null and b/tests/uricontent/detect-uricontent-03/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-03/test.rules b/tests/uricontent/detect-uricontent-03/test.rules
new file mode 100644
index 000000000..341ae032d
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-03/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; content:"bar"; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"one"; offset:1; depth:10; content:"two"; http_uri; distance:3; within: 4; content:"two"; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; content:"/three"; distance:0; within: 7; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"two"; http_uri; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; sid:3;)
+alert tcp any any -> any any (msg:"test"; content:"one"; http_uri; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-03/test.yaml b/tests/uricontent/detect-uricontent-03/test.yaml
new file mode 100644
index 000000000..dd04841f5
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-03/test.yaml
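Review bot: The rules file does not say which signatures are meant to match: sid:2 and sid:3 differ only in `distance:3` versus `distance:1` on the second http_uri content plus sid:2's extra raw-payload contents, and test.yaml expects 0 alerts for sid:2 and 1 for sid:3, so a reader has to re-derive the intent from the URI in writepcap.py. A comment above each would make that reviewable, e.g. `# sid:2 must not match: as far as I can trace, distance:3 after "one" skips past "two" in /one/two/three/six` and `# sid:3 is the matching variant of the same chain`. sid:4 also uses `msg:"test"` while every other rule uses `msg:"Test uricontent"`; keeping the msg consistent helps when filtering eve output.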
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+ 
\ No newline at end of file
diff --git a/tests/uricontent/detect-uricontent-03/writepcap.py b/tests/uricontent/detect-uricontent-03/writepcap.py
new file mode 100644
index 000000000..aadb1ac5d
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-03/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80, flags='P''A')/"POST /one/two/three/six HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)