From: Emmanuel Thompson
Date: Thu, 24 Sep 2020 15:20:08 +0000 (-0400)
Subject: quic: gquic tests for cyu hash and alerts
X-Git-Tag: suricata-6.0.5~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=859f3f7d699e849cfefc507ab68b9ef9429feb22;p=thirdparty%2Fsuricata-verify.git

quic: gquic tests for cyu hash and alerts

pcaps taken from this redmine attachement: https://redmine.openinfosecfoundation.org/issues/3440#note-8
---
diff --git a/tests/quic-alerts/input.pcap b/tests/quic-alerts/input.pcap
new file mode 100644
index 000000000..3b9fe3ab4
Binary files /dev/null and b/tests/quic-alerts/input.pcap differ
diff --git a/tests/quic-alerts/suricata.yaml b/tests/quic-alerts/suricata.yaml
new file mode 100644
index 000000000..2ba41b960
--- /dev/null
+++ b/tests/quic-alerts/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - quic
+ - alert
+
+app-layer:
+ protocols:
+ quic:
+ enabled: yes
diff --git a/tests/quic-alerts/test.rules b/tests/quic-alerts/test.rules
new file mode 100644
index 000000000..03d280950
--- /dev/null
+++ b/tests/quic-alerts/test.rules
@@ -0,0 +1,3 @@
+alert quic any any -> any any (msg:"QUIC CYU HASH"; quic.cyu.hash; content:"7b3ceb1adc974ad360cfa634e8d0a730"; sid:1;)
+alert quic any any -> any any (msg:"QUIC CYU STRING"; quic.cyu.string; content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; sid:2;)
+alert quic any any -> any any (msg:"QUIC VERSION"; quic.version:1362113590; sid:3;)
diff --git a/tests/quic-alerts/test.yaml b/tests/quic-alerts/test.yaml
new file mode 100644
index 000000000..a23c80466
--- /dev/null
+++ b/tests/quic-alerts/test.yaml
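Review bot: The `quic.cyu.string` rule (sid:2) uses a bare `content` match, which is a substring test on the CYU string rather than an exact fingerprint match, so any client whose CYU string merely contains `46,PAD-SNI-VER-...-SFCW` would also fire it. If the intent is to pin the exact fingerprint, anchor it: `content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; startswith; endswith;` (or add a `bsize`). The hash rule (sid:1) is presumably already exact because a 32-character digest fills the whole buffer, so today the two rules have different match semantics. The rules also carry no `rev` or `classtype`; even test rules are easier to track over time with `rev:1;` on each.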
@@ -0,0 +1,39 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 6.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ pcap_cnt: 1
+ quic.cyu[0].hash: "910a5e3a4d51593bd59a44611544f209"
+ quic.cyu[0].string: "46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"
+
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ pcap_cnt: 5
+ quic.cyu[0].hash: "7b3ceb1adc974ad360cfa634e8d0a730"
+ quic.cyu[0].string: "46,PAD-SNI-STK-SNO-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: QUIC CYU HASH
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: QUIC CYU STRING
+
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature: QUIC VERSION
diff --git a/tests/quic-cyu/input.pcap b/tests/quic-cyu/input.pcap
new file mode 100644
index 000000000..11f22e112
Binary files /dev/null and b/tests/quic-cyu/input.pcap differ
diff --git a/tests/quic-cyu/test.yaml b/tests/quic-cyu/test.yaml
new file mode 100644
index 000000000..7667c2bdd
--- /dev/null
+++ b/tests/quic-cyu/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 6.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ pcap_cnt: 1
+ quic.cyu[0].hash: "a46560d4548108cf99308319b3b85346"
+ quic.cyu[0].string: "46,PAD-SNI-STK-VER-CCS-NONC-AEAD-UAID-SCID-TCID-PDMD-SMHL-ICSL-NONP-PUBS-MIDS-SCLS-KEXS-XLCT-CSCT-COPT-CCRT-IRTT-CFCW-SFCW"
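Review bot: The three alert checks pin only the human-readable `alert.signature` text, not the sid or the packet, so a regression that fires the CYU hash rule on a different packet (or a later rename of `msg`) is not caught. Adding `alert.signature_id: 1` with `pcap_cnt: 5` to the "QUIC CYU HASH" filter, and `alert.signature_id: 2` with `pcap_cnt: 1` to the "QUIC CYU STRING" filter, ties each alert to the packet whose CYU value the first two checks already assert. The `count: 6` for "QUIC VERSION" is likewise not cross-checked against the number of logged `quic` events; if the pcap holds six Q046 client hellos, a `count: 6` filter on `event_type: quic` would confirm the version rule fires once per logged record rather than several times on one.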
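Review bot: This test ships no suricata.yaml, whereas tests/quic-alerts in the same commit explicitly sets `app-layer.protocols.quic.enabled: yes` and adds `quic` to the eve-log `types`; if the default configuration used by suricata-verify does not enable the quic parser and logger, the single check here never sees a `quic` record and fails for a reason unrelated to CYU. Either add the same minimal suricata.yaml to tests/quic-cyu or confirm in the note that the default config enables it. Both tests gate only on `HAVE_LIBJANSSON` and `min-version: 6.0.0`, neither of which proves the `quic.cyu` keyword exists in a given build; if a feature flag for the quic app-layer is available, listing it under `features` would make the skip condition explicit rather than relying on the version number.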