From: Juliana Fajardini
Date: Mon, 13 Mar 2023 11:34:54 +0000 (-0300)
Subject: tests: add test for multi-eve logging
X-Git-Tag: suricata-6.0.13~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93aef06f245916ad02359dfd0e02b9182a624218;p=thirdparty%2Fsuricata-verify.git
tests: add test for multi-eve logging
---
diff --git a/tests/output-multi-eve/README.md b/tests/output-multi-eve/README.md
new file mode 100644
index 000000000..bdb3e50c5
--- /dev/null
+++ b/tests/output-multi-eve/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Test and exemplify multi-eve-log instances.
+
+Pcap
+====
+
+Pcap from GitHub repo for a PoC on Log4j exploit:
+https://github.com/cyberxml/log4j-poc/tree/main/data
diff --git a/tests/output-multi-eve/input.pcap b/tests/output-multi-eve/input.pcap
new file mode 100644
index 000000000..62f6d9094
Binary files /dev/null and b/tests/output-multi-eve/input.pcap differ
diff --git a/tests/output-multi-eve/suricata.yaml b/tests/output-multi-eve/suricata.yaml
new file mode 100644
index 000000000..ef43d0c3d
--- /dev/null
+++ b/tests/output-multi-eve/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+vars:
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ EXTERNAL_NET: "!$HOME_NET"
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve-ips.json
+ types:
+ - alert
+ - drop
+
+ - eve-log:
+ enabled: yes
+ filename: eve-nsm.json
+ types:
+ - http
+ - flow
+ - eve-log:
+ enabled: yes
+ filename: eve-stats.json
+ types:
+ - stats
+
+exception-policy: ignore
diff --git a/tests/output-multi-eve/test.rules b/tests/output-multi-eve/test.rules
new file mode 100644
index 000000000..93366f01d
--- /dev/null
+++ b/tests/output-multi-eve/test.rules
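Review bot: `exception-policy: ignore` at the end of the suricata.yaml hunk overrides the engine default with no explanation; since test.yaml runs this config with `--simulate-ips`, the override is presumably there so that only the `drop` rule in test.rules contributes to the drop count asserted on eve-ips.json, and that intent should be recorded next to it, e.g. `# ignore: keep exception-policy drops out of eve-ips.json so the drop count reflects test.rules only`. The third `eve-log` instance (eve-stats.json) also lacks the blank line that separates the first two instances, which makes the three-way split harder to scan in a test whose whole point is the split.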
@@ -0,0 +1,3 @@
+alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Apache log4j RCE Attempt - lower/upper TCP Bypass M1 (Outbound) (CVE-2021-44228)"; flow:established,to_server; content:"%7bjndi%3a"; nocase; fast_pattern; pcre:"/^(l|r|d|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(l|r|d)(\x7d|%7d))(d|n|m|(\x24|%24)(\x7b|%24)(lower|upper)(\x3a|%3a)(d|n|m)(\x7d|%7d))(a|i|s|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)(a|i|s)(\x7d|%7d))(p|(\x24|%24)(\x7b|%7b)(lower|upper)(\x3a|%3a)p(\x7d|%7d))/Ri"; reference:cve,2021-44228; classtype:attempted-admin; sid:2034781; rev:2; metadata:attack_target Server, created_at 2021_12_17, cve CVE_2021_44228, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_12_17;)
+drop http $HOME_NET any -> any any (msg:"ET INFO Python SimpleHTTP ServerBanner"; flow:established; http.server; content:"SimpleHTTP/"; startswith; content:"Python/"; distance:0; reference:url,wiki.python.org/moin/BaseHttpServer; classtype:misc-activity; sid:2034636; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_12_08, deployment Perimeter, former_category INFO, signature_severity Minor, updated_at 2021_12_08;)
+
diff --git a/tests/output-multi-eve/test.yaml b/tests/output-multi-eve/test.yaml
new file mode 100644
index 000000000..72c722fb3
--- /dev/null
+++ b/tests/output-multi-eve/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ filename: eve-ips.json
+ count: 3
+ match:
+ event_type: "alert"
+
+ - filter:
+ filename: eve-ips.json
+ count: 4
+ match:
+ event_type: "drop"
+
+ - filter:
+ filename: eve-nsm.json
+ count: 1
+ match:
+ event_type: "http"
+ - filter:
+ filename: eve-nsm.json
+ count: 7
+ match:
+ event_type: "flow"
+
+ - filter:
+ filename: eve-stats.json
+ count: 1
+ match:
+ event_type: "stats"
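Review bot: The second rule in the test.rules hunk is ET sid 2034636 with its action set to `drop`, while ET Open distributes its rules as `alert`, and nothing in the file records that the action is a deliberate test modification, so a later refresh from the upstream rule could silently revert it and break the `drop` count in test.yaml. A comment above the rule would pin this: `# sid 2034636: action changed from upstream alert to drop to exercise the drop event type routed to eve-ips.json`. Rule files accept `#` comment lines, so this costs nothing at load time.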
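Review bot: The checks in the test.yaml hunk only assert positive counts per file; nothing verifies that an event type is absent from the instances it is not configured for, which is the property a multi-eve test exists to establish — if every instance received every type, `count: 3` for alert in eve-ips.json would still pass. Adding `count: 0` filters for the cross-file cases (alert in eve-nsm.json and eve-stats.json, http and flow in eve-ips.json) makes the test fail on misrouting rather than only on missing output. The existing positive checks stay as they are.

```yaml
checks:
  # … unchanged: existing positive-count filters …

  - filter:
      filename: eve-nsm.json
      count: 0
      match:
        event_type: "alert"

  - filter:
      filename: eve-stats.json
      count: 0
      match:
        event_type: "alert"

  - filter:
      filename: eve-ips.json
      count: 0
      match:
        event_type: "http"

  - filter:
      filename: eve-ips.json
      count: 0
      match:
        event_type: "flow"
```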