From: Shivani Bhardwaj
Date: Sun, 30 Jun 2019 06:53:07 +0000 (+0530)
Subject: Add tests for #130: content + nocase issue
X-Git-Tag: suricata-6.0.4~370
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a6f2303776d0c8694f3d6f67c659e1f481c7288e;p=thirdparty%2Fsuricata-verify.git

Add tests for #130: content + nocase issue

Closes redmine ticket #3057.
---

diff --git a/tests/bug-130/input.pcap b/tests/bug-130/input.pcap
new file mode 100644
index 000000000..b7e0caf75
Binary files /dev/null and b/tests/bug-130/input.pcap differ
diff --git a/tests/bug-130/test.rules b/tests/bug-130/test.rules
new file mode 100644
index 000000000..30e718b63
--- /dev/null
+++ b/tests/bug-130/test.rules
@@ -0,0 +1,3 @@
+alert tcp any 80 -> any any (msg:"no1"; flow:to_client,established; content:"WWW-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000000; rev:1;)
+alert tcp any 80 -> any any (msg:"ok1"; flow:to_client,established; content:"Www-Authenticate\: "; nocase; classtype:web-application-activity; sid:9000001; rev:1;)
+alert tcp any 80 -> any any (msg:"ok2"; flow:to_client,established; content:"WWW-Authenticate\:"; nocase; classtype:web-application-activity; sid:9000002; rev:1;)
diff --git a/tests/bug-130/test.yaml b/tests/bug-130/test.yaml
new file mode 100644
index 000000000..f95b72f49
--- /dev/null
+++ b/tests/bug-130/test.yaml
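Review bot: The three signatures in test.rules carry no comment saying which case each one exercises, so a reader has to reconstruct the intent from the `no1`/`ok1`/`ok2` msg values and the differing content strings (all-uppercase with a trailing space, mixed case with a trailing space, all-uppercase without it). A leading line such as `# bug 130 (redmine #3057): content + nocase; judging by the msg values no1 is the variant that previously failed to match, ok1/ok2 are the controls` would make the file self-explaining — confirm the wording against the ticket. All three also match on the raw stream rather than an `http_header` buffer; if that is deliberate because the matcher under test is the raw content path, it is worth stating in the same comment so a later cleanup does not "modernise" the rules and lose the regression.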
@@ -0,0 +1,198 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert:
+ action: allowed
+ category: access to a potentially vulnerable web application
+ gid: 1
+ rev: 1
+ severity: 2
+ signature: no1
+ signature_id: 9000000
+ app_proto: http
+ dest_ip: 10.100.0.8
+ dest_port: 44270
+ event_type: alert
+ flow:
+ bytes_toclient: 2295
+ bytes_toserver: 1036
+ pkts_toclient: 7
+ pkts_toserver: 7
+ start: 2009-02-23T13:23:33.331321+0000
+ http:
+ hostname: www.abcdefghij.com
+ http_content_type: text/html
+ http_method: GET
+ http_refer: http://www.abcdefghij.com/abdeltat/login
+ http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+ Firefox/3.0.6
+ length: 1483
+ protocol: HTTP/1.1
+ status: 401
+ url: /publication/pub.home/home.html
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 162.2.41.200
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ alert:
+ action: allowed
+ category: access to a potentially vulnerable web application
+ gid: 1
+ rev: 1
+ severity: 2
+ signature: ok1
+ signature_id: 9000001
+ app_proto: http
+ dest_ip: 10.100.0.8
+ dest_port: 44270
+ event_type: alert
+ flow:
+ bytes_toclient: 2295
+ bytes_toserver: 1036
+ pkts_toclient: 7
+ pkts_toserver: 7
+ start: 2009-02-23T13:23:33.331321+0000
+ http:
+ hostname: www.abcdefghij.com
+ http_content_type: text/html
+ http_method: GET
+ http_refer: http://www.abcdefghij.com/abdeltat/login
+ http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+ Firefox/3.0.6
+ length: 1483
+ protocol: HTTP/1.1
+ status: 401
+ url: /publication/pub.home/home.html
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 162.2.41.200
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ alert:
+ action: allowed
+ category: access to a potentially vulnerable web application
+ gid: 1
+ rev: 1
+ severity: 2
+ signature: ok2
+ signature_id: 9000002
+ app_proto: http
+ dest_ip: 10.100.0.8
+ dest_port: 44270
+ event_type: alert
+ flow:
+ bytes_toclient: 2295
+ bytes_toserver: 1036
+ pkts_toclient: 7
+ pkts_toserver: 7
+ start: 2009-02-23T13:23:33.331321+0000
+ http:
+ hostname: www.abcdefghij.com
+ http_content_type: text/html
+ http_method: GET
+ http_refer: http://www.abcdefghij.com/abdeltat/login
+ http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+ Firefox/3.0.6
+ length: 1483
+ protocol: HTTP/1.1
+ status: 401
+ url: /publication/pub.home/home.html
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 162.2.41.200
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ dest_ip: 162.2.41.200
+ dest_port: 80
+ event_type: http
+ http:
+ hostname: www.abcdefghij.com
+ http_content_type: text/html
+ http_method: GET
+ http_refer: http://www.abcdefghij.com/abdeltat/login
+ http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+ Firefox/3.0.6
+ length: 1483
+ protocol: HTTP/1.1
+ status: 401
+ url: /publication/pub.home/home.html
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 10.100.0.8
+ src_port: 44270
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 10.100.0.8
+ dest_port: 44270
+ event_type: fileinfo
+ fileinfo:
+ filename: /publication/pub.home/home.html
+ gaps: false
+ sid: []
+ size: 1483
+ state: CLOSED
+ stored: false
+ tx_id: 0
+ http:
+ hostname: www.abcdefghij.com
+ http_content_type: text/html
+ http_method: GET
+ http_refer: http://www.abcdefghij.com/abdeltat/login
+ http_user_agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.9.0.6) Gecko/2009011912
+ Firefox/3.0.6
+ length: 1483
+ protocol: HTTP/1.1
+ status: 401
+ url: /publication/pub.home/home.html
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 162.2.41.200
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 162.2.41.200
+ dest_port: 80
+ event_type: flow
+ flow:
+ age: 0
+ alerted: true
+ bytes_toclient: 2295
+ bytes_toserver: 1036
+ end: 2009-02-23T13:23:33.589165+0000
+ pkts_toclient: 7
+ pkts_toserver: 7
+ reason: shutdown
+ start: 2009-02-23T13:23:33.331321+0000
+ state: closed
+ proto: TCP
+ src_ip: 10.100.0.8
+ src_port: 44270
+ tcp:
+ ack: true
+ fin: true
+ psh: true
+ state: closed
+ syn: true
+ tcp_flags: 1b
+ tcp_flags_tc: 1b
+ tcp_flags_ts: 1b
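Review bot: Each of the three alert filters in test.yaml pins some thirty fields (flow byte and packet counts, timestamps, the full user-agent, the `http` sub-object) that have nothing to do with the content/nocase behaviour under test, so any unrelated change in eve output will fail this test without saying anything about bug 130. What the test actually needs to assert is that each of sid 9000000–9000002 fires exactly once; a filter with `count: 1` matching only `event_type: alert` and `alert.signature_id: 9000000` (and likewise for the other two sids) keeps that guarantee and drops the brittleness, while the trailing `http`, `fileinfo` and `flow` checks can stay as a sanity check that the pcap decoded. The `http_user_agent` value is wrapped onto a continuation line ending in `Firefox/3.0.6`; whether that reassembles into the single string Suricata emits depends on the continuation indentation, which this rendering has lost, so it is worth confirming the file parses to the full user-agent before relying on it.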