From: Victor Julien
Date: Wed, 4 Dec 2024 08:27:22 +0000 (+0100)
Subject: tests: add test for 7414 and 7433
X-Git-Tag: suricata-7.0.8~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8f3e14dc3768b91a05697aec11f8f6ac1e98546;p=thirdparty%2Fsuricata-verify.git

tests: add test for 7414 and 7433
---
diff --git a/tests/bug-7414-decoder-event-01/README.md b/tests/bug-7414-decoder-event-01/README.md
new file mode 100644
index 000000000..25df5be6d
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/README.md
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+
diff --git a/tests/bug-7414-decoder-event-01/decoder-event.rules b/tests/bug-7414-decoder-event-01/decoder-event.rules
new file mode 100644
index 000000000..08c033724
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/decoder-event.rules
@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
diff --git a/tests/bug-7414-decoder-event-01/ip_secopt.pcap b/tests/bug-7414-decoder-event-01/ip_secopt.pcap
new file mode 100644
index 000000000..61be1670f
Binary files /dev/null and b/tests/bug-7414-decoder-event-01/ip_secopt.pcap differ
diff --git a/tests/bug-7414-decoder-event-01/suricata.yaml b/tests/bug-7414-decoder-event-01/suricata.yaml
new file mode 100644
index 000000000..69c2f1c57
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/suricata.yaml
@@ -0,0 +1,41 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+ exception-policy:
+ #per-app-proto-errors: false # default: false. True will log errors for
+ # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: true
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
diff --git a/tests/bug-7414-decoder-event-01/test.yaml b/tests/bug-7414-decoder-event-01/test.yaml
new file mode 100644
index 000000000..451079170
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "allowed"
+ packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+ verdict.action: "alert"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.invalid: 1
+
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_pad_required"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 2
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_invalid_len"
+ pcap_filename.__endswith: "ip_secopt.pcap"
diff --git a/tests/bug-7414-decoder-event-02-ips/README.md b/tests/bug-7414-decoder-event-02-ips/README.md
new file mode 100644
index 000000000..25df5be6d
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/README.md
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+
diff --git a/tests/bug-7414-decoder-event-02-ips/decoder-event.rules b/tests/bug-7414-decoder-event-02-ips/decoder-event.rules
new file mode 100644
index 000000000..08c033724
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/decoder-event.rules
@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
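Review bot: `min-version: 8` under `requires:` in this test.yaml (and the identical line in bug-7414-decoder-event-02-ips/test.yaml further down) makes the runner skip both tests on every 7.0.x build, while the X-Git-Tag `suricata-7.0.8~18` suggests this commit sits on the 7.0.x line of suricata-verify; if the decoder fix was backported there, the requirement probably needs to name the 7.0.x release that carries it rather than 8. The commit subject also names issue 7433, but none of the added files mentions it, so a one-line comment at the top such as `# Covers redmine issues 7414 and 7433` would preserve that link. The last filter pins two `decoder.ipv4.opt_invalid_len` anomaly records for the single packet with `pcap_cnt: 3`; if that duplicate is the behaviour being tested rather than an artefact of the current decoder, a comment on that filter saying so would stop a later change from "fixing" the count to 1.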
diff --git a/tests/bug-7414-decoder-event-02-ips/suricata.yaml b/tests/bug-7414-decoder-event-02-ips/suricata.yaml
new file mode 100644
index 000000000..263c9fca0
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/suricata.yaml
@@ -0,0 +1,43 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+ exception-policy:
+ #per-app-proto-errors: false # default: false. True will log errors for
+ # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: true
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - drop:
+ alerts: yes # log alerts that caused drops
diff --git a/tests/bug-7414-decoder-event-02-ips/test.yaml b/tests/bug-7414-decoder-event-02-ips/test.yaml
new file mode 100644
index 000000000..13676210f
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/test.yaml
@@ -0,0 +1,61 @@
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "blocked"
+ packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+ verdict.action: "drop"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.invalid: 1
+ stats.ips.accepted: 2
+ stats.ips.blocked: 1
+ stats.ips.drop_reason.rules: 1
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_pad_required"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 2
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_invalid_len"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "blocked"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ drop.reason: "rules"
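Review bot: Nothing in this test.yaml states that the run is in IPS mode, yet every check depends on it (`alert.action: "blocked"`, `verdict.action: "drop"`, the `stats.ips.*` counters and the `drop` event); as far as the visible files show, that mode is implied only by the `-ips` suffix of the directory name, if the runner keys on it. An explicit entry under `args:` or a comment at the top such as `# IPS mode (--simulate-ips): the drop rule must block packet 3 and emit a drop event` would keep the intent readable and survive a directory rename. The `pcap:` line also reaches into the sibling `bug-7414-decoder-event-01` directory, so the two tests are coupled; a short comment noting that the pcap is shared would help whoever later moves or removes the first test.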