From: Jeff Lucovsky Date: Mon, 24 Feb 2020 14:54:34 +0000 (-0500) Subject: tests: pcrexform tests X-Git-Tag: suricata-6.0.4~271 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=abccd4430f8c0b3baf535f542d9675057c382e05;p=thirdparty%2Fsuricata-verify.git tests: pcrexform tests This PR adds tests for the `pcrexform` including tests for - basic functionality: Simple PCRE - extended functionality: Multiple PCREs - Negative: PCRE that do not match anything - Negative: Missing option values
---
diff --git a/tests/detect-pcrexform-01/input.pcap b/tests/detect-pcrexform-01/input.pcap
new file mode 100644
index 000000000..dc92bd963
Binary files /dev/null and b/tests/detect-pcrexform-01/input.pcap differ
diff --git a/tests/detect-pcrexform-01/test.rules b/tests/detect-pcrexform-01/test.rules
new file mode 100644
index 000000000..6bf716309
--- /dev/null
+++ b/tests/detect-pcrexform-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; content:"/z4d4kWk.jpg"; sid:1;)
diff --git a/tests/detect-pcrexform-01/test.yaml b/tests/detect-pcrexform-01/test.yaml
new file mode 100644
index 000000000..19e9801d6
--- /dev/null
+++ b/tests/detect-pcrexform-01/test.yaml
@@ -0,0 +1,11 @@
+requires:
+
+ files:
+ - src/detect-transform-pcrexform.c
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/detect-pcrexform-02/input.pcap b/tests/detect-pcrexform-02/input.pcap
new file mode 100644
index 000000000..dc92bd963
Binary files /dev/null and b/tests/detect-pcrexform-02/input.pcap differ
diff --git a/tests/detect-pcrexform-02/test.rules b/tests/detect-pcrexform-02/test.rules
new file mode 100644
index 000000000..016a305f8
--- /dev/null
+++ b/tests/detect-pcrexform-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.response_line; pcrexform; content:"/dropper.php"; sid:2;)
diff --git a/tests/detect-pcrexform-02/test.yaml b/tests/detect-pcrexform-02/test.yaml
new file mode 100644
index 000000000..bedb646b0
--- /dev/null
+++ b/tests/detect-pcrexform-02/test.yaml
@@ -0,0 +1,11 @@
+requires:
+
+ files:
+ - src/detect-transform-pcrexform.c
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "invalid formatting or malformed option to pcrexform keyword" suricata.log | wc -l | xargs
+ expect: 1
diff --git a/tests/detect-pcrexform-03/input.pcap b/tests/detect-pcrexform-03/input.pcap
new file mode 100644
index 000000000..dc92bd963
Binary files /dev/null and b/tests/detect-pcrexform-03/input.pcap differ
diff --git a/tests/detect-pcrexform-03/test.rules b/tests/detect-pcrexform-03/test.rules
new file mode 100644
index 000000000..a2a0d2620
--- /dev/null
+++ b/tests/detect-pcrexform-03/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; pcrexform:"No-match"; content:"/no-match.jpg"; sid:1;)
diff --git a/tests/detect-pcrexform-03/test.yaml b/tests/detect-pcrexform-03/test.yaml
new file mode 100644
index 000000000..7746d4135
--- /dev/null
+++ b/tests/detect-pcrexform-03/test.yaml
@@ -0,0 +1,10 @@
+requires:
+
+ files:
+ - src/detect-transform-pcrexform.c
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/detect-pcrexform-04/input.pcap b/tests/detect-pcrexform-04/input.pcap
new file mode 100644
index 000000000..dc92bd963
Binary files /dev/null and b/tests/detect-pcrexform-04/input.pcap differ
diff --git a/tests/detect-pcrexform-04/test.rules b/tests/detect-pcrexform-04/test.rules
new file mode 100644
index 000000000..cadd81768
--- /dev/null
+++ b/tests/detect-pcrexform-04/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; http.request_line; pcrexform:[a-zA-Z]+\s+(.*)\s+HTTP; content:"/z4d4kWk.jpg"; sid:1;)
diff --git a/tests/detect-pcrexform-04/test.yaml b/tests/detect-pcrexform-04/test.yaml
new file mode 100644
index 000000000..a8be268ee
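Review bot: The shell check in the tests/detect-pcrexform-02/test.yaml hunk spawns `grep | wc -l | xargs` to obtain a number that `grep -c` prints directly; `args: grep -c "invalid formatting or malformed option to pcrexform keyword" suricata.log` with the same `expect: 1` is equivalent and drops the `xargs` that exists only to trim whitespace. The same pipeline is used in tests/detect-pcrexform-04/test.yaml. Both checks are pinned to the exact wording of the log line, so a rewording in src/detect-transform-pcrexform.c fails these tests although the rule is still rejected; a one-line comment above the check, `# exact message emitted by src/detect-transform-pcrexform.c; keep in sync`, would tell the next maintainer why the string is there.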
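Review bot: The filter check in the tests/detect-pcrexform-03/test.yaml hunk asserts `count: 0` for `event_type: alert`, which also passes when the signature is never loaded or the pcap produces no HTTP transactions, so it cannot distinguish "transform applied, content did not match" from "rule rejected at load time". The rule in tests/detect-pcrexform-03/test.rules uses `pcrexform:"No-match"`, a pattern with no capture group; whether the keyword accepts such a pattern is not visible in this diff, so the test may be exercising the setup path rather than the no-match path the commit message describes. A second filter entry that must be non-zero, `- filter:` with `count: 1` and `match: {event_type: http}` (count to be confirmed against the shared pcap), plus an explicit `exit-code: 0` if the harness does not already default to it, would make the negative assertion meaningful. tests/detect-pcrexform-06/test.yaml has the same vacuous `count: 0` check.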
--- /dev/null
+++ b/tests/detect-pcrexform-04/test.yaml
@@ -0,0 +1,12 @@
+requires:
+
+ files:
+ - src/detect-transform-pcrexform.c
+
+exit-code: 1
+
+checks:
+
+ - shell:
+ args: grep "invalid formatting to pcrexform keyword" suricata.log | wc -l | xargs
+ expect: 1
diff --git a/tests/detect-pcrexform-05/input.pcap b/tests/detect-pcrexform-05/input.pcap
new file mode 100644
index 000000000..dc92bd963
Binary files /dev/null and b/tests/detect-pcrexform-05/input.pcap differ
diff --git a/tests/detect-pcrexform-05/test.rules b/tests/detect-pcrexform-05/test.rules
new file mode 100644
index 000000000..1b34779fa
--- /dev/null
+++ b/tests/detect-pcrexform-05/test.rules
@@ -0,0 +1,8 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; \
+ http.request_line; pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; \
+ content:"/z4d4kWk.jpg"; \
+ http.user_agent; pcrexform:"([a-zA-Z]+\/[0-9]\.54\.0)"; \
+ content:"curl/7.54.0"; \
+ http.host; pcrexform:"([a-zA-Z]\.[a-zA-Z]+\.com+)"; \
+ content:"i.imgur.com"; \
+ sid:1;)
diff --git a/tests/detect-pcrexform-05/test.yaml b/tests/detect-pcrexform-05/test.yaml
new file mode 100644
index 000000000..19e9801d6
--- /dev/null
+++ b/tests/detect-pcrexform-05/test.yaml
@@ -0,0 +1,11 @@
+requires:
+
+ files:
+ - src/detect-transform-pcrexform.c
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/detect-pcrexform-06/input.pcap b/tests/detect-pcrexform-06/input.pcap
new file mode 100644
index 000000000..dc92bd963
Binary files /dev/null and b/tests/detect-pcrexform-06/input.pcap differ
diff --git a/tests/detect-pcrexform-06/test.rules b/tests/detect-pcrexform-06/test.rules
new file mode 100644
index 000000000..bbd32a142
--- /dev/null
+++ b/tests/detect-pcrexform-06/test.rules
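Review bot: In the third transform of the tests/detect-pcrexform-05/test.rules hunk, `pcrexform:"([a-zA-Z]\.[a-zA-Z]+\.com+)"`, the trailing `+` quantifies only the `m`, so the group matches `.com`, `.comm`, `.commm`, and so on; it still produces `i.imgur.com` for the host this test expects (as `content:"i.imgur.com"` implies), but the pattern reads as if a repeated `.com` were meant. If the literal suffix is intended, `pcrexform:"([a-zA-Z]\.[a-zA-Z]+\.com)"` says so without the accidental quantifier; the same pattern is repeated in tests/detect-pcrexform-06/test.rules. The `\/` in the user-agent pattern is an unnecessary escape given that the other patterns in this file are written without `/` delimiters, though it is harmless.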
@@ -0,0 +1,8 @@
+alert http any any -> any any (msg:"HTTP with pcrexform"; \
+ http.request_line; pcrexform:"[a-zA-Z]+\s+(.*)\s+HTTP"; \
+ content:"/no-match-here"; \
+ http.user_agent; pcrexform:"([a-zA-Z]+\/[0-9]\.54\.0)"; \
+ content:"no-match-here"; \
+ http.host; pcrexform:"([a-zA-Z]\.[a-zA-Z]+\.com+)"; \
+ content:"no-match-here"; \
+ sid:1;)
diff --git a/tests/detect-pcrexform-06/test.yaml b/tests/detect-pcrexform-06/test.yaml
new file mode 100644
index 000000000..437afa285
--- /dev/null
+++ b/tests/detect-pcrexform-06/test.yaml
@@ -0,0 +1,11 @@
+requires:
+
+ files:
+ - src/detect-transform-pcrexform.c
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1