From: Jason Ish
Date: Fri, 16 Feb 2018 20:58:44 +0000 (-0600)
Subject: http/eve/alert/xff tests
X-Git-Tag: suricata-6.0.4~499
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b10d04b5f82b81c2e97958fa2cd90c080fbf5883;p=thirdparty%2Fsuricata-verify.git

http/eve/alert/xff tests
---
diff --git a/tests/http-xff-eve-forward-extra-data/README.md b/tests/http-xff-eve-forward-extra-data/README.md
new file mode 100644
index 000000000..a3f64061b
--- /dev/null
+++ b/tests/http-xff-eve-forward-extra-data/README.md
@@ -0,0 +1,28 @@
+Test eve/alert/xff/forward/extra-data output.
+
+## PCAP origin
+
+https://redmine.openinfosecfoundation.org/attachments/1424/xff-extradata.pcap
+
+### Request Headers
+
+GET /~sgtatham/putty/0.60/x86/pscp.exe HTTP/1.1
+User-Agent: Wget/1.17.1 (linux-gnu)
+Accept: */*
+Accept-Encoding: identity
+Host: the.earth.li
+Connection: Keep-Alive
+X-Forwarded-For: 10.1.23.250, 10.1.23.250
+
+### Response Headers
+
+HTTP/1.1 200 OK
+Date: Wed, 27 Sep 2017 18:58:30 GMT
+Server: Apache
+Last-Modified: Sun, 29 Apr 2007 13:02:37 GMT
+ETag: "48000-42f3ffb92f540"
+Accept-Ranges: bytes
+Content-Length: 294912
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/x-msdos-program
diff --git a/tests/http-xff-eve-forward-extra-data/suricata.yaml b/tests/http-xff-eve-forward-extra-data/suricata.yaml
new file mode 100644
index 000000000..435034b8c
--- /dev/null
+++ b/tests/http-xff-eve-forward-extra-data/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ metadata: no
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: forward
diff --git a/tests/http-xff-eve-forward-extra-data/test.pcap b/tests/http-xff-eve-forward-extra-data/test.pcap
new file mode 100644
index 000000000..29f087e38
Binary files /dev/null and b/tests/http-xff-eve-forward-extra-data/test.pcap differ
diff --git a/tests/http-xff-eve-forward-extra-data/test.rules b/tests/http-xff-eve-forward-extra-data/test.rules
new file mode 100644
index 000000000..dc6cf29e8
--- /dev/null
+++ b/tests/http-xff-eve-forward-extra-data/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST RULE"; content:"uid"; http_server_body; sid:1; rev:1;)
diff --git a/tests/http-xff-eve-forward-extra-data/test.yaml b/tests/http-xff-eve-forward-extra-data/test.yaml
new file mode 100644
index 000000000..502519869
--- /dev/null
+++ b/tests/http-xff-eve-forward-extra-data/test.yaml
@@ -0,0 +1,9 @@
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ xff: 10.2.2.2
+
diff --git a/tests/http-xff-eve-forward-overwrite/README.md b/tests/http-xff-eve-forward-overwrite/README.md
new file mode 100644
index 000000000..36264c759
--- /dev/null
+++ b/tests/http-xff-eve-forward-overwrite/README.md
@@ -0,0 +1,28 @@
+Test eve/alert/xff/forward/overwrite output.
+
+## PCAP origin
+
+https://redmine.openinfosecfoundation.org/attachments/1424/xff-extradata.pcap
+
+### Request Headers
+
+GET /~sgtatham/putty/0.60/x86/pscp.exe HTTP/1.1
+User-Agent: Wget/1.17.1 (linux-gnu)
+Accept: */*
+Accept-Encoding: identity
+Host: the.earth.li
+Connection: Keep-Alive
+X-Forwarded-For: 10.1.23.250, 10.1.23.250
+
+### Response Headers
+
+HTTP/1.1 200 OK
+Date: Wed, 27 Sep 2017 18:58:30 GMT
+Server: Apache
+Last-Modified: Sun, 29 Apr 2007 13:02:37 GMT
+ETag: "48000-42f3ffb92f540"
+Accept-Ranges: bytes
+Content-Length: 294912
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/x-msdos-program
diff --git a/tests/http-xff-eve-forward-overwrite/suricata.yaml b/tests/http-xff-eve-forward-overwrite/suricata.yaml
new file mode 100644
index 000000000..20b8cb109
--- /dev/null
+++ b/tests/http-xff-eve-forward-overwrite/suricata.yaml
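Review bot: The extra-data check in this test.yaml (and the same block in tests/http-xff-eve-reverse-extra-data/test.yaml) matches only on `xff: 10.2.2.2` with `count: 1`, while the two overwrite variants also pin `event_type: alert`; if a later Suricata release emits an `xff` field on other event types for the same flow, the count would change and the test would fail for reasons unrelated to alert output. Adding `event_type: alert` to the match block keeps the four tests consistent and makes the check specific to the alert record being exercised. Separately, the expected addresses 10.2.2.2 and 10.3.3.3 do not appear in the `X-Forwarded-For: 10.1.23.250, 10.1.23.250` header reproduced in the accompanying README.md files, so the README listing presumably comes from a different capture or is incomplete; it is worth reconciling so a reader can see where the expected values come from.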
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ metadata: no
+ xff:
+ enabled: yes
+ mode: overwrite
+ deployment: forward
diff --git a/tests/http-xff-eve-forward-overwrite/test.pcap b/tests/http-xff-eve-forward-overwrite/test.pcap
new file mode 100644
index 000000000..29f087e38
Binary files /dev/null and b/tests/http-xff-eve-forward-overwrite/test.pcap differ
diff --git a/tests/http-xff-eve-forward-overwrite/test.rules b/tests/http-xff-eve-forward-overwrite/test.rules
new file mode 100644
index 000000000..dc6cf29e8
--- /dev/null
+++ b/tests/http-xff-eve-forward-overwrite/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST RULE"; content:"uid"; http_server_body; sid:1; rev:1;)
diff --git a/tests/http-xff-eve-forward-overwrite/test.yaml b/tests/http-xff-eve-forward-overwrite/test.yaml
new file mode 100644
index 000000000..7b4cb958d
--- /dev/null
+++ b/tests/http-xff-eve-forward-overwrite/test.yaml
@@ -0,0 +1,9 @@
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ dest_ip: 10.2.2.2
diff --git a/tests/http-xff-eve-reverse-extra-data/README.md b/tests/http-xff-eve-reverse-extra-data/README.md
new file mode 100644
index 000000000..08f40bf47
--- /dev/null
+++ b/tests/http-xff-eve-reverse-extra-data/README.md
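Review bot: The overwrite check in tests/http-xff-eve-forward-overwrite/test.yaml pins `dest_ip: 10.2.2.2` without saying why the destination rather than the source address is expected to carry the X-Forwarded-For value; the same applies to tests/http-xff-eve-reverse-overwrite/test.yaml. The rule in test.rules matches on `http_server_body`, so the alert presumably fires on the response direction, where overwrite mode appears to replace `dest_ip`; a one-line comment such as `# rule fires on the server response, so overwrite mode replaces dest_ip with the XFF address` above the match block would save the next reader that reconstruction.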
@@ -0,0 +1,28 @@
+Test eve/alert/xff/reverse/extra-data output.
+
+## PCAP origin
+
+https://redmine.openinfosecfoundation.org/attachments/1424/xff-extradata.pcap
+
+### Request Headers
+
+GET /~sgtatham/putty/0.60/x86/pscp.exe HTTP/1.1
+User-Agent: Wget/1.17.1 (linux-gnu)
+Accept: */*
+Accept-Encoding: identity
+Host: the.earth.li
+Connection: Keep-Alive
+X-Forwarded-For: 10.1.23.250, 10.1.23.250
+
+### Response Headers
+
+HTTP/1.1 200 OK
+Date: Wed, 27 Sep 2017 18:58:30 GMT
+Server: Apache
+Last-Modified: Sun, 29 Apr 2007 13:02:37 GMT
+ETag: "48000-42f3ffb92f540"
+Accept-Ranges: bytes
+Content-Length: 294912
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/x-msdos-program
diff --git a/tests/http-xff-eve-reverse-extra-data/suricata.yaml b/tests/http-xff-eve-reverse-extra-data/suricata.yaml
new file mode 100644
index 000000000..fa7182896
--- /dev/null
+++ b/tests/http-xff-eve-reverse-extra-data/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ metadata: no
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
diff --git a/tests/http-xff-eve-reverse-extra-data/test.pcap b/tests/http-xff-eve-reverse-extra-data/test.pcap
new file mode 100644
index 000000000..29f087e38
Binary files /dev/null and b/tests/http-xff-eve-reverse-extra-data/test.pcap differ
diff --git a/tests/http-xff-eve-reverse-extra-data/test.rules b/tests/http-xff-eve-reverse-extra-data/test.rules
new file mode 100644
index 000000000..dc6cf29e8
--- /dev/null
+++ b/tests/http-xff-eve-reverse-extra-data/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST RULE"; content:"uid"; http_server_body; sid:1; rev:1;)
diff --git a/tests/http-xff-eve-reverse-extra-data/test.yaml b/tests/http-xff-eve-reverse-extra-data/test.yaml
new file mode 100644
index 000000000..b686c73bf
--- /dev/null
+++ b/tests/http-xff-eve-reverse-extra-data/test.yaml
@@ -0,0 +1,9 @@
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ xff: 10.3.3.3
+
diff --git a/tests/http-xff-eve-reverse-overwrite/README.md b/tests/http-xff-eve-reverse-overwrite/README.md
new file mode 100644
index 000000000..2aec1e3b8
--- /dev/null
+++ b/tests/http-xff-eve-reverse-overwrite/README.md
@@ -0,0 +1,28 @@
+Test eve/alert/xff/reverse/overwrite output.
+
+## PCAP origin
+
+https://redmine.openinfosecfoundation.org/attachments/1424/xff-extradata.pcap
+
+### Request Headers
+
+GET /~sgtatham/putty/0.60/x86/pscp.exe HTTP/1.1
+User-Agent: Wget/1.17.1 (linux-gnu)
+Accept: */*
+Accept-Encoding: identity
+Host: the.earth.li
+Connection: Keep-Alive
+X-Forwarded-For: 10.1.23.250, 10.1.23.250
+
+### Response Headers
+
+HTTP/1.1 200 OK
+Date: Wed, 27 Sep 2017 18:58:30 GMT
+Server: Apache
+Last-Modified: Sun, 29 Apr 2007 13:02:37 GMT
+ETag: "48000-42f3ffb92f540"
+Accept-Ranges: bytes
+Content-Length: 294912
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/x-msdos-program
diff --git a/tests/http-xff-eve-reverse-overwrite/suricata.yaml b/tests/http-xff-eve-reverse-overwrite/suricata.yaml
new file mode 100644
index 000000000..dd2428ede
--- /dev/null
+++ b/tests/http-xff-eve-reverse-overwrite/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ metadata: no
+ xff:
+ enabled: yes
+ mode: overwrite
+ deployment: reverse
diff --git a/tests/http-xff-eve-reverse-overwrite/test.pcap b/tests/http-xff-eve-reverse-overwrite/test.pcap
new file mode 100644
index 000000000..29f087e38
Binary files /dev/null and b/tests/http-xff-eve-reverse-overwrite/test.pcap differ
diff --git a/tests/http-xff-eve-reverse-overwrite/test.rules b/tests/http-xff-eve-reverse-overwrite/test.rules
new file mode 100644
index 000000000..dc6cf29e8
--- /dev/null
+++ b/tests/http-xff-eve-reverse-overwrite/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"TEST RULE"; content:"uid"; http_server_body; sid:1; rev:1;)
diff --git a/tests/http-xff-eve-reverse-overwrite/test.yaml b/tests/http-xff-eve-reverse-overwrite/test.yaml
new file mode 100644
index 000000000..f67b5b91f
--- /dev/null
+++ b/tests/http-xff-eve-reverse-overwrite/test.yaml
@@ -0,0 +1,9 @@
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ dest_ip: 10.3.3.3