From: Jason Ish
Date: Tue, 25 Feb 2025 21:40:03 +0000 (-0600)
Subject: quic-v2: break out ja3 tests and require HAVE_JA3
X-Git-Tag: suricata-7.0.9~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7a755c9c4dd827ad8ebbea0654ee8ff4b7d14a4;p=thirdparty%2Fsuricata-verify.git
quic-v2: break out ja3 tests and require HAVE_JA3
---
diff --git a/tests/quic-v2-ja3/README.md b/tests/quic-v2-ja3/README.md
new file mode 100644
index 000000000..9f937b004
--- /dev/null
+++ b/tests/quic-v2-ja3/README.md
@@ -0,0 +1,16 @@
+# Description
+
+Test quic v2 parsing
+
+# PCAP
+
+The pcap comes from running https://github.com/quic-go/quic-go
+
+The example server is in example
+`go run main.go -bind localhost:443`
+The example client is in example/client
+`go run main.go -insecure https://127.0.0.1:443/`
+with this patch
+```
++qconf.Versions = []quic.VersionNumber{quic.VersionNumber(0x6b3343cf)}
+```
diff --git a/tests/quic-v2-ja3/input.pcap b/tests/quic-v2-ja3/input.pcap
new file mode 100644
index 000000000..49384a51d
Binary files /dev/null and b/tests/quic-v2-ja3/input.pcap differ
diff --git a/tests/quic-v2-ja3/test.rules b/tests/quic-v2-ja3/test.rules
new file mode 100644
index 000000000..4ed74cc10
--- /dev/null
+++ b/tests/quic-v2-ja3/test.rules
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC V2"; quic.version; content:"|6b 33 43 cf|"; sid:4;)
+alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0"; sid:3;)
diff --git a/tests/quic-v2-ja3/test.yaml b/tests/quic-v2-ja3/test.yaml
new file mode 100644
index 000000000..c597f6ee4
--- /dev/null
+++ b/tests/quic-v2-ja3/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 7.0.0
+ features:
+ - HAVE_JA3
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ quic.extensions[0].name: "status_request"
+ quic.extensions[6].name: "alpn"
+ quic.extensions[6].values[0]: "h3"
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/quic-v2/test.rules b/tests/quic-v2/test.rules
index 4ed74cc10..22382dceb 100644
--- a/tests/quic-v2/test.rules
+++ b/tests/quic-v2/test.rules
@@ -1,2 +1 @@
 alert quic any any -> any any (msg:"QUIC V2"; quic.version; content:"|6b 33 43 cf|"; sid:4;)
-alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0"; sid:3;)
diff --git a/tests/quic-v2/test.yaml b/tests/quic-v2/test.yaml
index a954b2634..22c3b6ceb 100644
--- a/tests/quic-v2/test.yaml
+++ b/tests/quic-v2/test.yaml
@@ -14,8 +14,3 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 4
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 3
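Review bot: Only the last check in the new tests/quic-v2-ja3/test.yaml (`alert.signature_id: 3`) exercises the JA3 path this test was split out for; the `event_type: quic` extension check and the `alert.signature_id: 4` check are copies of what tests/quic-v2/test.yaml still runs, so when HAVE_JA3 is absent they are skipped here for no gain and when it is present they run twice. Dropping those two checks (and the sid 4 rule in the new test.rules) would keep the gated test focused on JA3 and make a failure there unambiguous. The sid 3 expectation also presumably depends on JA3 fingerprinting being enabled in the Suricata configuration the runner uses, not just on the HAVE_JA3 build feature; worth confirming that the default config covers QUIC, otherwise `count: 1` fails for a reason unrelated to the parser. The `quic.extensions[0]` / `quic.extensions[6]` positional matches are fine for a fixed pcap but will need updating if the extension order in the log ever changes.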