From: Philippe Antoine
Date: Mon, 7 Dec 2020 11:33:01 +0000 (+0100)
Subject: Adds checks with http.uri keyword and HTTP2 traffic
X-Git-Tag: suricata-6.0.4~126
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbaa2a12798e1e2b998550ec91ce07e54e818b80;p=thirdparty%2Fsuricata-verify.git
Adds checks with http.uri keyword and HTTP2 traffic
---
diff --git a/tests/http2-basic/test.rules b/tests/http2-basic/test.rules
index d0866dadd..499c11f78 100644
--- a/tests/http2-basic/test.rules
+++ b/tests/http2-basic/test.rules
@@ -2,3 +2,9 @@ alert http2 any any -> any any (http2.header; content:"agent: nghttp2"; sid:1; r
 alert http2 any any -> any any (http2.frametype:GOAWAY; sid:2; rev:1;)
 alert http2 any any -> any any (http2.settings:SETTINGS_HEADER_TABLE_SIZE>1000; sid:3; rev:1;)
 alert http2 any any -> any any (http2.window:34634; sid:4; rev:1;)
+
+alert http any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:10;)
+alert http1 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:11;)
+alert http2 any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:12;)
+alert tcp any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:13;)
+alert ip any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:14;)
diff --git a/tests/http2-basic/test.yaml b/tests/http2-basic/test.yaml
index 0ffbc7e6e..21b3bf559 100644
--- a/tests/http2-basic/test.yaml
+++ b/tests/http2-basic/test.yaml
@@ -78,3 +78,29 @@ checks:
 count: 0
 match:
 event_type: anomaly
+ # HTTP generic keywords with HTTP2 traffic
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 12
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 13
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 14
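Review bot: The five new rules (sid 10 to 14) carry no `rev:`, while sids 1 to 4 in the same file all end with `rev:1;`; keeping the revision on every test rule keeps the file consistent and makes later edits to a rule traceable, e.g. `alert http any any -> any any (http.uri; content:"/doc/manual/html/index.html"; sid:10; rev:1;)`. The `alert tcp` and `alert ip` variants (sid 13 and 14) appear to be the interesting cases, since they exercise whether an `http.uri` sticky buffer still binds to the HTTP/2 application layer when the rule protocol is not an app-layer one, and nothing in the file says so; a short comment above them such as `# sid 13/14: http.uri must still match on HTTP/2 when the rule proto is tcp/ip` would record that intent for the next reader.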
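Review bot: The new filters only count alerts per signature id, so the `count: 1` checks for sid 10, 13 and 14 would also pass if the one match came from something other than the HTTP/2 transaction; adding `app_proto: http2` beside `alert.signature_id` in each `match` (eve alert records normally carry `app_proto`) pins that the generic `http.uri` keyword fired on HTTP/2 traffic. The `count: 0` for sid 11 (`alert http1`) is the negative case and deserves a line of its own, e.g. `# sid 11 (http1) must not fire: the pcap carries only HTTP/2`. I am inferring from that expected zero that the capture holds no HTTP/1 traffic; if it does, the `app_proto` filter on the other sids becomes essential rather than nice-to-have.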
diff --git a/tests/http2-upgrade/test.rules b/tests/http2-upgrade/test.rules
new file mode 100644
index 000000000..46d4352f4
--- /dev/null
+++ b/tests/http2-upgrade/test.rules
@@ -0,0 +1,3 @@
+alert http1 any any -> any any (http.uri; content:"/robots.txt"; sid:10;)
+alert http2 any any -> any any (http.uri; content:"/robots.txt"; sid:11;)
+alert http any any -> any any (http.uri; content:"/robots.txt"; sid:12;)
diff --git a/tests/http2-upgrade/test.yaml b/tests/http2-upgrade/test.yaml
index 0e24fb778..26d913ee3 100644
--- a/tests/http2-upgrade/test.yaml
+++ b/tests/http2-upgrade/test.yaml
@@ -50,3 +50,19 @@ checks:
 http.http_method: "GET"
 http.url: "/humans.txt"
 http.status: 404
+# checks for http.uti keyword : 1 for HTTP1, 1 for mimicked HTTP2 response, so 2 for whole HTTP
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 12
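Review bot: The added comment has a typo, `http.uti` should read `http.uri`, and it states a split (one alert from the HTTP/1 request, one from the HTTP/2 side) that the checks below do not enforce: `count: 2` for sid 12 passes as long as two alerts exist, whichever transactions they came from. Adding `app_proto: http` to the sid 10 filter and `app_proto: http2` to the sid 11 filter would make the claim in the comment the thing actually tested, and a mismatch in the upgrade handling would then fail on the specific side rather than on the sum. The comment also sits at column 0 while the `- filter:` entries are indented; YAML accepts that, but indenting it with the list reads better. Suggested wording: `# http.uri across the h2c Upgrade: 1 alert on the HTTP/1 request (sid 10), 1 on the mimicked HTTP/2 side (sid 11), so 2 for the protocol-agnostic http rule (sid 12)`.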