From: Shivani Bhardwaj Date: Thu, 9 Feb 2023 17:15:09 +0000 (+0530) Subject: tests: add test for bug 2917 X-Git-Tag: suricata-6.0.13~39 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cfb11f749010489e5a608d6924effefddc5efe6b;p=thirdparty%2Fsuricata-verify.git tests: add test for bug 2917
---
diff --git a/tests/bug-2917/README.md b/tests/bug-2917/README.md
new file mode 100644
index 000000000..c87cc3f49
--- /dev/null
+++ b/tests/bug-2917/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Engine analysis on the rules that cause the bug 2917
+
+## PCAP
+
+None
diff --git a/tests/bug-2917/test.rules b/tests/bug-2917/test.rules
new file mode 100644
index 000000000..87463a15b
--- /dev/null
+++ b/tests/bug-2917/test.rules
@@ -0,0 +1,17 @@
+alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST 1"; flow:to_server,established; content:"GET"; http_method; flowbits:set,test; sid:1;)
+
+# does not work - based on the original rules
+# Before commit https://github.com/oISF/suricata/commit/227d1d967a5902 which suppresses the error message
+# This rule is where one would see the error "Unable to find the sm in any of the sm lists"
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 2"; flowbits:isset,test; pcre:"/\s200\s/"; sid:2;)
+
+# works - removing the flowbit
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 3"; pcre:"/\s200\s/"; sid:3;)
+
+# works - sub pcre with content - this validates it something with the flowbit relationship?
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 4"; flowbits:isset,test; content:"|20|200|20|"; sid:4;)
+
+# works - add a buffer to the pcre
+alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST 5"; flowbits:isset,test; pcre:"/200/S"; sid:5;)
+
+alert dns any any -> any any (msg:"DNS TEST"; isdataat:129 ; app-layer-event:dns.malformed_data; sid:1371257161; rev:1;)
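Review bot: The comment above TEST 4, `# works - sub pcre with content - this validates it something with the flowbit relationship?`, records an open question rather than what the fixture shows, so a reader cannot tell which rule is the control for which variable. Since TEST 3 drops only the flowbit, TEST 4 swaps only the pcre for a content match and TEST 5 only adds the `S` buffer to the pcre, say so directly, e.g. `# works - same flowbit, but a content match instead of an unbuffered pcre` (which combination actually triggers the bug is inferred from these comments, not verified here). The `# does not work` header on TEST 2 describes only the pre-fix behaviour; it should also state the expected post-fix outcome, i.e. that the rule loads and shows up in engine analysis, since that is what the accompanying checks assert. The DNS rule's `isdataat:129 ;` carries a stray space before the semicolon; `isdataat:129;` matches the spacing of every other keyword in the file.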
diff --git a/tests/bug-2917/test.yaml b/tests/bug-2917/test.yaml
new file mode 100644
index 000000000..e1c0fd7e3
--- /dev/null
+++ b/tests/bug-2917/test.yaml
@@ -0,0 +1,215 @@
+requires:
+  min-version: 7
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1
+        gid: 1
+        rev: 0
+        msg: TEST 1
+        app_proto: http
+        requirements[0]: flow
+        flags[0]: sp_any
+        flags[1]: applayer
+        flags[2]: toserver
+        flags[3]: prefilter
+        pkt_engines[0].name: packet
+        pkt_engines[0].is_mpm: false
+        engines[0].name: http_method
+        engines[0].direction: toserver
+        engines[0].is_mpm: true
+        engines[0].app_proto: http
+        engines[0].progress: 1
+        engines[0].matches[0].name: content
+        engines[0].matches[0].content.pattern: GET
+        engines[0].matches[0].content.length: 3
+        engines[0].matches[0].content.nocase: false
+        engines[0].matches[0].content.negated: false
+        engines[0].matches[0].content.starts_with: false
+        engines[0].matches[0].content.ends_with: false
+        engines[0].matches[0].content.is_mpm: true
+        engines[0].matches[0].content.no_double_inspect: true
+        engines[0].matches[0].content.fast_pattern: false
+        engines[0].matches[0].content.relative_next: false
+        lists.packet.matches[0].name: flow
+        lists.postmatch.matches[0].name: flowbits
+        mpm.buffer: http_method
+        mpm.pattern: GET
+        mpm.length: 3
+        mpm.nocase: false
+        mpm.negated: false
+        mpm.starts_with: false
+        mpm.ends_with: false
+        mpm.is_mpm: true
+        mpm.no_double_inspect: true
+        mpm.fast_pattern: false
+        mpm.relative_next: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 2
+        gid: 1
+        rev: 0
+        msg: TEST 2
+        app_proto: http_any
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_stream
+        flags[3]: need_flowvar
+        flags[4]: toserver
+        flags[5]: toclient
+        pkt_engines[0].name: payload
+        pkt_engines[0].is_mpm: false
+        pkt_engines[1].name: packet
+        pkt_engines[1].is_mpm: false
+        lists.packet.matches[0].name: flowbits
+        lists.payload.matches[0].name: pcre
+        lists.payload.matches[0].pcre.relative: false
+        lists.payload.matches[0].pcre.relative_next: false
+        lists.payload.matches[0].pcre.nocase: false
+        lists.payload.matches[0].pcre.negated: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 4
+        gid: 1
+        rev: 0
+        msg: TEST 4
+        app_proto: http_any
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_stream
+        flags[3]: need_flowvar
+        flags[4]: toserver
+        flags[5]: toclient
+        flags[6]: prefilter
+        pkt_engines[0].name: payload
+        pkt_engines[0].is_mpm: true
+        pkt_engines[1].name: packet
+        pkt_engines[1].is_mpm: false
+        lists.packet.matches[0].name: flowbits
+        lists.payload.matches[0].name: content
+        lists.payload.matches[0].content.pattern: '|20|200|20|'
+        lists.payload.matches[0].content.length: 5
+        lists.payload.matches[0].content.nocase: false
+        lists.payload.matches[0].content.negated: false
+        lists.payload.matches[0].content.starts_with: false
+        lists.payload.matches[0].content.ends_with: false
+        lists.payload.matches[0].content.is_mpm: true
+        lists.payload.matches[0].content.no_double_inspect: true
+        lists.payload.matches[0].content.fast_pattern: false
+        lists.payload.matches[0].content.relative_next: false
+        mpm.buffer: payload
+        mpm.pattern: '|20|200|20|'
+        mpm.length: 5
+        mpm.nocase: false
+        mpm.negated: false
+        mpm.starts_with: false
+        mpm.ends_with: false
+        mpm.is_mpm: true
+        mpm.no_double_inspect: true
+        mpm.fast_pattern: false
+        mpm.relative_next: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 5
+        gid: 1
+        rev: 0
+        msg: TEST 5
+        app_proto: http
+        requirements[0]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_flowvar
+        flags[3]: toclient
+        pkt_engines[0].name: packet
+        pkt_engines[0].is_mpm: false
+        engines[0].name: http_stat_code
+        engines[0].direction: toclient
+        engines[0].is_mpm: false
+        engines[0].app_proto: http
+        engines[0].progress: 1
+        engines[0].matches[0].name: pcre
+        engines[0].matches[0].pcre.relative: false
+        engines[0].matches[0].pcre.relative_next: false
+        engines[0].matches[0].pcre.nocase: false
+        engines[0].matches[0].pcre.negated: false
+        lists.packet.matches[0].name: flowbits
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 3
+        gid: 1
+        rev: 0
+        msg: TEST 3
+        app_proto: http_any
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: dp_any
+        flags[1]: applayer
+        flags[2]: need_stream
+        flags[3]: toserver
+        flags[4]: toclient
+        pkt_engines[0].name: payload
+        pkt_engines[0].is_mpm: false
+        lists.payload.matches[0].name: pcre
+        lists.payload.matches[0].pcre.relative: false
+        lists.payload.matches[0].pcre.relative_next: false
+        lists.payload.matches[0].pcre.nocase: false
+        lists.payload.matches[0].pcre.negated: false
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1371257161
+        gid: 1
+        rev: 1
+        msg: DNS TEST
+        app_proto: dns
+        requirements[0]: payload
+        requirements[1]: flow
+        flags[0]: src_any
+        flags[1]: dst_any
+        flags[2]: sp_any
+        flags[3]: dp_any
+        flags[4]: applayer
+        flags[5]: need_stream
+        flags[6]: toserver
+        flags[7]: toclient
+        engines[0].name: app-layer-events
+        engines[0].direction: toserver
+        engines[0].is_mpm: false
+        engines[0].progress: 0
+        engines[0].matches[0].name: app-layer-event
+        engines[1].name: app-layer-events
+        engines[1].direction: toclient
+        engines[1].is_mpm: false
+        engines[1].progress: 0
+        engines[1].matches[0].name: app-layer-event
+        engines[2].name: stream
+        engines[2].direction: toserver
+        engines[2].is_mpm: false
+        engines[2].progress: 0
+        engines[2].matches[0].name: isdataat
+        engines[3].name: stream
+        engines[3].direction: toclient
+        engines[3].is_mpm: false
+        engines[3].progress: 0
+        engines[3].matches[0].name: isdataat
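Review bot: Every check here asserts only that a sid appears once in rules.json with the expected engine layout, so the symptom test.rules names for sid 2 — the `Unable to find the sm in any of the sm lists` error — is never asserted absent, and a regression that re-emits that error while still loading the rule would pass. If the harness supports it, add a check next to the sid 2 filter that the log does not contain that message (or that no rule failed to load), and say in the README which assertion is the actual bug-2917 regression guard. The `min-version: 7` requirement is presumably there because the JSON engine-analysis output only exists from 7.x; a comment such as `# rules.json from --engine-analysis is 7.x only` would save the next reader from checking. Positional keys like `flags[3]: need_flowvar` will also break on any reordering of the flag list, which is worth a note if that order is not guaranteed by the engine.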