From: Shivani Bhardwaj
Date: Tue, 21 Apr 2020 07:23:24 +0000 (+0530)
Subject: Add tests for DCERPC
X-Git-Tag: suricata-6.0.4~295
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df1d6fb11c17b6eaa5546ce89cc19714931625aa;p=thirdparty%2Fsuricata-verify.git

Add tests for DCERPC
---
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/input.pcap b/tests/dcerpc/dcerpc-dce-iface-02/input.pcap
new file mode 100644
index 000000000..d6d7cb50a
Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-iface-02/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.rules b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
new file mode 100644
index 000000000..27cccb31c
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.yaml b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
new file mode 100644
index 000000000..7c47e217d
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
diff --git a/tests/dcerpc/dcerpc-dce-iface-03/input.pcap b/tests/dcerpc/dcerpc-dce-iface-03/input.pcap
new file mode 100644
index 000000000..d6d7cb50a
Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-iface-03/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-iface-03/test.rules b/tests/dcerpc/dcerpc-dce-iface-03/test.rules
new file mode 100644
index 000000000..5f24a9c2f
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1;sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-iface-03/test.yaml b/tests/dcerpc/dcerpc-dce-iface-03/test.yaml
new file mode 100644
index 000000000..7c47e217d
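Review bot: The check in dcerpc-dce-iface-02/test.yaml matches only `event_type: alert`, so it does not say which signature raised the alert; the dcepayload test in this same commit pins `alert.signature_id: 1` on its match, and adding that line here would make the check consistent with it. The same applies to dcerpc-dce-iface-03/test.yaml and dcerpc-dce-opnum/test.yaml. With a single rule in each test.rules this is harmless today, but it keeps the check meaningful if rules are added to these tests later.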
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-03/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
diff --git a/tests/dcerpc/dcerpc-dce-iface-04/input.pcap b/tests/dcerpc/dcerpc-dce-iface-04/input.pcap
new file mode 100644
index 000000000..d6d7cb50a
Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-iface-04/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-iface-04/test.rules b/tests/dcerpc/dcerpc-dce-iface-04/test.rules
new file mode 100644
index 000000000..2e0250bad
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-04/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989,<1;sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-iface-04/test.yaml b/tests/dcerpc/dcerpc-dce-iface-04/test.yaml
new file mode 100644
index 000000000..817f3763b
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-04/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/dcerpc/dcerpc-dce-opnum/input.pcap b/tests/dcerpc/dcerpc-dce-opnum/input.pcap
new file mode 100644
index 000000000..d6d7cb50a
Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-opnum/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-opnum/test.rules b/tests/dcerpc/dcerpc-dce-opnum/test.rules
new file mode 100644
index 000000000..947427ffa
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-opnum/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;dce_opnum:4;sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-opnum/test.yaml b/tests/dcerpc/dcerpc-dce-opnum/test.yaml
new file mode 100644
index 000000000..7c47e217d
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-opnum/test.yaml
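Review bot: The `count: 0` filter in dcerpc-dce-iface-04/test.yaml is the only assertion in the file, so the test also passes when the pcap is never parsed as DCERPC at all (protocol detection regression, parser disabled, unexpected port), which is the failure a negative version-check test most needs to catch. Pair it with a positive check that proves the stream was inspected: either a second `filter` with `count: 1` on a `dcerpc` event record, if the build under test emits them, or a second rule in test.rules without the `,<1` version constraint (the iface-02 rule under `sid:2`) with the yaml requiring `count: 1` for `alert.signature_id: 2` and `count: 0` for `alert.signature_id: 1`. As written, `dce_iface:...,<1` correctly not matching and the engine seeing no DCERPC are indistinguishable.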
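Review bot: The rule in dcerpc-dce-opnum/test.rules keeps `msg:"DCE Iface test"` although it is the only rule in this commit that exercises `dce_opnum:4`; an alert carrying that message reads as an iface match in the eve output and in any failure report. Renaming it, e.g. `msg:"DCE Opnum test"`, makes the alert self-describing without changing what the test checks.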
@@ -0,0 +1,12 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
diff --git a/tests/dcerpc/dcerpc-dcepayload/input.pcap b/tests/dcerpc/dcerpc-dcepayload/input.pcap
new file mode 100644
index 000000000..d6d7cb50a
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload/test.rules b/tests/dcerpc/dcerpc-dcepayload/test.rules
new file mode 100644
index 000000000..450b51230
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"DCE Response stub data"; flow:established,to_client; dce_stub_data; content:"no"; offset:22; content:"12DOM"; within:13; content:"REDHAT"; distance:5; sid:1;)
diff --git a/tests/dcerpc/dcerpc-dcepayload/test.yaml b/tests/dcerpc/dcerpc-dcepayload/test.yaml
new file mode 100644
index 000000000..7ee3ea39a
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1