From: Jeff Lucovsky
Date: Wed, 19 Feb 2020 14:19:42 +0000 (-0500)
Subject: tests/pcre: Add test to check sticky buffer
X-Git-Tag: suricata-6.0.4~345
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df3dd3ec426d98ac3c7ab47cf466248f58591de0;p=thirdparty%2Fsuricata-verify.git

tests/pcre: Add test to check sticky buffer

This commit adds test support to ensure that modifiers to pcre have the proper content.
---
diff --git a/tests/pcre-invalid-rule-01/.test.rules.swp b/tests/pcre-invalid-rule-01/.test.rules.swp
new file mode 100644
index 000000000..6258592bc
Binary files /dev/null and b/tests/pcre-invalid-rule-01/.test.rules.swp differ
diff --git a/tests/pcre-invalid-rule-01/.test.yaml.swp b/tests/pcre-invalid-rule-01/.test.yaml.swp
new file mode 100644
index 000000000..e9f65157e
Binary files /dev/null and b/tests/pcre-invalid-rule-01/.test.yaml.swp differ
diff --git a/tests/pcre-invalid-rule-01/README.md b/tests/pcre-invalid-rule-01/README.md
new file mode 100644
index 000000000..eabbda582
--- /dev/null
+++ b/tests/pcre-invalid-rule-01/README.md
@@ -0,0 +1 @@
+Ensure that PCRE buffer requirements are met
diff --git a/tests/pcre-invalid-rule-01/input.pcap b/tests/pcre-invalid-rule-01/input.pcap
new file mode 100644
index 000000000..bc6ba8ff9
Binary files /dev/null and b/tests/pcre-invalid-rule-01/input.pcap differ
diff --git a/tests/pcre-invalid-rule-01/test.rules b/tests/pcre-invalid-rule-01/test.rules
new file mode 100644
index 000000000..8bf448758
--- /dev/null
+++ b/tests/pcre-invalid-rule-01/test.rules
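Review bot: `tests/pcre-invalid-rule-01/.test.rules.swp` and `tests/pcre-invalid-rule-01/.test.yaml.swp` are vim swap files checked in as binary blobs next to the test; they are editor state rather than test input and should be dropped from the commit before merge. A swap file also holds a copy of the editor buffer, so it is not something a test tree should carry around. If the repository has no ignore rule for them yet, adding `*.swp` to its `.gitignore` would keep this from recurring.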
@@ -0,0 +1,233 @@
+# failure cases
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ pcre:"/^(?:[A-F0-9]{2}){200,}$/P"; \
+ sid:1; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.uri; pcre:"/^(?:[A-F0-9]{2}){200,}$/P"; \
+ sid:2; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/I"; \
+ sid:3; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/Q"; \
+ sid:4; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/D"; \
+ sid:5; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/H"; \
+ sid:6; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/M"; \
+ sid:7; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/C"; \
+ sid:8; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/S"; \
+ sid:9; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.method; content:"GET"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/Y"; \
+ sid:10; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/V"; \
+ sid:11; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[a-f0-9]{2}){200,}$/W"; \
+ sid:12; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/M"; \
+ sid:13; \
+)
+# success cases
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/P"; \
+ sid:14; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.uri.raw; pcre:"/^(?:[A-F0-9]{2}){200,}$/I"; \
+ sid:15; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.response_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/Q"; \
+ sid:16; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.header.raw; pcre:"/^(?:[A-F0-9]{2}){200,}$/D"; \
+ sid:17; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.header; pcre:"/^(?:[A-F0-9]{2}){200,}$/H"; \
+ sid:18; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.cookie; pcre:"/^(?:[A-F0-9]{2}){200,}$/C"; \
+ sid:19; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.stat_code; pcre:"/^(?:[A-F0-9]{2}){200,}$/S"; \
+ sid:20; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.stat_msg; pcre:"/^(?:[A-F0-9]{2}){200,}$/Y"; \
+ sid:21; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.user_agent; pcre:"/^(?:[A-F0-9]{2}){200,}$/V"; \
+ sid:22; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.host; pcre:"/^(?:[a-f0-9]{2}){200,}$/W"; \
+ sid:23; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.method; pcre:"/^(?:[A-F0-9]{2}){200,}$/M"; \
+ sid:24; \
+)
diff --git a/tests/pcre-invalid-rule-01/test.yaml b/tests/pcre-invalid-rule-01/test.yaml
new file mode 100644
index 000000000..bf42d7355
--- /dev/null
+++ b/tests/pcre-invalid-rule-01/test.yaml
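Review bot: sid:13, the last rule of the failure block, is identical to sid:7 apart from the sid (both end in `http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/M";`), so the second expected "http request method" conflict in test.yaml comes from a repeated rule rather than a distinct case; either drop it or give it a different preceding buffer, e.g. `http.uri; pcre:"/^(?:[A-F0-9]{2}){200,}$/M";`, which keeps that expected count at 2 while covering a second conflicting buffer. None of the 24 rules states what it checks beyond the two block headers, so a one-line comment per rule such as `# sid 2: /P (request body) after http.uri sticky buffer -> must be rejected` would let a changed grep count in test.yaml be traced to the rule behind it. Every rule also carries the same `msg:"suri 5 pcre fun"`; putting the sid or the tested modifier in the msg would make the individual rules distinguishable if the log is ever read rather than only counted.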
@@ -0,0 +1,59 @@
+checks:
+
+ - shell:
+ args: grep "1 rule files processed. 11 rules successfully loaded, 13 rules failed" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep SC_ERR_INVALID_SIGNATURE suricata.log | wc -l | xargs
+ expect: 26
+
+ - shell:
+ args: grep "Expression seen with a sticky buffer" suricata.log | wc -l | xargs
+ expect: 13
+
+ - shell:
+ args: grep -o "use a sticky.*\"http request body" suricata.log | wc -l | xargs
+ expect: 2
+
+ - shell:
+ args: grep -o "use a sticky.*\"raw http uri" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http response body" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"raw http headers" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http headers" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http request method" suricata.log | wc -l | xargs
+ expect: 2
+
+ - shell:
+ args: grep -o "use a sticky.*\"http cookie header" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http response status code" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http response status message" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http user agent" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http host" suricata.log | wc -l | xargs
+ expect: 1
+
+exit-code: 1
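Review bot: Every `expect:` here is a total worked out by hand from test.rules (`13 rules failed`, `expect: 26` for SC_ERR_INVALID_SIGNATURE, the per-buffer counts of 1 or 2), so adding or removing a single rule breaks several checks at once with nothing pointing back to the rule; a comment under `checks:` stating how the totals are derived (13 failing rules, two SC_ERR_INVALID_SIGNATURE lines per failing rule, and which sids feed each per-buffer count) would make the next edit safe. Rejecting a pcre modifier that disagrees with the active sticky buffer is version-specific behaviour (the rules themselves are labelled "suri 5"), so a `requires:` block with a `min-version:` would stop older Suricata builds from reporting this test as a failure, assuming this checkout of suricata-verify already honours that key. The `grep … | wc -l | xargs` pipeline on every check is a roundabout way to get a count; `grep -c PATTERN suricata.log` returns the same number directly for the non-`-o` checks, and for the `-o` ones too as long as no log line carries more than one match.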