From: Shivani Bhardwaj
Date: Fri, 25 Mar 2022 10:29:09 +0000 (+0530)
Subject: Add tests for smb/dcerpc missing alert
X-Git-Tag: suricata-5.0.10~23
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f31ee04397d6ea7b9d517561c8cfe4ae2456e70a;p=thirdparty%2Fsuricata-verify.git

Add tests for smb/dcerpc missing alert
---
diff --git a/tests/dcerpc-smb-fail/README.md b/tests/dcerpc-smb-fail/README.md
new file mode 100644
index 000000000..d8a3e557d
--- /dev/null
+++ b/tests/dcerpc-smb-fail/README.md
@@ -0,0 +1,12 @@
+Description
+===========
+Out of the 3 rules present in the test, only sid:1 alerts on all versions,
+sid:2 alerts on master and master-6.0.x, sid:3 does not alert on any branch.
+
+PCAP
+====
+PCAP comes from https://redmine.openinfosecfoundation.org/issues/5162
+
+Reporter
+========
+Brandon Murphy @ ET Labs
diff --git a/tests/dcerpc-smb-fail/input.pcap b/tests/dcerpc-smb-fail/input.pcap
new file mode 100644
index 000000000..9da7d7f86
Binary files /dev/null and b/tests/dcerpc-smb-fail/input.pcap differ
diff --git a/tests/dcerpc-smb-fail/test.rules b/tests/dcerpc-smb-fail/test.rules
new file mode 100644
index 000000000..50b526da1
--- /dev/null
+++ b/tests/dcerpc-smb-fail/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any 445 (flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; within:32; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; distance:6; within:12; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|03 00 00 00|"; distance:10; within:4; sid:1;)
+alert smb any any -> any any (msg:"test"; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:12; dcerpc.stub_data; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; within:32; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|15 00 00 00 00 00 00 00 15 00 00 00|"; distance:6; within:12; pcre:"/^(?:[A-Z]\x00){20}\x00\x00/R"; content:"|03 00 00 00|"; distance:10; within:4; sid:2;)
+# sid:3 Should fire but doesn't acc to https://redmine.openinfosecfoundation.org/issues/5208
+alert dcerpc any any -> any any (msg:"ET POLICY DCERPC SVCCTL OpenSCManagerW Request"; flow:established,to_server; dcerpc.iface:367abb81-9844-35f1-ad32-98f038001003; dcerpc.opnum:15; classtype:bad-unknown; sid:3; rev:1;)
diff --git a/tests/dcerpc-smb-fail/test.yaml b/tests/dcerpc-smb-fail/test.yaml
new file mode 100644
index 000000000..ef1c9171b
--- /dev/null
+++ b/tests/dcerpc-smb-fail/test.yaml
@@ -0,0 +1,39 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1445
+ match:
+ event_type: dcerpc
+- filter:
+ count: 22
+ match:
+ event_type: smb
+- filter:
+ count: 4
+ match:
+ event_type: dns
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 11
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
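Review bot: sid:2 is the only one of the three signatures without a flow direction — sid:1 and sid:3 both carry `flow:established,to_server;` — so it inspects both directions of the session, and its `msg:"test"` says nothing about what matched when it fires, which makes the per-branch comparison the README describes harder to read from eve output. Since the yaml counts were presumably recorded against the rule as written, adding the flow keyword should be re-checked against the `alert.signature_id: 2` count rather than done blindly; a more descriptive msg such as `msg:"test dcerpc.opnum 12 via smb stub_data";` is safe to change on its own. The comment above sid:3 reads as shorthand; `# sid:3 should fire but does not; see https://redmine.openinfosecfoundation.org/issues/5208` states the same thing plainly.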
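Review bot: The `alert.signature_id: 3` check asserts `count: 2` although the README in this commit states sid:3 alerts on no branch, and the `alert.signature_id: 2` check asserts `count: 2` although the README limits sid:2 to master and master-6.0.x, so the test fails on every branch and on older branches fails for two unrelated reasons. If the sid:3 expectation is deliberately the desired rather than the current behaviour, a comment above that check, `# expected behaviour per https://redmine.openinfosecfoundation.org/issues/5208; currently fails on all branches`, keeps the next maintainer from treating it as a miscount. A `requires:` block with `min-version: 6.0.0` would confine the sid:2 expectation to the branches the README already names, so the remaining failure is the one the test exists to capture.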