From: Victor Julien
Date: Sat, 26 Nov 2022 14:31:17 +0000 (+0100)
Subject: tests: issue 5223 for 6
X-Git-Tag: suricata-6.0.9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1019%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: issue 5223 for 6
---
diff --git a/tests/base64-issue-5223-6/README.md b/tests/base64-issue-5223-6/README.md
new file mode 100644
index 000000000..b7f05b823
--- /dev/null
+++ b/tests/base64-issue-5223-6/README.md
@@ -0,0 +1,17 @@
+Description
+===========
+Test corresponding to fix for the behavior of `base64_decode` keyword in case an
+invalid character is encountered.
+For handling of such cases, [RFC 4648](https://www.rfc-editor.org/rfc/rfc4648#section-3.3) has been taken into account.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5223](https://redmine.openinfosecfoundation.org/issues/5223)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5223
+
+Reported by
+===========
+Brandon Murphy
diff --git a/tests/base64-issue-5223-6/input.pcap b/tests/base64-issue-5223-6/input.pcap
new file mode 100644
index 000000000..5ecd467d3
Binary files /dev/null and b/tests/base64-issue-5223-6/input.pcap differ
diff --git a/tests/base64-issue-5223-6/test.rules b/tests/base64-issue-5223-6/test.rules
new file mode 100644
index 000000000..98d08fed5
--- /dev/null
+++ b/tests/base64-issue-5223-6/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"base64 decode - no url_decode"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; startswith; sid:1; rev:1;)
+alert http any any -> any any (msg:"base64 decode - url_decode"; flow:established,to_server; http.cookie; url_decode; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; sid:2; rev:1;)
+alert http any any -> any any (msg:"base64 decode - no url_decode, proves no base64_data buffer via pcre"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; pcre:"/./"; sid:3; rev:1;)
+alert http any any -> any any (msg:"base64 decode - no url_decode grab only the first two bytes"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:bytes 2,relative; base64_data; content:"|9e|"; startswith; sid:4; rev:1;)
diff --git a/tests/base64-issue-5223-6/test.yaml b/tests/base64-issue-5223-6/test.yaml
new file mode 100644
index 000000000..b21bf1ab4
--- /dev/null
+++ b/tests/base64-issue-5223-6/test.yaml
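Review bot: sid:2 is the only rule that checks `content:"|9e|"` without `startswith`, so unlike sid:1 and sid:4 it also passes when 0x9e occurs anywhere in the decoded buffer rather than as its first byte, and the msg "base64 decode - url_decode" does not say this weaker match is intended. If the url_decode variant is meant to be the exact counterpart of sid:1, add `startswith` so the pair differs only in `url_decode`; if the omission is deliberate, a `# sid:2: no startswith because ...` comment above the rule would stop the next reader from "fixing" it. The msg of sid:3, "proves no base64_data buffer via pcre", reads as if the buffer were expected to be absent, yet `pcre:"/./"` only matches when the buffer holds at least one byte and test.yaml expects this alert once; rewording it to say what is proved (that the buffer is populated) would remove the ambiguity.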
@@ -0,0 +1,156 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode
+ alert.signature_id: 1
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - url_decode
+ alert.signature_id: 2
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ #src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode, proves no base64_data buffer
+ via pcre
+ alert.signature_id: 3
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode grab only the first two bytes
+ alert.signature_id: 4
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: http
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ flow.reason: shutdown
+ flow.state: established
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tcp.ack: true
+ tcp.psh: true
+ tcp.state: established
+ tcp.syn: true
+ tcp.tcp_flags: 1a
+ tcp.tcp_flags_tc: '12'
+ tcp.tcp_flags_ts: 1a
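Review bot: The second check (signature_id 2) carries `#src_port: 60078` commented out while the other five checks assert `src_port: 60078`, and neither the file nor the commit message says why; every filter here describes the same single flow (same src_ip, dest_ip, dest_port, byte and packet counts), so the field should match identically for this alert. Either restore `src_port: 60078` or replace the dead line with a comment giving the reason it cannot be asserted, so the gap does not look like an accidentally weakened check. Minor: the third check's signature is split over two lines as an unquoted plain scalar (`... proves no base64_data buffer` / `via pcre`); YAML folds that into one space-joined string so it matches the rule's msg, but quoting the value on one line would make the exact expected text obvious to a reader.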