From: Philippe Antoine
Date: Wed, 27 Sep 2023 11:57:33 +0000 (+0200)
Subject: Adds test for quic v2
X-Git-Tag: suricata-6.0.15~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1404%2Fhead;p=thirdparty%2Fsuricata-verify.git
Adds test for quic v2
---
diff --git a/tests/quic-v2/README.md b/tests/quic-v2/README.md
new file mode 100644
index 000000000..9f937b004
--- /dev/null
+++ b/tests/quic-v2/README.md
@@ -0,0 +1,16 @@
+# Description
+
+Test quic v2 parsing
+
+# PCAP
+
+The pcap comes from running https://github.com/quic-go/quic-go
+
+The example server is in example
+`go run main.go -bind localhost:443`
+The example client is in example/client
+`go run main.go -insecure https://127.0.0.1:443/`
+with this patch
+```
++qconf.Versions = []quic.VersionNumber{quic.VersionNumber(0x6b3343cf)}
+```
diff --git a/tests/quic-v2/input.pcap b/tests/quic-v2/input.pcap
new file mode 100644
index 000000000..49384a51d
Binary files /dev/null and b/tests/quic-v2/input.pcap differ
diff --git a/tests/quic-v2/test.rules b/tests/quic-v2/test.rules
new file mode 100644
index 000000000..4ed74cc10
--- /dev/null
+++ b/tests/quic-v2/test.rules
@@ -0,0 +1,2 @@
+alert quic any any -> any any (msg:"QUIC V2"; quic.version; content:"|6b 33 43 cf|"; sid:4;)
+alert quic any any -> any any (msg:"QUIC JA3"; ja3.string; content:"771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0"; sid:3;)
diff --git a/tests/quic-v2/test.yaml b/tests/quic-v2/test.yaml
new file mode 100644
index 000000000..a954b2634
--- /dev/null
+++ b/tests/quic-v2/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: quic
+ quic.extensions[0].name: "status_request"
+ quic.extensions[6].name: "alpn"
+ quic.extensions[6].values[0]: "h3"
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
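Review bot: The JA3 rule (sid 3) uses a bare `content` on `ja3.string`, which is a substring match, so the test would still pass if the parser produced a fingerprint string with extra leading or trailing fields. Adding `startswith; endswith;` after the content pins the exact value. The same applies to the four-byte `quic.version` match in sid 4. Both rules also omit `rev`, and the sids are listed out of order (4 before 3); `rev:1;` and ascending order would follow the usual rule-file convention.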
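Review bot: The first filter matches only extension names and the ALPN value, so nothing in the EVE assertions ties the quic event itself to version 2; the version is covered only indirectly through the alert on sid 4. Adding the logged version to that match, `quic.version: <string Suricata logs for 0x6b3343cf>`, would make a regression in version decoding fail on the event record as well. The `count: 2` for signature 4 is also unexplained; a short comment such as `# sid 4 fires twice in this pcap (presumably once per direction - confirm)` would help whoever next regenerates the pcap.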