From: Andreas Herz Date: Tue, 29 Oct 2019 10:54:00 +0000 (+0100) Subject: tests: add rdp parser test X-Git-Tag: suricata-6.0.4~377 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F144%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add rdp parser test
---
diff --git a/tests/rdp-protocol/RDP-003.pcap b/tests/rdp-protocol/RDP-003.pcap
new file mode 100644
index 000000000..d7e8e8450
Binary files /dev/null and b/tests/rdp-protocol/RDP-003.pcap differ
diff --git a/tests/rdp-protocol/README.md b/tests/rdp-protocol/README.md
new file mode 100644
index 000000000..4ce083aa9
--- /dev/null
+++ b/tests/rdp-protocol/README.md
@@ -0,0 +1 @@
+Match on RDP event and check different protocol specific details.
diff --git a/tests/rdp-protocol/suricata.yaml b/tests/rdp-protocol/suricata.yaml
new file mode 100644
index 000000000..0bfabbc4b
--- /dev/null
+++ b/tests/rdp-protocol/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - rdp
+ - flow
+
+app-layer:
+ protocols:
+ rdp:
+ enabled: yes
diff --git a/tests/rdp-protocol/test.yaml b/tests/rdp-protocol/test.yaml
new file mode 100644
index 000000000..7c271e36d
--- /dev/null
+++ b/tests/rdp-protocol/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+
+ # Check if rdp is detected and some protocol specific details are in the output
+ #
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: rdp
+
+ - filter:
+ count: 1
+ match:
+ event_type: rdp
+ rdp.event_type: "initial_request"
+ rdp.cookie: "A70067"
+
+ - filter:
+ count: 1
+ match:
+ event_type: rdp
+ rdp.event_type: "connect_request"
+ rdp.client.version: "v5"
+ rdp.client.build: "Windows XP"
+ rdp.client.desktop_height: 864
+ rdp.client.client_name: "ISD2-KM84178"
+ rdp.client.capabilities[0]: "support_errinfo_pdf"
+ rdp.client.id: "55274-OEM-0011903-00107"
+ rdp.channels[0]: "rdpdr"
+ rdp.channels[1]: "cliprdr"
+ rdp.channels[2]: "rdpsnd"
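Review bot: The connect_request filter pins only `rdp.client.capabilities[0]` and `rdp.channels[0]`..`[2]`, so a parser regression that emitted extra or reordered channels or capability flags would still pass; if the suricata-verify filter syntax accepts a whole-list match, `rdp.channels: ["rdpdr", "cliprdr", "rdpsnd"]` would make the check exact, otherwise a fourth-index negative check would at least bound the list. The value `support_errinfo_pdf` reads like a misspelling of `_pdu`, but if it mirrors the key the EVE logger actually emits it has to stay — a comment such as `# capability name follows the logger's spelling` above that line would stop the next reader from "correcting" it and breaking the test. The third check also asserts a real-looking client name and Windows product id taken from the pcap; a sentence in README.md stating the capture's origin and that it carries no credentials is the usual practice for a test that ships such data.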