From: Juliana Fajardini Date: Tue, 24 Oct 2023 19:51:13 +0000 (-0300) Subject: tests: add more uricontent tests X-Git-Tag: suricata-6.0.16~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1469%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add more uricontent tests
---
diff --git a/tests/uricontent/detect-uricontent-04/README.md b/tests/uricontent/detect-uricontent-04/README.md
new file mode 100644
index 000000000..979c58016
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where path traversal is sent as a path string in the HTTP URL and
+normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-04/input.pcap b/tests/uricontent/detect-uricontent-04/input.pcap
new file mode 100644
index 000000000..cf4374517
Binary files /dev/null and b/tests/uricontent/detect-uricontent-04/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-04/test.rules b/tests/uricontent/detect-uricontent-04/test.rules
new file mode 100644
index 000000000..541e38507
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest01"; http.method; content:"GET"; sid:1;)
+alert tcp any any -> any any (msg:"Check hostname"; http.host; content:"www.example.com"; sid:2;)
+alert http any any -> any any (msg:"Check http.uri"; http.uri; content:"/images.gif"; sid:3;)
+alert tcp any any -> any any (msg:"Check uricontent"; uricontent:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-04/test.yaml b/tests/uricontent/detect-uricontent-04/test.yaml
new file mode 100644
index 000000000..a1a64a912
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/test.yaml
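Review bot: The rules in the test.rules hunk do not actually pin the URI normalization the README says is under test: `/images.gif` (sid 3) and `images.gif` (sid 4) are substrings of the raw request line `/../../images.gif` as well, so they match whether or not the `../` segments were collapsed. A negative check such as `alert http any any -> any any (msg:"Raw traversal must be gone"; http.uri; content:"../"; sid:5;)` expected with `count: 0` in test.yaml, or anchoring the positive one as `http.uri; content:"/images.gif"; startswith;`, would make the test fail if normalization regressed. The same weakness is in the test.rules of detect-uricontent-05 and -07, where `%2e%2e` and `/./././` are likewise removed without any rule noticing. Separately, sid 2 and 4 use `alert tcp` with HTTP keywords while sid 1 and 3 use `alert http`; if that mix is deliberate, a `#` comment saying so would help the next reader.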
@@ -0,0 +1,27 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-04/writepcap.py b/tests/uricontent/detect-uricontent-04/writepcap.py
new file mode 100644
index 000000000..c467b9a09
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/writepcap.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80, flags='P''A')/"GET /../../images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-05/README.md b/tests/uricontent/detect-uricontent-05/README.md
new file mode 100644
index 000000000..0efd3f8f8
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where path traversal is sent in special characters in HEX coding in
+the HTTP URL and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-05/input.pcap b/tests/uricontent/detect-uricontent-05/input.pcap
new file mode 100644
index 000000000..90e7a5d8b
Binary files /dev/null and b/tests/uricontent/detect-uricontent-05/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-05/test.rules b/tests/uricontent/detect-uricontent-05/test.rules
new file mode 100644
index 000000000..38822f6ee
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/test.rules
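Review bot: The checks in the detect-uricontent-04 test.yaml never assert sid 4, although that is the `uricontent` rule this test directory is named after; only sid 1–3 plus the http and flow events are counted, so a regression in `uricontent` matching would pass here unnoticed. Adding a block like the one for sid 3 with `alert.signature_id: 4` and `count: 1` brings it in line with the test.yaml of detect-uricontent-05 and -07, which check all four sids.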
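Review bot: `pkts += Ether(...)/IP(...)/TCP(...)/"GET ..."` in writepcap.py adds one packet to the list through list `+=`, which only works because a Scapy packet happens to be iterable; `pkts.append(Ether(...)/IP(...)/TCP(...)/"GET ...")` states the intent directly and cannot silently add several entries. The adjacent string literals in `flags='P''A'` read like a typo; `flags='PA'` is the same value. The same two patterns are in the writepcap.py of detect-uricontent-05, -06 and -07.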
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-05/test.yaml b/tests/uricontent/detect-uricontent-05/test.yaml
new file mode 100644
index 000000000..3ace6efe1
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/test.yaml
@@ -0,0 +1,32 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-05/writepcap.py b/tests/uricontent/detect-uricontent-05/writepcap.py
new file mode 100644
index 000000000..850192a08
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /%2e%2e/images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-06/README.md b/tests/uricontent/detect-uricontent-06/README.md
new file mode 100644
index 000000000..166b0e33f
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/README.md
@@ -0,0 +1,18 @@
+Test
+====
+
+Tests a case where the NULL character is sent in HEX coding in the HTTP URL and
+normalized path string is checked.
+
+Behavior
+========
+
+The null character will lead to no http traffic being recognzied by the stream,
+and therefore no rule matching on HTTP traffic will be triggered. We have a
+single simple TCP rule to confirm that Suricata indeed sees the stream and is
+generating alerts.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-06/input.pcap b/tests/uricontent/detect-uricontent-06/input.pcap
new file mode 100644
index 000000000..b97a59d54
Binary files /dev/null and b/tests/uricontent/detect-uricontent-06/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-06/test.rules b/tests/uricontent/detect-uricontent-06/test.rules
new file mode 100644
index 000000000..553537e97
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/test.rules
@@ -0,0 +1,5 @@
+alert http any any -> any any (msg:"Former HttpUriTest03"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
+alert tcp any any -> any any (msg:"Test uricontent"; sid:5;)
diff --git a/tests/uricontent/detect-uricontent-06/test.yaml b/tests/uricontent/detect-uricontent-06/test.yaml
new file mode 100644
index 000000000..51c98c98f
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/test.yaml
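Review bot: sid 5 in the detect-uricontent-06 test.rules reuses `msg:"Test uricontent"` from sid 3 although it carries no `uricontent` (or any other) keyword; it is the plain TCP rule the README describes as the proof that Suricata sees the stream at all, and the duplicated msg makes the two alerts indistinguishable in the eve output. `alert tcp any any -> any any (msg:"Plain TCP rule, no HTTP keyword"; sid:5;)` says what the rule is for.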
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-06/writepcap.py b/tests/uricontent/detect-uricontent-06/writepcap.py
new file mode 100644
index 000000000..28a2f9ea2
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET%00 /images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-07/README.md b/tests/uricontent/detect-uricontent-07/README.md
new file mode 100644
index 000000000..fba01baca
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where a self referencing directory request is sent in the HTTP URL
+and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-07/input.pcap b/tests/uricontent/detect-uricontent-07/input.pcap
new file mode 100644
index 000000000..f237bd1d8
Binary files /dev/null and b/tests/uricontent/detect-uricontent-07/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-07/test.rules b/tests/uricontent/detect-uricontent-07/test.rules
new file mode 100644
index 000000000..38822f6ee
--- /dev/null
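Review bot: `count: 2` for sid 5 in the detect-uricontent-06 test.yaml is checked against a pcap that writepcap.py builds from a single packet, and nothing in the hunk says where the second alert comes from; if it is detection running again on the end-of-pcap flow-timeout pseudo-packet, that is exactly what the next person lowering the count to 1 will not guess. A YAML comment on that block, e.g. `# sid 5 has no content match: one alert for the packet, one for the flow-timeout pseudo-packet (confirm)`, would make the expectation deliberate rather than merely observed.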
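Review bot: The payload in the detect-uricontent-06 writepcap.py puts `%00` in the method token (`GET%00 /images.gif`) and sends it as the three ASCII characters `%`, `0`, `0`, whereas the README for this test says the NULL character is sent in HEX coding in the URL; a reader comparing the two cannot tell which is intended. If the point is that the request line is malformed so the stream is never recognized as HTTP, a comment above the packet such as `# '%00' is literal percent-encoding (not a NUL byte) inside the method token, so the stream is not detected as HTTP` would say so; if a real NUL byte in the path was meant, the payload should carry `\x00` in the path instead.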
+++ b/tests/uricontent/detect-uricontent-07/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-07/test.yaml b/tests/uricontent/detect-uricontent-07/test.yaml
new file mode 100644
index 000000000..3ace6efe1
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/test.yaml
@@ -0,0 +1,32 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-07/writepcap.py b/tests/uricontent/detect-uricontent-07/writepcap.py
new file mode 100644
index 000000000..56d370a21
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /./././images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
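Review bot: The detect-uricontent-07 test.rules is byte-identical to the one of detect-uricontent-05 (same blob `38822f6ee`), so sid 1 still says `msg:"Former HttpUriTest02"` although, going by the numbering used in -04 (`HttpUriTest01`) and -06 (`HttpUriTest03`), this directory presumably stands in for a different unit test; the msg should name that test (`msg:"Former HttpUriTest<NN>"`, with the number that is not visible in this commit). The sid 3/4 rules also share the weakness noted for detect-uricontent-04: `images.gif` is present in the raw `/./././images.gif` as well, so the normalization the README describes is not actually asserted.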