From: Modupe Falodun
Date: Fri, 4 Mar 2022 10:41:30 +0000 (+0100)
Subject: detect-pcre: add assorted tests
X-Git-Tag: suricata-6.0.16~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1605%2Fhead;p=thirdparty%2Fsuricata-verify.git

detect-pcre: add assorted tests

Bring previously Suricata unit tests as suricata-verify tests.

Conversions mapping:
- detect-pcre-01: DetectPcreModifPTest04
- detect-pcre-02: DetectPcreModifPTest05
- detect-pcre-03: DetectPcreTestSig01-03
- detect-pcre-04: DetectPcreTestSig09-16
- detect-pcre-05: DetectPcreFlowvarCapture01- 03

Task #6147
---
diff --git a/tests/detect-pcre/detect-pcre-01/README.md b/tests/detect-pcre/detect-pcre-01/README.md
new file mode 100644
index 000000000..63b23bb62
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Test the pcre modifier P (match with L7 to http body data).
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted using Scapy based on buffers from the original unit tests.
+
diff --git a/tests/detect-pcre/detect-pcre-01/input.pcap b/tests/detect-pcre/detect-pcre-01/input.pcap
new file mode 100644
index 000000000..14dda2e90
Binary files /dev/null and b/tests/detect-pcre/detect-pcre-01/input.pcap differ
diff --git a/tests/detect-pcre/detect-pcre-01/test.rules b/tests/detect-pcre/detect-pcre-01/test.rules
new file mode 100644
index 000000000..706c49ed6
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"Pcre modifier P"; pcre:"/DOCTYPE/P"; sid:1;)
+alert http any any -> any any (msg:"Pcre modifier P - no match"; pcre:"/blah/P"; sid:2;)
diff --git a/tests/detect-pcre/detect-pcre-01/test.yaml b/tests/detect-pcre/detect-pcre-01/test.yaml
new file mode 100644
index 000000000..83cf4a245
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/test.yaml
@@ -0,0 +1,22 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/detect-pcre/detect-pcre-01/writepcap.py b/tests/detect-pcre/detect-pcre-01/writepcap.py
new file mode 100644
index 000000000..360185a51
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-01/writepcap.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.1', Host='www.emergingthreats.net', User_Agent='Mozilla/1.0', Content_Type='text/html; charset=utf-8\r\n\r\n15\r\n any any (msg:"Pcre modifier P"; pcre:"/DOC/P"; sid:1;)
+alert http any any -> any any (msg:"Pcre modifier P"; pcre:"/DOCTYPE/P"; sid:2;)
diff --git a/tests/detect-pcre/detect-pcre-02/test.yaml b/tests/detect-pcre/detect-pcre-02/test.yaml
new file mode 100644
index 000000000..1a489d87c
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-02/test.yaml
@@ -0,0 +1,23 @@
+args:
+- --set stream.midstream=true
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/detect-pcre/detect-pcre-02/writepcap.t b/tests/detect-pcre/detect-pcre-02/writepcap.t
new file mode 100644
index 000000000..4ff83c760
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-02/writepcap.t
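Review bot: `- -k none` in detect-pcre-02's test.yaml is the only place in this series that disables checksum verification, and nothing says why, so a reader cannot tell whether it hides a packet-building problem or is simply required by how this capture was produced. A YAML comment on that line would settle it, e.g. `- -k none  # capture built from writepcap.t does not carry valid L4 checksums` — presumably that is the reason, since the other four tests run scapy-built pcaps without the flag, but confirm the wording against how input.pcap was actually generated.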
@@ -0,0 +1,13 @@
+>>>
+GET / HTTP/1.1
+Host: www.emergingthreats.net
+User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13
+Content-Type: text/html; charset=utf-8
+Content-Length: 21
+
+>> + any any (msg:"HTTP TEST"; pcre:"/^gEt/i"; pcre:"/\/two\//U"; pcre:"/GET \/two\//"; pcre:"/\s+HTTP/R"; sid:1;)
+alert tcp any any -> any any (msg:"HTTP TEST"; pcre:"/two/O"; sid:2;)
+alert tcp any any -> any any (msg:"HTTP TEST. Negated pcre - no match"; content:"GET"; pcre:!"/two/"; sid:3;)
diff --git a/tests/detect-pcre/detect-pcre-03/test.yaml b/tests/detect-pcre/detect-pcre-03/test.yaml
new file mode 100644
index 000000000..a8e90b096
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-03/test.yaml
@@ -0,0 +1,27 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/detect-pcre/detect-pcre-03/writepcap.py b/tests/detect-pcre/detect-pcre-03/writepcap.py
new file mode 100644
index 000000000..8d5b5c018
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-03/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n\r\nGET /two/ HTTP/1.1\r\nHost: two.example.org\r\n\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/detect-pcre/detect-pcre-04/README.md b/tests/detect-pcre/detect-pcre-04/README.md
new file mode 100644
index 000000000..da20f21f6
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-04/README.md
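Review bot: `pkts += Ether(...)/Dot1Q(...)/IP(...)/TCP(...)/"GET /one/ ..."` in detect-pcre-03/writepcap.py appends one scapy packet to a list through `+=`, which only works because scapy packets happen to be iterable; `pkts.append(Ether(...)/ ...)` states the intent and fails loudly if the expression ever evaluates to something that is not a packet. On the same statement `flags='P''A'` is implicit string-literal concatenation that reads like a typo and is simply `flags='PA'`, and `#!/usr/bin/env python` leaves the interpreter major version to the host, so `#!/usr/bin/env python3` would be the safer shebang for a scapy script. The same three points apply to the two `pkts +=` statements in detect-pcre-04/writepcap.py and, as far as they are visible, to the detect-pcre-01 and detect-pcre-05 scripts, which are cut off in this view.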
@@ -0,0 +1,15 @@
+# Test
+
+Check that Suricata properly matches on signatures with method or cookie
+modifiers passed to pcre, including cases with negated pcre and relative
+modifiers.
+
+This test is based on Suricata unit tests adapted to SV.
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted with Scapy based on buffers present in the original unit tests.
diff --git a/tests/detect-pcre/detect-pcre-04/input.pcap b/tests/detect-pcre/detect-pcre-04/input.pcap
new file mode 100644
index 000000000..31abc5d37
Binary files /dev/null and b/tests/detect-pcre/detect-pcre-04/input.pcap differ
diff --git a/tests/detect-pcre/detect-pcre-04/test.rules b/tests/detect-pcre/detect-pcre-04/test.rules
new file mode 100644
index 000000000..b3c6b9657
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-04/test.rules
@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"HTTP cookie"; pcre:"/dummy/C"; sid:1;)
+alert http any any -> any any (msg:"HTTP cookie"; pcre:!"/dummy/C"; sid:2;)
+alert http any any -> any any (msg:"HTTP method"; pcre:"/POST/M"; sid:3;)
+alert http any any -> any any (msg:"HTTP method"; pcre:!"/POST/M"; sid:4;)
+alert http any any -> any any (msg:"pcre relative HTTP cookie"; content:"dummy"; http_cookie; pcre:"/1234/RC"; sid:5;)
+alert http any any -> any any (msg:"pcre relative HTTP method"; content:"PO"; http_method; pcre:"/ST/RM"; sid:6;)
+alert http any any -> any any (msg:"HTTP header"; pcre:"/User[-_]Agent[:]?\sMozilla/H"; sid:7;)
+alert http any any -> any any (msg:"HTTP header"; pcre:"/User-Agent[:]?\s+Mozilla/H"; sid:8;)
+alert http any any -> any any (msg:"HTTP header"; pcre:!"/User[-_]Agent[:]?\sIEXPLORER/H"; sid:9;)
+alert http any any -> any any (msg:"HTTP header - no match"; pcre:!"/User[-_]Agent[:]?\sMozil/H"; sid:10;)
diff --git a/tests/detect-pcre/detect-pcre-04/test.yaml b/tests/detect-pcre/detect-pcre-04/test.yaml
new file mode 100644
index 000000000..b6a876dda
--- /dev/null
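Review bot: sids 1 and 2 share `msg:"HTTP cookie"` and sids 3 and 4 share `msg:"HTTP method"` even though the second rule of each pair is the negated form, so an eve alert cannot be told apart by its message, whereas sid 10 does carry a `- no match` suffix for the same situation. Using a distinct message for each negated rule, e.g. `msg:"HTTP cookie - negated"` on sid 2 and `msg:"HTTP method - negated"` on sid 4, keeps the rule set self-describing and consistent with sid 10; sids 7–9 ("HTTP header") would benefit from the same treatment.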
+++ b/tests/detect-pcre/detect-pcre-04/test.yaml
@@ -0,0 +1,63 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ http.http_method: "GET"
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 10
diff --git a/tests/detect-pcre/detect-pcre-04/writepcap.py b/tests/detect-pcre/detect-pcre-04/writepcap.py
new file mode 100644
index 000000000..a468628be
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-04/writepcap.py
@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='POST', Path=' / ', Http_Version='HTTP/1.0', User_Agent='Mozilla', Cookie='dummy 1234')
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=93, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.0', User_Agent='Mozilla', Cookie='dummoOOooooO')
+
+wrpcap('input.pcap', pkts)
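Review bot: Only the sid 4 check pins which request produced the alert (`http.http_method: "GET"`); the checks for sids 1, 2, 3, 5 and 6 assert `count: 1` against a capture that holds two requests, so an alert raised on the wrong request would still pass. Adding `http.http_method: "POST"` under `match:` for sids 1, 3, 5 and 6 (the POST is the request carrying `Cookie: dummy 1234` in writepcap.py) and `http.http_method: "GET"` for sid 2 (the negated cookie rule is meant to fire on the GET only) makes each check assert the intended request at no extra cost.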
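Review bot: `IPv6(dst='1.2.3.4', src='5.6.7.8')` on both packet statements hands IPv4 dotted-quad literals to scapy's IPv6 address fields, and `dport=63` / `dport=93` are not HTTP ports, so the script depends on scapy tolerating those addresses and on Suricata's app-layer detection under `stream.midstream=true`. Whether scapy accepts such literals varies by version, so it is not certain that running this script reproduces the committed input.pcap. Either use IPv6 literals (or `IP(...)` as detect-pcre-03/writepcap.py does) and regenerate the capture, or state in the README that the script is the build recipe while input.pcap is the artefact under test. The detect-pcre-01 and detect-pcre-05 scripts show the same addresses; both are cut off in this view.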
diff --git a/tests/detect-pcre/detect-pcre-05/README.md b/tests/detect-pcre/detect-pcre-05/README.md
new file mode 100644
index 000000000..3a33078d0
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Test flowvar capture on http buffer, based on a Suricata unit test and adapted
+to SV.
+
+## Ticket
+
+Redmine ticket https://redmine.openinfosecfoundation.org/issues/6147
+
+## Pcap
+
+Crafted with Scapy with buffers based on the ones from the unit tests.
diff --git a/tests/detect-pcre/detect-pcre-05/input.pcap b/tests/detect-pcre/detect-pcre-05/input.pcap
new file mode 100644
index 000000000..0e2f0e07c
Binary files /dev/null and b/tests/detect-pcre/detect-pcre-05/input.pcap differ
diff --git a/tests/detect-pcre/detect-pcre-05/test.rules b/tests/detect-pcre/detect-pcre-05/test.rules
new file mode 100644
index 000000000..0f2cc5938
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/test.rules
@@ -0,0 +1,6 @@
+alert http any any -> any any (content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; priority:1; sid:1;)
+alert http any any -> any any (content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; sid:2;)
+alert http any any -> any any (content:"Server: "; http_header; pcre:"/(?P.*)\r\n/HR"; priority:3; sid:3;)
+# Shouldn't match
+alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:4;)
+alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:5;)
diff --git a/tests/detect-pcre/detect-pcre-05/test.yaml b/tests/detect-pcre/detect-pcre-05/test.yaml
new file mode 100644
index 000000000..7dbfe2ee6
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/test.yaml
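Review bot: In all five rules the capture group is written `(?P.*)`, with nothing between `(?P` and `.*`; PCRE's named-group syntax is `(?P<name>...)`, and Suricata needs that name to know which variable the capture fills, so the rules exactly as shown here would be rejected at load time. Most likely the `<name>` token was lost when this patch was rendered — the author's e-mail address and several other angle-bracketed spans are missing from this view too — so this only needs confirming against the committed file rather than fixing. Separately, sids 1–3 carry no `msg:` while sids 4–5 do; giving them one, e.g. `msg:"pcre flowvar http header, user-agent";` on sids 1–2 and `msg:"pcre flowvar http header, server";` on sid 3, keeps the eve output self-describing and consistent with the rest of the file.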
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/detect-pcre/detect-pcre-05/writepcap.py b/tests/detect-pcre/detect-pcre-05/writepcap.py
new file mode 100644
index 000000000..f4104e7cd
--- /dev/null
+++ b/tests/detect-pcre/detect-pcre-05/writepcap.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path=' / ', Http_Version='HTTP/1.1', Host='www.emergingthreats.net', User_Agent='Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.13) Gecko/2009080315 Ubuntu/8.10 (intrepid) Firefox/3.0.13', Accept='text/html,application/xhtml+xml,application/xml;q=0.9;q=0.8', Accept_Language='es-es,es;q=0.8,en-us;q=0.5,en;q=0.3', Accept_Encoding='gzip,deflate', Accept_Charset='ISO-8859-1,utf-8;q=0.7,*;q=0.7', Content_Type='Apache
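Review bot: The checks only count alerts for sids 1–5; nothing asserts that the named capture actually stored the User-Agent or Server value, which is what the DetectPcreFlowvarCapture unit tests this file replaces were verifying, so a regression in the capture path that still raises the alert would pass here. If alert metadata is enabled in the eve output, the captured variable is reported under the alert's `metadata.flowvars`; adding a `match:` on that value to the sid 1 and sid 3 checks would pin the behaviour — confirm the exact key and the captured string against the eve.json this run produces before relying on it.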