From: Giuseppe Longo
Date: Sun, 14 Apr 2024 12:07:10 +0000 (+0200)
Subject: sip: add tests for headers sticky buffers
X-Git-Tag: suricata-7.0.7~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2053%2Fhead;p=thirdparty%2Fsuricata-verify.git
sip: add tests for headers sticky buffers
Ticket #6374
---
diff --git a/tests/sip-compact-form/Makefile b/tests/sip-compact-form/Makefile
new file mode 100644
index 000000000..a646f1cde
--- /dev/null
+++ b/tests/sip-compact-form/Makefile
@@ -0,0 +1,2 @@
+sip_compact_form.pcap: sip_compact_form.syn
+ flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-compact-form/README.md b/tests/sip-compact-form/README.md
new file mode 100644
index 000000000..1916fc171
--- /dev/null
+++ b/tests/sip-compact-form/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP headers with compact form are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-compact-form/sip_compact_form.pcap b/tests/sip-compact-form/sip_compact_form.pcap
new file mode 100644
index 000000000..61ed2ff54
Binary files /dev/null and b/tests/sip-compact-form/sip_compact_form.pcap differ
diff --git a/tests/sip-compact-form/sip_compact_form.syn b/tests/sip-compact-form/sip_compact_form.syn
new file mode 100644
index 000000000..836c048a1
--- /dev/null
+++ b/tests/sip-compact-form/sip_compact_form.syn
@@ -0,0 +1,33 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" ;tag=6433ef9\x0d
+t: \x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: \x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-compact-form/test.rules b/tests/sip-compact-form/test.rules
new file mode 100644
index 000000000..2708cc47e
--- /dev/null
+++ b/tests/sip-compact-form/test.rules
@@ -0,0 +1,6 @@
+alert sip any any -> any any (sip.from; content:"arik"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:"; sid:2;)
+alert sip any any -> any any (sip.via; content:"SIP/2.0/UDP"; sid:3;)
+alert sip any any -> any any (sip.content_type; content:"application/sdp"; sid:4;)
+alert sip any any -> any any (sip.content_length; content:"272"; sid:5;)
+
diff --git a/tests/sip-compact-form/test.yaml b/tests/sip-compact-form/test.yaml
new file mode 100644
index 000000000..0e2dfbca6
--- /dev/null
+++ b/tests/sip-compact-form/test.yaml
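Review bot: As shown here the To and Contact lines carry no value (`+t: \x0d`, `+Contact: \x0d`), yet sid:2 in test.rules requires `sip:` in the To buffer and test.yaml expects exactly one alert for it. If the angle-bracketed URIs were stripped when this page was rendered there is nothing to fix; if the .syn really has empty values there, the To check cannot pass and the declared `l: 272` should be re-checked against the SDP body flowsynth actually emits, since Content-Length is what the parser uses to delimit the body. Either way, a short note in the README listing which compact names are exercised (v, f, t, c, l) would make the intent of this fixture clear without reading the .syn.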
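Review bot: Every rule is a bare substring match, so sid:5 `sip.content_length; content:"272"` would still fire if the sticky buffer exposed the whole `l: 272` line or a longer digit string, and sid:2 `sip.to; content:"sip:"` accepts almost any To value; the test proves the compact name is recognised, not that the buffer holds exactly the header value. Anchoring the content pins that, e.g. `alert sip any any -> any any (sip.content_length; content:"272"; bsize:3; sid:5;)` and `alert sip any any -> any any (sip.content_type; content:"application/sdp"; startswith; endswith; sid:4;)`. A negative rule (a string present only in the To header searched on `sip.from`, asserted with `count: 0` in test.yaml) would additionally show the compact names are not being folded into a single buffer.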
@@ -0,0 +1,34 @@
+pcap: sip_compact_form.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/sip-content-length/README.md b/tests/sip-content-length/README.md
new file mode 100644
index 000000000..dee6558b6
--- /dev/null
+++ b/tests/sip-content-length/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Length header field.
diff --git a/tests/sip-content-length/test.rules b/tests/sip-content-length/test.rules
new file mode 100644
index 000000000..f556819fe
--- /dev/null
+++ b/tests/sip-content-length/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_length; content:"270"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_length; content:"199"; sid:2;)
diff --git a/tests/sip-content-length/test.yaml b/tests/sip-content-length/test.yaml
new file mode 100644
index 000000000..9c55227d3
--- /dev/null
+++ b/tests/sip-content-length/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-content-type/README.md b/tests/sip-content-type/README.md
new file mode 100644
index 000000000..27726535b
--- /dev/null
+++ b/tests/sip-content-type/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Type header field.
diff --git a/tests/sip-content-type/test.rules b/tests/sip-content-type/test.rules
new file mode 100644
index 000000000..aaeea4076
--- /dev/null
+++ b/tests/sip-content-type/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_type; content:"application/sdp"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_type; content:"application/sdp"; sid:2;)
diff --git a/tests/sip-content-type/test.yaml b/tests/sip-content-type/test.yaml
new file mode 100644
index 000000000..aed8a9c20
--- /dev/null
+++ b/tests/sip-content-type/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 11
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-from/README.md b/tests/sip-from/README.md
new file mode 100644
index 000000000..5963bd767
--- /dev/null
+++ b/tests/sip-from/README.md
@@ -0,0 +1 @@
+Match on SIP From header field.
diff --git a/tests/sip-from/test.rules b/tests/sip-from/test.rules
new file mode 100644
index 000000000..f93f2597c
--- /dev/null
+++ b/tests/sip-from/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.from; content:"sip:"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.from; content:"sip:"; sid:2;)
diff --git a/tests/sip-from/test.yaml b/tests/sip-from/test.yaml
new file mode 100644
index 000000000..aef99d853
--- /dev/null
+++ b/tests/sip-from/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-header-multi-value/Makefile b/tests/sip-header-multi-value/Makefile
new file mode 100644
index 000000000..5b46bff42
--- /dev/null
+++ b/tests/sip-header-multi-value/Makefile
@@ -0,0 +1,2 @@
+sip_header_multi_val.pcap: sip_header_multi_val.syn
+ flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-header-multi-value/README.md b/tests/sip-header-multi-value/README.md
new file mode 100644
index 000000000..c0bb998fe
--- /dev/null
+++ b/tests/sip-header-multi-value/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP header with multiple values are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-header-multi-value/sip_header_multi_val.pcap b/tests/sip-header-multi-value/sip_header_multi_val.pcap
new file mode 100644
index 000000000..61718ec91
Binary files /dev/null and b/tests/sip-header-multi-value/sip_header_multi_val.pcap differ
diff --git a/tests/sip-header-multi-value/sip_header_multi_val.syn b/tests/sip-header-multi-value/sip_header_multi_val.syn
new file mode 100644
index 000000000..f82d79ac6
--- /dev/null
+++ b/tests/sip-header-multi-value/sip_header_multi_val.syn
@@ -0,0 +1,34 @@
+flow default udp 1.1.1.1:5555 > 2.2.2.2:5060;
+default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d
+v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d
+f: \"arik\" ;tag=6433ef9\x0d
+t: \x0d
+To: \x0d
+Call-ID: 105090259-446faf7a@192.168.1.2\x0d
+CSeq: 1 INVITE\x0d
+User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d
+Expires: 120\x0d
+Accept: application/sdp\x0d
+c: application/sdp\x0d
+l: 272\x0d
+Contact: \x0d
+Max-Forwards: 70\x0d
+Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d
+\x0d
+v=0\x0d
+o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d
+s=SIP call\x0d
+i=Session Description Protocol\x0d
+u=https://www.sdp.proto\x0d
+e=j.doe@example.com (Jane Doe)\x0d
+p=+1 617 555-6011 (Jane Doe)\x0d
+c=IN IP4 192.168.1.2\x0d
+b=AS:64\x0d
+t=3034423619 3042462419\x0d
+r=604800 3600 0 90000\x0d
+z=2882844526 -1h 2898848070 0\x0d
+k=prompt\x0d
+a=sendrecv\x0d
+m=audio 30000 RTP/AVP 0 8 97 2 3\x0d
+a=rtpmap:0 pcmu/8000\x0d\x0a";);
+
diff --git a/tests/sip-header-multi-value/test.rules b/tests/sip-header-multi-value/test.rules
new file mode 100644
index 000000000..d057ea6c9
--- /dev/null
+++ b/tests/sip-header-multi-value/test.rules
@@ -0,0 +1,3 @@
+alert sip any any -> any any (sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:12345"; sid:2;)
+
diff --git a/tests/sip-header-multi-value/test.yaml b/tests/sip-header-multi-value/test.yaml
new file mode 100644
index 000000000..23a1f69d9
--- /dev/null
+++ b/tests/sip-header-multi-value/test.yaml
@@ -0,0 +1,14 @@
+pcap: sip_header_multi_val.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-to/README.md b/tests/sip-to/README.md
new file mode 100644
index 000000000..2936ff154
--- /dev/null
+++ b/tests/sip-to/README.md
@@ -0,0 +1 @@
+Match on SIP To header field.
diff --git a/tests/sip-to/test.rules b/tests/sip-to/test.rules
new file mode 100644
index 000000000..247926264
--- /dev/null
+++ b/tests/sip-to/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.to; content:"sip:97239287044"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.to; content:"sip:97239287044"; sid:2;)
diff --git a/tests/sip-to/test.yaml b/tests/sip-to/test.yaml
new file mode 100644
index 000000000..48075ab64
--- /dev/null
+++ b/tests/sip-to/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 15
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-user-agent/README.md b/tests/sip-user-agent/README.md
new file mode 100644
index 000000000..9e66cd8dd
--- /dev/null
+++ b/tests/sip-user-agent/README.md
@@ -0,0 +1 @@
+Match on SIP User-Agent header field.
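Review bot: test.yaml asserts only `alert.signature_id: 2`, while test.rules also defines sid:1 (`sip.to; content:"sip:97239287044"`) and the README says the purpose is that a header with multiple values is matched; as written, sid:1 could stop firing (for instance if only the last occurrence of a repeated header were kept) and the test would still pass. Add a second filter with `count: 1` for `alert.signature_id: 1` so both occurrences of the To header are shown to be searchable. The .syn appears to carry the header once in compact form (`t:`) and once in long form (`To:`); a one-line remark in the README that this is how the multi-value case is constructed, and that RFC 3261 treats the two spellings as the same field, would save the next reader a trip into the fixture.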
diff --git a/tests/sip-user-agent/test.rules b/tests/sip-user-agent/test.rules
new file mode 100644
index 000000000..a38190187
--- /dev/null
+++ b/tests/sip-user-agent/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.user_agent; content:"Nero"; sid:1;)
diff --git a/tests/sip-user-agent/test.yaml b/tests/sip-user-agent/test.yaml
new file mode 100644
index 000000000..125062b7c
--- /dev/null
+++ b/tests/sip-user-agent/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 40
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/sip-via/README.md b/tests/sip-via/README.md
new file mode 100644
index 000000000..40e60f42e
--- /dev/null
+++ b/tests/sip-via/README.md
@@ -0,0 +1 @@
+Match on SIP Via header field.
diff --git a/tests/sip-via/test.rules b/tests/sip-via/test.rules
new file mode 100644
index 000000000..cde4b4387
--- /dev/null
+++ b/tests/sip-via/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.via; content:"SIP/2.0/UDP"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.via; content:"SIP/2.0/UDP"; sid:2;)
diff --git a/tests/sip-via/test.yaml b/tests/sip-via/test.yaml
new file mode 100644
index 000000000..aef99d853
--- /dev/null
+++ b/tests/sip-via/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2
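Review bot: `content:"SIP/2.0/UDP"` is present in the Via of every message of a UDP trace, and the expected counts (47 to_server, 34 to_client) are the same blob as sip-from/test.yaml (both `index 000000000..aef99d853`), which suggests sid:1 and sid:2 fire on every SIP message in ../sip-method/sip.pcap; the test then shows the buffer is populated but not that it holds the Via value specifically. Consider adding a rule keyed on something that occurs in only a subset of the Via headers in that pcap (a particular sent-by host:port or `branch=` token) with its correspondingly smaller count, so a regression that filled `sip.via` with another header's text would be caught. The same observation applies to sip-from, where `content:"sip:"` matches every From value.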