From: Juliana Fajardini Date: Fri, 27 Sep 2024 14:14:46 +0000 (-0300) Subject: tests: showcase bug 7286 (tls) X-Git-Tag: suricata-7.0.8~43 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2097%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: showcase bug 7286 (tls) Related to Bug https://redmine.openinfosecfoundation.org/issues/7286
---
diff --git a/tests/tls/bug-7286-tls-metadata-01/README.md b/tests/tls/bug-7286-tls-metadata-01/README.md
new file mode 100644
index 000000000..ed4ae3900
--- /dev/null
+++ b/tests/tls/bug-7286-tls-metadata-01/README.md
@@ -0,0 +1,11 @@
+### Test
+
+Showcase how TLS metadata is logged when JA4 is disabled.
+
+### Pcap
+
+Reused from test ja4-tls.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7286
diff --git a/tests/tls/bug-7286-tls-metadata-01/suricata.yaml b/tests/tls/bug-7286-tls-metadata-01/suricata.yaml
new file mode 100644
index 000000000..5bc22c93d
--- /dev/null
+++ b/tests/tls/bug-7286-tls-metadata-01/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - tls:
+ extended: yes # enable this for extended logging information
+ custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, ja3, ja3s, ja4]
+ ja4: off
diff --git a/tests/tls/bug-7286-tls-metadata-01/test.yaml b/tests/tls/bug-7286-tls-metadata-01/test.yaml
new file mode 100644
index 000000000..6a6e66218
--- /dev/null
+++ b/tests/tls/bug-7286-tls-metadata-01/test.yaml
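Review bot: `ja4: off` on the last line of bug-7286-tls-metadata-01/suricata.yaml introduces a second boolean spelling into a file whose other flags are written `enabled: yes` and `extended: yes`; under the declared `%YAML 1.1` both spellings parse as booleans, but one spelling per file reads cleaner, so `ja4: no` here and `ja4: yes` in the bug-7286-tls-metadata-02 copy. The `custom:` list on the line above still names `ja4` while `ja4` is switched off; if that combination is what the ticket exercises, a comment above it such as `# ja4 kept in custom on purpose: the ticket covers logging with ja4 disabled` would make the intent visible rather than looking like a leftover. The same remarks apply to the -02 variant, which differs only in `ja4: on`.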
@@ -0,0 +1,14 @@
+pcap: ../../ja4-tls/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+ tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+ tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
+ tls.fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
+ tls.version: TLS 1.2
+ tls.notbefore: '2015-02-12T18:07:27'
+ tls.notafter: '2025-02-09T18:07:27'
diff --git a/tests/tls/bug-7286-tls-metadata-02/README.md b/tests/tls/bug-7286-tls-metadata-02/README.md
new file mode 100644
index 000000000..3bed5d65f
--- /dev/null
+++ b/tests/tls/bug-7286-tls-metadata-02/README.md
@@ -0,0 +1,11 @@
+### Test
+
+Showcase how TLS metadata is logged when JA4 is enabled.
+
+### Pcap
+
+Reused from test ja4-tls.
+
+### Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7286
diff --git a/tests/tls/bug-7286-tls-metadata-02/suricata.yaml b/tests/tls/bug-7286-tls-metadata-02/suricata.yaml
new file mode 100644
index 000000000..76194e8d6
--- /dev/null
+++ b/tests/tls/bug-7286-tls-metadata-02/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - tls:
+ extended: yes # enable this for extended logging information
+ custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, ja3, ja3s, ja4]
+ ja4: on
diff --git a/tests/tls/bug-7286-tls-metadata-02/test.yaml b/tests/tls/bug-7286-tls-metadata-02/test.yaml
new file mode 100644
index 000000000..666dd3962
--- /dev/null
+++ b/tests/tls/bug-7286-tls-metadata-02/test.yaml
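Review bot: The `match:` block in bug-7286-tls-metadata-01/test.yaml is identical to the one in the -02 test, so the two tests cannot tell the ja4-disabled and ja4-enabled configurations apart: both only assert the certificate fields and say nothing about whether `tls.ja4` (or `tls.ja3`/`tls.ja3s`, also requested via `custom`) appears in the event. Adding `not-has-key: tls.ja4` to this filter, and `has-key: tls.ja4` (or its exact expected value) to the -02 filter, would pin the behaviour each README says its test showcases instead of a check that passes regardless of the `ja4` setting. If the -02 variant only produces the field on a JA4-capable build, a `requires:` stanza naming that feature would keep it from failing elsewhere; and whether `count: 1` is the full number of tls events in the reused ja4-tls pcap isn't visible here, so it should be cross-checked against that test's expectations.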
@@ -0,0 +1,15 @@
+pcap: ../../ja4-tls/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+ tls.issuerdn: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
+ tls.serial: 00:97:E6:47:09:8E:EA:C9:B4
+ tls.fingerprint: 3a:0b:3b:23:15:2c:44:5c:27:ac:6a:0c:41:d6:fa:74:af:b4:09:5b
+ tls.version: TLS 1.2
+ tls.notbefore: '2015-02-12T18:07:27'
+ tls.notafter: '2025-02-09T18:07:27'
+