From: Vadym Malakhatko Date: Wed, 3 Jun 2020 13:19:27 +0000 (+0300) Subject: tests/hassh Add test cases for hassh X-Git-Tag: suricata-6.0.4~284 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F267%2Fhead;p=thirdparty%2Fsuricata-verify.git tests/hassh Add test cases for hassh
---
diff --git a/tests/ssh-banner-only/input.pcap b/tests/ssh-banner-only/input.pcap
new file mode 100644
index 000000000..89fd2bb71
Binary files /dev/null and b/tests/ssh-banner-only/input.pcap differ
diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml
new file mode 100644
index 000000000..e40480a99
--- /dev/null
+++ b/tests/ssh-banner-only/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 6.0.0
+features:
+ - RUST
+
+args:
+ - -k none
+
+checks:
+ # Check that we have the ssh event in eve.json
+ - filter:
+ count: 1
+ match:
+ event_type: ssh
+ ssh.client.proto_version: "2.0"
+ ssh.server.proto_version: "2.0"
+ ssh.client.software_version: "OpenSSH_for_Windows_7.7"
+ ssh.server.software_version: "OpenSSH_7.4"
\ No newline at end of file
diff --git a/tests/ssh-hassh-only/input.pcap b/tests/ssh-hassh-only/input.pcap
new file mode 100644
index 000000000..98b49f7f5
Binary files /dev/null and b/tests/ssh-hassh-only/input.pcap differ
diff --git a/tests/ssh-hassh-only/test.rules b/tests/ssh-hassh-only/test.rules
new file mode 100644
index 000000000..15e1b528c
--- /dev/null
+++ b/tests/ssh-hassh-only/test.rules
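Review bot: The banner-only check pins only the proto/software versions; nothing asserts that a flow which never reaches KEXINIT produces no hassh, which is the property the test name implies, so a hassh being computed from a banner alone would go unnoticed. If the harness can express key absence, add a `count: 0` filter on a hassh key of the ssh event; otherwise at least state the expectation in the file, e.g. `# pcap presumably stops after the two version banners (no KEXINIT), so no hassh must appear` (confirm against the capture). The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.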
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"2dd6531c7e89d3c925db9214711be76a"; sid:1;)
+alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"6832f1ce43d4397c2c0a3e2f8c94334e"; sid:2;)
+alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"; sid:3;)
+alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"none,zlib@openssh.com"; sid:4;)
\ No newline at end of file
diff --git a/tests/ssh-hassh-only/test.yaml b/tests/ssh-hassh-only/test.yaml
new file mode 100644
index 000000000..81d7a8474
--- /dev/null
+++ b/tests/ssh-hassh-only/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 6.0.0
+features:
+ - RUST
+
+args:
+ - -k none
+
+checks:
+ # Check that we have the following events in eve.json
+ # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: ssh
+ ssh.client.hassh: "2dd6531c7e89d3c925db9214711be76a"
+ ssh.server.hassh: "6832f1ce43d4397c2c0a3e2f8c94334e"
diff --git a/tests/ssh-hassh-reassembled/input.pcap b/tests/ssh-hassh-reassembled/input.pcap
new file mode 100644
index 000000000..b682bb803
Binary files /dev/null and b/tests/ssh-hassh-reassembled/input.pcap differ
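Review bot: The last filter in tests/ssh-hassh-only/test.yaml matches `ssh.client.hassh` and `ssh.server.hassh` as bare strings; if the eve logger emits hassh as a nested object (hash plus algorithm string) rather than a single string, the key would need to be `ssh.client.hassh.hash` and the filter would silently never match, so confirm the key shape against the logger this targets. `args` only carries `-k none`; if hassh computation is behind a configuration toggle in the target version, enable it explicitly with a `--set` in `args` instead of relying on the default suricata.yaml, so the test cannot pass or fail on a packaging default. The `.string` buffers are exercised only indirectly through sids 3 and 4; a filter on the logged string fields would also catch a logger regression that the detection path does not.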
diff --git a/tests/ssh-hassh-reassembled/test.rules b/tests/ssh-hassh-reassembled/test.rules
new file mode 100644
index 000000000..918f53e0c
--- /dev/null
+++ b/tests/ssh-hassh-reassembled/test.rules
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"3cc67862bceac0f334c62ad1b76895b4"; sid:1;)
+alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"3cc67862bceac0f334c62ad1b76895b4"; sid:2;)
+alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"diffie-hellman-group1-sha1"; sid:3;)
+alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"diffie-hellman-group1-sha1"; sid:4;)
\ No newline at end of file
diff --git a/tests/ssh-hassh-reassembled/test.yaml b/tests/ssh-hassh-reassembled/test.yaml
new file mode 100644
index 000000000..b80d558d5
--- /dev/null
+++ b/tests/ssh-hassh-reassembled/test.yaml
@@ -0,0 +1,38 @@
+requires:
+ min-version: 6.0.0
+features:
+ - RUST
+
+args:
+ - -k none
+
+checks:
+ # Check that we have the following events in eve.json
+ # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: ssh
+ ssh.client.hassh: "3cc67862bceac0f334c62ad1b76895b4"
+ ssh.server.hassh: "3cc67862bceac0f334c62ad1b76895b4"
+
diff --git a/tests/ssh-hassh/input.pcap b/tests/ssh-hassh/input.pcap
new file mode 100644
index 000000000..0a093f2cb
Binary files /dev/null and b/tests/ssh-hassh/input.pcap differ
diff --git a/tests/ssh-hassh/test.rules b/tests/ssh-hassh/test.rules
new file mode 100644
index 000000000..15e1b528c
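Review bot: In tests/ssh-hassh-reassembled the client and server hassh are the same value (`3cc67862bceac0f334c62ad1b76895b4`) and sids 3 and 4 both match `diffie-hellman-group1-sha1`, so every check still passes if the server buffer were populated from the client's KEXINIT or the two directions were swapped; the test cannot detect a direction mix-up, which is the bug a reassembly test is most likely to surface. If the capture genuinely has both peers advertising identical algorithm lists, say so in test.yaml, e.g. `# both peers advertise identical KEXINIT lists, so client and server hassh coincide`, and prefer a capture where they differ if one is available. A test named "reassembled" would also benefit from a comment stating what is split across segments, since nothing in the checks confirms reassembly was actually exercised.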
--- /dev/null
+++ b/tests/ssh-hassh/test.rules
@@ -0,0 +1,4 @@
+alert ssh any any -> any any (msg:"match SSH hash"; ssh.hassh; content:"2dd6531c7e89d3c925db9214711be76a"; sid:1;)
+alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"6832f1ce43d4397c2c0a3e2f8c94334e"; sid:2;)
+alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"; sid:3;)
+alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"none,zlib@openssh.com"; sid:4;)
\ No newline at end of file
diff --git a/tests/ssh-hassh/test.yaml b/tests/ssh-hassh/test.yaml
new file mode 100644
index 000000000..e923e1c96
--- /dev/null
+++ b/tests/ssh-hassh/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 6.0.0
+features:
+ - RUST
+
+args:
+ - -k none
+
+checks:
+ # Check that we have the following events in eve.json
+ # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: ssh
+ ssh.client.hassh: "2dd6531c7e89d3c925db9214711be76a"
+ ssh.server.hassh: "6832f1ce43d4397c2c0a3e2f8c94334e"
\ No newline at end of file
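Review bot: tests/ssh-hassh/test.rules is byte-identical to tests/ssh-hassh-only/test.rules (both carry blob index `15e1b528c`) and tests/ssh-hassh/test.yaml repeats the same five checks with the same two hash values, so the only thing that distinguishes the two tests is the pcap, and nothing on the page documents that difference. Add a one-line comment at the top of each test.yaml describing the capture — for this one something like `# pcap: complete handshake, version banners followed by KEXINIT from both peers` (adjusted to what the capture actually contains) and, in ssh-hassh-only, what is omitted — so a failure in one test but not the other is interpretable without opening the pcaps. This file also ends without a trailing newline, unlike the reassembled test.yaml in the same commit.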