From: Victor Julien
Date: Tue, 1 Feb 2022 09:38:41 +0000 (+0100)
Subject: tests: add sip with frames test
X-Git-Tag: suricata-6.0.5~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F711%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add sip with frames test
---
diff --git a/tests/sip-body-frames/README.md b/tests/sip-body-frames/README.md
new file mode 100644
index 000000000..8acd9b775
--- /dev/null
+++ b/tests/sip-body-frames/README.md
@@ -0,0 +1 @@
+pcap from https://www.cloudshark.org/captures/4ff29b39b8dc
diff --git a/tests/sip-body-frames/public-cloudshark-sip-s0.pcap b/tests/sip-body-frames/public-cloudshark-sip-s0.pcap
new file mode 100644
index 000000000..bca9fa286
Binary files /dev/null and b/tests/sip-body-frames/public-cloudshark-sip-s0.pcap differ
diff --git a/tests/sip-body-frames/sip-frames.rules b/tests/sip-body-frames/sip-frames.rules
new file mode 100644
index 000000000..d6e92c4bb
--- /dev/null
+++ b/tests/sip-body-frames/sip-frames.rules
@@ -0,0 +1,15 @@
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:1;)
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"INVITE sip"; startswith; sid:2;)
+
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;)
+
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;)
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;)
+
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;)
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"229|0d 0a|"; endswith; sid:32;)
+
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;)
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;)
+
+alert sip any any -> any any (flow:to_server; frame:request.body; content:"v=0"; startswith; sid:51;)
diff --git a/tests/sip-body-frames/test.yaml b/tests/sip-body-frames/test.yaml
new file mode 100644
index 000000000..dd65cd7b4
--- /dev/null
+++ b/tests/sip-body-frames/test.yaml
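Review bot: None of the fifteen rules carries a `msg` or `rev` option, so when one fires in a failing run the eve alert record identifies it only by `alert.signature_id`; adding e.g. `msg:"sip request.headers frame endswith Content-Length";` to each rule would make the verify output self-describing. The set exercises the request side of the line and body frames (`request.line`, `request.body`) but the response side only for headers (sid 41/42); if the SIP app-layer also exposes `response.line` and `response.body` frames, one to_client rule on each would stop a regression in those frames from passing unnoticed. The trailing match in sid 32, `content:"229|0d 0a|"; endswith;`, is tied to one header value in this specific pcap, so a one-line comment naming which header it anchors on (presumably the INVITE's Content-Length) would help whoever regenerates the capture.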
@@ -0,0 +1,50 @@
+requires:
+ min-version: 7
+
+checks:
+ - filter:
+ count: 8
+ match:
+ event_type: sip
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 22
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 31
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 32
+ frame.type: "request.headers"
+ frame.complete: true
+ frame.length: 420
+ frame.direction: toserver
+ - filter:
+ count: 5
+ match:
+ event_type: alert
+ alert.signature_id: 41
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 42
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 51
+ frame.type: "request.body"
+ frame.complete: true
+ frame.direction: toserver
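Review bot: sids 1, 11 and 21 are loaded from sip-frames.rules but have no `alert.signature_id` filter here, so a regression that stops the `frame:pdu` REGISTER / 200 OK rules or the `request.line` REGISTER rule from matching would still pass this test; each should get its own `count` check, with the expected value taken from a run against this pcap. The sid 51 filter pins `frame.type`, `frame.complete` and `frame.direction` but, unlike the sid 32 filter's `frame.length: 420`, not the length of the body frame, so an off-by-one at the header/body boundary — the thing a test named sip-body-frames is presumably meant to catch — would go undetected; adding `frame.length: <observed INVITE body length>` to that filter would close the gap. The `count: 2` on sid 51 against `count: 2` on sid 2 suggests every INVITE in the capture carries an SDP body, which is worth stating in the README so a future pcap swap keeps that property.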