From: Modupe Falodun
Date: Tue, 1 Mar 2022 23:06:21 +0000 (+0100)
Subject: detect-bytetest: add tests
X-Git-Tag: suricata-6.0.9~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F982%2Fhead;p=thirdparty%2Fsuricata-verify.git
detect-bytetest: add tests
Task: 4911
---
diff --git a/tests/detect-bytetest-01/test.yaml b/tests/detect-bytetest-01/test.yaml
index 2f5c8ec25..15c83aecb 100644
--- a/tests/detect-bytetest-01/test.yaml
+++ b/tests/detect-bytetest-01/test.yaml
@@ -1,5 +1,5 @@
 requires:
- version: 6.0.0
+ min-version: 6.0
 args:
 - -k none
diff --git a/tests/detect-bytetest-02/README.md b/tests/detect-bytetest-02/README.md
new file mode 100644
index 000000000..bfcdcefdb
--- /dev/null
+++ b/tests/detect-bytetest-02/README.md
@@ -0,0 +1,3 @@
+Test the byte_test signature matching with operators
+
+Test to check matches of byte_test and byte_test relative works based on the previous keyword
diff --git a/tests/detect-bytetest-02/input.pcap b/tests/detect-bytetest-02/input.pcap
new file mode 100644
index 000000000..c5e52ddd3
Binary files /dev/null and b/tests/detect-bytetest-02/input.pcap differ
diff --git a/tests/detect-bytetest-02/test.rules b/tests/detect-bytetest-02/test.rules
new file mode 100644
index 000000000..547dbc4f2
--- /dev/null
+++ b/tests/detect-bytetest-02/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"pcre + byte_test + relative"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_test:1,=,1,6,relative,string,dec; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,dec; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test"; byte_test:1,=,65,214748364; sid:3; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,<=,0,0,relative,string,dec; sid:4; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,>=,0,0,relative,string,dec; sid:5; rev:1;)
diff --git a/tests/detect-bytetest-02/test.yaml b/tests/detect-bytetest-02/test.yaml
new file mode 100644
index 000000000..2a965f11d
--- /dev/null
+++ b/tests/detect-bytetest-02/test.yaml
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/detect-bytetest-02/writepcap.py b/tests/detect-bytetest-02/writepcap.py
new file mode 100644
index 000000000..1b4e9bcaa
--- /dev/null
+++ b/tests/detect-bytetest-02/writepcap.py
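Review bot: The msg strings on sids 2 and 3 describe keywords the rules do not use: sid 2 says `content + byte_test + relative` but its relative byte_test follows a byte_jump, and sid 3 says `content + byte_test` while containing no content keyword, so an analyst reading the alert cannot tell what was exercised. Sids 4 and 5 also share one msg and differ only in the `<=` / `>=` operator, and sid 3's offset `214748364` looks intended as an out-of-range negative case (test.yaml expects zero alerts for it), which nothing documents. Suggest msgs such as `byte_jump + byte_test + relative`, `byte_test with offset beyond payload`, `content + byte_test relative <=` and `content + byte_test relative >=`, plus a README line naming sid 3 as the negative case. The same mismatch appears in tests/detect-bytetest-03/test.rules, where sids 2 and 3 say `Test dns_query option` but use no dns_query keyword.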
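Review bot: This test.yaml has no `requires:` block, while detect-bytetest-01 is switched to `min-version: 6.0` in this same commit and detect-bytetest-03 declares it, so this test is presumably selected for any Suricata version; if that is not intended, add `requires:` / ` min-version: 6.0` at the top. The checks also pin `count: 2` for sids 4 and 5 against what writepcap.py shows is a single-packet capture (the flow check expects 1), while sids 1 and 2 expect 1 alert each; README.md does not say why two alerts are expected, so a later change in that count could not be judged as regression or fix. A sentence in README.md stating the reason for the double count would make the expectation auditable.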
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path='/AllWorkAndNoPlayMakesWillADullBoy', Http_Version='HTTP/1.0', User_Agent='Wget/1.11.4', Accept='*/*', Host='www.google.com', Connection='Keep-Alive', Date='Mon, 04 Jan 2010 17:29:39 GMT')
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/detect-bytetest-03/README.md b/tests/detect-bytetest-03/README.md
new file mode 100644
index 000000000..d3840a218
--- /dev/null
+++ b/tests/detect-bytetest-03/README.md
@@ -0,0 +1 @@
+Simple dns match on first byte
diff --git a/tests/detect-bytetest-03/input.pcap b/tests/detect-bytetest-03/input.pcap
new file mode 100644
index 000000000..186aebd37
Binary files /dev/null and b/tests/detect-bytetest-03/input.pcap differ
diff --git a/tests/detect-bytetest-03/test.rules b/tests/detect-bytetest-03/test.rules
new file mode 100644
index 000000000..2cb555bc0
--- /dev/null
+++ b/tests/detect-bytetest-03/test.rules
@@ -0,0 +1,3 @@
+alert dns any any -> any any (msg:"Byte test against first byte"; byte_test:1,=,0x07,0,bitmask 0xF8; sid:1;)
+alert dns any any -> any any (msg:"Test dns_query option"; byte_test:1,=,0x07,0,bitmask 0xFF; sid:2;)
+alert dns any any -> any any (msg:"Test dns_query option"; byte_test:3,=,0x01,0,bitmask 0xFF; sid:3;)
diff --git a/tests/detect-bytetest-03/test.yaml b/tests/detect-bytetest-03/test.yaml
new file mode 100644
index 000000000..cacd0d21d
--- /dev/null
+++ b/tests/detect-bytetest-03/test.yaml
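Review bot: The `IPv6(dst='1.2.3.4', src='5.6.7.8')` layer is given IPv4 dotted-quad literals, so the script as written does not obviously reproduce the committed input.pcap, and regenerating the capture may fail or yield different addresses depending on how scapy coerces them. The sibling tests/detect-bytetest-03/writepcap.py uses `IP(...)` with the same addresses; if the checked-in pcap is IPv4, change this line to `IP(dst='1.2.3.4', src='5.6.7.8')`, otherwise supply genuine IPv6 literals. `flags='P''A'` relies on implicit adjacent-string concatenation and reads like a typo; `flags='PA'` is the clearer spelling. A one-line header comment saying the script exists only to regenerate input.pcap, and which scapy version produced the committed file, would help whoever has to rebuild the capture.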
@@ -0,0 +1,34 @@
+requires:
+ min-version: 6.0
+
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: dns
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/detect-bytetest-03/writepcap.py b/tests/detect-bytetest-03/writepcap.py
new file mode 100644
index 000000000..e28cb68c1
--- /dev/null
+++ b/tests/detect-bytetest-03/writepcap.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = ('\x38\x35\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00')
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/Raw(load=data)
+
+wrpcap('input.pcap', pkts)
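Review bot: `data` is a text literal, so under a Python 3 interpreter (the `#!/usr/bin/env python` shebang does not pin one) `Raw(load=data)` presumably receives a str that scapy has to encode before writing; the 18 bytes here are all below 0x80 so the capture comes out as intended, but any future edit that adds a byte 0x80 or above would be silently expanded to two bytes and shift every byte_test offset in test.rules. Declare it as bytes, `data = b'\x38\x35\x01\x00...'` with the same hex sequence, so the payload is written verbatim under either interpreter. A short comment describing the payload — it appears to be a 12-byte DNS header with id 0x3835 and flags 0x0100 followed by a single question — would let a reader check the rule expectations (sid 1 masks the first byte 0x38 with 0xF8) without opening the pcap.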