From 032d476e3b0253bbe62342ce3c021b480c31d501 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 6 Mar 2019 08:57:48 +0100
Subject: [PATCH] Adds a test case for http auth unrecognized
---
tests/http-auth-unrecognized/README.md | 9 +++++++++
tests/http-auth-unrecognized/input.pcap | Bin 0 -> 1738 bytes
tests/http-auth-unrecognized/test.rules | 1 +
tests/http-auth-unrecognized/test.yaml | 15 +++++++++++++++
4 files changed, 25 insertions(+)
create mode 100644 tests/http-auth-unrecognized/README.md
create mode 100644 tests/http-auth-unrecognized/input.pcap
create mode 100644 tests/http-auth-unrecognized/test.rules
create mode 100644 tests/http-auth-unrecognized/test.yaml
diff --git a/tests/http-auth-unrecognized/README.md b/tests/http-auth-unrecognized/README.md
new file mode 100644
index 000000000..31045ae62
--- /dev/null
+++ b/tests/http-auth-unrecognized/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test http unrecognized authorisation method
+
+# PCAP
+
+The pcap comes from running
+`python -m SimpleHTTPServer 8000` or `python3 -m http.server` as a server and the following command
+`curl --header "Authorization: Turbo customAuthDataHere" 127.0.0.1:8000/` as a client
diff --git a/tests/http-auth-unrecognized/input.pcap b/tests/http-auth-unrecognized/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..483baf96afef9aaec2337b4227dd6f689c181436 GIT binary patch literal 1738 zc-obePi)dq9LEdWjA_Cmo^~;N_T(1nYX=)xp|Vl38HXd#Wiip1uDn4LpjaMb>`&&| zgG;=acrl(mZ1Lc-qk1&)FikW&d-CE@Pn*BT-;u!FfJcAr@B91kd*A-(w@>fhxVb^D z^J>KE#`eRX_AsYG%$6Hgoa3VG6TQT7+Z^X&>u6{+y1cvjht=%4Pfm^lpdGyP!!q#t&vWK6u%Tz(~ zL{OCAEh`~Ol05uknK-`bEGa_HtT=fb6ej~BB&JQ1l;Gkx9*2_(&DoB%ZcxiEDoC$5 z%Qnc%)Gn};W>8~}IK;zyc-H>23)!$`gAHGM+3ed~9&HnmDV(QBc|{l=7sWmc%KPticwG*e?df2@elDA_`g}nVU$OLJ7lxa`_gL zf=VEy$N@B)&^>(2E>bYgM{6YzQ?f>Jju!H_k(o1`GNF+QUGarFx_MH}(wu@OC;cs_ zey^Q(@V4xTcYh3=Iy~hR+o8rd+v~%e0RXld9QUK%PVJAioZ?d5obYvRA*Me_#$jj@ z^C-DEGk-UR1Rusr{usuZt~C-c9x}%9`vMYjl$I2XtJSJl^^3NX#d@mlK>(MjW0_RU z(2St+VRnrjh>?LqflvdnS|52*u~s8O%OM?{6p-0CiwONJWkhPxJW(~vAttq*8p>N` zY8A6+#dZ)5<3^ef any any (msg:"SURICATA HTTP Request unrecognized authorization method"; flow:established,to_server; app-layer-event:http.request_auth_unrecognized; flowint:http.anomaly.count,+,1; classtype:protocol-command-decode; sid:1; rev:1;) diff --git a/tests/http-auth-unrecognized/test.yaml b/tests/http-auth-unrecognized/test.yaml new file mode 100644 index 000000000..2fadf930d --- /dev/null +++ b/tests/http-auth-unrecognized/test.yaml @@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + min-version: 5.0.0 + +# disables checksum verification +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 -- 2.47.2
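Review bot: The `checks` block in test.yaml has no negative control: it asserts exactly one alert for `alert.signature_id: 1`, but per the README the capture holds a single request carrying the unrecognized `Turbo` scheme, so a parser regression that raised `http.request_auth_unrecognized` on every `Authorization` header would still pass. Consider regenerating the pcap with a second request that uses a scheme the parser recognizes, for example `curl --header "Authorization: Basic dXNlcjpwYXNz" 127.0.0.1:8000/` (constructed sample credentials), and keeping `count: 1` so the test proves the event is selective. A second filter on `event_type: http` with the expected request count would also separate "request was not parsed at all" from "event did not fire". The pcap is binary and not reviewable here, so its contents are inferred from the README.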