From 2b4712d943a090b044582d341e0bcb9659a4e80d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Eloy=20P=C3=A9rez=20Gonz=C3=A1lez?= <zer1t0ps@protonmail.com>
Date: Fri, 22 Oct 2021 11:35:43 +0200
Subject: [PATCH] smb: add dce_opnum tests

---
 tests/smb-dce_opnum/input.pcap | Bin 0 -> 12642 bytes
 tests/smb-dce_opnum/test.rules |   2 ++
 tests/smb-dce_opnum/test.yaml  |  17 +++++++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 tests/smb-dce_opnum/input.pcap
 create mode 100644 tests/smb-dce_opnum/test.rules
 create mode 100644 tests/smb-dce_opnum/test.yaml

diff --git a/tests/smb-dce_opnum/input.pcap b/tests/smb-dce_opnum/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..1897e467c5692ff5645185e3bdcb2d0039c889f7
GIT binary patch
literal 12642
zc-rk+3s_WD9{=BAfEmVcAVk_!W|frH7Kah#kvmclpOw%E2&j`Xz@XU3AVUhR8d4b}
zWsl8KDGM-JH`I37O8d;mf)CV$G8)@d#4_`dz05~iy8m<To#D=O?})C}*Dm*dXYM`s
zoclY!|LffQKX=-j8*3#Xg|1Bs4E|31;?r#VUu1AUo|7Wkwc^~F3du*+cO|cp!My;Z
zwf~BTc%Nf2YeGA|!1B`CEM}9{-c&>|Y9wcU88hA`9mGf_GQS@W4IV?TGhSZ41bN7d
zGPnopq_CJQK1Ghw+2Wzx2Y{dwbY|1qtSa01!-zhsJn+huJ|_sW_nU|&V-TMp?nA^;
zh&D=yYq++Fa(%#!>nud=)G3)$TT)qxEr(@LL--4!yr69+D4%x<qJ%J~K0Znnn14Af
z`JQ;H#p~O`@LqCvJQkCsIA?rH=CpJ}!nkqibIguDN-DMThzvB?l@xb9GGV%<f_m&k
z&IfcMs-WP1Q>Y8Be3@%zem8g_AAsCxkHu&CUwW{5^KBnJTsit9U)oykEHzITEq!Lz
zekXi6l+t7NY#*OtK8&}wq{gJ4Q8QW{=i`TUDN_+Gkqq#W4_!F6;(Q<@k<inH?5Usg
z)Qi{KZ{<*Rc+KG3!wStMQ}c}Z1%<}EsRe~oQ<D;+BBNvCi%dp?#W=NKTA{hvNHo}X
z#G~JAqkeOro5c@Q*-{Up-<;fZn)RDY$7Rrt2<<{BJG9%W-@Gn}62hF+T%l^H=G%d9
zgYMenHeS~(8e8m^9q-idD0Nhgzq%J+V|4?is+9C`$!Tdidi%(V%1(D=B4hIj8RTMz
zTp?eZpj#&7YpDmV_U1D5wOjl8QAz&bkTDowE5q|OcNq-;z2L{6%P7Y(7LGvef)4e9
z12tZL3{&eW&VudI1x*ft&?^zA7sOD(te@WU?3J}Mjx5>XfSZqdA|Cx97cB+76JR2Y
zLxED!sU>(Hzs`UR`zC-IB5{%of?OyA6BwZw$wuIr0dg=920$LRkUkNDJ-kKk^hI=j
zfDn~$J}ZMSu||r!TQMEl9mK7UKJV&Q&1F@#bUC`!@k?}8XBx%aO43c0ySmjR=Xq@f
zlcBC)QtK+16ln!>zeDF<*cO8O6g+OjeKsD0aF3^Y_Jefpe$uYQJ&s|WPDm@oV8-79
zD1^18m2%UjJvwV!gKG2R&wVf}waA<`F5{7Z%#ej%`1`!iG>2B&2aWKxFdRRJE*<??
ziGMAN${`T@6hJ;$V7PNk$Cfjw@ceW6Uj@xB?VFjlMAJ%azx4+hRAF0{&?9o5Zn;pn
zrOU1M?ZYwL0)sUac)Y9a85%yGY(H#Z%a*3_?|<quy{RB4Wx*vj+~iQ}tM(?rM%{At
zWf`o&hBZR7-7DIibhdln)h)LVM|x9;Ti#MbM=a)3^Mc1vS-_nOQ(F#i{l3GruCn~_
zz|CXZRg+n2LqU&wBt(M-6+eO+NkjJtJRga>9_|AjDm;vG{}#C~!aElUsdcWdT2QT1
zkpC)FYd|n-Go3qkxd3;D$Nj{u=d)uT(x3aXzW>Er^?@6eXaF_W?+O#j5N2gwa@dOX
ztwLID)V5HqZgkV?DrDD4wEBRBf-U4T^X6$)D#9#g=@U&6Ew44K>)5hBF6?*9Vg;PT
zAz3+hujAdM6#Sj-7AV3{HKXfWa3}JFNae5(TlNWQdYkSgK}|PW?K_53O_x#FW$yCG
zuOd%my#F0uGwuu?W_bG9O#?fdCwBMwsdTNDb4L<>V;B}=jN21Ys*uBXc>bM`#g1xs
zQHxc&T5Jc#!GsjF*cV~d6leoqLOIW3-Xapd`FwS1Q`7uaieuXN$6pBgb0lhhEU&K^
zV{qasyp%L{*ghMS8<bs-1_nwqq5`7=_cnYD%%FRxSsTc8=|h!^PW9Ur@G8FN3{#HH
zmT(%lA2r}1nqC&N@q`rA!YQ<|QYf0_JR6H?U}9;jxAhz4<h=v*bxUG*4+!9-;oIiX
z-g0Qb^9CW?tkCYJwrO><%_(G8M{M)KaSAkxWyZROjAt7k5oWK;7S6l7?tn7$v4wM{
zumAR)NSt~2u5~rrs0sC-ka{atT7{IlRkuP=sdZNS&TLd_?_m0*gBRVY%dbNH9#zvJ
z<-O^D^4j~=lq|b?QUFp<ba9(r)NK-ZZgU4d%KbrKR8VBpTZ+tPlf~i;HZhk;x?K(z
z@%*BYVZPMvp@y07YM7nbRkn;cG|aIv11b1cv7iYSkuLb){`0m;dxoSvdj77OUA_8|
zpwV4Z&;XTQ$Kl4%tMr`~PB)W5*o_=B>HA6^PKI-EDpcV#ISQiOrd6Ve6}Ni~o>zqI
zoDpZWw}eqUUnO|NH1W5?$2E_KEIFw%?AA|OG`%o@lZwx5NvOx*d5_xYJy#pGgdw}d
z#74D!JqJ%;5oYhsP|aVb*c+Q4Y<wf3<F2{a6+AnUdLvdEg_Qc5?o~mhE=KyxX+}Je
zB9)2-j~Mk#)muX&R(}$wdLy&CG=4)P37&8l_mNQd3Fq!}dDtk}!=s$?%QbR1iT*~4
zyYjscYWEW5cRuZ={N+`)Oh3#>kNrSrF2y#n02v}8f%<#j<o<D?{~S4Yz;o;7mCYdm
zlCHS+03r7fM<1=|3XlPn-4Bp`YgvsLdbXaeXY1MiPquE%{H=86uX3IFTaz6#|Ao^%
zvu4lMv-NB}+i!8^x8aMgO(@~2)V9%ttHX8XZ)fPtj|o?J!_A%f$@@5Axe{4Azm>V?
zR^hrDq1-Cd51ATtN>xywLoCW!jmNaN)&mO3(5{m9isd(xSB+WPR6TmaqNfzmnHu|N
z0bH)aPkUQOc}#oXr&efjvw{KHk#+53Ay0Wud&5PT&3?+zU;SiISorF+A#2`gxp-Y^
zZ|`V1yp7_J;;vN1YF(Y6Ql}t&J5g$%T{LN&E0*?(QTIuZo{2pZ7Mief@);(=_fwMg
z-l_O`+IuIL6b31H-<}lgBJO6)5$myZ;9!HXq|4ar{&+m+3lM>&5V^nX%`QTh;8Bm|
z9CliaWw4aJ{t5mxVVQ)b6X8oG?DcPu@W)t+u=p@+h@InBj~8>t!P2fpZXujW+`4`z
zw}ewF>FO_pU&Jkf`EW;@<5LFR5+DxrZb`5nOBt3DFv3h20UCP6v81ktL`a4EAcKCl
zO2ayvGV8IY9(7(!u}UBTdly1J)}}!OVw-RWxY6T1f;a`(dpi0-G2S16qZJ|YjUQ<y
z*76V~5679!lSpg<AsMgd(r<<qEcrO53P&xZObfBai1(;aUuI5UDtev0R_wf%i|sR!
zp#f_J^y{MuO9@J$qD%^q3;EJ_<K-=(JsnJLo&{aU`6FTySq;>4Ow^+6m0#bYsdNl8
z9ZQACMr?f;Yi1lzg(Da!7ry;&2Im4=Ow=20o>hLSaoG6nt_8+pRHb1(1|sPvOJO!?
zKVy@~i<C5KF)~-^A&K)bV%Z`ZsRdkX8MYFyEJO?oj-^JV2s%zaOhrr2#PJBHsSu0$
z$%kk}P-C=e@M;dW$0Eag<e7swcRPDu@BDakB#IT0D2DzYAO_FLe+_aFDIZ&+aUY4b
zT*OJH-(xZ{T6OgQ0}*JUnZE#kqBs7WB*Z?FYF&->5qOq|dp@=saVMYUW8Lg=BW88}
ze4UP0Ra7fUJ^uM$N)#y~Q9h0lMWx9>kBq^3F1Bgt$Z9%zGGtNzyxQBq|F&Odp*7R!
zlgf;3k07Rz^U_SpwS-EkLi{N1(~mbV0eL%G?&;5nAJ9J|j&@5x>{Yg$4xN%|dznkq
z_9x4s9^X(&aYvCX)9xcEpY0Ju31Qk^xJ=*AO=2IAVnlKQ#^39u&^rPGPFm%kpFSQl
zmV7|^k-7E{NaP;!UVW7P7o79oN~Bz{vTYX36TaIGaMmB-!M-SIW0xMuF_L;F(QrdU
zcRoDja(!}tgI+rUQt(Mnp7$Aumk8r<Cvp$rCB)<}Qgdj8YefFTM&2Hb)MJaecU|%K
zk%k5phpoB>ea)dgrsFlDfiAS5a@K1{rFdKxSS6If=5$!?`;)}}n8jZf5cAp^d0Rrp
zO#d-&8krM)o|y1@0Ox`HWr5+T9+w3^q{{-^UE^tgQk5-NL*i-U7SGE9u_DYafBnqE
zm#TNH`0(r9RRh0?JAYlv0;e%j>akKUq|{})dLgCeYLNa$s?=nPWD;8z5ThQpFsZ!1
zttz^2(}&GX?TIR~EYMHjYj{5{g_iO{m$0s1?{OMzr_*4po5D9D^EzDs)3(gOO@r$_
gu2%h3Q1&`RdRM1Z1vpl#0^ae6vf2Ym5CB2>55<&l-~a#s

literal 0
Hc-jL100001

diff --git a/tests/smb-dce_opnum/test.rules b/tests/smb-dce_opnum/test.rules
new file mode 100644
index 000000000..b182b14ae
--- /dev/null
+++ b/tests/smb-dce_opnum/test.rules
@@ -0,0 +1,2 @@
+alert smb any any -> any any (msg: "smb dcerpc.opnum 10"; dcerpc.opnum: 10; sid: 10;)
+alert smb any any -> any any (msg: "smb dcerpc.opnum 89"; dcerpc.opnum: 89; sid: 89;)
\ No newline at end of file
diff --git a/tests/smb-dce_opnum/test.yaml b/tests/smb-dce_opnum/test.yaml
new file mode 100644
index 000000000..864d64fff
--- /dev/null
+++ b/tests/smb-dce_opnum/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 4
+    match:
+      event_type: alert
+      alert.signature_id: 10
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 89
-- 
2.47.2