From 48131f0ed1c6fa104f2d60e1c78c9f5e5a5f3233 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 23 May 2023 10:03:06 +0200
Subject: [PATCH] tests: add rule types check

---
 tests/rule-types/rule-types.rules | 40 ++++++++
 tests/rule-types/test.yaml | 162 ++++++++++++++++++++++++++++++
 2 files changed, 202 insertions(+)
 create mode 100644 tests/rule-types/rule-types.rules
 create mode 100644 tests/rule-types/test.yaml

diff --git a/tests/rule-types/rule-types.rules b/tests/rule-types/rule-types.rules
new file mode 100644
index 000000000..b0520262b
--- /dev/null
+++ b/tests/rule-types/rule-types.rules
@@ -0,0 +1,40 @@
+alert tcp-stream any any -> any any (msg:"tcp-stream, no content"; sid:101;)
+alert tcp-stream any any -> any any (msg:"tcp-stream, simple content"; content:"abc"; sid:102;)
+alert tcp-stream any any -> any any (msg:"tcp-stream, anchored content"; content:"abc"; startswith; sid:103;)
+
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, no content"; sid:201;)
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, simple content"; content:"abc"; sid:202;)
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, anchored content"; content:"abc"; startswith; sid:203;)
+
+alert tcp any any -> any any (msg:"tcp, no content"; sid:301;)
+alert tcp any any -> any any (msg:"tcp, simple content"; content:"abc"; sid:302;)
+alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;)
+
+alert tcp any any -> any any (msg:"tcp, pd negated"; app-layer-protocol:!http; sid:401;)
+alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;)
+
+alert tcp any any -> any any (msg:"http, pos event"; app-layer-event:http.file_name_too_long; sid:501;)
+#alert tcp any any -> any any (msg:"http, neg event"; app-layer-event:!http.file_name_too_long; sid:502;)
+# TODO fix
+#alert tcp any any -> any any (msg:"http, unknown event"; app-layer-event:http.non_existing_event; sid:503;)
+
+alert http any any -> any any (msg:"http, no content"; sid:601;)
+alert http any any -> any any (msg:"http, simple content"; content:"abc"; sid:602;)
+alert http any any -> any any (msg:"http, anchored content"; content:"abc"; startswith; sid:603;)
+
+alert tcp any any -> any any (msg:"ttl"; ttl:123; sid:701;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:established; sid:702;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:not_established; sid:703;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:stateless; sid:704;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; prefilter; flow:stateless; sid:705;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:stateless; prefilter; sid:706;)
+
+alert http any any -> any any (uricontent:"abc"; sid:801;)
+alert http any any -> any any (content:"abc"; http_uri; sid:802;)
+alert http any any -> any any (http.uri; content:"abc"; sid:803;)
+
+alert tcp any any -> any any (msg:"byte_extract with dce"; byte_extract:4,0,var,dce; byte_test:4,>,var,4,little; sid:901;)
+alert tcp any any -> any any (msg:"byte_extract with dce"; dcerpc.stub_data; content:"abc"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)
+
+alert udp any any -> any any (msg:"UDP with flow direction"; flow:to_server; sid:1001;)
+
diff --git a/tests/rule-types/test.yaml b/tests/rule-types/test.yaml
new file mode 100644
index 000000000..ed16f105b
--- /dev/null
+++ b/tests/rule-types/test.yaml
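Review bot: sid 902 carries the same `msg:"byte_extract with dce"` as sid 901 although it exercises `relative` inside the `dcerpc.stub_data` buffer rather than the `dce` byte_extract flag that 901 tests, so a failing check prints a description that does not say which variant broke; `msg:"byte_extract relative in dcerpc.stub_data"` would tell them apart. The same applies to sids 701-706, which all use `msg:"ttl"` while differing only in the flow/prefilter keywords under test, and to sids 801-803, which have no msg at all. The `# TODO fix` above the commented-out sid 503 does not say what fails or what type is expected once it works; a note such as `# TODO: re-enable 502/503 once <describe the failure> is fixed` keeps that state recoverable for the next reader.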
@@ -0,0 +1,162 @@
+requires:
+ min-version: 7
+ pcap: false
+args:
+- --engine-analysis
+checks:
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 101
+ type: "ip_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 102
+ type: "stream"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 201
+ type: "ip_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 202
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 203
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 301
+ type: "ip_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 302
+ type: "stream"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 303
+ type: "pkt_stream"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 401
+ type: "pd_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 402
+ type: "pd_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 501
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 601
+ type: "app_layer"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 602
+ type: "stream"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 603
+ type: "pkt_stream"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 701
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 702
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 703
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 704
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 705
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 706
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 801
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 802
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 803
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 901
+ type: "stream"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 902
+ type: "app_tx"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1001
+ type: "pkt"
-- 
2.47.2
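Review bot: sid 103 (tcp-stream with `startswith`) is defined in rule-types.rules but has no check in this file, while its counterparts 203 and 303 each get one, so the anchored tcp-stream case is loaded without its classification ever being asserted. Adding a filter entry in the same shape as the 102 block closes the gap; the expected `type` must be taken from the engine-analysis output rather than guessed from the 203/303 entries, which differ from each other. Since every entry matches on `id` with `count: 1`, the 26 checks do pin each listed rule, which is why the single omission matters.
```yaml
# … unchanged: the id 102 entry …
  - filter:
      filename: rules.json
      count: 1
      match:
        id: 103
        type: "<expected type from engine-analysis output>"
```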