From 6570a66d8f6e418bb0540303ba00cc58b9d285e9 Mon Sep 17 00:00:00 2001 
From: Modupe Falodun Date: Wed, 9 Feb 2022 13:14:09 +0100 Subject: [PATCH] detect-uricontent: add tests Task: 4911 --- .../uricontent/detect-uricontent-01/README.md | 1 + .../detect-uricontent-01/input.pcap | Bin 0 -> 165 bytes .../detect-uricontent-01/test.rules | 3 ++ .../uricontent/detect-uricontent-01/test.yaml | 31 +++++++++++++++ .../detect-uricontent-01/writepcap.py | 10 +++++ .../uricontent/detect-uricontent-02/README.md | 1 + .../detect-uricontent-02/input.pcap | Bin 0 -> 310 bytes .../detect-uricontent-02/test.rules | 3 ++ .../uricontent/detect-uricontent-02/test.yaml | 31 +++++++++++++++ .../detect-uricontent-02/writepcap.py | 13 ++++++ .../uricontent/detect-uricontent-03/README.md | 1 + .../detect-uricontent-03/input.pcap | Bin 0 -> 179 bytes .../detect-uricontent-03/test.rules | 4 ++ .../uricontent/detect-uricontent-03/test.yaml | 37 ++++++++++++++++++ .../detect-uricontent-03/writepcap.py | 10 +++++ 15 files changed, 145 insertions(+) create mode 100644 tests/uricontent/detect-uricontent-01/README.md create mode 100644 tests/uricontent/detect-uricontent-01/input.pcap create mode 100644 tests/uricontent/detect-uricontent-01/test.rules create mode 100644 tests/uricontent/detect-uricontent-01/test.yaml create mode 100644 tests/uricontent/detect-uricontent-01/writepcap.py create mode 100644 tests/uricontent/detect-uricontent-02/README.md create mode 100644 tests/uricontent/detect-uricontent-02/input.pcap create mode 100644 tests/uricontent/detect-uricontent-02/test.rules create mode 100644 tests/uricontent/detect-uricontent-02/test.yaml create mode 100644 tests/uricontent/detect-uricontent-02/writepcap.py create mode 100644 tests/uricontent/detect-uricontent-03/README.md create mode 100644 tests/uricontent/detect-uricontent-03/input.pcap create mode 100644 tests/uricontent/detect-uricontent-03/test.rules create mode 100644 tests/uricontent/detect-uricontent-03/test.yaml create mode 100644 tests/uricontent/detect-uricontent-03/writepcap.py 
diff --git a/tests/uricontent/detect-uricontent-01/README.md b/tests/uricontent/detect-uricontent-01/README.md new file mode 100644 index 000000000..6e1f3faf9 --- /dev/null +++ b/tests/uricontent/detect-uricontent-01/README.md @@ -0,0 +1 @@ +Tests the signature working to alert when http_cookie is matched diff --git a/tests/uricontent/detect-uricontent-01/input.pcap b/tests/uricontent/detect-uricontent-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8f7a9e756a4105c2a7dd91b13fb10eaab0f8aab7 GIT binary patch literal 165 zc-p&ic+)~A1{MYw`2U}Qfe}b=j5(dy8_&s53uM=V#X*39k%^gwwUL2=jf26Jfgu~D z)PXIll9i2}10*HI#Sj29DL_Jj!7Twu`v-?8=;!C9DtLs11n3*;8Srw27N-{JI;N-Q ml~^hG=2vCr any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;) +alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;) +alert tcp any any -> any any (msg:"Test uricontent"; content:"oisf"; http_uri; sid:3;) diff --git a/tests/uricontent/detect-uricontent-01/test.yaml b/tests/uricontent/detect-uricontent-01/test.yaml new file mode 100644 index 000000000..7c4d72c86 --- /dev/null +++ b/tests/uricontent/detect-uricontent-01/test.yaml @@ -0,0 +1,31 @@ +args: +- --set stream.midstream=true + +checks: +- filter: + count: 1 + match: + event_type: flow +- filter: + count: 1 + match: + event_type: stats +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 3 +- filter: + count: 1 + match: + event_type: http diff --git a/tests/uricontent/detect-uricontent-01/writepcap.py b/tests/uricontent/detect-uricontent-01/writepcap.py new file mode 100644 index 000000000..6a49a10be --- /dev/null +++ b/tests/uricontent/detect-uricontent-01/writepcap.py 
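Review bot: The final check in detect-uricontent-01/test.yaml only counts one `event_type: http` record, so it would still pass if the parser extracted a different request URI than the one sid 2 is expected to match on. All rules in this test are `http_uri` matches, so tightening that filter to the request the pcap actually carries makes the alert counts meaningful: `    event_type: http` / `    http.url: /one`. The same strengthening applies to the http checks in detect-uricontent-02 and -03.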
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-02/README.md b/tests/uricontent/detect-uricontent-02/README.md
new file mode 100644
index 000000000..15189412d
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/README.md
@@ -0,0 +1 @@
+Tests the working of search once per packet only in applayer match
diff --git a/tests/uricontent/detect-uricontent-02/input.pcap b/tests/uricontent/detect-uricontent-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..55153fb51778c042803176ad4380c990c7cb42f9
GIT binary patch
literal 310
zc-p&ic+)~A1{MYw`2U}Qfe}dG$UL36ftih=7Raszi-Q0IBNHSVBxmq)@p6G2BhJaj0JIp4u{tIn>X=d_ U$Cx5JrfNEpV~SIA(#UrZ01x6yod5s;
literal 0
Hc-jL100001
diff --git a/tests/uricontent/detect-uricontent-02/test.rules b/tests/uricontent/detect-uricontent-02/test.rules
new file mode 100644
index 000000000..33103bfd2
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"self"; http_uri; sid:3;)
\ No newline at end of file
diff --git a/tests/uricontent/detect-uricontent-02/test.yaml b/tests/uricontent/detect-uricontent-02/test.yaml
new file mode 100644
index 000000000..788ea52be
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/test.yaml
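Review bot: `flags='P''A'` on the TCP() line relies on implicit string-literal concatenation and reads like a typo; `flags='PA'` is the same value and is unambiguous. The same construction, the `from scapy.all import *` wildcard import, and the `'input.pcap'` path written relative to the current directory (so the script only regenerates the right file when run from its own directory) recur in the detect-uricontent-02 and -03 scripts. A `#!/usr/bin/env python3` shebang would also pin the interpreter these hand-run scripts expect. Separately, the README in this directory says the test covers an http_cookie match, but the rules only use http_uri and the Cookie header in this payload is never matched by any rule; either the README line should read `Tests that a signature alerts when content with http_uri is matched` or the rules should add the cookie case.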
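Review bot: All three rules carry the identical `msg:"Test uricontent"`, so an alert in the eve output can only be attributed by signature_id and a mis-numbered sid in test.yaml is hard to spot when the run fails. A distinct message per rule that states the expected outcome, e.g. `msg:"uricontent foo no match"`, `msg:"uricontent one match"`, `msg:"uricontent self match"`, costs nothing and documents the test next to the rule. The file also ends without a trailing newline, as the hunk marks. The rules in detect-uricontent-01 and -03 share the same identical msg text, and -03 additionally uses a bare `msg:"test"` on sid 4.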
@@ -0,0 +1,31 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: http
diff --git a/tests/uricontent/detect-uricontent-02/writepcap.py b/tests/uricontent/detect-uricontent-02/writepcap.py
new file mode 100644
index 000000000..92246cfbc
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/writepcap.py
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=53, flags='P''A')/"POST /oneself HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-03/README.md b/tests/uricontent/detect-uricontent-03/README.md
new file mode 100644
index 000000000..3e29b8cf8
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-03/README.md
@@ -0,0 +1 @@
+Tests the modifiers for uricontent and content match
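Review bot: The second packet is sent to `dport=53` while the first goes to 80, and nothing in the script says whether that is intended; test.yaml expects two `event_type: http` events and one sid 3 alert, so the test appears to depend on HTTP being recognised from the payload on a non-HTTP port, which a later reader may "fix" back to 80 and silently change what is tested. A one-line comment beside that TCP() line stating the intent would prevent that. The two packet constructions also differ only in port and URI, so a small helper removes the duplication; the rewrite below produces the same frames, with `'P''A'` written as `'PA'`.
```python
def http_request(dport, uri):
    """One PSH/ACK segment carrying a bare HTTP request; there is no handshake,
    which is why test.yaml runs with stream.midstream=true."""
    payload = "POST %s HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n" % uri
    return Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05') / \
        Dot1Q(vlan=6) / \
        IP(dst='1.2.3.4', src='5.6.7.8') / \
        TCP(sport=6666, dport=dport, flags='PA') / payload

# NOTE(review): dport 53 looks deliberate -- test.yaml expects two http events,
# so HTTP must be detected from the payload rather than the port. Confirm before changing.
pkts = [http_request(80, '/one'), http_request(53, '/oneself')]
# ... unchanged: wrpcap('input.pcap', pkts) ...
```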
diff --git a/tests/uricontent/detect-uricontent-03/input.pcap b/tests/uricontent/detect-uricontent-03/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0d6ead78c1472632dfc01e80204f9ade779c5792 GIT binary patch literal 179 zc-p&ic+)~A1{MYw`2U}Qfe}c12V71p+0Vn!4P any any (msg:"Test uricontent"; content:"foo"; http_uri; content:"bar"; sid:1;) +alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"one"; offset:1; depth:10; content:"two"; http_uri; distance:3; within: 4; content:"two"; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; content:"/three"; distance:0; within: 7; sid:2;) +alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"two"; http_uri; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; sid:3;) +alert tcp any any -> any any (msg:"test"; content:"one"; http_uri; sid:4;) diff --git a/tests/uricontent/detect-uricontent-03/test.yaml b/tests/uricontent/detect-uricontent-03/test.yaml new file mode 100644 index 000000000..dd04841f5 --- /dev/null +++ b/tests/uricontent/detect-uricontent-03/test.yaml @@ -0,0 +1,37 @@ +args: +- --set stream.midstream=true + +checks: +- filter: + count: 1 + match: + event_type: flow +- filter: + count: 1 + match: + event_type: stats +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 4 +- filter: + count: 1 + match: + event_type: http + \ No newline at end of file diff --git a/tests/uricontent/detect-uricontent-03/writepcap.py b/tests/uricontent/detect-uricontent-03/writepcap.py new file mode 100644 index 000000000..aadb1ac5d --- /dev/null +++ b/tests/uricontent/detect-uricontent-03/writepcap.py 
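Review bot: The test.yaml hunk ends with a whitespace-only line (`+  `) and no trailing newline, which is why git prints `\ No newline at end of file`; dropping that line and ending the file after `    event_type: http` with a newline keeps the yaml clean. The sid 2 check expects `count: 0`, and with a rule that long the reason is not obvious; a comment above that filter would spare the next reader re-deriving it, e.g. `# sid 2: http_uri distance:3 after "one" starts the search past "two" in /one/two/three/six` (presumably the failing modifier — confirm against the engine's relative-match semantics).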
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80, flags='P''A')/"POST /one/two/three/six HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2