From 7d159ae9db74fcce9f597a9ccd851413e29be47e Mon Sep 17 00:00:00 2001
From: Mats Klepsland
Date: Thu, 1 Nov 2018 23:21:51 +0100
Subject: [PATCH] Add test for TLS 1.3 draft 23
---
tests/tls13-draft23/README.md | 8 ++++++++
tests/tls13-draft23/suricata.yaml | 25 +++++++++++++++++++++++++
tests/tls13-draft23/test.yaml | 19 +++++++++++++++++++
tests/tls13-draft23/tls13_draft23.pcap | Bin 0 -> 2907 bytes
4 files changed, 52 insertions(+)
create mode 100644 tests/tls13-draft23/README.md
create mode 100644 tests/tls13-draft23/suricata.yaml
create mode 100644 tests/tls13-draft23/test.yaml
create mode 100644 tests/tls13-draft23/tls13_draft23.pcap
diff --git a/tests/tls13-draft23/README.md b/tests/tls13-draft23/README.md
new file mode 100644
index 000000000..2cbabe741
--- /dev/null
+++ b/tests/tls13-draft23/README.md
@@ -0,0 +1,8 @@
+Simple test that tests a TLS 1.3 draft 23 pcap file from Wireshark issue
+tracker [1].
+
+PCAP URL:
+ https://bugs.wireshark.org/bugzilla/attachment.cgi?id=16071
+
+[1] "12779 - Add TLS 1.3 support"
+https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12779
diff --git a/tests/tls13-draft23/suricata.yaml b/tests/tls13-draft23/suricata.yaml
new file mode 100644
index 000000000..7a29ad442
--- /dev/null
+++ b/tests/tls13-draft23/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-3.1.2.yaml
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - tls:
+ extended: yes # enable this for extended logging information
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ # Generate JA3 fingerprint from client hello
+ ja3-fingerprints: yes
+
+ encrypt-handling: bypass
diff --git a/tests/tls13-draft23/test.yaml b/tests/tls13-draft23/test.yaml
new file mode 100644
index 000000000..b6fad771c
--- /dev/null
+++ b/tests/tls13-draft23/test.yaml
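Review bot: In tests/tls13-draft23/suricata.yaml the last added line, `encrypt-handling: bypass`, carries no comment although the JA3 option just above it does. With bypass, Suricata stops inspecting the flow once the session turns encrypted, which in TLS 1.3 happens right after the ServerHello, so this test can only cover the cleartext hello fields. I would say so next to the setting, e.g. `# bypass once encrypted: only the cleartext hello fields (version, JA3) are under test`, so that later checks are not added for fields this configuration may never log.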
@@ -0,0 +1,19 @@
+min-version: 4.1.0
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.version: "TLS 1.3 draft-23"
+ tls.ja3.hash: "0558cf38ebac58d332d7f39308fcd006"
+ tls.ja3.string: "771,4865-4866-4867-49195-49199-49196-49200-52393-52392-49161-49187-49171-49191-49162-49188-49172-49192-156-157-47-60-53-61-10,65281-23-35-13-11-51-45-43-10,29-23-24,0"
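Review bot: The single filter under `checks:` only proves that one event with the expected version and JA3 values exists, so an additional `tls` event from the same pcap with a wrong or missing version would still let the test pass. A second filter with `count: 1` whose `match:` holds only `event_type: tls` would pin the total number of TLS events and catch a parser regression that logs the session twice or mis-identifies it. Separately, `- -k none` turns off checksum validation without saying why; a short comment giving the reason (presumably the capture carries invalid checksums, to be confirmed) would keep the flag from being copied blindly into other tests.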
diff --git a/tests/tls13-draft23/tls13_draft23.pcap b/tests/tls13-draft23/tls13_draft23.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3b3021d2a7297c04cd4adf8804afc7d886e9b65c GIT binary patch literal 2907 zc-n=Q2{@E%8^@n_#xm9nV<{zx;gqeDDeI|^BiTtILqt>@`<89S77m&$Q?d`qnGP+c zNFaV9+gT=?uT)IZH6ij!E76Icp9atmuNiRZ1h_;t7 zKohnEskKCC2a6ve9=NeCQ3{NU?^;ciKto^-Ce5JHfyOMXv|l_S*vH=5mhG6@mFVXj zy!%k?Vt*+8V1~&a*(Xk7e<`@{6M02d@M0Y4dEF2@_$)V)Z^G2o0aETrI1JRqATg8} znz@sy##CmiKfd~y&g5fmXNoZunfy$7CXT5D@<2XNgFPhxJ-`ny9JB%<4My6u9WEh& z1EO4L3>O!~jmB_uLl_<&2n7KF0AIjvfCutm3y>AO7yPVSoogc2yDIHgK;GH^^yt2H zeq!l<;LP$#zn?s?Kn4Ci1a<;G3|SJ5Mx)@{-KI%Hasl$gNEqx^>h8tWfq(!j`Qh|uf&MD!LFgmk~nyI2!g!>k~`J4)%R+~#gsk} z+Mg15%5KPO`)E2w9R3cn=)ck!tJ8dXLquoj)alKZrX#&fHYTYeaj%OxL5IwLs6Y~ytE4}F;yD*YzVN=-%LnTA#a4BB^z5c?*IDXY9c7HBA zbq8eE7Ldyvh^eO>FJFv(zI3K7aVD7%P3o2w@2BgV4u|_6UCtui>?@t!+TZUN;X|s? zi{Nd|65hotW~*|9$LnT6Uf?|W5k+A#IhVAl_x8Azv96a1QBB3C{pOIY{|?Q?12g<9 zj|JN;Z69Tu*lTM!D?{YC4_5j?`@)A?C9r!vDh$)SZ0b&^J9H3jb&A=qv2T)zJ>6CG zdSaN7(}1fS??fu=)>CfZg(@oT{IT%S!6E%>&%8nzm%N8;2T?EYkQ*cTs7?EiI?TIt zk-7zUgkL>Z)nnS;_v{aW;fzs&f<`bx$j1)VO_qDu=U1ejverta-W(73K~F$%&ew10bD3X?rW+3>cR{bry=B0)!pJcSq#3)5oPBL=YqIYhU0iBd2z;tMefA%4v*Au5bE zLAcvDI6vrSs6e-WTXwGB>vXoE#PGP7_{L+w0!MC@rV%# zdQ%dpjx~bm*`X}MMY@rS?xe|^kIj$Te(t=KvO)6L9#AoMSJ~WDq;HesuP9j(wsGIv zw=d=2{zSx2REPU5y*Zm)B^u{iUZG`BtypYXc85giNTJmHRp~juIZ?l-zelej#GA@y z_qo-DYJE7iZ5yT3Dju&(x8|`MCsRGfOjEq^`c>NbOWDMuK5-xKSS)uPO|ReMu#!U< z49>z{rDgI-H`gcGFb>K#P?tyC_epi-O@7eEj{U;9m#n|B_g6rcW{KWXk#W>Dmc3Mv(#)`S|RUz__%Tm$Y( zv=QFkxI9P4cdB{0G@DxsoDO6d%i$}8s^S@*4cN|m1&%pVaUBNSCyy&v9y#`|C^J*S zxIsmN=Brli>(eFjsnX`Wo3PD` zgvSTjB zGC#&gqa1D(G@9qPY8obvSh<|MbWTHMV@OLw66K&(D@$$kV7jD$-woU8S+1A4By{;l z9-F(|52Lq?=7;VK+E&RO)Mi%xQ*ZHzahhrpqkcDU)QM}O2B-yM_;id3-{CVm;?ri8 zXwbdKF}^iL^f;L@=dW%$ViPW>V~m?-=bm909ke0?aWi7gq~+UL7q>U{P0B8GqeKym8%ri~;+ zb9}f`vr$lOZp>6?hr-s&Nr>HdXx}~lqdCXF+G@MS%Q$vpR~`QxyAk3X?Yomvn3JWV oHCal8spZjFi0hll$jK5yeD{5gF&vGmYc!U_)TA|!C>)Ld1JQC&NB{r; literal 0 
Hc-jL100001 -- 2.47.2