From c313bf9088432b6e862762e3ddd97d3891287c3d Mon Sep 17 00:00:00 2001
From: Modupe Falodun
Date: Tue, 22 Feb 2022 18:19:27 +0100
Subject: [PATCH] detect-dce-iface: add tests

Task: 4911
---
 tests/dcerpc/dcerpc-dce-iface-02/README.md | 1 +
 tests/dcerpc/dcerpc-dce-iface-02/test.rules | 4 ++
 tests/dcerpc/dcerpc-dce-iface-02/test.yaml | 38 +++++++++++++++++++
 tests/dcerpc/dcerpc-dce-stub-data/README.md | 3 ++
 tests/dcerpc/dcerpc-dce-stub-data/input.pcap | Bin 0 -> 1378 bytes
 tests/dcerpc/dcerpc-dce-stub-data/test.rules | 3 ++
 tests/dcerpc/dcerpc-dce-stub-data/test.yaml | 38 +++++++++++++++++++
 7 files changed, 87 insertions(+)
 create mode 100644 tests/dcerpc/dcerpc-dce-iface-02/README.md
 create mode 100644 tests/dcerpc/dcerpc-dce-stub-data/README.md
 create mode 100644 tests/dcerpc/dcerpc-dce-stub-data/input.pcap
 create mode 100644 tests/dcerpc/dcerpc-dce-stub-data/test.rules
 create mode 100644 tests/dcerpc/dcerpc-dce-stub-data/test.yaml

diff --git a/tests/dcerpc/dcerpc-dce-iface-02/README.md b/tests/dcerpc/dcerpc-dce-iface-02/README.md
new file mode 100644
index 000000000..7d910697d
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-02/README.md
@@ -0,0 +1 @@
+Tests the dcerpc.iface keyword
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.rules b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
index 27cccb31c..a9018d05d 100644
--- a/tests/dcerpc/dcerpc-dce-iface-02/test.rules
+++ b/tests/dcerpc/dcerpc-dce-iface-02/test.rules
@@ -1 +1,5 @@
 alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dce_iface:afa8bd80-7d8a-11c9-bef4-08002b102989;sid:1;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1; sid:2;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=0; sid:3;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,>1,any_frag; sid:4;)
+alert tcp any any -> any any (msg:"DCE Iface test";flow:established,to_server;dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,=1,any_frag; sid:5;)
diff --git a/tests/dcerpc/dcerpc-dce-iface-02/test.yaml b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
index 7c47e217d..1e0a812e9 100644
--- a/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
+++ b/tests/dcerpc/dcerpc-dce-iface-02/test.yaml
@@ -10,3 +10,41 @@ checks:
 count: 1
 match:
 event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 10
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 10
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ pcap_cnt: 10
+ - filter:
+ min-version: 6.0.0
+ count: 1
+ match:
+ dcerpc.response: RESPONSE
+ dcerpc.res.stub_data_size: 68
+ dcerpc.res.frag_cnt: 1
+ dcerpc.rpc_version: '5.0'
+ pcap_cnt: 10
+ dcerpc.request: REQUEST
+ dcerpc.req.stub_data_size: 24
+ dcerpc.req.frag_cnt: 1
+ dcerpc.call_id: 27
+ event_type: dcerpc
diff --git a/tests/dcerpc/dcerpc-dce-stub-data/README.md b/tests/dcerpc/dcerpc-dce-stub-data/README.md
new file mode 100644
index 000000000..b3ead405c
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data/README.md
@@ -0,0 +1,3 @@
+Tests the dce_stub_data keyword
+
+Pcap from dcerpc-dce-iface-02
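Review bot: All five rules in this hunk carry the identical `msg:"DCE Iface test"`, so when one of the new count checks fails the eve alert can only be tied back to its variant by sid; giving each a distinct message, e.g. `msg:"DCE Iface test =1";` for sid 2 and `msg:"DCE Iface test >1 any_frag";` for sid 4, makes the failure self-explanatory. Coverage of the version operator stops at `=1`, `=0` and `>1`: sid 5 repeats sid 2's `=1` with only `any_frag` added, while the `<` and `!` forms of the keyword's version syntax are not exercised at all, so a sixth rule such as `dcerpc.iface:afa8bd80-7d8a-11c9-bef4-08002b102989,!1; sid:6;` expected to produce zero alerts would close that gap. The count expectations for these sids live in the test.yaml hunk that follows.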
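Review bot: `min-version: 6.0.0` guards only the dcerpc event check, while the four new alert checks for sid 2–5 depend on the `dcerpc.iface` spelling of the keyword that sid 1's `dce_iface` rule does not; if that name is newer than the alias (the patch does not say), those filters will fail rather than skip on releases where the rule does not load, so either add the same `min-version` to them or state the first supporting version in README.md. The `count: 0` checks for sid 3 and sid 4 also pass when the rule is rejected at load time, since a rule that never loaded produces no alerts either; they only carry meaning because sid 2 and sid 5 use the same keyword and must alert once, and a short comment in the yaml, `# sids 3/4 are negative controls; sids 2/5 prove the keyword loaded`, would record that dependency. Pinning the stub sizes and `dcerpc.call_id: 27` on `pcap_cnt: 10` in the last filter is a good anchor and should stay.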
diff --git a/tests/dcerpc/dcerpc-dce-stub-data/input.pcap b/tests/dcerpc/dcerpc-dce-stub-data/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d6d7cb50a585c7f32e0863355b919826fa9146a6 GIT binary patch literal 1378 zc-noFO=uHA7>2){?8enBnDkI03VMh%+8An5BSH_cHWHPP65=L`g(6x|@F$RyR1C)Y zlbarL3WyM-qz6ITOVJRmNNWo2K_ueAlTZ+}iio7K>o>DmQp30dGdt|gKJ(7=G4B?h zJ|ZAOr->lo_$feCB`3i!&S_61q2~aRp|4n;g>&AfhxY*le;Oh=dZWHzgRt@3b2%lZ!-Oxdsrn+xJo$qZSuc&ySXX)YN#7 zuAiPWh(cr3qd?&G)8a>%UCom&2r;Jmunpq)%+u0_b!8q1%x@bL$;TDJLk-n-c-7uz*{+tTdX`-Nx=) zx_!mmzUQ*g?S&P30`iaBAtPve=(L^f=jAKs&Idi=RN%z^z(_piAC4saiO5LwaMFJy z9_u8#F=e;7L5iE}b`8^2@CHTc4f=|daN6n~Dt#6dSBLWYl%?_S%+jAOOBE!wnDO1F i1IlWgv1I*XtlwOg3t66xtn`@W>3rPNwU9SsI{FK<+gUaM literal 0 Hc-jL100001 diff --git a/tests/dcerpc/dcerpc-dce-stub-data/test.rules b/tests/dcerpc/dcerpc-dce-stub-data/test.rules new file mode 100644 index 000000000..ba9609450 --- /dev/null +++ b/tests/dcerpc/dcerpc-dce-stub-data/test.rules @@ -0,0 +1,3 @@ +alert tcp any any -> any any (msg:"DCE stub data";flow:established,to_server; dcerpc.stub_data; content:"|09 00 00 00 00 01 00 00|"; sid:1;) +alert tcp any any -> any any (msg:"DCE stub data";flow:established,to_server; dcerpc.stub_data; content:"|09 00|"; sid:2;) +alert tcp any any -> any any (msg:"DCE stub data";flow:established,to_server; dcerpc.stub_data; content:"|01 09 00|"; sid:3;) diff --git a/tests/dcerpc/dcerpc-dce-stub-data/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data/test.yaml new file mode 100644 index 000000000..389fbe9b3 --- /dev/null +++ b/tests/dcerpc/dcerpc-dce-stub-data/test.yaml 
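Review bot: The three rules exercise only the `dcerpc.stub_data` spelling, whereas the README added in this patch says it tests the `dce_stub_data` keyword; unlike dcerpc-dce-iface-02, where sid 1 keeps the legacy `dce_iface` name next to the new one, the alias is never loaded here. Either add `alert tcp any any -> any any (msg:"DCE stub data legacy";flow:established,to_server; dce_stub_data; content:"|09 00 00 00 00 01 00 00|"; sid:4;)` with a matching `count: 1` check in test.yaml, or change the README to the name actually tested. Sid 3's `|01 09 00|` reuses bytes that appear in sid 1's pattern in a different order, which is the point of a negative control but is not obvious at a glance; a leading `# sid 3: bytes from sid 1 in an order the stub does not contain - must not alert` comment would preserve that reasoning. The identical `msg:"DCE stub data"` on all three rules has the same traceability cost as in the iface-02 rules.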
@@ -0,0 +1,38 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+args:
+- -k none
+
+checks:
+- filter:
+ min-version: 6.0.0
+ count: 2
+ match:
+ event_type: dcerpc
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 10
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
-- 
2.47.2
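Review bot: The dcerpc event check only counts two `event_type: dcerpc` records and pins no fields, although this test exists to exercise the stub-data buffer; the same capture is used by dcerpc-dce-iface-02, whose test.yaml in this patch pins `dcerpc.req.stub_data_size: 24` and `dcerpc.res.stub_data_size: 68` on `pcap_cnt: 10`, the packet the sid 1 and sid 2 alerts are expected on. Adding a second, field-pinned dcerpc filter here ties the alerts to the buffer length actually parsed, so a regression that truncates stub data would surface in this test rather than only in iface-02. The stub-data README says the pcap is copied from iface-02; if the harness supports pointing a test at another test's capture, referencing it instead of duplicating the binary would keep the two in step.
```yaml
checks:
# … unchanged: count-2 dcerpc event check …
- filter:
    min-version: 6.0.0
    count: 1
    match:
      event_type: dcerpc
      pcap_cnt: 10
      dcerpc.req.stub_data_size: 24
      dcerpc.res.stub_data_size: 68
# … unchanged: alert, flow and stats checks …
```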