From d1a5f68bd0cdf86299ed1f4aea2a05a469984b4d Mon Sep 17 00:00:00 2001 From: =?utf8?q?Eloy=20P=C3=A9rez=20Gonz=C3=A1lez?= Date: Fri, 22 Oct 2021 12:18:39 +0200 Subject: [PATCH] dcerpc: add dce_iface test to match many request/responses --- tests/dcerpc/dcerpc-dce-iface-many/input.pcap | Bin 0 -> 2652 bytes tests/dcerpc/dcerpc-dce-iface-many/test.rules | 1 + tests/dcerpc/dcerpc-dce-iface-many/test.yaml | 12 ++++++++++++ 3 files changed, 13 insertions(+) create mode 100644 tests/dcerpc/dcerpc-dce-iface-many/input.pcap create mode 100644 tests/dcerpc/dcerpc-dce-iface-many/test.rules create mode 100644 tests/dcerpc/dcerpc-dce-iface-many/test.yaml diff --git a/tests/dcerpc/dcerpc-dce-iface-many/input.pcap b/tests/dcerpc/dcerpc-dce-iface-many/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7cfb59254d2933f7da610304947cec10889fbc93 GIT binary patch literal 2652 zc-qyHYe*DP7>2){nH`sQUB^kS$k0;4s7!5HSHqM*D3Fk)3kZsp8Hqs~`xYi zkdaYd@>ds$kVLVFSR)dOghIOvWwx26U=j4gi0wPaS=^ZpQ_v4_;LM)0bI$vH?{nT4 z1Kn3S5Mb^Rz=ZE>PNlRb%??{|P6jvF`r~^8*W6Tgw%-Ez95}3t^1vs)&h1Kg+lu3| zf68xhDOK-?hR;9qb&V5G3FbQ{p0}7x0!I`-gey|5S>0JhTYxA65H+IexA><Zs2h492$qspw9(0~Vq~*CRlR)k=FT(DgWqs#S$jVvKNW)@dE845Pv@%jsjQji|i3 z&Qw{N7_$>q%wXjuJl#PQa16x_#Ss!bWom+&T@KkHKfO5(rlkA>&wdidLhG)_Q=@@9o4Qj^~l!u_M03==2(7FuvK^mk(D*o1@-~Dg| z_TZ`#-+O`TY96!hoYuz-`Y6JA5sQ3*ZJbGd%%#+D=woqgFVW|yk7TuTn|iNZE@2?B z;(2|jQf{Ul#&JH*BKFd1r^GI5iPdl;o(hpvs#`Kg?6#WT7FsFlzln*ubE58Cvije@ zlLZI{H>@PCPh{Dl1lJ`jzJ<0=EWQ;YI`5`@@6Pc}QC&+a-|$MS03MKP#o30bjG~Mm z>KJ!p#Z*%5aFaHb!n~#OUbbN>Cz#YyT}rJ3eaQM$3Sp^S-*|F+@2?>_RH=27VJam` z?1Gk9tplsM2{G>_Z7R(RB$cak3{&};$=8j}1C*~WmFB;svLnYZmC=;3U&lCr6}^P< zAz7PBao$q-EypmGUzpUqF2!4pKBD!h6vI-PG+n>reL~;vP^EL54O1yoV&}EQyyaM} jjS#C|u1#gc0!d{c*D#fnOulU{<#-&rmh`ENFi7QZ@`Oam literal 0 Hc-jL100001 diff --git a/tests/dcerpc/dcerpc-dce-iface-many/test.rules b/tests/dcerpc/dcerpc-dce-iface-many/test.rules new file mode 100644 index 000000000..bc685b37e --- /dev/null 
+++ b/tests/dcerpc/dcerpc-dce-iface-many/test.rules
@@ -0,0 +1 @@
+alert dcerpc any any -> any any (msg: "DCE Netlogon"; dcerpc.iface: 12345678-1234-abcd-ef00-01234567cffb; sid: 1;)
\ No newline at end of file
diff --git a/tests/dcerpc/dcerpc-dce-iface-many/test.yaml b/tests/dcerpc/dcerpc-dce-iface-many/test.yaml
new file mode 100644
index 000000000..6ebc6140c
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-iface-many/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 12
+ match:
+ event_type: alert
+ alert.signature_id: 1
-- 
2.47.2
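Review bot: The single rule in test.rules carries no `rev` keyword and the file is committed without a trailing newline (`\ No newline at end of file`), so any later edit to the signature cannot be versioned and the diff will churn the last line. The UUID is the well-known Netlogon interface, so the `msg` is consistent with what is matched; only the metadata is missing. Proposed line, followed by a newline: `alert dcerpc any any -> any any (msg:"DCE Netlogon"; dcerpc.iface:12345678-1234-abcd-ef00-01234567cffb; sid:1; rev:1;)`.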
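Review bot: The check in test.yaml only asserts that 12 alert events carry `alert.signature_id: 1`; nothing in the `match:` block ties those alerts to the DCERPC layer, so a regression in which the keyword matched on the wrong app-layer context would still produce the same count and pass. Adding `app_proto: dcerpc` under `match:` pins the alerts to the protocol the test is named for. The expected count of 12 is also unexplained; presumably it is one alert per request/response in input.pcap on the Netlogon interface, and a YAML comment above `count: 12` such as `# one alert per DCERPC request/response on the Netlogon iface in input.pcap` would let a maintainer re-derive it from the capture rather than trust the number.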