From df3dd3ec426d98ac3c7ab47cf466248f58591de0 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Wed, 19 Feb 2020 09:19:42 -0500
Subject: [PATCH] tests/pcre: Add test to check sticky buffer

This commit adds test support to ensure that modifiers to pcre have the proper content.
---
 tests/pcre-invalid-rule-01/.test.rules.swp | Bin 0 -> 24576 bytes
 tests/pcre-invalid-rule-01/.test.yaml.swp | Bin 0 -> 12288 bytes
 tests/pcre-invalid-rule-01/README.md | 1 +
 tests/pcre-invalid-rule-01/input.pcap | Bin 0 -> 571 bytes
 tests/pcre-invalid-rule-01/test.rules | 233 +++++++++++++++++++++
 tests/pcre-invalid-rule-01/test.yaml | 59 ++++++
 6 files changed, 293 insertions(+)
 create mode 100644 tests/pcre-invalid-rule-01/.test.rules.swp
 create mode 100644 tests/pcre-invalid-rule-01/.test.yaml.swp
 create mode 100644 tests/pcre-invalid-rule-01/README.md
 create mode 100644 tests/pcre-invalid-rule-01/input.pcap
 create mode 100644 tests/pcre-invalid-rule-01/test.rules
 create mode 100644 tests/pcre-invalid-rule-01/test.yaml
diff --git a/tests/pcre-invalid-rule-01/.test.rules.swp b/tests/pcre-invalid-rule-01/.test.rules.swp new file mode 100644 index 0000000000000000000000000000000000000000..6258592bc23cbc7a7cca86ad7d6e223afc956fbe GIT binary patch literal 24576 zc-rmTdu&s67{>7*urbF)1jHFG$zdR2NVl%zvUP$Goov9kZCp2K&f3$pqgzK$JF;vO z6O4%o22o;Sz(Arz3@QYIXe3HRFa#Ci1vExUL;?Lr6BE%Hg5PatY%7IrWeCXoB%hqD zmvc@Z%G&qWuFSrqpis+Bw<~g=Qja9fUG;I=1M1mQr78jucd*7>U8}C23d8HQnURp+ zt%vpN-0sOMJIpXc?u-gOkkNWCTa6L&duuboh8Z?9s@);O=C7*J1AdP!6bTqMduH=h z=}kYFN+OYTFOjgl3Z*2y6RA)b$dHL?V$$Boc{4B9TaLUUZLA8yU_& z>8qMQ|8JfDe;=gOAsoauG++gsxNxshA7U@|;3?F@g=rX$#(_%hLK6k;$2;Y@F(zQYIDidrm35{~!c_;{~%!6Z#-#1{@%r-zI+5hMC%Gwdo0 zdTMjErY}=CQ!`eLf7Dqr)Aoejmb0?X(U4Z>u-hj#jLle@nyZzz-PdR69wU^ixr0?< zqblr7t+#tLyI#N8G(xtST4klJ>e(W#3JuMsjr^;x>+u-A9oVke>$Cg`En&r;artgtxlbau_ z=8aS}-+esvfDsBeA4eOTKff@~H7~DN)2nJV+jMPg-m>DnMe}CPy>elxinqlj(qa#^ zxLjK7ffkGI!WLV)GW{Os)DEZ8t>Oyh>37xBuc^{0@mHEJmBy@ea{QG(E|tctbW;44 zE|f}RR+<%mr3F%H%t{?sKZs76Tp&%xY%;TT|I%MK`WvHpb$=kjUfjBAn9cM5P-fEg zi7oSg>*x0;ne#uzZajwy%*J2L_6PAc-o#b};KLlGp)bxc<8Q_?%tk&Q#QnI)jQ=(E z;swk=GX7z{{~O0}1UvBz3XqE&BqI?QnDdX~RjfxQE;8T$g7Y|leRv6BEJP;GFz3I4 zEqEDzYaJjTbmp2Amn4cil2`gLP4 zexvWtP=^v^;~ew3Tug$43dPxuI zYh~df-bSO>$IR+rm1%T$>EYJ>wwfIMuh6BZgG~6>sPhIEqGVR>IIEfwx7#pHYgTR7 zah9y|_e{r4^M4&PuPeD_{&#e7{@;za(12Q$!if}IWX9hCKT5Fz6EF_RIM1wq1UpcK z6l?xZ!f9svFYyjGV+|JKGV}dm?8iQ9=3j?0%)lsI;xX*9KKIv?t;ZyhNF)-8MDm{| zt=(HzM;G6+>Nc-@N3V;cR%ZNTfP7=`8lBqX@AUTj{@$#-;#2I(`i93z}hBON_V6 TsK3nMpf0_f2@gRzuG_5Tqf>7I10=8&sdy>ZO?rgHnHoKjfZ4=RY z^epJXe?V_uMfBi7kM^oZFM@dY*UfLzq);t|nvzm{ANVlr%U7%uCO+bgX>GHue_xt*lR&(#lEA+d-=Nl(i(4 z?^RPqYNJz;qon1Rm+ZiIEfojS>P^>&l2v;lAckSKNo+i8sGIux()FW$HgQHAKQ_&E zVHk#C7=~e({|FOx(0#P~8rPQ_ZO0!i!!QiPFbu;m48t&c7uzMub`ss_qWb^;&ENk& zdx(C(uTa6;Fb{LE3w}RB^bLN258(>D2P1eA9)SDduWq7e@G*P@AHWnm4Nt)y`0_CB zfluKRI1UHkC3p_59wK@TU%}^a29ClJI0!!+Bzgzm!WVEFj=-yM0DeMltMEO10~cW) z&UUTkeH~tbpHYX8oxCR)hG7_HuOchHv7FGA8Ij(2L85`IMA9*}u4a#|3OXYSN=Cv8 
zMIzQx*g_lMDOHmfZY7GwL_*2MSZX5{q$!4fPb_ybRx#8jA)4PvCWEjb?uuncSOMBf zZHD@Eme55R1esRDp;HOFAj|Cxs-%v>GDftqO{`H@t+9q(TtV&SwK2RCh9zH$qO@J9 zT8i8E?;F`|W5R2h>h?rb_OfVy)Q$UUE_ADH&K9wDVJo$sX#Zw$6JwPK#ngUS7Fx=( zSoTeEeHCIZ_Pkb4&fsQor$+K)xm-RwIWv4MJDQ)$j!zEXoX(By_^V8$MeQqh;rW5o uB2uA)Y^9qN>9qlkh)%7~i-Vvlf)HETy@+ZxMm-x3Ztn;?Md_4uhJFK=4RMPA literal 0 Hc-jL100001 diff --git a/tests/pcre-invalid-rule-01/README.md b/tests/pcre-invalid-rule-01/README.md new file mode 100644 index 000000000..eabbda582 --- /dev/null +++ b/tests/pcre-invalid-rule-01/README.md @@ -0,0 +1 @@ +Ensure that PCRE buffer requirements are met diff --git a/tests/pcre-invalid-rule-01/input.pcap b/tests/pcre-invalid-rule-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bc6ba8ff9464e18bcba05a79b5252977d0a7caae GIT binary patch literal 571 zc-p&ic+)~A1{MYcU}0bclE0UAhkxJ7%@74-gD}@F>)RHm8T>t!jF~tXTp1XA7{VDC z8U&{@9$3M|I%k#}sDw3^)o`uVlFQ)=Sayf&&$bAOyMoh%mcEEOAAsG zOH!GW^K(J!7(q6Dd&|wR5~v4+A$CCQ1KGqln}NZB!9;KYC&(6%Z49R0${5>UonN8d z*Z?$v6$FW~=>QKaVwx-NN;AIxWrO9Amu%s!|Jk@rnwU^(01IU4{V Ct(Oh} literal 0 Hc-jL100001 diff --git a/tests/pcre-invalid-rule-01/test.rules b/tests/pcre-invalid-rule-01/test.rules new file mode 100644 index 000000000..8bf448758 --- /dev/null +++ b/tests/pcre-invalid-rule-01/test.rules 
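Review bot: Two Vim swap files, tests/pcre-invalid-rule-01/.test.rules.swp and tests/pcre-invalid-rule-01/.test.yaml.swp, are committed as binary blobs (see the diffstat and the `GIT binary patch` sections above); they are leftovers of an open editing session, not test inputs, and should be dropped from the commit. A Vim swap file carries the buffer text together with the editing user name, host name and absolute file path in its header, so committing one also publishes those environment details in the repository history. A `*.swp` entry in the project's .gitignore would keep this from recurring.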
@@ -0,0 +1,233 @@
+# failure cases
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ pcre:"/^(?:[A-F0-9]{2}){200,}$/P"; \
+ sid:1; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.uri; pcre:"/^(?:[A-F0-9]{2}){200,}$/P"; \
+ sid:2; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/I"; \
+ sid:3; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/Q"; \
+ sid:4; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/D"; \
+ sid:5; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/H"; \
+ sid:6; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/M"; \
+ sid:7; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/C"; \
+ sid:8; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/S"; \
+ sid:9; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.method; content:"GET"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/Y"; \
+ sid:10; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/V"; \
+ sid:11; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[a-f0-9]{2}){200,}$/W"; \
+ sid:12; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/M"; \
+ sid:13; \
+)
+# success cases
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.request_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/P"; \
+ sid:14; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.uri.raw; pcre:"/^(?:[A-F0-9]{2}){200,}$/I"; \
+ sid:15; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.response_body; pcre:"/^(?:[A-F0-9]{2}){200,}$/Q"; \
+ sid:16; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.header.raw; pcre:"/^(?:[A-F0-9]{2}){200,}$/D"; \
+ sid:17; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.header; pcre:"/^(?:[A-F0-9]{2}){200,}$/H"; \
+ sid:18; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.cookie; pcre:"/^(?:[A-F0-9]{2}){200,}$/C"; \
+ sid:19; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.stat_code; pcre:"/^(?:[A-F0-9]{2}){200,}$/S"; \
+ sid:20; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_client; \
+ http.stat_msg; pcre:"/^(?:[A-F0-9]{2}){200,}$/Y"; \
+ sid:21; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.user_agent; pcre:"/^(?:[A-F0-9]{2}){200,}$/V"; \
+ sid:22; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.host; pcre:"/^(?:[a-f0-9]{2}){200,}$/W"; \
+ sid:23; \
+)
+alert http $HOME_NET any -> $EXTERNAL_NET any \
+( \
+ msg:"suri 5 pcre fun"; \
+ flow:established,to_server; \
+ http.method; content:"POST"; \
+ http.uri; content:".php"; \
+ http.header; content:"|0d 0a|User-Agent|0d 0a|"; content:!"Referer|3a 20|"; \
+ http.method; pcre:"/^(?:[A-F0-9]{2}){200,}$/M"; \
+ sid:24; \
+)
diff --git a/tests/pcre-invalid-rule-01/test.yaml b/tests/pcre-invalid-rule-01/test.yaml
new file mode 100644
index 000000000..bf42d7355
--- /dev/null
+++ b/tests/pcre-invalid-rule-01/test.yaml
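Review bot: The last rule under `# failure cases`, sid:13, is identical to sid:7 apart from its sid — both pair `http.request_body` with `pcre:"/^(?:[A-F0-9]{2}){200,}$/M"` — so it adds no coverage while still driving the `13 rules failed` and the `"http request method"` expect: 2 counts in test.yaml. Either drop it and lower those two counts, or replace it with a buffer/modifier pairing that is not already exercised. Every rule also carries the same `msg:"suri 5 pcre fun"`, which makes a misfire hard to attribute from suricata.log; a distinct msg per case, or a `#` comment line before each rule naming the sticky buffer / modifier pair and whether it must load or be rejected (e.g. `# http.header sticky + /P (request body): must be rejected`), would document the intent. sid:10 is the only failure case with `flow:established,to_client` and `content:"GET"` while still using `http.request_body`, which looks unintentional and is worth confirming.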
@@ -0,0 +1,59 @@
+checks:
+
+ - shell:
+ args: grep "1 rule files processed. 11 rules successfully loaded, 13 rules failed" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep SC_ERR_INVALID_SIGNATURE suricata.log | wc -l | xargs
+ expect: 26
+
+ - shell:
+ args: grep "Expression seen with a sticky buffer" suricata.log | wc -l | xargs
+ expect: 13
+
+ - shell:
+ args: grep -o "use a sticky.*\"http request body" suricata.log | wc -l | xargs
+ expect: 2
+
+ - shell:
+ args: grep -o "use a sticky.*\"raw http uri" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http response body" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"raw http headers" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http headers" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http request method" suricata.log | wc -l | xargs
+ expect: 2
+
+ - shell:
+ args: grep -o "use a sticky.*\"http cookie header" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http response status code" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http response status message" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http user agent" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep -o "use a sticky.*\"http host" suricata.log | wc -l | xargs
+ expect: 1
+
+exit-code: 1
--
2.47.2
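Review bot: The checks key on exact log wording (`Expression seen with a sticky buffer`, `use a sticky.*"..."`) and on the `SC_ERR_INVALID_SIGNATURE` token, yet nothing restricts the test to a Suricata release that emits those diagnostics, so on an older build every count simply mismatches instead of the test being skipped; if the harness supports a `requires:` block with `min-version:`, add one for the first release carrying this check. The expected numbers are derived from test.rules rather than stated here — 26 appears to be two `SC_ERR_INVALID_SIGNATURE` lines per failing rule, and the expect: 2 entries for `http request body` and `http request method` correspond to sid:1/sid:2 and sid:7/sid:13 — so a comment above the second check such as `# 13 failing rules (sid 1-13), two SC_ERR_INVALID_SIGNATURE lines each` and one above the per-buffer checks naming the sids would save the next reader the cross-reference. The `| wc -l | xargs` pipeline is repeated fourteen times; `grep -c` states each count in one command, with the caveat that it counts matching lines rather than `-o` matches, which only differs if a line ever holds two matches.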