From f281fc24f110923c3e189df80d75ca9ad3446449 Mon Sep 17 00:00:00 2001
From: Eric Leblond <eric@regit.org>
Date: Sun, 13 Oct 2019 12:19:28 +0200
Subject: [PATCH] base64: add basic tests

---
 tests/base64/README.md  |   1 +
 tests/base64/input.pcap | Bin 0 -> 9607 bytes
 tests/base64/test.rules |   6 ++++++
 tests/base64/test.yaml  |  31 +++++++++++++++++++++++++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 tests/base64/README.md
 create mode 100644 tests/base64/input.pcap
 create mode 100644 tests/base64/test.rules
 create mode 100644 tests/base64/test.yaml

diff --git a/tests/base64/README.md b/tests/base64/README.md
new file mode 100644
index 000000000..4fb949a2a
--- /dev/null
+++ b/tests/base64/README.md
@@ -0,0 +1 @@
+Match on base64 operations.
diff --git a/tests/base64/input.pcap b/tests/base64/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..392ce8d9acb1882182f203398533861d0a46ce06
GIT binary patch
literal 9607
zc-pl&OKc;_b(D5CYthhR9ORHgKBZn;?4D_M^E3L9YK=9Tne}F8R+AlS5ksW4#qMIW
zq-J+-S5XpIBCtS!#Q7X@jsbhuA0Ro#27>sQ_!0zxk%O_w#ef0B#s<D@-~c(~uz6M8
zO*SdcjAmCBM6#>u)%(AC?^XZgN8kToK6foQ{=1f&gYUWj{&wpl>*d_n;8}eB=ih$u
zdN2CVN59;xJo>YrzMcDnzssq=_2nCLFRz&Y_=UGWR&rms|FsXlf#$aVBbWc*zf4fg
zeUIlJefgz3buoB<{uA|IKFa0huf6!!*XBQ$$N&0!9SQWp3oi+3KYx2nEv6IG1ZtnV
z`$s@+V;cK3_1vTH@ejWK(JMf4^Znlr{-&IvroVG|C@7}X{tu|V1xVhSEgQPDY@0yw
zi|<{Z`{c*J1Cw)7u0T)|REqfJ+z$cxhqI~t>2p%~-MLRb_|=F?D5$)8uYt_lIC3rL
z)oy54ym!C)CvSRo^^adiUuiTRnPsEAnEy(^cnx)f9x)=~Qf>s1yO`f&Br0yZ#D_Jz
zA9?1QvASxM7W3P-O+uKwVcuBGFXn|HfB08pb<Hpiy0me=2*P~pz3aK3{rKNwK|qL}
z5M~~z{Niutb8me<CqEadeEw5V`PEA!D&G-QQk|emsf2c4U(DadoYc_czOSQl746y_
zR>~Wwv{AcNs+HH!s}CEC`Nt$WCQ%J-huH2Cvtrybs_RI-OWG9s+G73z^^a<3v&(tN
zYNk1<X!9g29<snUx9TV&o~5K<IHbmjgisdqZ{cVF1f=GR_k25Ws1G)3MA&B?uv0n(
zrt0?nBjPOPcLJY-@rsQ>2qJKD%FQnCd3Aum5hL8%Yuqoc3kz0O?8;((bLsBxPUEYO
z?jZrTmEROU$iu#CDa0@CJywwIVa6=Q4}fDuKoIO~<rg-4gyRufMdDRP^FHnoOF5?G
zBn%=BNMgP$<%BxCYdPeY+N3B4I-)-16njNxV~<#6iNyo;#i|LTphG>Ppl(Duv8F&#
zZZCADo=!WyS(bYiHklpKkZ-A-zHf6H_^OabI}_iA6yptG3t4D#0?ZP6*e0skY)dJd
zZBs8CvVu0$R41_eJ>c9(AMSZX{Al$}Ga;AX<dl14s}UeDdjAw*-$89M2;gT4Ex)o}
zDVOW$k%uXx5krI{=SP3fsOR+=@W_zUM?HWg@a>SuC!1!BFF#g7!SPu!1o;WKyM<U2
z1=H++R+-@jf$I_Q9A?--uYk-;>}0W*Wq{+A)DIKPjAKsi7_A)zj0F*OsUKqotYB83
z*nEnnf;|p`Kolv6gCoL37<$yk!X{?K*v-?P2TMXqOL>CYBK%H2sH6LYI9b!rh@}pI
zn96UCg`J=$EY2>&i=Dt`nOZ6qQKL&4Vw4lqXM`c%CFoUYHni<yZvaYWs69Xr!5@I{
z*L+6ZE>H};zEJn^8k{Z_R786W!acKvN7z0RQ$>_AbaHZH^kOtLK_l#EqGE9i;yw1+
zL?`lmIK;;|o>h>8IWF2A%m%(~DIM%FqQI_&V;rF#J%9sGxGYNlEL4!373yOc$<hHx
z8Kp2h>XQtBA0#jl!Egi$ByxWO;ZTO#9(l|ovEt%lGEv;yE>@~*>s9y^%VGy?FmIsy
zNvtCtAct`9MihjcI4J0Ip=^k_8zz9JX97AnaB)L00D5M-0(7^}RSlg1&_YCbKl0Hi
z>g^ynqQsyOo~OGVHN)IZRIr3(1r2SXVp&KqOnJH+gN@BYJJRI9SW&PQV@2eYGO$j}
zAAqP&<SpUu1o#L}_QzbbGU^>s-%Y5DBz~g&02z#AN7GUR?iupdf$fk+gjtPlUq{t4
zx=U<GkQ*DQQmw6Qz(3k+?9@?+;h;CAX%TuB=L@L@COs&Tdwif%o#}z@>XDB1o_0p}
z3vn2YLSnalC=R5S71il})Uw3a`T1zSCh;w(V%m7eihs_}_gk6~_E}ejqDiWNX+vEu
zdRF;{Pfn1i2~@3)Er=#?Tuzcapaz;QQTAZPC24wKcLojYitGXa`=wSL8*xyT;fY1I
z<<@&fh$8@f15SN#Fc6pDA)O#1st`@!g!B{ZO;0VO7ve}Q=!H1a<FmhrQ}Jb}k4KQi
z^g_nq1uc%7h0L5<hy^O>s4y90FoF9#fKAgoAmxiy;MOLOA3uO+Vatnf5qYN%z9L}3
z^pIr-9U#>Q?<qVLSe)b389xa@W^v&IOd-TB5tW977$O3PR_r#Aomk)z!wXy$DGCz8
zXPqhWE)g^7=?R4i@q!RejYPGR3Ki>apE`uWN$+_?;u$X=GBXag1$mVDK@fJt0e697
zdd~QL&y!3o4C@oy#KNc8nyBXa_K7O{+BfE}ruF&O2VeiSXnj8Z=WnM?$?rErr7fuZ
z(>LdHA70PN&&68)`umry<$pb@<v;%O$yy$C5Q6lH9t@}*c_4CKENUns6qaMdq;qWM
z9Fzc)lS024_nWC>0pk&2x6wgjz}V&87)N}@NeIhAB{bTYSSNuRj<I#Jxb|UZvE0hy
z62b)?09yitg&;ot(D}L82s6UkVw8dzUCMW`=e0qGcuOioA;Zi>;1u2nIEwndFA~|T
zETR@5IgEKMwP2_q1O7B9rfdu+IT{3g03o1I4s!yNJmraF0O-wGWr0?Iie`8;7%@8`
zlbUWDBB=H3E>g*<lq<VEar}%3$(jDtxPc^)3ar(iga`cV&LHVB#&J9oZW}D~6nguu
zClZNBFE}Ps?wMrRiPK&r*~~cADCCt`0#L`Oi&=~dRr6AHsjMYO4c8N@$*nP4#=%Jl
zOdrz6gmbVy1IEsjHfCfm@|0RqO*hSE+L$y=+Jj@AHQ}6%NYj*?o6zVP6{FNN*D9xL
zm8Pla3ebf8M(DdRV8`yK!v`BBHu$|4BZMb04*HPcl-ijBAps60w<Y)``pNRYDf)Wq
z+g{%hq@a@&6LM1#x)N|~V)UpF+3Yry($<PmHp<FyC=%Pk(#R9A-qvmHY!qsan9<I}
zX<%DWI)VO-P89TZp!eQ^;-M~jS%RZCA@tRfUeb?@xUoJmx<uGZ(>()PXs-dvQf)(Y
zLIagUN1|g5z)M<P7T(s8!2_ss@ZOsbz(GDe)^-LfnZlYD*l;+J;YdWNd13+Eb=pyv
zyz}#=F>)>5vsA9L6ACe{dWLYdJD^Rd4us<cp(2<G#0A4@sf4PP@Dy!F6nhGYcxD5n
z(($mX)Dl!`+j7+Xm6htss=l(iUV-oQxxCTRCsx)grRv18rY$c|AXuwbE3j6sti$)M
zN_G5PUeC;z$IsQ$Z1`JiW8xBPOgsZRIRW^mAj(q{K<ODcfTpG|wY9obQ{v%?nMP6y
z$hFmyzOlAZ(N|YW)l^IAg2b6w6)1<P;l_sUq=vSw_EaIQB*z9YA}eI9+lE6r5GS@V
z`+(8gvny^zTu~{a>=s@LnS7^9Jx8^*p`h&QU7hNO`q4!WZ0rMa1w0$P7EsIEv{Syk
zoE@o31(4UF_Eit9?I^+nHFhpNQJw~jvwkQpzL<3e1!XjVu<+g5Qb`|=?wyKjz5B2c
z=AqfJN_Dz<m{tq)=1pykW&d!WwptcZ#cvk9F~(=joLyd?#-hi}Lhcts@Z_2M#@t!Y
zSieX?8t}8BT*^QQc0uI3yAR(4vkt7KGK?bem?nKI)81tPL9H_>ou8}S$vqS3ROtQM
z26mi#$KVwYphqV@iEgVG=TrrVC0DKw0_+e+0q0sOYdW3*>j6ZvuGLh4;2hgs38X54
zpDb&F_T-A>PF%$iyNi97D0+r@$V|P^Bb+F3q_$&89t&7um}$8*O_$o2Y3=;{Y^b|N
zCbQk{s1swY<{C-jUS4($ev&+@0xlV8x)>x-nx+je^sG-P0c1ZnzC;z(1Rsb?lX0xu
zOx!rrp1@yZJ?fExE{75kI?FF4U1beXU*rO`M0>*8*yn(~9Yl_}qW6P~E2l-)#lY6A
z)i}S^P?_{57i0pQG2esgm-;m*=#A3a^dh(&lu_6#Vvo82R4f@65D4?QQPB6DS^R|H
zOY)k(G%-IE#hXys#C>@|PO&b579CN?DuC+RUSJ;;J=%_NG$?{r3n+8nJM-;CTEz$(
zn4o2DP9TX1%VGuq#??$AHeVq%Ujg-qL$Or=ADq6KekP;53+M9Huq#nrExX|VJ|8f8
z$_aF3^1}QAubHd#iA#Dx>vji&M-QxrB#P(><e@H!zEs`5RVsa{va=??H{>_WP!7&x
z$Md7-jnVVk&O<>25Me%nVr}O&KW^rr0E<_aUny1B>#W}vuWewO`T#3`i=c$hq7YXc
zb5xMKoXwJVLa}X_IiXK;j4bmwGG5iVb(O}Gt5?7@<KmX%C*QoXyOh6p;k)l$pZl+W
zP)Bzud+A-u557B}`|!n_{9L?CdGWG$DL^5;OL^td<Xwsg@ZV6h#KC!0Y8NptF^(Oi
zQYx>PE7j7oS%#)}pLUSP(QEfmxzu_NDd<%(Pf3>X)zW%-^%9KlLuE@lE$GFkq}X^q
zA=a-<iuEfMWBvKWSi3SY);_Bk*=v!)RM%42%9}S3!0+7MZfx(P8)ja<7@K@$cK{8(
z;M0*8C5P;Qh+>c(q;Hgznj&u8q33`aMwX5TK!*78jWR4k@uibfq8~CnbUJz%a-F;H
z>hID}KlK=FqkdbI8wcVojo7e%)>OoEQ>itTX0vI!f%tAJdQ<Umn|N{occ3Y!P#rdv
zp+3Dsybcy`Kb>c6Yyo*;mxKP)UCpGi1Qcf7tjO^T$zfe+u+`cUy34$Uf2!7zXepoV
x74ZvK$T?H*RUp4d#S^F}!-#;7U<TQfnTO0w?UcROiQkECWmvlyo|j<u{{ilT9yb60

literal 0
Hc-jL100001

diff --git a/tests/base64/test.rules b/tests/base64/test.rules
new file mode 100644
index 000000000..50217b044
--- /dev/null
+++ b/tests/base64/test.rules
@@ -0,0 +1,6 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest"
+alert http any any -> any any (msg:"Example"; http.uri; content:"arg"; base64_decode:bytes 17, offset 1, relative; base64_data; content:"thisisatest"; sid:1; rev:1;)
+alert http any any -> any any (msg:"Example"; content:"arg"; http_uri; base64_decode:bytes 17, offset 1, relative; base64_data; content:"thisisatest"; sid:2; rev:1;)
+alert http any any -> any any (msg:"Example"; http.uri; content:"arg"; base64_decode:bytes 10, offset 1, relative; base64_data; content:"test"; sid:3; rev:1;)
+alert http any any -> any any (msg:"Example"; http.uri; content:"arg"; base64_decode:bytes 17, offset 1, relative; base64_data; content:"toast"; sid:4; rev:1;)
diff --git a/tests/base64/test.yaml b/tests/base64/test.yaml
new file mode 100644
index 000000000..7bc37ceba
--- /dev/null
+++ b/tests/base64/test.yaml
@@ -0,0 +1,31 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  min-version: 5.0.0
+
+args:
+  - -k none
+
+pcap: input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+         event_type: alert
+         alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+         event_type: alert
+         alert.signature_id: 4
-- 
2.47.2