From fd7f75e762b96889ffe8274b76e9279ac5b1c932 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 27 Nov 2024 16:55:57 -0300
Subject: [PATCH] tests: add rule type checks for iprep rules

To accompany rule types documentation. Added these separately, as they require extra config files. As the test name still includes `rule-types`, it's still possible to both batches of tests at once. Related to Task #https://redmine.openinfosecfoundation.org/issues/7031
---
tests/iprep-12-rule-types/README.md | 5 +++
tests/iprep-12-rule-types/iprep.rules | 6 +++
.../scirius-categories.txt | 10 +++++
tests/iprep-12-rule-types/scirius-iprep.list | 15 +++++++
tests/iprep-12-rule-types/suricata.yaml | 17 +++++++
tests/iprep-12-rule-types/test.yaml | 44 +++++++++++++++++++
6 files changed, 97 insertions(+)
create mode 100644 tests/iprep-12-rule-types/README.md
create mode 100644 tests/iprep-12-rule-types/iprep.rules
create mode 100644 tests/iprep-12-rule-types/scirius-categories.txt
create mode 100644 tests/iprep-12-rule-types/scirius-iprep.list
create mode 100644 tests/iprep-12-rule-types/suricata.yaml
create mode 100644 tests/iprep-12-rule-types/test.yaml

diff --git a/tests/iprep-12-rule-types/README.md b/tests/iprep-12-rule-types/README.md
new file mode 100644
index 000000000..a44354843
--- /dev/null
+++ b/tests/iprep-12-rule-types/README.md
@@ -0,0 +1,5 @@
+# Test Description
+
+Check rule types with iprep keyword present: set, isset and isnotset options.
+
+Test setup copied and adapted from test `iprep-11-isset`.
diff --git a/tests/iprep-12-rule-types/iprep.rules b/tests/iprep-12-rule-types/iprep.rules
new file mode 100644
index 000000000..6ace6716f
--- /dev/null
+++ b/tests/iprep-12-rule-types/iprep.rules
@@ -0,0 +1,6 @@
+alert ip any any -> any any (sid:1; iprep:dst,2402000,isset;)
+alert ip any any -> any any (sid:2; iprep:dst,2402000,isnotset;)
+alert ip any any -> any any (sid:3; iprep:dst,2402000,=,0;)
+alert http any any -> any any (sid:4; iprep:dst,2402000,=,0;)
+alert http any any -> any any (sid:5; iprep:dst,2402000,isset;)
+alert http any any -> any any (sid:6; iprep:dst,2402000,isnotset;)
diff --git a/tests/iprep-12-rule-types/scirius-categories.txt b/tests/iprep-12-rule-types/scirius-categories.txt
new file mode 100644
index 000000000..7b1ea8c8d
--- /dev/null
+++ b/tests/iprep-12-rule-types/scirius-categories.txt
@@ -0,0 +1,10 @@
+1,2520000,ET TOR Known Tor Exit Node Traffic
+2,2522000,ET TOR Known Tor Relay/Router (Not Exit) Node Traffic
+3,2403300,ET CINS Active Threat Intelligence Poor Reputation IP
+4,2525000,ET 3CORESec Poor Reputation IP
+5,2400000,ET DROP Spamhaus DROP Listed Traffic Inbound
+6,2500000,ET COMPROMISED Known Compromised or Hostile Host Traffic
+7,2404033,ET CNC Shadowserver Reported CnC Server
+8,2404000,ET CNC Shadowserver Reported CnC Server IP
+9,2404300,ET CNC Feodo Tracker Reported CnC Server
+10,2402000,ET DROP Dshield Block Listed Source
diff --git a/tests/iprep-12-rule-types/scirius-iprep.list b/tests/iprep-12-rule-types/scirius-iprep.list
new file mode 100644
index 000000000..d1de253a9
--- /dev/null
+++ b/tests/iprep-12-rule-types/scirius-iprep.list
@@ -0,0 +1,15 @@
+#8.8.8.8,10,100
+4.4.4.4,10,100
+104.244.72.152,1,100
+51.210.242.169,1,100
+193.218.118.100,1,100
+51.210.242.133,1,100
+91.192.103.50,1,100
+198.251.80.157,1,100
+135.148.33.65,1,100
+199.249.230.89,1,100
+46.194.44.245,1,100
+45.153.160.137,1,100
+135.148.33.89,1,100
+185.242.113.224,1,100
+37.139.8.104,1,100
diff --git a/tests/iprep-12-rule-types/suricata.yaml b/tests/iprep-12-rule-types/suricata.yaml
new file mode 100644
index 000000000..803a008b0
--- /dev/null
+++ b/tests/iprep-12-rule-types/suricata.yaml
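Review bot: iprep.rules gives no hint of why sids 1-3 are `ip` rules and sids 4-6 repeat the same three iprep forms as `http` rules, so the file cannot be read on its own without opening test.yaml, where the expected types (`ip_only` for 1-3, `pkt` for 4-6) live. Rule files accept `#` comments; a header such as `# sids 1-3: ip rules, one per iprep form (isset / isnotset / =,0) - expected type ip_only` and `# sids 4-6: same forms on http rules - expected type pkt` would record the pairing the checks depend on. It would also reconcile the README, which describes the options as "set, isset and isnotset", with the `=,0` form the rules actually use.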
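Review bot: scirius-iprep.list still carries a commented-out first entry `#8.8.8.8,10,100` and fourteen real public addresses, none of which are exercised: test.yaml sets `pcap: false` and runs `--engine-analysis` only, so the file is parsed but never matched against traffic. Consider trimming it to the one entry the rules' category needs (`4.4.4.4,10,100`, category 10 = 2402000 in scirius-categories.txt), and if the copy from `iprep-11-isset` is deliberate, prefer RFC 5737 documentation addresses such as `192.0.2.1,10,100` so the fixture does not embed third-party infrastructure addresses. That the remaining entries come from a live reputation feed is inferred from the category names, not from anything in the hunk.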
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+reputation-categories-file: scirius-categories.txt
+reputation-files:
+ - scirius-iprep.list
+
+engine-analysis:
+ # enables printing reports for each rule
+ rules: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
diff --git a/tests/iprep-12-rule-types/test.yaml b/tests/iprep-12-rule-types/test.yaml
new file mode 100644
index 000000000..4b193c9de
--- /dev/null
+++ b/tests/iprep-12-rule-types/test.yaml
@@ -0,0 +1,44 @@
+requires:
+ min-version: 7
+ pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ type: "ip_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ type: "ip_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ type: "ip_only"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ type: "pkt"
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ type: "pkt"
--
2.47.2
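Review bot: The `outputs:` / `eve-log:` block at the end of suricata.yaml appears to be dead configuration: test.yaml runs with `pcap: false` and `--engine-analysis`, and every check reads rules.json rather than eve.json, so nothing consumes the alert log. Dropping the block, or annotating it with `# eve-log kept from iprep-11-isset; not read by this test`, would keep this minimal config honest about what it exercises. Whether engine-analysis mode even initialises the output is not visible here, so this is a clarity point rather than a defect.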
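Review bot: `min-version: 7` in test.yaml may be too loose: the rules depend on the `isset`/`isnotset` forms of iprep and the checks on the `type` field of rules.json, and if either arrived in a 7.0.x point release rather than 7.0.0 the test fails on earlier 7 builds instead of being skipped. The `iprep-11-isset` test this was copied from presumably carries the correct floor; reuse its `min-version` value here and record the reason with a comment such as `# isset/isnotset and rules.json "type" need <first-supporting-version>`. I cannot confirm from the hunk which release introduced either feature, so treat this as something to verify against that sibling test.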