From 8c26f3afbb630b9817e2e89f32d91b3daa4d6908 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sat, 26 Nov 2022 15:31:17 +0100
Subject: [PATCH] tests: issue 5223 for 6

---
 tests/base64-issue-5223-6/README.md | 17 +++
 tests/base64-issue-5223-6/input.pcap | Bin 0 -> 474 bytes
 tests/base64-issue-5223-6/test.rules | 4 +
 tests/base64-issue-5223-6/test.yaml | 156 +++++++++++++++++++++++++++
 4 files changed, 177 insertions(+)
 create mode 100644 tests/base64-issue-5223-6/README.md
 create mode 100644 tests/base64-issue-5223-6/input.pcap
 create mode 100644 tests/base64-issue-5223-6/test.rules
 create mode 100644 tests/base64-issue-5223-6/test.yaml

diff --git a/tests/base64-issue-5223-6/README.md b/tests/base64-issue-5223-6/README.md
new file mode 100644
index 000000000..b7f05b823
--- /dev/null
+++ b/tests/base64-issue-5223-6/README.md
@@ -0,0 +1,17 @@
+Description
+===========
+Test corresponding to fix for the behavior of `base64_decode` keyword in case an
+invalid character is encountered.
+For handling of such cases, [RFC 4648](https://www.rfc-editor.org/rfc/rfc4648#section-3.3) has been taken into account.
+
+PCAP
+====
+PCAP comes from the redmine ticket [5223](https://redmine.openinfosecfoundation.org/issues/5223)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5223
+
+Reported by
+===========
+Brandon Murphy
diff --git a/tests/base64-issue-5223-6/input.pcap b/tests/base64-issue-5223-6/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5ecd467d31bd676325376d4264edfb0ccab230b0
GIT binary patch literal 474 zc-p&ic+)~A1{MYw`2U}Qfe}cjvad?o_LY~x49EuI`>esSB@6#K*N83G=3sDTV9)?5 zb6`tRI-1A zJkZFX%(=|mMAg`Zm&+r+xCCr~9?%3{E?zE>OJ^|h!Tl@I>c}3reDPG34s{Q_p_U57 L`C$KsFfafBN6LUP literal 0 Hc-jL100001
diff --git a/tests/base64-issue-5223-6/test.rules b/tests/base64-issue-5223-6/test.rules
new file mode 100644
index 000000000..98d08fed5
--- /dev/null
+++ b/tests/base64-issue-5223-6/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"base64 decode - no url_decode"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; startswith; sid:1; rev:1;)
+alert http any any -> any any (msg:"base64 decode - url_decode"; flow:established,to_server; http.cookie; url_decode; content:"foobar="; base64_decode:relative; base64_data; content:"|9e|"; sid:2; rev:1;)
+alert http any any -> any any (msg:"base64 decode - no url_decode, proves no base64_data buffer via pcre"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:relative; base64_data; pcre:"/./"; sid:3; rev:1;)
+alert http any any -> any any (msg:"base64 decode - no url_decode grab only the first two bytes"; flow:established,to_server; http.cookie; content:"foobar="; base64_decode:bytes 2,relative; base64_data; content:"|9e|"; startswith; sid:4; rev:1;)
diff --git a/tests/base64-issue-5223-6/test.yaml b/tests/base64-issue-5223-6/test.yaml
new file mode 100644
index 000000000..b21bf1ab4
--- /dev/null
+++ b/tests/base64-issue-5223-6/test.yaml
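Review bot: The msg of sid:3, `proves no base64_data buffer via pcre`, says the opposite of what the test asserts: test.yaml expects exactly one alert for signature_id 3, which can only happen if `pcre:"/./"` matched at least one byte of the decoded buffer, i.e. the buffer is populated after an invalid character is hit. Consider `msg:"base64 decode - no url_decode, proves base64_data buffer populated via pcre"` (with the matching alert.signature value in test.yaml) so the rule name states the property being checked. Separately, sid:2 is the only one of the three `content:"|9e|"` rules without `startswith`, so after url_decode it only proves 0x9e occurs somewhere in the decoded data rather than as its first byte; adding `startswith` would make it as strict as sids 1 and 4, if that is the intended comparison.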
@@ -0,0 +1,156 @@
+requires:
+ min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode
+ alert.signature_id: 1
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - url_decode
+ alert.signature_id: 2
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ #src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode, proves no base64_data buffer
+ via pcre
+ alert.signature_id: 3
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: base64 decode - no url_decode grab only the first two bytes
+ alert.signature_id: 4
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: alert
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: http
+ http.hostname: foo.bar
+ http.http_method: GET
+ http.length: 0
+ http.protocol: HTTP/1.1
+ http.url: /
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: http
+ dest_ip: 172.16.188.115
+ dest_port: 80
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 108
+ flow.bytes_toserver: 262
+ flow.pkts_toclient: 2
+ flow.pkts_toserver: 3
+ flow.reason: shutdown
+ flow.state: established
+ proto: TCP
+ src_ip: 192.168.237.128
+ src_port: 60078
+ tcp.ack: true
+ tcp.psh: true
+ tcp.state: established
+ tcp.syn: true
+ tcp.tcp_flags: 1a
+ tcp.tcp_flags_tc: '12'
+ tcp.tcp_flags_ts: 1a
--
2.47.2
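Review bot: In the check for signature_id 2, `#src_port: 60078` is commented out while the other five checks (the three other alerts, the http event and the flow event) all match `src_port: 60078`, so this one check would also accept a sid:2 alert raised on a different flow. The flow check asserts `count: 1`, so the pcap has a single flow today and the omission is harmless, but the asymmetry reads like a leftover from debugging; either restore `src_port: 60078` or add a short comment above it saying why sid 2 is matched more loosely than sid 1, 3 and 4.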