From 4798439f6349cb97b8722d93846ddad50faa37ae Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 27 Jan 2023 16:55:00 +0100
Subject: [PATCH] tests: add frame ips test
---
 tests/http-gap-simple-frames-ips/README.md | 13 ++++
 tests/http-gap-simple-frames-ips/input.pcap | Bin 0 -> 2818 bytes
 .../http-gap-simple-frames-ips/suricata.yaml | 22 ++++++
 tests/http-gap-simple-frames-ips/test.rules | 3 +
 tests/http-gap-simple-frames-ips/test.yaml | 69 ++++++++++++++++++
 tests/http-gap-simple-frames-ips/toaddgap.txt | 53 ++++++++++++++
 6 files changed, 160 insertions(+)
 create mode 100644 tests/http-gap-simple-frames-ips/README.md
 create mode 100644 tests/http-gap-simple-frames-ips/input.pcap
 create mode 100644 tests/http-gap-simple-frames-ips/suricata.yaml
 create mode 100644 tests/http-gap-simple-frames-ips/test.rules
 create mode 100644 tests/http-gap-simple-frames-ips/test.yaml
 create mode 100644 tests/http-gap-simple-frames-ips/toaddgap.txt
diff --git a/tests/http-gap-simple-frames-ips/README.md b/tests/http-gap-simple-frames-ips/README.md
new file mode 100644
index 000000000..73de7efbc
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/README.md
@@ -0,0 +1,13 @@
+# Description
+
+Test http gap handling
+
+This test case contains a single simple gap in response body with defined content-length
+
+# PCAP
+
+The pcap comes from running
+`python test/htptopcap.py toaddgap.txt`
+With the attached toaddgap.txt
+
+Then removing packet 17
diff --git a/tests/http-gap-simple-frames-ips/input.pcap b/tests/http-gap-simple-frames-ips/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5edd0f198d51e6a6e2a96f3aae46a6253d3aa59f
GIT binary patch literal 2818 zc-pm<%Wo1<6o)TR9~n!uCc?N7raMinFtk<6#!{&@!A6Ss0NMh@5lBXc(82gf)PxO5 zyJ%OWabay@qB~;ZPLn34hAyyCn`#;tZZuu?FK9iNJJ5myy_4vKL&(hV-S7P72k$|l4r;LGXgb@tl1p<%y~xh7=p2^lBnN=IV}!N^>c zQYj%OC#95=i;2=CIVD5$UH%7Y;K{;$*_M#+iaQss2&uT7aB{q(n#=D1^<0#or*+8X zt6DDYL4+ zsWNR2x@kKQqMo)5SaTD+SJk`+fb$HIQaFW{92PiJdraHE9HevhYRkzG^`qL%mn|M> zc}1<|g%Ir^Sv<9t8wSZ$cVOy@HoHJGyTYg@P8>L&)HpZBsJo1-bZJ)a^6{7^yKI9U zrkXLQL~oaEVrTx_?w2;Z9N3lB>=wqU?Q-;XpT{-X%{H^+!_-?1;jqB*)^jRbO*h?E z;|B2RF^; z%T_%Eu&frqqX=z~R(&Oa4)q}CwD}kseAp`I(1b=#hdReSLEV=DSjQU%1asIw&5Xx0 literal 0 Hc-jL100001
diff --git a/tests/http-gap-simple-frames-ips/suricata.yaml b/tests/http-gap-simple-frames-ips/suricata.yaml
new file mode 100644
index 000000000..3bcb3d6d5
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ # app layer frames
+ - frame:
+ enabled: yes
+ - anomaly:
+ enabled: yes
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - http:
+ extended: yes
+ - files
diff --git a/tests/http-gap-simple-frames-ips/test.rules b/tests/http-gap-simple-frames-ips/test.rules
new file mode 100644
index 000000000..7199fa804
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/test.rules
@@ -0,0 +1,3 @@
+drop http any any -> any any (frame:http1.response; content:"|0d 0a|AAA"; sid:1;)
+# shouldn't match
+drop http any any -> any any (frame:http1.response; content:"|0d 0a|AAA"; endswith; sid:4;)
diff --git a/tests/http-gap-simple-frames-ips/test.yaml b/tests/http-gap-simple-frames-ips/test.yaml
new file mode 100644
index 000000000..8f41b1a9d
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/test.yaml
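Review bot: The `types:` block under `anomaly` in suricata.yaml is entirely commented out (`# decode: no`, `# stream: no`, `# applayer: yes`, `#packethdr: no`), so it configures nothing while looking like it does, and the inconsistent `#packethdr` spacing suggests it was pasted from another fixture. Since the test.yaml in this commit asserts only on http, fileinfo, alert and frame events, drop those five lines, or replace them with one comment naming which anomaly types the test actually depends on. Dead knobs in a fixture make later diffs against the other http-gap tests noisier than they need to be.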
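Review bot: The `# shouldn't match` comment on sid 4 in test.rules gives no reason, and the sid jump from 1 to 4 suggests both rules were copied from a sibling test with sids 2 and 3 dropped. Presumably `endswith` cannot match because `|0d 0a|AAA` is followed by more body bytes in the `http1.response` frame, gap or not, but a reader cannot tell whether the negative check targets `endswith` semantics or the gap itself; please confirm and state it, e.g. `# shouldn't match: |0d 0a|AAA is never the tail of the http1.response frame`. If the gap in sid numbers is deliberate to mirror another test, a comment saying so would save the next reader the same question.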
@@ -0,0 +1,69 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 7.0.0
+
+# disables checksum verification
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+
+ # Check that there is one file event with content range.
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/1"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/2"
+ http.status: 200
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ http.url: "/3"
+ http.status: 200
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.size: 14
+ fileinfo.state: "CLOSED"
+ fileinfo.gaps: false
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.size: 14
+ fileinfo.filename: "/2"
+ fileinfo.state: "TRUNCATED"
+ fileinfo.gaps: false
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 15
+ alert.action: "blocked"
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: frame
+ app_proto: http
+ frame.id: 2
+ frame.stream_offset: 0
+ frame.type: request
+ frame.length: 40
+ frame.direction: toserver
+ frame.tx_id: 0
diff --git a/tests/http-gap-simple-frames-ips/toaddgap.txt b/tests/http-gap-simple-frames-ips/toaddgap.txt
new file mode 100644
index 000000000..c6859edfa
--- /dev/null
+++ b/tests/http-gap-simple-frames-ips/toaddgap.txt
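Review bot: The comment `# Check that there is one file event with content range.` sits above three `event_type: http` filters and describes neither them nor the fileinfo checks that follow, so it reads as a leftover from another test; I would replace it with `# /1 and /2 are seen as http transactions; /3 must not be, as the flow is dropped earlier` (the drop itself I infer from the `alert.action: "blocked"` filter on sid 1). The first fileinfo filter pins `fileinfo.state: "CLOSED"` but no filename, unlike the `/2` filter below it; adding `fileinfo.filename: "/1"` makes the check say which file it is about. The only frame filter covers a toserver request frame, while the rules inspect `http1.response`; nothing pins a toclient frame, so a regression in response-side frame emission under `--simulate-ips` would pass unnoticed. Consider a second frame filter with `frame.direction: toclient` once the expected length and offset are confirmed from the eve output.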
@@ -0,0 +1,53 @@
+>>>
+GET /1 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Date: Mon, 31 Aug 2009 20:25:50 GMT
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+
+<<<
+Hello World!
+
+>>>
+GET /2 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 70
+
+
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+<<<
+AAAAAAAAAAAAAA
+>>>
+GET /3 HTTP/1.0
+User-Agent: Mozilla
+
+
+<<<
+HTTP/1.0 200 OK
+Server: Apache
+Connection: close
+Content-Type: text/html
+Content-Length: 12
+
+Hello People
-- 
2.47.2