From 69edfc2797d3d9610422337e1f3e152646559228 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Mon, 27 Mar 2023 12:21:41 +0200
Subject: [PATCH] tests: add http_uri parsing test
---
tests/rules/http_uri/test.rules | 6 +++
tests/rules/http_uri/test.yaml | 87 +++++++++++++++++++++++++++++++++
2 files changed, 93 insertions(+)
create mode 100644 tests/rules/http_uri/test.rules
create mode 100644 tests/rules/http_uri/test.yaml
diff --git a/tests/rules/http_uri/test.rules b/tests/rules/http_uri/test.rules
new file mode 100644
index 000000000..e4d3ac653
--- /dev/null
+++ b/tests/rules/http_uri/test.rules
@@ -0,0 +1,6 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; bsize:<70; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:2;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; sid:3;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:4;)
+# urilen followed by "raw" content, make sure the urilen doesn't act as http.uri sticky buffer
+alert http1 any any -> any any (urilen:44; content:"abc"; sid:5;)
diff --git a/tests/rules/http_uri/test.yaml b/tests/rules/http_uri/test.yaml
new file mode 100644
index 000000000..45bd5c59e
--- /dev/null
+++ b/tests/rules/http_uri/test.yaml
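Review bot: Only sid 5 carries a comment, while sids 1–4 in the same hunk differ only in where the length check sits (`urilen` before `http.uri` in sids 1 and 3, `bsize` after it in sid 2, none in sid 4) and whether the second content is `fast_pattern` (absent only in sid 3), and nothing in the file says this is the matrix being exercised. A header comment above sid 1 would save the next reader a diff of the four lines, e.g. `# sids 1-4: urilen before http.uri vs bsize after it, with and without fast_pattern on the 2nd content; expected mpm/engine layout is asserted in test.yaml`. Sid 5 is also `alert http1` where sids 1–4 are `alert http`, which is presumably why the yaml expects a single http engine for it and an http2 plus http pair for the others; that is worth stating in the existing sid 5 comment so the protocol difference is not mistaken for an oversight.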
@@ -0,0 +1,87 @@
+requires:
+ min-version: 7.0.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "http_uri"
+ mpm.pattern: "=01&"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "urilen"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[2].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "urilen"
+ engines[1].matches[1].name: "content"
+ engines[1].matches[2].name: "content"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ mpm.buffer: "http_uri"
+ mpm.pattern: "=01&"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "bsize"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[2].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "bsize"
+ engines[1].matches[1].name: "content"
+ engines[1].matches[2].name: "content"
+- filter:
+ filename: rules.json
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "http_uri"
+ mpm.pattern: ".php?"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "urilen"
+ engines[0].matches[1].name: "content"
+ engines[0].matches[2].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "urilen"
+ engines[1].matches[1].name: "content"
+ engines[1].matches[2].name: "content"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ mpm.buffer: "http_uri"
+ mpm.pattern: "=01&"
+ engines[0].name: "http_uri"
+ engines[0].app_proto: "http2"
+ engines[0].matches[0].name: "content"
+ engines[0].matches[1].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "content"
+ engines[1].matches[1].name: "content"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ mpm.buffer: "payload"
+ mpm.pattern: "abc"
+ engines[0].name: "stream"
+ engines[0].matches[0].name: "content"
+ engines[1].name: "http_uri"
+ engines[1].app_proto: "http"
+ engines[1].matches[0].name: "urilen"
--
2.47.2
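Review bot: The filter for `id: 3` lists `filename: rules.json` twice in the same mapping (the two consecutive lines right after the third `- filter:`); duplicate keys are not valid YAML, so a strict loader rejects the whole test file and a lenient one silently keeps a single copy, and in either case the second line is a copy-paste leftover that should be dropped so the block matches the other four filters. The rest of the hunk is parallel across the five checks and reads correctly once that line is removed. Indentation is not reliably visible in this rendering, so the nesting of `match:` under each `filter:` is assumed to mirror the first check.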