From e0b79ad8d32a19bfc7abd3a97c16358ac4e6ab0e Mon Sep 17 00:00:00 2001 
From: Juliana Fajardini
Date: Tue, 24 Oct 2023 16:51:13 -0300
Subject: [PATCH] tests: add more uricontent tests
---
 .../uricontent/detect-uricontent-04/README.md | 10 +++++
 .../detect-uricontent-04/input.pcap | Bin 0 -> 151 bytes
 .../detect-uricontent-04/test.rules | 4 ++
 .../uricontent/detect-uricontent-04/test.yaml | 27 +++++++++++++
 .../detect-uricontent-04/writepcap.py | 9 +++++
 .../uricontent/detect-uricontent-05/README.md | 10 +++++
 .../detect-uricontent-05/input.pcap | Bin 0 -> 152 bytes
 .../detect-uricontent-05/test.rules | 4 ++
 .../uricontent/detect-uricontent-05/test.yaml | 32 +++++++++++++++
 .../detect-uricontent-05/writepcap.py | 10 +++++
 .../uricontent/detect-uricontent-06/README.md | 18 +++++++++
 .../detect-uricontent-06/input.pcap | Bin 0 -> 148 bytes
 .../detect-uricontent-06/test.rules | 5 +++
 .../uricontent/detect-uricontent-06/test.yaml | 37 ++++++++++++++++++
 .../detect-uricontent-06/writepcap.py | 10 +++++
 .../uricontent/detect-uricontent-07/README.md | 10 +++++
 .../detect-uricontent-07/input.pcap | Bin 0 -> 151 bytes
 .../detect-uricontent-07/test.rules | 4 ++
 .../uricontent/detect-uricontent-07/test.yaml | 32 +++++++++++++++
 .../detect-uricontent-07/writepcap.py | 10 +++++
 20 files changed, 232 insertions(+)
 create mode 100644 tests/uricontent/detect-uricontent-04/README.md
 create mode 100644 tests/uricontent/detect-uricontent-04/input.pcap
 create mode 100644 tests/uricontent/detect-uricontent-04/test.rules
 create mode 100644 tests/uricontent/detect-uricontent-04/test.yaml
 create mode 100644 tests/uricontent/detect-uricontent-04/writepcap.py
 create mode 100644 tests/uricontent/detect-uricontent-05/README.md
 create mode 100644 tests/uricontent/detect-uricontent-05/input.pcap
 create mode 100644 tests/uricontent/detect-uricontent-05/test.rules
 create mode 100644 tests/uricontent/detect-uricontent-05/test.yaml
 create mode 100644 tests/uricontent/detect-uricontent-05/writepcap.py
 create mode 100644 tests/uricontent/detect-uricontent-06/README.md
create mode 100644 tests/uricontent/detect-uricontent-06/input.pcap
 create mode 100644 tests/uricontent/detect-uricontent-06/test.rules
 create mode 100644 tests/uricontent/detect-uricontent-06/test.yaml
 create mode 100644 tests/uricontent/detect-uricontent-06/writepcap.py
 create mode 100644 tests/uricontent/detect-uricontent-07/README.md
 create mode 100644 tests/uricontent/detect-uricontent-07/input.pcap
 create mode 100644 tests/uricontent/detect-uricontent-07/test.rules
 create mode 100644 tests/uricontent/detect-uricontent-07/test.yaml
 create mode 100644 tests/uricontent/detect-uricontent-07/writepcap.py
diff --git a/tests/uricontent/detect-uricontent-04/README.md b/tests/uricontent/detect-uricontent-04/README.md
new file mode 100644
index 000000000..979c58016
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where path traversal is sent as a path string in the HTTP URL and
+normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-04/input.pcap b/tests/uricontent/detect-uricontent-04/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..cf4374517ec0c1df1e28edc35086a2445150d361
GIT binary patch literal 151 zc-p&ic+)~A1{MYw`2U}Qfe}bgueVHo-1=D_yd z{=f=GRv>0%Fl7jUnGztOz;M};fx+E1L_uFq4}>yv6Vp?R_0lub6g)yg0`v{_40*Xc c@{3EX6w1rX^;|0)a|3c*^^*O4dAWGG0I??|kpKVy literal 0 Hc-jL100001
diff --git a/tests/uricontent/detect-uricontent-04/test.rules b/tests/uricontent/detect-uricontent-04/test.rules
new file mode 100644
index 000000000..541e38507
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest01"; http.method; content:"GET"; sid:1;)
+alert tcp any any -> any any (msg:"Check hostname"; http.host; content:"www.example.com"; sid:2;)
+alert http any any -> any any (msg:"Check http.uri"; http.uri; content:"/images.gif"; sid:3;)
+alert tcp any any -> any any (msg:"Check uricontent"; uricontent:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-04/test.yaml b/tests/uricontent/detect-uricontent-04/test.yaml
new file mode 100644
index 000000000..a1a64a912
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/test.yaml
@@ -0,0 +1,27 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-04/writepcap.py b/tests/uricontent/detect-uricontent-04/writepcap.py
new file mode 100644
index 000000000..c467b9a09
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/writepcap.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80, flags='P''A')/"GET /../../images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-05/README.md b/tests/uricontent/detect-uricontent-05/README.md
new file mode 100644
index 000000000..0efd3f8f8
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/README.md
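Review bot: detect-uricontent-04/test.yaml never asserts on sid 4, yet that rule (`uricontent:"images.gif"`) is the one that inspects the normalized buffer for the `/../../images.gif` request this test exists to cover; tests 05 and 07 do check their `uricontent` rule. As written, a regression in `uricontent` matching on traversal paths would leave this test green. I would add, before the `event_type: http` filter, a fifth alert check mirroring the sid 3 one, equivalent to `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 4}}`, with the expected count presumably 1 as in the sibling tests.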
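Review bot: `flags='P''A'` in the TCP() call spells `'PA'` through implicit adjacent-literal concatenation, which reads like a typo; `flags='PA'` says the same thing directly. `pkts += Ether(...)/...` likewise extends the list by iterating over a Packet and only works because Scapy packets are iterable; `pkts.append(Ether(...)/...)` makes the intent explicit. Both idioms recur in the writepcap.py of tests 05, 06 and 07. A one-line module docstring naming the request this script emits (here a dot-dot traversal, `GET /../../images.gif`, that the engine is expected to normalize before matching) would also spare readers a trip into the string literal.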
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where path traversal is sent in special characters in HEX coding in
+the HTTP URL and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-05/input.pcap b/tests/uricontent/detect-uricontent-05/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..90e7a5d8b6356b6bb35f715612d141161bde6a47
GIT binary patch literal 152 zc-p&ic+)~A1{MYw`2U}Qfe}bI)?23TbmCwr0J00f;vm4l$i&RT%E92uz>ow|=D_yd z?!XF0Rv>0%Fl7jUnGztO!0^3^fx+E1L_uHGC>4nGGjkKuQ;YS|Gt(42LP7%c4fPCp exjgcVORN;i%ggm#D;#qJa$NP2{e5}4c)0*j&?Y+o literal 0 Hc-jL100001
diff --git a/tests/uricontent/detect-uricontent-05/test.rules b/tests/uricontent/detect-uricontent-05/test.rules
new file mode 100644
index 000000000..38822f6ee
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-05/test.yaml b/tests/uricontent/detect-uricontent-05/test.yaml
new file mode 100644
index 000000000..3ace6efe1
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/test.yaml
@@ -0,0 +1,32 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
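Review bot: The msg of sid 4, `Test http.url`, names a keyword the rule does not use; the sticky buffer is `http.uri`, and the mismatch misleads anyone filtering eve output by alert text. `msg:"Test http.uri"` keeps the label in step with the keyword, and the same string is copied into sid 4 of tests 06 and 07. sid 3 is also the only `alert tcp` rule among `alert http` ones here; if using the legacy `uricontent` keyword on a tcp rule is deliberate, a `# uricontent kept on a tcp rule on purpose: <reason>` line above it would stop a later cleanup from "fixing" it.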
diff --git a/tests/uricontent/detect-uricontent-05/writepcap.py b/tests/uricontent/detect-uricontent-05/writepcap.py
new file mode 100644
index 000000000..850192a08
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /%2e%2e/images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-06/README.md b/tests/uricontent/detect-uricontent-06/README.md
new file mode 100644
index 000000000..166b0e33f
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/README.md
@@ -0,0 +1,18 @@
+Test
+====
+
+Tests a case where the NULL character is sent in HEX coding in the HTTP URL and
+normalized path string is checked.
+
+Behavior
+========
+
+The null character will lead to no http traffic being recognzied by the stream,
+and therefore no rule matching on HTTP traffic will be triggered. We have a
+single simple TCP rule to confirm that Suricata indeed sees the stream and is
+generating alerts.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-06/input.pcap b/tests/uricontent/detect-uricontent-06/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b97a59d54b1112d764632e3c8e09e0724de787de
GIT binary patch literal 148 zc-p&ic+)~A1{MYw`2U}Qfe}cT)mx?>YT;(c0kU(z;vm4l$i&RT%E92uzz_#g=D_yd z>A(s`Rv>0%Fl7jUnGztOz%ZGQfx+E1MAg7RK|eD$F+H_dFFi9&!6PIjK;KZ$keACN czqrIop}f3Y&$YraHz3DVFWKLhmy4GR0Ht;$d;kCd literal 0 Hc-jL100001
diff --git a/tests/uricontent/detect-uricontent-06/test.rules b/tests/uricontent/detect-uricontent-06/test.rules
new file mode 100644
index 000000000..553537e97
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/test.rules
@@ -0,0 +1,5 @@
+alert http any any -> any any (msg:"Former HttpUriTest03"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
+alert tcp any any -> any any (msg:"Test uricontent"; sid:5;)
diff --git a/tests/uricontent/detect-uricontent-06/test.yaml b/tests/uricontent/detect-uricontent-06/test.yaml
new file mode 100644
index 000000000..51c98c98f
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/test.yaml
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-06/writepcap.py b/tests/uricontent/detect-uricontent-06/writepcap.py
new file mode 100644
index 000000000..28a2f9ea2
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET%00 /images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-07/README.md b/tests/uricontent/detect-uricontent-07/README.md
new file mode 100644
index 000000000..fba01baca
--- /dev/null
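Review bot: sid 5 reuses the msg `Test uricontent` from sid 3 although it carries no `uricontent` (or any content) match; the README describes it as a plain TCP rule that only proves the stream is seen, so the alert text should say that. Two alerts with the same msg but different sids also make the eve output of this test harder to read. I would change the last line to `alert tcp any any -> any any (msg:"Plain TCP rule, stream sanity check"; sid:5;)`.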
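Review bot: The `count: 2` expected for sid 5 is not explained anywhere, while every other alert check in this series expects 0 or 1 and the pcap holds a single packet; a reader has to guess why a content-less tcp rule fires twice. A comment above that filter, `# sid 5 has no content match and fires twice on this one-packet stream: <reason, e.g. packet and stream inspection - confirm>`, would record the author's intent and make a future change in that count recognisable as a behaviour change rather than noise.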
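Review bot: The request line built here is `GET%00 /images.gif HTTP/1.1`, so the three ASCII characters `%00` sit in the method token rather than in the URL, and no actual NUL byte is sent; the README's "NULL character ... in the HTTP URL" description does not match what the pcap contains. That distinction matters for what the test proves: the absence of http events follows from an unparsable method, not from null handling in path normalization. If the method case is the intended one, a comment on that line, `# '%00' is sent literally as part of the method token, making the request line unparsable as HTTP`, plus a matching README correction would settle it; if a NUL in the path was intended, the request string needs changing and the expected counts re-validated.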
+++ b/tests/uricontent/detect-uricontent-07/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where a self referencing directory request is sent in the HTTP URL
+and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-07/input.pcap b/tests/uricontent/detect-uricontent-07/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f237bd1d8d43865ee562f1c53625bb7fb43a75a9
GIT binary patch literal 151 zc-p&ic+)~A1{MYw`2U}Qfe}cH=UJr+HnTG11KIgtaS&i&WMXDv! ze_#b8D-bg>m@)*wObL)sV7O?-z~Js0qM)w_hMBpE>8Ztf>6vK?9w8wC`i6Rjyj&jn b#U)k><>lpit`&~C0XeRE$^O2)T)bQWlCvaN literal 0 Hc-jL100001
diff --git a/tests/uricontent/detect-uricontent-07/test.rules b/tests/uricontent/detect-uricontent-07/test.rules
new file mode 100644
index 000000000..38822f6ee
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-07/test.yaml b/tests/uricontent/detect-uricontent-07/test.yaml
new file mode 100644
index 000000000..3ace6efe1
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/test.yaml
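Review bot: This test.rules is byte-identical to detect-uricontent-05's (both file headers show index 38822f6ee), so sid 1 here is labelled `Former HttpUriTest02` in a test that covers a different case, the self-referencing `/./././` path. If the `Former ...` msg is meant to record which unit test each directory replaces, sid 1 should carry this test's own name, e.g. `msg:"Former <unit test name for test 07>"`; otherwise the shared label should be dropped so it does not point at the wrong origin.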
@@ -0,0 +1,32 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-07/writepcap.py b/tests/uricontent/detect-uricontent-07/writepcap.py
new file mode 100644
index 000000000..56d370a21
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /./././images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2