From e0018e44f994b1687d29867b13fd5074feb17703 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 27 Nov 2023 17:28:47 +0100
Subject: [PATCH] Adds test about ssh new keys

Ticket: 6578
---
tests/ssh-newkeys/README.md | 8 ++++++++
tests/ssh-newkeys/input.pcap | Bin 0 -> 4730 bytes
tests/ssh-newkeys/test.rules | 1 +
tests/ssh-newkeys/test.yaml | 12 ++++++++++++
4 files changed, 21 insertions(+)
create mode 100644 tests/ssh-newkeys/README.md
create mode 100644 tests/ssh-newkeys/input.pcap
create mode 100644 tests/ssh-newkeys/test.rules
create mode 100644 tests/ssh-newkeys/test.yaml

diff --git a/tests/ssh-newkeys/README.md b/tests/ssh-newkeys/README.md
new file mode 100644
index 000000000..39fb109c2
--- /dev/null
+++ b/tests/ssh-newkeys/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test rule on ssh for new keys packet.
+https://redmine.openinfosecfoundation.org/issues/6578
+
+# PCAP
+
+The pcap comes from https://forum.suricata.io/t/can-not-get-ssh-alert/4223/9
diff --git a/tests/ssh-newkeys/input.pcap b/tests/ssh-newkeys/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..275d7283c4d57f3fc0cbaf52682cbcb030b248ee GIT binary patch literal 4730 zc-q~VdsI_L9>?c~Bye~M;&Vd*QBFV;%!7nLLBT2(iiKUQw!%t75)wFpK!Q*Z6fC8> zA_!Jc^H+EdjNnVWkYD}2uktO3A7!}9}~ zQ~#yi4`f-eoy81Eki^4wq^G-wl{rEm z{dyWbL!hr_<0}PLg)V>sJEqa{m?)J>#$>sBx^r+e^&1TMK&%guYS-FPTs6x;brr_+uOn7HlA zmu>)HexfbPWC@4IV|y`GG9ib@XUypFn>5Z{p_DQtBC!nbX2!>;k`mB-gD$SX!?26T zVKc-r(a|vyrc5H2#|h(^Ql(-`0#ovVNG6PzO0-K8O=9!WD38q{9u*iH)mwmA1KY#s z;vPos#D}13{ZZtVDj@@2lU5@=Q(s>CNc(llZ|E+G7o+To%ty z0n-)vU8IO(2qh{uN5B*%Deo7{@p60* zLJ6;4UVpi1{Qt9IbK@295=I&}sc}?Y?h9o?77O`M=^uJqq|Kp0a zQK$A0)+WQgmqlH#4^?$--$6yudAB z5?By|Ti~y2!B{OBP~jOBT{Bq2wG)Vy5JAX-=N$P#9Mov$2;aHzve19RI>lGk4RlZR zeOYj@y6#>IH&K?*KB(zFd$(cx7w)&_{IvkhxlV6*LT_Mze@&OH@WDgQ}UUmfl9PCHYV;gx9?I%#2PK36|S`Wwk00JZ~&;wsR5Oc>XY zt}-tren`DROih1aEN*K2w4b<4-`8GBNRC8t3m59Lu0d8ZY$p>blxcPmDvX>`I01l^ z-deC?;>zh~ac`U`7+sx>Jr%Ss^gdzpM|&Tq+aYZ+M@IgUb<&&ObocQuJ4Oqs7wS*t zUYT=gm{ETDez94O_zqHWf550k7;e#00*fkeix%lxgjiaOX0T*x5}t_<30W``e_ah9 z$P7|NOHk$E5r?uYRma7{F_)H=9%#$Wa;9sV_NRwL+sY$yy;k2Fn47bqg_WP?m~l(v zR#|<(V#C({%fV_a6RGeVB!e8NAcx4WA82+H`V}crBfr|u0-!8=$Ew@@?R6WzNDS-@ zs!VMN{C?>REiyUMjM-h#FksGcopAF?IZ> zFfz~eP)YX@&m!8>J$V+}q$hnhZ-1kX&5T&uht3~|w-W`Q+H1~a5y2+$6+`Zni)PCdcTdMj@M{DZm zvEslB)!%J##_*j}Lot@KWISi-`o8p@?N()tSI_s_wK+?NtT^~<+elm}cw8n(&E7GhN3?>CGb>jZK_;nE0|7qYj%U{{kO?&kIqpMf1 zpWr)K?(1D*GoHnKzJv3v=|_Qz$bTk%z1*_jy7xYI>ALsL($qzz%bxXpe6Or>+uOe( zm6>YHSgm+K6c=k)&Ad^qz)-FDLqKwH!K#Ml-BQcan{n)wON09YpJb#9clC|@wmxH_ zZSSF3w6E;8rzJl5`5iZDI5TMZ?cihPCjz2=D0(+me!&~5_?z13esJx*g_TO zCq0hU8T*Z|rsC0aG4Qw&k?`oTb))z9CZjAi_@% literal 0 Hc-jL100001 diff --git a/tests/ssh-newkeys/test.rules b/tests/ssh-newkeys/test.rules new file mode 100644 index 000000000..3837fe45c --- /dev/null +++ b/tests/ssh-newkeys/test.rules 
@@ -0,0 +1 @@
+alert ssh any any -> any 22 (msg:"This is a test"; content:"|15 00 00 00 00 00 00 00 00 00 00|"; classtype:protocol-command-decode; sid:1300013; rev:1; metadata:created_at 2023_05_23, updated_at 2023_05_24;)
diff --git a/tests/ssh-newkeys/test.yaml b/tests/ssh-newkeys/test.yaml
new file mode 100644
index 000000000..2c78fd6f3
--- /dev/null
+++ b/tests/ssh-newkeys/test.yaml
@@ -0,0 +1,12 @@
+requires: + min-version: 8 + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1300013
--
2.47.2
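Review bot: The rule line gives no hint of what `|15 00 00 00 00 00 00 00 00 00 00|` stands for, and because the `content` is used without a sticky buffer, `depth` or `offset`, it fires on that byte run anywhere in the inspected payload rather than specifically on the NEWKEYS message. The pattern reads as the SSH_MSG_NEWKEYS type byte (0x15 in RFC 4253) followed by what looks like zero padding, so a comment line above the rule such as `# 0x15 = SSH_MSG_NEWKEYS type byte followed by padding; pins that detection still runs on the NEWKEYS packet (ticket 6578)` would tell the next reader what this fixture protects. A descriptive `msg`, e.g. `msg:"SURICATA TEST ssh newkeys content match"`, would also make the alert self-describing in the eve output instead of `This is a test`. The hunk's `--- /dev/null` / `+++ b/tests/ssh-newkeys/test.rules` header sits on the previous physical line of the collapsed patch.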
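Review bot: The check only asserts that one alert with `alert.signature_id: 1300013` exists; it does not establish that the flow was actually parsed as SSH, so a regression where the bytes are matched on the raw stream before protocol detection would still pass. Adding `app_proto: ssh` to the alert's `match` block pins that, and a second filter with `event_type: ssh` would confirm the parser emitted its record for the session — its `count` depends on how many SSH sessions the capture holds, which the patch does not show. The `-k none` argument is unexplained: if the capture's checksums are invalid, a `# checksums in input.pcap are invalid` comment above it documents why; if they are not, the argument can be dropped so the test runs with default checksum handling. The file's indentation was lost when the patch was collapsed, so the hunk is reviewed from its content only.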