From 9b7894738a7850c917535d6365a5eb4e9ef69e64 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 31 May 2024 15:14:29 +0200
Subject: [PATCH] tests: add tls alpn tests

---
 tests/tls-alpn-client-log-01/test.yaml | 15 +++++++++++++
 tests/tls-alpn-log-detect-02/README.md | 4 ++++
 tests/tls-alpn-log-detect-02/input.pcap | Bin 0 -> 10042 bytes
 tests/tls-alpn-log-detect-02/test.rules | 2 ++
 tests/tls-alpn-log-detect-02/test.yaml | 27 ++++++++++++++++++++++++
 5 files changed, 48 insertions(+)
 create mode 100644 tests/tls-alpn-client-log-01/test.yaml
 create mode 100644 tests/tls-alpn-log-detect-02/README.md
 create mode 100644 tests/tls-alpn-log-detect-02/input.pcap
 create mode 100644 tests/tls-alpn-log-detect-02/test.rules
 create mode 100644 tests/tls-alpn-log-detect-02/test.yaml

diff --git a/tests/tls-alpn-client-log-01/test.yaml b/tests/tls-alpn-client-log-01/test.yaml
new file mode 100644
index 000000000..65ddb5802
--- /dev/null
+++ b/tests/tls-alpn-client-log-01/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  min-version: 8.0.0
+
+args:
+  - -k none
+
+pcap: ../ja4-tls-quic/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.client_alpns[0]: h2
+        tls.client_alpns[1]: http/1.1
diff --git a/tests/tls-alpn-log-detect-02/README.md b/tests/tls-alpn-log-detect-02/README.md
new file mode 100644
index 000000000..349507634
--- /dev/null
+++ b/tests/tls-alpn-log-detect-02/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap recorded by Victor Julien
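Review bot: The single check in tls-alpn-client-log-01/test.yaml pins only `tls.client_alpns[0]` and `tls.client_alpns[1]`; nothing in it asserts what the server side negotiated, whereas the detect-02 test in the same commit also pins `tls.server_alpns[0]`. If the reused capture carries a server ALPN response (the capture itself is not visible here), adding a `tls.server_alpns[0]: <expected value>` line to the match would catch a server-side parsing regression that this test currently lets through. The test also borrows its capture from a sibling directory and has no README, so a comment on the line, `pcap: ../ja4-tls-quic/input.pcap  # shared with ja4-tls-quic; changing that capture changes this test`, would make the coupling visible to whoever next edits either test.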
diff --git a/tests/tls-alpn-log-detect-02/input.pcap b/tests/tls-alpn-log-detect-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f08296a32d584c173a1902d284b33ba6f2cf83ea GIT binary patch literal 10042 zc-qyOcRW^a{Qu9rjN9HLa#Qv?H@BG?!UxF+8QIx;MTpyuWK%LiQZz^;vyfF*i3SNN z8K26Q@;f)BeA46B@1NiI@x6PTI_F&1^?YCBeZAh-`}DNA;u0J{0zZF9z#jU$rrPvG zodFV1g6;{I+U7q>fFcq03)&EdrCFI#8j^t3M)~x#6I$JZZ)}7^7&sDD2}2-=U@#K2 zRVSOuCK0~HbBjX)a?rEf7Eg}A!x71C5Lg5ztaeCZF;@RL#O%nY{T55hwaF_(!b#8! zzWY`QJcvz9VD%>=0UX4^ZLx4$eG?=8Pv1Hqo@E#{38R!20DSM09)b0PAp`Y|aH#=s znJoqg-<82k!dMZplfj69!2uWmTSp*Hruq4Wq{?n=j8cU1CXJ-dC>nk^>_1svJVswg z(fn#3=CjS~cF)+RxEr$0t6yJfFRe`_c~a(h7e~K$?8R}Vis5nB&8fC&ILpxOX{2FL;Qix*IRCV&}W0muM2^p+Z+1jylzVkC~fzMi63 z5iEcLP_Ruf1yqd@i6B8DVJHL~L4qPdp>0_JG$dPj%^v`)7KqF4O=^)zvV~_zWYfD&h&%v6a{QvY5?kK zl>&hg&i5xq(21Q4Mg#)zg&f%vfe7|rzLY$yxS!}2A1&GyZx)8+?KmFtO&QLxfFJ!< zD2%D^FAmfaHxQN{WeNaWL5sQV!MU&Rm7#*6wW*0sy`($07X403-r{Tpj8e zTfYy@XOS zIwlo+Z(pYqPPW#*P9E+UWj|j>4{s;mKr9_dL#TnKLw|4YZYzQ%14#)liRj=*4Zyuj z6k_675W289F>#zJ^oYY^#ju-?;-;YKj_N;vB;;rnYgeZe9^URw*4tLdf3?C1a%^^; z9NK|mQoHRy@EAx(L<|kMTOJN0BH6q_z=#nC0i-qMvZmAIv6%DyX1W-@aJJR-`BRLH z3{Pq+JH>^G)yZl~`h12b9(q6E8R)+--nFj?7Ie4M%9NXH%BaU)4O?4?M^%D&)Gd%4 z>H|9+47P!UgTQ8w*!LlsLB=rpp`bL?;3Ur^#@u11i!fD0^fLi|FuaC{M34xELJ`AY z$nY{S{34NdK`! z=1(QN3+ZMF_KziEe=HIIV+rn$B@%xuk^E!HALl^)k8>dY$2q|LaSm{QoCDmha{$^9 zmJ5S4gZ68VVY`3?&z4ed1F6!xL8hXir1VIr{C|@9-FPi6vdwRS6(K(?qke$$w z63K|9*DR=_iN0jl=hFGjr1tCH*pm%ii6AARn2NC3kO(+&7^Dhh-@8JzhZv58Lz4FE zE2`~RyK21RrpEK`)Oh2KO^s)Ut?i@Qsqx!bvMnqgwnT)6hKz(g3xwW4yJ8Z$#$cm> zAE3yjr8~%_Zj#1s&lcH0K|7lyb($l}dHQ}MU)0QsojXL1H@6nW0|aqD1ggR@KHevl_R?U0xKc)Mm;IpD+~vJzvX^VEUSt%mzDOR_82nQD-E8=# zSq<uaWH4lS?s2c(z)RNdR`cqd%ExpCVljt;>t;rp^)!wh z^5VFY{oQcjFNRB#9R0nui4H0q@mcm>nr%@8F@|Rj%-!&s?52j%PVzxjy4+_2QK3RK zw^Qww$4jTRyx}(_d~2zkN$S1~7-K?H{}V+Kc<69-q(WIM@c2lfh@4X{eYy^&ymcg? 
zCgswT1Nmwep=WSshR-bpPSExoe*YPMNuQ|bP5p?uuHb{tQYMl9bYWRy%GI+i%+he_ z#!|5B^Gzcw&?+z`ShV?Vg&YNOC3~8aPJ{cayOLIW*>zi=KDrpa>R8lhRy;S=DLoO- zP-aI>k$$B4k)Esrc+uu`D#F~@`{Lke(8$S13^Pquid0B!%^O<;I%ZDXfZ_z0Pqdct zhQ;z4e--l8>Dj~NYXxHAdiyQgS94d2RcepFXysVys#ZouKYElGJk+{g7&YZn-IM!T zhpubFnn$4U>^@$gRjK;NZDT$_o+m09IvQL=sEEc77xFXrZF#l?&}A! z5|WwdOue-I3YwZ32JZteDTPm=YE#qo*2ljF(`YT{lH6v{WFTJclgiK55?i{{^2)hy z9X-1=+RC3_67ThmBBkz|p(iuit!C-90XQ~hZ#XLqW_EV?|N+d^<4Ef=NO1rH+fXHMq(%#eMJvAT5v2ba+P3fDAno?aj|7A=?hPn6 z`*|dTPIr7D54iuA!xrQWgx^C`H z-jIunfnpMy5z}ld#v6kA{|U?_+Yw)y2yGRu0gL|X3MKTQ0Lb@C{Ac?${_n7)a>QUa zp)&>EyA_|LyeY2n&fE0kg;mL%X_eR}UFTH!lGol*q)p`Of}f68GwDe3E$XZ1^0%yb z=;O!O?`a~)5iwXr#)i(4Y+mi-n!Vgcebl2&{0H;3E>v#35Lp;jOURyx{1o+wXimg8 zuJRsFaOx*^cg~UH+5RR;mj;el41dzQ(|1+utX_GDYwXEsolpU`^P*an#LKD0nHx{% z^w%yabx5s*RA@Qhm=v6Wpo?8Gp_0b`5*ZzXB zv>W2rd7o;GoI2{u`I4CmT0|Tu39Y&q7Kg)`fdY;Ib+X+V) z_%mNV?F*IKP!ySGaNK>1{GRNE0l!(ur}_B`5=a~l%D;A5V}y=obVBsL!TU;snYE=4 z>Kz-I$?L7H=+cg}rM9-)*fIG5v~G7_7Oc*j31|7i^gPOWdFR9VSRWxQxFf|cn=2on z_6u(hVu$DFiU(r`4ms4Q!H@J$vGkXnX1g+|5cf7DgUdBUqzd$VURfol7WdELe_U4K z)hwqa8(Awp3Wi!9*(f7*yReQQIQi-Xu<_bm zDLMh?9Af=*M=FgO{pg#MH)fM2?tW0G6f%)3H#nfpW<6EAKAY1S+m0WpRaeV>BJ4aV zVRJ?~Z=PZ7`iYB9gZ$OP3?fVW4xAu$y=f|Vw|7cYKsbJRHXn}|f+E>d=;{UW@Vnn5 znt+mn=c|DT=3AU?5m)li9RE|C3oDa9%EYg2g+240RQD5ekn?N=B8{t+|Xo!b2 zQuH!aJ$BYVrRDk>u}#LCK10&PC!7?s>MGTd#Yq!Gu=CA+;%*UioCG!`RmJp z{L_X{p9xcFpD%8{lXy5gumdf@b#b=x+9&PB`VZscvni^B-|GLRXzrCzGd|S0FdZA2 zKx9iDhEJIJ(B%ZuBYiqrL3aQ1Y%0wSG z-ohlGN`j5k>sa3#EZ&himE|1ZH4s2tdM*9Pnbk;HTBGI{)kKwEp~2Td#m%pMqFM(L zj$jx``Te`+{NUewgzxJn zW0qU{cSi5azh#_2K#WhEMZYsl=}#)h#=P`2-@$r(clpk(rll zTbP9iog^^&Ach0f-eHU3P^GfTNZOSFi95s6PR1`?CplUwe~6B6j{8mApx&5QmcpQ0 z5DlX!_fktjN_=_EL7-{;X^rLwX@c3S2B^PSpMF8ev?RgTFfH428$mElV6+&c05KG> zd8q*?u`Px$>8=cDeLD7UGolC#CIkYx`hB`#{}_|pbHRy!qH3k!@BbFo^4=!k$f7Hy zc>mRJY2Ze7H}|otA3bw|+Zo0zV^*)voR}CoO+5TE$s`n|(iv*vg&VJIk}n3CIhOV! 
zYp4&Lnd&j%{fsBPJQ6yRJ4&Q_?X;ZR5tD&3og1eLwarGE4hi+Ly;A z6tZuHUW?OpHe1OW?4v9?s~kA=VRTsNORWx<4S8lLbAYT@;8aaFZ*r)Oq53S~yY}SH z(Y=_i(+vd~^Is1qeJi&~Zhb#6^X7I;f^TAQ%iO~+WWuEf?LH7C&X&^T-V2pL}9vr8R`UNqL z%T%miHaZ!Y9@b8o7~FQ*S$G+)aOFWvvwunF{m&+0;7oS^%D=bUdEL{@&^hTJd1_f6 zYIzOZ%3l~7x%Mt7f41yP_mxpGgct9NlQ5nv=0^8*;*caX+_TG0pV^Y;QrvXpRSNcHyE!6>*Gsf@u z%Z~(}sx!2AMz`~lyDep?4!#-~e0{kj%1p1<>`YyF2pOvRjwQRyk)^qGxi;aDNl6yj zg*JG|Jli3#~=h)n51#koCe>v5mR zGplCFOkOG(mt?xKxD0zZKp&9A8=Y+~AuDeR;Rb-aSPvdZ1;zJUh=l;q^G_2Mc;plbvhEN++p# zyL5REuuqppHw07m^ijSokU4KWJr~HP`7lG2l3J&20X_B6_UfLh_2=T}JKa7Io4)C$ z8-c@EeX}l~Mgtm?v#(Vygg+iSYL<9YFu#@S_*{*fLP%Tx$vZ`jCnQ$dqAlYy^uOfk zV!ZF(rFWnoScOlsxQ|=p_Rfe-oh{Pv6mvsooL|U}FL%^4UFe+~zyB$I@lki?lzrlP zWrxN>DtQOb8rS+~=xc~L#ZZYJhgb8hFb)qce2+~~LNsbsthiS>>uuRx$!(v<}g7)BaWc}Rv55(sR1z7?-7o3r-Bah|4`6qo8J@^c=KIB;TCu= zDSFq(NaqN9CaaX&6sksENr5NLeQejc$hdFVQ?R!cfFF-#d%t~Wm^PrBb@Mt+5i_#s z?dk9XB+N_IqDA6Y_guQ0v$w*(EO(8WP5yH?SxC>l=jV^K#M5@35Gto#c!QI%_;A_z zDE|oO;mHZPk4}qHx?)W$^%Dl>t$6~-wTRV-6E!N%M#RjxPJ6NgObW%}t%j>fs!rF3 zR?NrfCZ;(`X9JKUdtkCdluuv z-1UwMI$bM$M}GmEjvB@dTL$y`k~6!~GG!$3j@Yg;gcvTQ%E~D0QOAAoblliqLuR|+ z_147eoK)7mcSY0V3s+}VlZ)nK-TB$Y3!R5?= zR>oTg+lFaba_`Ie$=wxS)pfcfE=*-!^LxWd^$(So>Z}925A}Umm$h36{@U5Z7C1OU7rmx+W3@={TMdC$k9Y6rBCEW@UF$zGqlmnjxdJH4*IK zdqO&EC<=v#iBg%-S6Q?lM0)Wr?3e&g^MawOii6p9iK?C>xr7RCILLHp1$*2X5#x9t<8iZJC8D#O1HWvK5j7c7?ME4dwxvO`@-Tmy>{G*>+ z=j*Mf-XU(@=89^_cRK7PAW5;T(8lAbq%>Nmk@(8*u%sWEn!B5KHQ zDT{rp=zM=!nDt7I&9zg3N!zphV zd*p9<(DSIvn?{#~d-6{4<(aY;e>H981mnFq!ON z*-}=J!&Yh+{VFzsM>=#WvdPxA?G?h?MWMplM8&qXaZ(+Qc#3tAJ#hQ^o`rpFHB}^0 z2WZ$6WphP*iA3Wis+f?m-DWX(vlojG3A>b$n)okHw?kBmu})dg>Gm_@|TX%8*i{A zm>6dIt8R*HnxG*882xsdATaKz?POG`Z;D#uPC;_YB5(+z#^${(NH++aT^SmijD}qp hqG2=;!}E8>V~xKWizvi7A4Uz0#pK6W*ii(|{{bLtZ|wj8 literal 0 Hc-jL100001 diff --git a/tests/tls-alpn-log-detect-02/test.rules b/tests/tls-alpn-log-detect-02/test.rules new file mode 100644 index 000000000..dc1994b75 --- /dev/null +++ b/tests/tls-alpn-log-detect-02/test.rules 
@@ -0,0 +1,2 @@
+alert tls any any -> any any (tls.sni; content:"icloud"; tls.alpn; content:"http/1.1"; sid:1;)
+alert tls any any -> any any (tls.subjectaltname; content:"p142-contacts.icloud.com"; tls.alpn; content:"http/1.1"; sid:2;)
diff --git a/tests/tls-alpn-log-detect-02/test.yaml b/tests/tls-alpn-log-detect-02/test.yaml
new file mode 100644
index 000000000..deb1be80e
--- /dev/null
+++ b/tests/tls-alpn-log-detect-02/test.yaml
@@ -0,0 +1,27 @@
+requires:
+  min-version: 8.0.0
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+        tls.client_alpns[0]: h2
+        tls.client_alpns[1]: http/1.1
+        tls.server_alpns[0]: http/1.1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        tls.client_alpns[0]: h2
+        tls.client_alpns[1]: http/1.1
+        tls.server_alpns[0]: http/1.1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        tls.client_alpns[0]: h2
+        tls.client_alpns[1]: http/1.1
+        tls.server_alpns[0]: http/1.1
--
2.47.2
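Review bot: Both rules in test.rules match `http/1.1` in `tls.alpn`, and the companion test.yaml shows that value both at `tls.client_alpns[1]` and at `tls.server_alpns[0]`, so the test cannot tell whether the `tls.alpn` buffer inspects the client-offered list, the server-selected value, or both. A third rule on a value that only the client offers in this capture, `alert tls any any -> any any (tls.alpn; content:"h2"; sid:3;)`, together with a count check in test.yaml for sid 3, would pin the buffer's side on whichever semantics it is meant to have; a rule that is expected not to fire is equally useful if the buffer is server-only. Separately, `content:"icloud"` on `tls.sni` is a bare substring match; for a fixture rule something like `content:"icloud.com"; endswith;` states the intent more precisely and avoids matching on unrelated names should the capture ever be replaced.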
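Review bot: The three checks in tls-alpn-log-detect-02/test.yaml count exactly one alert for sid 1 and one for sid 2, but nothing bounds the total, so an additional alert from either rule on a second flow in the capture would pass unnoticed. A fourth filter in flow style, `- filter: {count: 2, match: {event_type: alert}}`, pins the total alert count if the capture holds a single session, and `- filter: {count: 1, match: {event_type: tls}}` pins that exactly one tls event is logged independent of its ALPN fields. The first test in this commit passes `-k none` while this one does not; if that difference is deliberate a one-line comment under `requires:` saying so would save the next reader a question.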