From e49965fae0d955cb3bd5674c91166e86829d850a Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 27 Feb 2024 09:02:35 -0500
Subject: [PATCH] tests/transform: from_base64 test
Issue: 6487
Test cases for the from_base64 transform
- Case 01 tests RFC4648 (default) with various offsets
- Case 02 tests RFC2045 and verifies success and failure case (with other modes)
- Case 03 -- case 01 with fast_pattern associated with the post transform content.
---
 tests/from_base64-01/README.md | 1 +
 tests/from_base64-01/test.rules | 8 ++++++++
 tests/from_base64-01/test.yaml | 34 ++++++++++++++++++++++++++++++++
 tests/from_base64-02/README.md | 1 +
 tests/from_base64-02/input.pcap | Bin 0 -> 3296 bytes
 tests/from_base64-02/test.rules | 4 ++++
 tests/from_base64-02/test.yaml | 24 ++++++++++++++++++++++
 tests/from_base64-03/README.md | 1 +
 tests/from_base64-03/test.rules | 8 ++++++++
 tests/from_base64-03/test.yaml | 34 ++++++++++++++++++++++++++++++++
 10 files changed, 115 insertions(+)
 create mode 100644 tests/from_base64-01/README.md
 create mode 100644 tests/from_base64-01/test.rules
 create mode 100644 tests/from_base64-01/test.yaml
 create mode 100644 tests/from_base64-02/README.md
 create mode 100644 tests/from_base64-02/input.pcap
 create mode 100644 tests/from_base64-02/test.rules
 create mode 100644 tests/from_base64-02/test.yaml
 create mode 100644 tests/from_base64-03/README.md
 create mode 100644 tests/from_base64-03/test.rules
 create mode 100644 tests/from_base64-03/test.yaml
diff --git a/tests/from_base64-01/README.md b/tests/from_base64-01/README.md
new file mode 100644
index 000000000..d1024db4c
--- /dev/null
+++ b/tests/from_base64-01/README.md
@@ -0,0 +1 @@
+from_base64 transform tests
diff --git a/tests/from_base64-01/test.rules b/tests/from_base64-01/test.rules
new file mode 100644
index 000000000..ef04cf0dd
--- /dev/null
+++ b/tests/from_base64-01/test.rules
@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest\n"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; sid:6; rev:1;)
diff --git a/tests/from_base64-01/test.yaml b/tests/from_base64-01/test.yaml
new file mode 100644
index 000000000..97deff62f
--- /dev/null
+++ b/tests/from_base64-01/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
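Review bot: The msg strings on sids 4–6 label the cases "offset #3" and "offset #4", yet all three use `offset 6`, the same offset as sid 1; what actually varies between them is the mode, so the labels mislead whoever reads the resulting alert. Suggest `msg:"from_base64: offset 6, mode rfc2045 - will succeed"` and the same shape for the rfc4648 and strict rules. Separately, sid 3 is the only rule that hands a non-multiple-of-4 quantity to the decoder (`bytes 6` yields "dGhpc2"); a comment such as `# sid 3: "bytes 6" passes only "dGhpc2" (not a multiple of 4), exercising partial final-quantum decoding in rfc4648 mode` would record that this is deliberate rather than an off-by-two in the byte count.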
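Review bot: The checks list covers sids 1 through 5 only, so sid 6 (`mode strict - will succeed` in test.rules) is never asserted and a regression in strict-mode decoding of the unpadded "dGhpc2lzYXRlc3QK" would pass this test unnoticed. Add a sixth filter for `alert.signature_id: 6` in the same shape as the others. If the intent is instead that strict mode must reject unpadded input, the expected count is 0 and the rule's msg should say "will fail"; either way the behaviour should be pinned rather than left unchecked. The hunk ends with the file, so no checks are hidden outside the diff.
```yaml
# … unchanged: requires, pcap, args and the checks for sids 1–5 …
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 6
```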
diff --git a/tests/from_base64-02/README.md b/tests/from_base64-02/README.md new file mode 100644 index 000000000..2b080d7c0 --- /dev/null +++ b/tests/from_base64-02/README.md @@ -0,0 +1 @@ +Match on base64 operations using rfc2045 URI diff --git a/tests/from_base64-02/input.pcap b/tests/from_base64-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ae79adf10749120c4bb572f265ea2ebab220c0f0 GIT binary patch literal 3296 zc-rljUr19?9LLY5Ex9nTo_Yz7iy*@7+-)lEIxTfGORbSJac^roZWp%Qd3QD&5d~2Y z5%tiU73F&m^%#}?k(8{c2*ig5`j~qT0(Je))lIkN=wU%nmwV1Ve?Q#s@6WmS%j?Gv z^r#kXUA0ID^}Fv&l7}oH#eIEl zVO>N>Uz=N~)z=B_^*6rpaa~Q#ZcaY`$H>mgQ))hP5S2`1r)67WaD zyxAtUiAG^KK~-~Ch{j-UBt#jkwZUx^x&i?jhrz?-aK2-9#{x=Fj)f#F2VsZI(ng_2 ziN$Du$x2MZ{glSdT@g7&je=3&Lf`%?LO)fE5nme@x_qr9o(+@J%gIaiy4CjkM!H*smri>qxRObKBOs0U8Uju!QY4N8Tg1|0%V18Y`YrIW5s%6(`zq5)@DE z6fO6vPMiVab@&|eQcBca@JX6SI!ineI(aYO144q(r4_rUQU zY%&uvV(%fu<#laLG+RU~A?}kVYzi|Lmk61dn6OOPEs7c<-qV_;n@NJHa)4QaENJQ! zoP3Nws6PmgC}n=k_nPT=QciW4@_z7wzf3r=(d#hnv7>?!&~ wDiBwzPJDQvqH3L{`b8Pl*`0`ws!n`bk?3=3s;`u&&H^=6@~2rKKCdeACtK}^p8x;= literal 0 Hc-jL100001 diff --git a/tests/from_base64-02/test.rules b/tests/from_base64-02/test.rules new file mode 100644 index 000000000..c3a6f0699 --- /dev/null +++ b/tests/from_base64-02/test.rules @@ -0,0 +1,4 @@ +# "Zm 9v Ym Fy" is "foobar" with mode RFC2045 +alert http any any -> any any (msg:"from_base64: RFC2045 - will succeed"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; content:"foobar"; sid:1; rev:1;) +alert http any any -> any any (msg:"from_base64: mode strict - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode strict; content:"foobar"; sid:2; rev:1;) +alert http any any -> any any (msg:"from_base64: mode RFC4648 - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc4648; content:"foobar"; sid:3; rev:1;) 
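Review bot: The only comment in test.rules explains the rfc2045 decode of "Zm 9v Ym Fy", but sids 2 and 3 are negative tests and nothing states why strict and rfc4648 are expected not to yield "foobar"; presumably those modes do not skip the embedded spaces, so decoding stops or fails before the full string is produced. A second comment, `# rfc4648 and strict do not skip the embedded whitespace, so sids 2 and 3 must not decode to "foobar"`, would make the intent explicit and flag any future change that silently relaxes those modes. I have not verified the exact stop-versus-fail behaviour of each mode from this diff alone.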
diff --git a/tests/from_base64-02/test.yaml b/tests/from_base64-02/test.yaml
new file mode 100644
index 000000000..190f846d6
--- /dev/null
+++ b/tests/from_base64-02/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/from_base64-03/README.md b/tests/from_base64-03/README.md
new file mode 100644
index 000000000..cfb70fcb0
--- /dev/null
+++ b/tests/from_base64-03/README.md
@@ -0,0 +1 @@
+from_base64 transform tests that assign fast-pattern to the post-transform content
diff --git a/tests/from_base64-03/test.rules b/tests/from_base64-03/test.rules
new file mode 100644
index 000000000..b07e32c80
--- /dev/null
+++ b/tests/from_base64-03/test.rules
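Review bot: The third filter repeats `alert.signature_id: 2`, so sid 3 (`mode RFC4648 - will fail`) is never checked and this test would still pass if rfc4648 mode wrongly decoded the space-separated input and fired. Change the last filter to `alert.signature_id: 3`, keeping `count: 0`. The duplicated sid 2 check is harmless but asserts nothing new, and the README's claim that the rfc2045 URI is matched against the other modes is only true once sid 3 is actually verified.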
@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; fast_pattern; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; fast_pattern; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; fast_pattern; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; fast_pattern; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; fast_pattern; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; fast_pattern; sid:6; rev:1;)
diff --git a/tests/from_base64-03/test.yaml b/tests/from_base64-03/test.yaml
new file mode 100644
index 000000000..97deff62f
--- /dev/null
+++ b/tests/from_base64-03/test.yaml
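Review bot: The second comment says `"dGhpc2lzYXRlc3QK"` is `"thisisatest"`, but the 16-character string decodes to 12 bytes and the sibling from_base64-01/test.rules in this same patch documents it as `"thisisatest\n"`; the trailing newline is real, since the final quantum `c3QK` decodes to `s`, `t`, `\n`. Change the comment to `# "dGhpc2lzYXRlc3QK" is "thisisatest\n"` so the two directories agree and a later rule author does not anchor a match on the decoded buffer ending at "test". The "offset #3"/"offset #4" labels on sids 4–6 are also carried over from case 01 even though each of those rules uses `offset 6`.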
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
-- 2.47.2
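Review bot: As in case 01, the checks stop at sid 5, so sid 6 (`mode strict - will succeed` with `fast_pattern` on the post-transform content) is never asserted; this is the one rule in the set that combines strict mode with a fast pattern on the decoded buffer, and a regression there would go unnoticed. Add a sixth filter for `alert.signature_id: 6` with `count: 1`, or `count: 0` with a matching "will fail" msg if strict mode is meant to reject the unpadded input. The hunk runs to the end of the file (the patch trailer follows), so nothing is hidden outside the diff.
```yaml
# … unchanged: requires, pcap, args and the checks for sids 1–5 …
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 6
```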