From 0b3caeec0fd4653ee52340544b456eb45e416544 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 21 Feb 2020 16:54:11 +0100
Subject: [PATCH] decoder: initial hdlc test

---
 tests/decode-chdlc-01/README.md | 1 +
 tests/decode-chdlc-01/hdlc-http_1tx.pcap | Bin 0 -> 10616 bytes
 tests/decode-chdlc-01/test.rules | 1 +
 tests/decode-chdlc-01/test.yaml | 36 +++++++++++++++++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 tests/decode-chdlc-01/README.md
 create mode 100644 tests/decode-chdlc-01/hdlc-http_1tx.pcap
 create mode 100644 tests/decode-chdlc-01/test.rules
 create mode 100644 tests/decode-chdlc-01/test.yaml

diff --git a/tests/decode-chdlc-01/README.md b/tests/decode-chdlc-01/README.md
new file mode 100644
index 000000000..5fa361331
--- /dev/null
+++ b/tests/decode-chdlc-01/README.md
@@ -0,0 +1 @@
+Ensure Cisco HDLC packets are decoded
diff --git a/tests/decode-chdlc-01/hdlc-http_1tx.pcap b/tests/decode-chdlc-01/hdlc-http_1tx.pcap new file mode 100644 index 0000000000000000000000000000000000000000..43d736c1b567c4466cdc131608227b7ee1a25ff4 GIT binary patch literal 10616 zc-rk+TWlj&8J^wkZo39=yDi%-t%MH4va#EEF1{tPGue7=Z{qFxvWcDDW;a;lnG<`G zx$Vq2cCx#us*rd>AaQv>eL;Z40}>Zi;t?dEFT5ausHi|fqJ7|@f`^qVwF}FCW_*p~ zB&e-uA&H%g=lr+x|Nr^^^PlnWfBDnz9Hkzjx<3ydP*el{NALaXG8KH3ijr%1KT179 zWhsg~v+_Lk(h2pqzxct?hf`C|&z`tUm0pRSR0*$n^m*#^JVhOS==iHgjy!ZU1~R_# z@{ti4UxYvUiOO4qpU9y~Ph38;`t}0I(agsmJSco^SjLaPe1w_={>i?Kz?rIR$M1I7 zp@E!S>9LF%f0LpJ@56sSM!kKEa^D{BvA>;B39oW|SKg;G=HsU*YCc;=Y`Rcpl}!b= zSU%22qcMJZij@@$OHQ(-FnpX#HWVh#aV*EPd^k284u|8>SUeiPAgPM9Av7GvOt7qs z?G45-9cE3@Y;0{}Mlv*3)i>A+8$ux?Z56ijvEugCNMSuUmEW#}^Xv9@VZG8WX0lWH z%towOt~al&Z!}l5dJ``g%@rluE|ynPR~KZX#$8O+!fhkBU^?=`%BHL}QdiSl`}($; zx;noc7O!7!)aJRmr183}sgA5kb#Y|Di zG|}wdST}LKdu@6jMAHOEi;iOGKyNn;X`>}>;?SBZ+Kox{Ec>kAw}{uUg{=hIGa5BT zW*zzeF(9(&h(a_P5o32E(_A!uCmf5e-Qk#ccq$sc6N^M7D;|IzdQm!1dk`O>R9z$f=g)X$WjxvgA*K-1jRO#g0q%LFeuxb3hFM^pX2Y}*9* zuoDOpzZ5AYP`V`0g<=k6mP#mHTtw;0B1&cQD3e`AchAvi?P^FMV zCAdx(^Qe$oMmg|PCYwh~K-6rv1Jp?0~(-h5`npQXCf+IIas(F+Rk@%)nIe zHug*s@`f&pTa$>7h6=`JD9rIZ;<$wSLi71@5<#dM0-Hp#p^1tv42EG)TfUOZ2ml&pG$m;qGm~)=VlvNl;>t0#ZmDbH^WWyGu3doS}8AA%L|$1#cIh=m1-r% zRiTEop@7V?9$ar4C}O|$dJgK*-mPrRabQPl18<27dJ)kE+NiP4YrNP^NpKM4? 
zjYw%(;B8e8Ow2B&7bnnjXd+iCqbsSxd?huX6_zh9x$eF>HxW$k#s+T1mStE7G6;r{ z4q+NY3Tqe{mq_6(sp1y4U}9+t!%`~N)?uLp=%sFXb%~fAA8B-cB-+6-s&Z>6XLrO7 zstlrX1M6d$M$@GXjvPar)n$}h8?Qc4Fr1wU7(^-H3XG)eEQ;)D*!y!F{SkH2o`bXO zKsvg~2W$GS-?!G(T}VYTcEIkE+5`kimu8^yaPe>?65(g2_&^YdZzGcVDDc^lAi$V6 z)L&JmE5{~FNN=htSt=ugjOvzPG>5n#8YkgKKNiS!DGDjqgbJ@y+Qy+h6bd8ZU?db!c19%jG6t%BIm#19N{%?YFE zlyq|zUKo%V4JS+=$j223Tyr+rFca@VyPLSX*b&`B`TNlv+gEes!_eF>W#iO__x3it z_J)T}mQ;6+RCBuRh`NN4;Hq|;Y?9cAefF3>o1O$9)ao`k>BcH}KG^}?mfK=6q6O`> zQWbf4c}Yb4K6tm|X+>8Y1vbdr?#879@`0wV+-l;gA_s5Zo$QBWbbJzETbo37b8Ss& zdy1TfVlysB*%GCV0a?kR!G_fwCx;|dSFI~#yzc(wlwJxU&j~krlmKvaFU9E9j<325 zo;?Kb|9Rq(QM~`0i}yE%@&4T(b@Bf01BxQchNcHh(dqO4q>K5d_gTRpohz+`Z*GrSToi%7XR;QcYxf;R7i3xB2 zx?2tJZ1REs($!1>h-uQKfc;qNPk@zeHhno=D5rCUc~HR8-R8i>9N_Bk_c4gDxP_!I zxl3a=YjCOP^#C{N2_SU)O@ZuUW({|r1r4NV+lnmEk_!J4nebFPb1|L`rLyr%i07rX z&`kW|bSN5)#$u6J6nbc=tdb$)8X%?6ogrkEt{S4uXrg2p8kQB&ovhicvAr`YRuXGA z>()xvZn^&%xJ4tPUXhosUD|0ajojW$prL7`Q3Df?3p8|(^xTBsM`mG)mZ(83*T5Fd z*iQX-^afv`B+?t8lU{Fd_v|jU;+$J6R)%T?@O5j&w@VatpeWOb-EHL) zEc%ZY{unv#wtrc)?4Gb*(GW)VX6I9umNFG#aPvU!rAZ=IEcJuR?sHJB&XEl7$}Srl zSQp&eW9D(I2|E{Ot2c`V0OuG|8z}2~k5YBU(5Z%D_Nd5t&KSCu2DPC_Xqe)yv81A^ z8ZGZMhn%O|eXomZOWd*t*sxZ^G8$p%Q+8(DovJr0fxc3v5wW~$vUhT~=Q9)HK^E|mCc$ui_>XMZ5h#fh`sTJgsp zQq=!wl*ey(QLi$6oJtbw^%$Lxq;tB9I>#_xyR=WEGAklSwCWg~P_3z=z5z~gd;Aa7 z=Z5Zmb%BPq?&icHnvKcxn-jr6uX7KQmR&gX)_$lkaB^{Tf}Wct2O!>4NAgVbzgo)I z&AM00_dp$XZk842CcMLuS=Kw>-uFT1(6lT~_U7e&HR)*|HFb<~-<_`}MV|RS!TaXR z!+8IR-?(`H>HBlveT|}ApExR;={%On7|u2FV1`+@$s^ta+BLV6J+KG<1d|7si-w(} z8~y8j5bSW_e3<3*W4hi*HVx(wOTM!JBkmV1$TIrsq;GV~^|-s`LZe%*Q?HXP*XeJ1 zTduRWcj0};&rOo$Yn~WhzNcOXewJ+4Ui@|UdzSwO DmlY`m literal 0 Hc-jL100001 diff --git a/tests/decode-chdlc-01/test.rules b/tests/decode-chdlc-01/test.rules new file mode 100644 index 000000000..90536fb91 --- /dev/null +++ b/tests/decode-chdlc-01/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (http.method; content:"GET"; sid:666;) 
diff --git a/tests/decode-chdlc-01/test.yaml b/tests/decode-chdlc-01/test.yaml
new file mode 100644
index 000000000..0d40b8851
--- /dev/null
+++ b/tests/decode-chdlc-01/test.yaml
@@ -0,0 +1,36 @@
+requires:
+
+  min-version: 6.0.0
+
+
+checks:
+
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.hostname: "view.atdmt.com"
+        http.status: 200
+        http.length: 8079
+
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.state: CLOSED
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 666
+
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: TCP
+
+  - stats:
+      decoder.ipv4: 17
+      decoder.chdlc: 17
-- 
2.47.2
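Review bot: The `stats` block at the end of the test.yaml hunk only asserts `decoder.ipv4: 17` and `decoder.chdlc: 17`, so it pins that every CHDLC frame carried IPv4 but not that every frame in the pcap went through the CHDLC decoder — extra frames that the decoder rejects or that are counted under another link type would still let the test pass. Adding `decoder.pkts: 17` to the same block (and `decoder.invalid: 0` if that counter is exported by the version under test) would tie the CHDLC count to the total packet count and surface a partial decode failure. The `http` filter could also include `http.http_method: GET` so that the HTTP check and the sid 666 alert are demonstrably asserting the same request rather than any 200 response to that hostname; treat the exact field name as something to confirm against the eve schema in use.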