From 2f97c25fd7760fb13c18d12f4e832fa66ddc25b9 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 30 Nov 2023 14:46:04 +0100 Subject: [PATCH] Adds tests for negated content and absent keyword Ticket: 2224 --- tests/detect-absent-file-multi/README.md | 18 +++++ tests/detect-absent-file-multi/input.pcap | Bin 0 -> 1259 bytes tests/detect-absent-file-multi/test.rules | 10 +++ tests/detect-absent-file-multi/test.yaml | 52 +++++++++++++++ .../detect-absent-http-request-body/README.md | 14 ++++ .../input.pcap | Bin 0 -> 1694 bytes .../test.rules | 6 ++ .../detect-absent-http-request-body/test.yaml | 37 +++++++++++ tests/detect-absent-negated-content/README.md | 11 ++++ .../no_referer.pcap | Bin 0 -> 617 bytes .../detect-absent-negated-content/test.rules | 17 +++++ tests/detect-absent-negated-content/test.yaml | 62 ++++++++++++++++++ tests/rules/absent/README.md | 11 ++++ tests/rules/absent/test.rules | 3 + tests/rules/absent/test.yaml | 37 +++++++++++ 15 files changed, 278 insertions(+) create mode 100644 tests/detect-absent-file-multi/README.md create mode 100644 tests/detect-absent-file-multi/input.pcap create mode 100644 tests/detect-absent-file-multi/test.rules create mode 100644 tests/detect-absent-file-multi/test.yaml create mode 100644 tests/detect-absent-http-request-body/README.md create mode 100644 tests/detect-absent-http-request-body/input.pcap create mode 100644 tests/detect-absent-http-request-body/test.rules create mode 100644 tests/detect-absent-http-request-body/test.yaml create mode 100644 tests/detect-absent-negated-content/README.md create mode 100644 tests/detect-absent-negated-content/no_referer.pcap create mode 100644 tests/detect-absent-negated-content/test.rules create mode 100644 tests/detect-absent-negated-content/test.yaml create mode 100644 tests/rules/absent/README.md create mode 100644 tests/rules/absent/test.rules create mode 100644 tests/rules/absent/test.yaml 
diff --git a/tests/detect-absent-file-multi/README.md b/tests/detect-absent-file-multi/README.md new file mode 100644 index 000000000..fd2738782 --- /dev/null +++ b/tests/detect-absent-file-multi/README.md @@ -0,0 +1,18 @@ +# Test Description + +Test `absent` keyword with files + +## PCAP + +Manually crafted with input +``` +GET /noheaders HTTP/1.0 + +HTTP/1.0 500 BAD +Header1: value1 + +``` + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/2224 diff --git a/tests/detect-absent-file-multi/input.pcap b/tests/detect-absent-file-multi/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..724dfefd8a47ff2b8e59a1e2ded9c8dbde04813f GIT binary patch literal 1259 zc-p&ic+)~A1{MYcfUwW?Wv1Oa#>(IVWP>mh5W6xkIDn7?8v{c<0|O%nA4-*X;t$xS z0MfI8>Hq(KCP1|;_BR-rnb{Z_Ik*lo27U#b$^J#I<(&?te();I0-CG1K?u{# zniG;0Aah}6iUZBG0GefiFw+EwI~9TEW;X~(y#A*F6ok4DWFE*ISt87Vx-A=I7P2`o zH-XG)ImOBl0Ms9VFvkb4dnAD7IKbWW4P=(PYlwn=UVcVuVoGXJv4TfPNPxbfo&gug z{9UI=a;GJlJ1aqUfXq1rG{+LC-x6VtDGqm9!riHf;?7F2gN~8rAS+xB`T#V?6R6)4 zVU8MK}#WEpMq2GX`&rigVTZFC^fWF zC`-&KO*P~KJ5ca6(IMCiHdqjQ2#S&B(Oz60l_braK3wKZCDj~3?B?ttK79IsW?5rP FVE}rFELZ>l literal 0 Hc-jL100001 diff --git a/tests/detect-absent-file-multi/test.rules b/tests/detect-absent-file-multi/test.rules new file mode 100644 index 000000000..87ab2a630 --- /dev/null +++ b/tests/detect-absent-file-multi/test.rules 
@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;)
+alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;)
+alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;)
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;)
+
+alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;)
diff --git a/tests/detect-absent-file-multi/test.yaml b/tests/detect-absent-file-multi/test.yaml
new file mode 100644
index 000000000..9d374042f
--- /dev/null
+++ b/tests/detect-absent-file-multi/test.yaml
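Review bot: The msg on sid:11 is copied from sid:7/sid:10 ("no file data or not abc") but the rule matches an absent http.request_header combined with uri "noheaders", so the alert text misdescribes what fired; suggest `msg:"no request headers and uri noheaders"`. The same msg text is also shared by sid:1/sid:6 and sid:3/sid:7, which is harmless for the checks (they key on alert.signature_id) but makes eve output harder to read when a count is off. A short comment before the second group, e.g. `# to_server rules on http.request_header`, would document why the sids jump from 7 to 10.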
@@ -0,0 +1,52 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
diff --git a/tests/detect-absent-http-request-body/README.md b/tests/detect-absent-http-request-body/README.md
new file mode 100644
index 000000000..d9cb67210
--- /dev/null
+++ b/tests/detect-absent-http-request-body/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Test `absent` keyword with `http.request_body`
+
+## PCAP
+
+Manually crafted with server
+`python3 -m http.server`
+and client
+`curl -X POST http://127.0.0.1:8000/toto`
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
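Review bot: The `count: 0` checks for sid 2 and sid 4 pass vacuously if those rules fail to load, so a parse error in `bsize: >0` or in the negated content would go unnoticed; add a positive assertion that every rule loaded (for example a match on the stats event's detect rule counters), since sid 5 only proves the http.stat_code part matches. The same applies to sid 2/sid 4 in tests/detect-absent-http-request-body/test.yaml and to sid 5/sid 22 in tests/detect-absent-negated-content/test.yaml. `-k none` disables checksum verification, which is expected for a hand-crafted pcap but deserves a one-line comment, e.g. `# crafted pcap: checksums are not valid`.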
diff --git a/tests/detect-absent-http-request-body/input.pcap b/tests/detect-absent-http-request-body/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1e4de3a6f5cae7a972fa0aee65baa3f6fec12876 GIT binary patch literal 1694 zc-obe&1w@-6vrn?Nn~Kav!%tt=j5T|KMTP%{&KvPPoo0z%zu+zE2%#E}t zSm;8b_y8g<1RtQdw_S)2Ac(l>O3|v|1Gq>$cP4R?HZ92{7jEvk=g0Z~&zXFB|Msg2R*Vw@kFA?^V34?ND(OY0d0&ZF*n@++$aBvC>M zS}GLsk|HVszeH@BMoMg2l;NYKQ?e`z{F;re=v)OG5G&O!U78k?DG>s5r4lyba8jBS zc!6i7joceVVloU8fAx}hqa5NIkl*k)e=p^X0_V?v&QHc^>5@@WR?wPZ*G-dH6l-W3 z(<;%>#5gly{HDOKV(THc(rC4|ZR*&`lf@~N--UaI6c?447#H}3BE@O6j`kfNmHQ|Uwk-B~UO{5&xXT%t8%fLS`Rv2#Shyl7$9gnWv3s8prf`t4G+XxW&~ z)M+`I@~-8uQK8i|iYKSruCAB+9l&Jx+OaJqlaZz)(&QEZ>h}wE1j^Ic~ znAWI{GmDl*EM#HZB!-Pu$vt&>k_S}p6K%I6xvHGYgd;C*w!$T%f&DNGs$_PBm$7XZ zD-gS6M#Qs89uwgm6XX}&p0intB6pyWMzDdo|rE_xnl)ww$JiyIx7B>5TJuuzK{1>iIS(C)}IU>|d7-tl=|%HIA-- DZU?H( literal 0 Hc-jL100001 diff --git a/tests/detect-absent-http-request-body/test.rules b/tests/detect-absent-http-request-body/test.rules new file mode 100644 index 000000000..b368a6087 --- /dev/null +++ b/tests/detect-absent-http-request-body/test.rules 
@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;)
+alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;)
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;)
diff --git a/tests/detect-absent-http-request-body/test.yaml b/tests/detect-absent-http-request-body/test.yaml
new file mode 100644
index 000000000..549bf9ce4
--- /dev/null
+++ b/tests/detect-absent-http-request-body/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
diff --git a/tests/detect-absent-negated-content/README.md b/tests/detect-absent-negated-content/README.md
new file mode 100644
index 000000000..a5b9b8e39
--- /dev/null
+++ b/tests/detect-absent-negated-content/README.md
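Review bot: Every request in this pcap lacks a body, so sid 1 and sid 5 (`http.request_body; absent`) would also pass if `absent` matched unconditionally; the only negative control, sid 2 with `bsize: >0`, shows the body is empty but not that `absent` stays silent when a body is present. A second POST carrying a small body, with the expected counts updated accordingly, would pin both directions, as tests/detect-absent-negated-content does with sid 22 on a present http.user_agent. Also, sid 5 and sid 6 reuse the msg text of sid 1 and sid 3; distinct messages such as `msg:"no request body, no method check"` make eve output easier to triage when a count is off.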
@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-negated-content/no_referer.pcap b/tests/detect-absent-negated-content/no_referer.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0ef6c2e989b92da480aadfd77977e9f59f0d1545 GIT binary patch literal 617 zc-p&ic+)~A1{MYw`2U}Qfe}c%<_4t%G_Wz40ofp&Skb!Ab-CGhL2dnD4hB~S1`Uuh z2Q~-p11r8H@Ca0{zI=`$0H}})WJ&;&0z<=Bh$*$r2vgoXiFsY>s4-)r*+VH*Q$Qww zOkxNCn!~`50>s<_LO@d*Af~9cAxydPB*wT?wNP^E!Om-V-NFsTsR05&QyL+r6nC*P zXad!O@R`cK`tAGXc`eSry#Ztjqcp@6dkL(jNGLD_PhnticMVa{SMUf43D7sxGvwv+ z$S*FjQb?^x%q_@C)l1IL<>d-3PA$@POi#@NN~GoI^Kv;RC#MzwIVGtTCHh)A3W)^; zIho0cC7Jno`dTn)U7y6f^wPxiRG?{jx~0W%ao4=${FKbRbSs7Qs>}i%g_P8^oWzn; zUM}bSyb_=#x*?SXKuySoW)f#vg3lR*Mj3f`%y1-gzonPo`&d{Xn$OERn!3=Ir` zf{Do)sk$JkqWl~yg}i*-WRM6i7cUnm;COlw!5 $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;) +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;) + +# Positive tests about alerts +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;) +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;) +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;) +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;) +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; 
http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;)
diff --git a/tests/detect-absent-negated-content/test.yaml b/tests/detect-absent-negated-content/test.yaml
new file mode 100644
index 000000000..a2921b99b
--- /dev/null
+++ b/tests/detect-absent-negated-content/test.yaml
@@ -0,0 +1,62 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 20
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 23
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
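Review bot: The check for sid 10 is appended after sid 23, although the rule is declared between sid 9 and sid 20 in test.rules; moving it after the sid 9 entry keeps checks and rules in the same order and makes a missing sid easier to spot. The expected counts are consistent with the rule messages visible here (sid 5 and sid 22 are the only expected non-matches), but the yaml gives no hint why; a comment mirroring the rule-file section headers, e.g. `# no alert expected: negated content without absent (5), absent on a present buffer (22)`, would document the two `count: 0` entries.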
diff --git a/tests/rules/absent/README.md b/tests/rules/absent/README.md
new file mode 100644
index 000000000..40150cdd5
--- /dev/null
+++ b/tests/rules/absent/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test `absent` keyword rule analysis
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/rules/absent/test.rules b/tests/rules/absent/test.rules
new file mode 100644
index 000000000..a095e1393
--- /dev/null
+++ b/tests/rules/absent/test.rules
@@ -0,0 +1,3 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
diff --git a/tests/rules/absent/test.yaml b/tests/rules/absent/test.yaml
new file mode 100644
index 000000000..69e3bd443
--- /dev/null
+++ b/tests/rules/absent/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "content"
+ engines[2].matches[1].content.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "pcre"
+ engines[2].matches[1].pcre.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: false
+ engines[2].matches.__len: 1
-- 2.47.2
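Review bot: The sid 8 check pins `engines[2].matches.__len: 1`, but the sid 6 and sid 7 checks never assert how many matches the http_referer engine carries, so an extra, unexpected match appended after the negated content or pcre would still pass; add `engines[2].matches.__len: 2` to both. The `engines[2]` index relies on the engine ordering in rules.json, which the test asserts only through `engines[2].name`; a short comment stating that the referer buffer is expected at index 2 (presumably after the packet and http_uri engines, to be confirmed against the output) would explain the hard-coded index. `pcap: false` together with `--engine-analysis` makes this a rule-load-only test, which is worth a one-line comment above `requires`.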