From 57b7a90adf53c87d2890383834b5743c30a7bf3f Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Thu, 29 Aug 2024 16:29:11 +0530
Subject: [PATCH] dcerpc: add test for frames

Feature 4904
---
 tests/dcerpc/dcerpc-frames/README.md | 17 +++++++++++++++++
 tests/dcerpc/dcerpc-frames/suricata.yaml | 11 +++++++++++
 tests/dcerpc/dcerpc-frames/test.rules | 3 +++
 tests/dcerpc/dcerpc-frames/test.yaml | 24 ++++++++++++++++++++++++
 4 files changed, 55 insertions(+)
 create mode 100644 tests/dcerpc/dcerpc-frames/README.md
 create mode 100644 tests/dcerpc/dcerpc-frames/suricata.yaml
 create mode 100644 tests/dcerpc/dcerpc-frames/test.rules
 create mode 100644 tests/dcerpc/dcerpc-frames/test.yaml

diff --git a/tests/dcerpc/dcerpc-frames/README.md b/tests/dcerpc/dcerpc-frames/README.md
new file mode 100644
index 000000000..bf15e8cab
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/README.md
@@ -0,0 +1,17 @@
+Description
+===========
+Test for DCERPC frames.
+Three types of frames exist for DCERPC:
+1. Hdr: Header
+2. Pdu: Protocol Data Unit
+3. Data: Data inside the PDU
+
+as per the generic PDU structure defined in https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_01
+
+PCAP
+====
+PCAP comes from an existing test.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/4904
diff --git a/tests/dcerpc/dcerpc-frames/suricata.yaml b/tests/dcerpc/dcerpc-frames/suricata.yaml
new file mode 100644
index 000000000..ba9783870
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - dcerpc
+ - frame
diff --git a/tests/dcerpc/dcerpc-frames/test.rules b/tests/dcerpc/dcerpc-frames/test.rules
new file mode 100644
index 000000000..db4b11f43
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/test.rules
@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.hdr; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00|"; sid:1;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.pdu; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00 d0 16 d0 16|"; sid:2;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.data; content:"|d0 16 d0 16|"; sid:3;)
diff --git a/tests/dcerpc/dcerpc-frames/test.yaml b/tests/dcerpc/dcerpc-frames/test.yaml
new file mode 100644
index 000000000..d9f22a393
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8
+
+pcap: ../dcerpc-dce-iface-02/input.pcap
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
-- 
2.47.2
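Review bot: None of the three `content` matches in test.rules is anchored to the start of its frame, so sid 3 would also fire if the `d0 16 d0 16` bytes occurred later inside the data frame, and sid 2 does not show that the pdu frame begins at the common header. Appending `startswith;` after each `content` pins the match to the frame start and makes the rules assert the frame boundaries the README describes rather than mere presence of the bytes. A negative rule such as `alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.data; content:"|05 00 0b 03|"; startswith; sid:4;)`, paired with a `count: 0` check in test.yaml, would additionally prove that the data frame excludes the 16-byte header.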
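Review bot: suricata.yaml enables the `frame` and `dcerpc` eve types, but every check in test.yaml only counts alerts, so the frame records that this test exists to cover are never inspected. One check per frame type, matching `event_type: frame` together with `frame.type: dcerpc.hdr` (and `dcerpc.pdu`, `dcerpc.data`), would assert that the frames are actually emitted with the expected type. If frame eve logging is only produced by debug builds, as I recall, that check would need a matching `requires` entry; otherwise `- frame` in the output config is dead configuration and could be dropped.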