From 9ba0db4c9def14d492e0d8ae2a2a42b80be95e27 Mon Sep 17 00:00:00 2001 From: Vadym Malakhatko Date: Wed, 3 Jun 2020 16:19:27 +0300 Subject: [PATCH] tests/hassh Add test cases for hassh --- tests/ssh-banner-only/input.pcap | Bin 0 -> 2207 bytes tests/ssh-banner-only/test.yaml | 18 ++++++++++++ tests/ssh-hassh-only/input.pcap | Bin 0 -> 4363 bytes tests/ssh-hassh-only/test.rules | 4 +++ tests/ssh-hassh-only/test.yaml | 37 ++++++++++++++++++++++++ tests/ssh-hassh-reassembled/input.pcap | Bin 0 -> 11721 bytes tests/ssh-hassh-reassembled/test.rules | 4 +++ tests/ssh-hassh-reassembled/test.yaml | 38 +++++++++++++++++++++++++ tests/ssh-hassh/input.pcap | Bin 0 -> 6105 bytes tests/ssh-hassh/test.rules | 4 +++ tests/ssh-hassh/test.yaml | 37 ++++++++++++++++++++++++ 11 files changed, 142 insertions(+) create mode 100644 tests/ssh-banner-only/input.pcap create mode 100644 tests/ssh-banner-only/test.yaml create mode 100644 tests/ssh-hassh-only/input.pcap create mode 100644 tests/ssh-hassh-only/test.rules create mode 100644 tests/ssh-hassh-only/test.yaml create mode 100644 tests/ssh-hassh-reassembled/input.pcap create mode 100644 tests/ssh-hassh-reassembled/test.rules create mode 100644 tests/ssh-hassh-reassembled/test.yaml create mode 100644 tests/ssh-hassh/input.pcap create mode 100644 tests/ssh-hassh/test.rules create mode 100644 tests/ssh-hassh/test.yaml 
diff --git a/tests/ssh-banner-only/input.pcap b/tests/ssh-banner-only/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..89fd2bb71d31b48aa7f46c2cf45353968eb773b5 GIT binary patch literal 2207 zc-pPiZ%k8H6aesZU;jNGWh?3&%c9%J5*d?P5UAU1?T`iuL6NFmvJ3(ii==6>E}4T( zUkhErCLwV;W#R|phlx`sZi~z69L#J?6CiG5LfF3#kTDY@Zn%^#vpeTK%AeA7exS)~ z?o00do%7DU@4O$bUOdTx5@vr&VEDhU@n*%6wj@}OW4a>JZ&}d2vM-ZY1LHxB6XpBv z(-4x^;)ub5UjtgVgZ!dd?YFd0fMdG8z4F-kz+oO%-KuHf!3vOT8nA#x-C)M`&a=bI z`bQ74;J|p~ocrIW>O~!A^#2UN7%y-Eqt9jE>>zPei1)Bb5b5 z50ZxJc~J+G`_g66Wxrp-`Fi&^qSz5uK`CmbvCm85hKKtx$J7sw(bM7;37l9z0nhGv z$7X%8eB-7k3v7jDYYh5qq0qXcc%#*15Ny_RX_PIziMY32h$$vawtf-roh_z(kM!d+ z#dIz#CRr!Z%EU2U(~4ZosKv?mk}#vv%9Za6F-426r=s~y77*2ce@wG!?O+`&_jI)N zQ5ca6Ppqg0;FPLQm_orbrsPO;&k^V4B8dRBv7g-~O?tBBgLPv^|JsFWzqrJ!^G!{Q zsG+JM(Q9rM||E4>=+u?a_Z>3RhOp!MCT?~_tA@buDA*1VSDuQNROc9(I z>Q0#s#(cNsWG6-hC_$hko?`0yMpDw_Drqq0=N2Yw)aS|x?ioo=l;Aaq&Ye$Bje9zd z*fGI>q6rrLlu)@YDQn{>O>>paIa=6`!1j2pps3G8uh~c%DOb%8ajiEY57r(!JRHK# zGTmIb93wL*vh&v|vY*S*>~?2WIUHVPmAAeMKnsk5sJ3aL1*f*e>kf^7OkzP(nVtej zFG(JTan`ZnP@qW)!u~f%cPgl9TBZRqx>MC|PqoMKdXmetv&vQL+50L;uP56o0-WxK zq~}GNNr~N^(k43HR_R1untvjX^o|`3*W&3;+PO4(y7!}%{D@|zVKJyU5DCw1SlVq= z$v3{FhIJ00@R1#O~^nM*&7cK>2UPxIS@Bz|{Bm7x0z)ztle|DH6t`->LRP`!?#qUc9i>&T)t*4b?6b8=mfwMNP7wXqG U+VDr)A7I1%i2vD{yeJ#~AHcP)ng9R* literal 0 Hc-jL100001 diff --git a/tests/ssh-banner-only/test.yaml b/tests/ssh-banner-only/test.yaml new file mode 100644 index 000000000..e40480a99 --- /dev/null +++ b/tests/ssh-banner-only/test.yaml @@ -0,0 +1,18 @@ +requires: + min-version: 6.0.0 +features: + - RUST + +args: + - -k none + +checks: + # Check that we have the ssh event in eve.json + - filter: + count: 1 + match: + event_type: ssh + ssh.client.proto_version: "2.0" + ssh.server.proto_version: "2.0" + ssh.client.software_version: "OpenSSH_for_Windows_7.7" + ssh.server.software_version: "OpenSSH_7.4" \ No newline at end of file 
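Review bot: The single filter in tests/ssh-banner-only/test.yaml pins the banner fields but never asserts that the ssh event carries no hassh, so a capture that happens to include a KEXINIT, or a parser that emits a hash for banner-only traffic, would still pass; a negative check on `ssh.client.hassh` / `ssh.server.hassh` in the same filter (a key-absence check if the harness offers one, otherwise a `count: 0` filter on those keys) would turn "banner-only" into an actual assertion. The `-k none` argument is also unexplained; a comment such as `# -k none: disable checksum validation (capture presumably has offloaded/bad checksums - confirm)` would save the next reader a trip to the man page. The same unexplained argument appears in the other three test.yaml files in this patch.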
diff --git a/tests/ssh-hassh-only/input.pcap b/tests/ssh-hassh-only/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..98b49f7f560f2e854e867213ab0c86a1c92cecec GIT binary patch literal 4363 zc-rlkdrVVT9LG;u`Q)wB3cxpj)`cesBDnZ-afRnwFPCUvvhzu zbtan*ALxQ{4{BU*{1jcV7V`- z^?LR~#6iPe<-qD{68>$h-FL^KSrFrPu6g2-svSaDxn_8aPd z3Tx}w%4xcMr~fm{<5-(h#7%YGM2N!?65OiP3UgkL4ihDnK?6h&%g4pUsRanF6>Mw3 zG)(0*b!^2npdN9G(1Wr#57C_WB%52&^43})*7otye4x!|o);5mj&Fk+Cw#ICpB7qw z)xPQ7=;c*g)L9veX3ve8rOwQqDov6RnORHb&CW`f66&l)bR;9z1KhrwV2FtxY&+H0 zGAO2}59sItF%84T#H>1CO@SCUFU2FKkHz)$X~F;%?-cJL7^3<1W6@mcD&!RWaSX4< zd)rr_2y5;3R-DGk?dzUYgb5@3*& z&U3S@aJ;|{+eV!9?v~hnY%Kgh2iM|7z%QH`l!qU=l(bpRZ_1LTDSkK&<&eqKNNtIo z4yVa|AuXnN6c!k?#ms$p1!MSM$k$$4tkIH61xc0o@1VyqiaBA#6F#LznFUctoRzVs zQz}?X7&*Ovx%eW5;Iz0gjhvt8Zox**RWgixowasnBpCUl z>Mr_`?oT2t?6U+T)BpWV0kKeO(P?5yd<&#e5kRWwK<5W{;+SoFSb$-DOG=Prs4 zUJ9oc-(5K2_NohwYq}o({7O&%o~46X^+|!~0Q?h+8`HZvJKX26ck|Etdv`DP?m5`I z-(H3}93Jrkd>EmHvN#Do&yYBSx7Cpye6s2IJ2S@;`#XM&zZR^Do)W#RHMA)BjqH`q z>lZHNyX$|=jLg53ACDrEr`EObgjMzvwn^Q~KNR%}LQdfmR`NQIZai>u|BbGN=O#y8 z(|wuKaPv+;P-WeTJ=MozE| any any (msg:"match SSH hash"; ssh.hassh; content:"2dd6531c7e89d3c925db9214711be76a"; sid:1;) +alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"6832f1ce43d4397c2c0a3e2f8c94334e"; sid:2;) +alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"; sid:3;) +alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"none,zlib@openssh.com"; sid:4;) \ No newline at end of file diff --git a/tests/ssh-hassh-only/test.yaml b/tests/ssh-hassh-only/test.yaml new file mode 100644 index 000000000..81d7a8474 --- /dev/null +++ b/tests/ssh-hassh-only/test.yaml 
@@ -0,0 +1,37 @@
+requires:
+ min-version: 6.0.0
+features:
+ - RUST
+
+args:
+ - -k none
+
+checks:
+ # Check that we have the following events in eve.json
+ # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: ssh
+ ssh.client.hassh: "2dd6531c7e89d3c925db9214711be76a"
+ ssh.server.hassh: "6832f1ce43d4397c2c0a3e2f8c94334e"
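Review bot: Nothing in tests/ssh-hassh-only/test.yaml says what distinguishes this test from tests/ssh-hassh (the hunk ending at the last line of this patch): the rules, the expected hashes and the comment block are identical, and only the capture differs, so a reader cannot tell which behaviour each test protects. A one-line comment at the top of the checks block, for example `# Capture carries the KEXINIT exchange without the banner exchange - confirm against input.pcap`, would document the intent; the directory name suggests this, but the pcap is not readable here. The same comment is missing from tests/ssh-hassh/test.yaml. As a point of style, the four alert filters could also pin `alert.signature` next to `alert.signature_id`, which would make a failure message name the keyword under test rather than a bare sid.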
diff --git a/tests/ssh-hassh-reassembled/input.pcap b/tests/ssh-hassh-reassembled/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b682bb80302549524b87f2c2dc33fd79ea8e216e GIT binary patch literal 11721 zc-p0!2RN1e|Htoh>=`nSO?LJsn<#sRP}$i+LM5Zf9!W#UCL=qegbvw{mC9olLdX_n z{O|jIF3(lx@jL(Lcl}(~ea_wCykGCn=li+8vv=rF))_=zWo99<8MH4K(c##yauRRQ3 zo}k{20R;tHvkk;B&TmbwkeEq|h+!PYhLVw5bwFBuHpeWe3;{m|f_^hCqkcgm~ zvyYvpps0|TBrzo1d<+lJ0!6isGAWOwgiX%<(_{=OC``7a^OvxwkgP1G@_`T@a1B(w zc9gOck_uLSiJ^QOR;HjJD|duKM^NKZuXhe4EN)*Qo06rTBA5k$GK|5PJ0dac=ANU6P zOjhjhR!mX~y8UnenBU3W#ttS5{Cy`VEA`hu-0da*z5ze{@BbXv!_&jzm-pX)pzP}D zVQu5%a2wZSv@!ayjVnlj|2aF5i`(v4T~Na=>V9`YgLCM@`91*ruQ`TXyotf;f(CX` zi{V1;&_zuP=;D8DDaZv*F<9^5CwfP@P)5?iE+#Ns+&+AsO9uh0?QPM8HAXsE{RM{l zll0_RP6G<^P5($(Crz6Ug{%U_M;pjE$*>Hoah^2Qw85p=OFtlAFt?V|pP#(g~Z5E*pU#S(R zgIu%_;R70=1C66x$RO!q7t_DHpk;(zpvX6^J^(-!N1B?u%-zLjujKyDaDO;Ha1HFM zt{v51IZffh{Z;$#{Z%X{sLT(l+LP(R{gpf+EBI#idoP58fJaOfAgw;6EKub1k=W)NBTVzbosboc;HSpdHct(&**F4c~@=y_n)+vV*aq};;0`?mpU1!XQJ?{Bv1`A6pmA*y5dTTwC!D$l-Z5cnT4( zdV}uqbB5I$Mj<8)L402fqjUOZ6W#2Q6i&wP@=^8YKo9!Aho^k*>iGwDcUW#6P$YBj zp3@cllu6JQQToXJ7Tf87A*Ad|tG`KSK?J^9UYX;0`!9`4ilVJ*Q8&!YO-6thVKj2$ zzt%ZP-Y;#7Io!%j;T<*H#@QdXLZC7%L`qEa`_mIKjkRJJ;EI{Ts2F}o*#JdW9k_h7 zY8ws#-~!&e9HnZ7WQ0{;W2nl3s#ihP+~-LEAY2qei*R!?XIO~9ndaf7eG!FZJ-5S? 
zOK>mv*-&6k=RLDNOWE}=+wc3(YR7Q>q%YU@vO{D#j$g=_S+bhKhqE+*k)^939h{Vq zvl$oyK;^MqHJmJMrF#lbKlJ!`a`s%> z)sOMBB9RdJtSSMv9)Jmsxf~;AaMlu6U_e3Ub&?YRyb|Y1{l1&NmYK?qEm<0D+K=Gr zNPJyd;!MSPC(^$~;T{psc*Q=sqrzqnE3(Ij=DMa4!#kTm6DoXjD#fkdRk%HE2(V2& znPC@;7%oa-7br5X5LW=`&yCRfj7u(5uq&~eZ~|WhBGZzPV4J40 zz)>t?L{SOSN5Nbw+|4+w#eGoA{2e*Ac439Jp8qGU*a85!bHH9YMd`O9{r+0%`PQ7{ z^^8G&Dosp?9j0UoGWh|SHgczvQK~$XFW4eu-CtN)r=j9(s8mFgFIOCdY}&`?K`tJy zlVh9HvcWEfFL6&-@x&KTd$wN04HnHV&{d>;3{6cf@FB>0jSIcE+#C1zpj6@ zlFk$%+)9%etu#7PO-BGKN9dITfRLmjZIwd!XM=!|%o_#;Gfa=kneOzy9PQA3z?kUo zP%uAs|0zVW5CX7ek{ynr`1cs-2-1_|0Wg#F>fkuf&CJR#!(C z9+ykKL^FK#Q}`+CV+D8ob?cG>6|+@)&V-+91Vm0EIjtX_3zvwtZ{$YmLN3yD0c;h1 z0(LQr;o=PJ0!2oT2D7DR6%5X=AgviU09%Cu}qicYwq{c9mT#yjec;rGZMNysZf7G+bWZKFT;#T$pj*+#9+-O z2OLEqMikm0UBZBZbVj-cZ14Qx@b+A-<6Wt#eF9>UG!q*y|NQZJ0 z*K=)FRmT2)R2ZS~Y6pd1kDt8odZEy!g;^wbk00dXd=Y@HDmh^nLl`ciVHYUUnYWAJ zg5&YQ20>uVRNu9se$BzjSE9`1Bam`-C)TPYhBG^kky!~){VAxtvI~-3J8v%CR4(UQ z&(#+e7Im$f(Mu_NDrFSM80lkl&5NUKCz&6%!!7)@}#PAfPnS-R})O-Ml zy+~im!%R^V`iEB6ZdQSLd}Q)0YVBDGqoo;_fUg4_;JyQg6l8w>TfWEUHWp}I(TjV>crSu_?e3ZTB2C_c z+eR;JQk<JTRR%s~NUsX~1?eW_Zw9~quB&r?T)#H>T z#xC23amzh$={rL+oQlJQM<}~NN9>fGC^YlsJw#UQ!kRyL3lH7#d;StoARU}ZlCrh7 z13*)hfUl%enUOiJ1h=F=7geq6nCIP4$MH|dow)4F?rC8=?0>k(jY~S;U*&6!F6vpU zob`vu&e&TH-lRigthW+$4#~FR06=berG4Vg7K-x?PwNIV&FSMoqm+2VcWWbD7@rf8 z?*;AbH}7$kr*|w9HkV1t6^_LJwQk?Exr2mj0$y7ws`qo_xE0&NB-hKA#tQCotWU6!~lrg#D|p(@64g! 
zVvws2$p^y#FrF{w6ud2Ps^>*tR6>e?!jC8-{4vqsSJ@JRds*%CrF$xm<|X^c)$ig} zzRY@L-~w!CCqQJ)vslUSei6DAgFJUg?i>REw-pxk$Ek1I-!4AoBQHK!#ucdEbIFo_ zHnts87tG^I@7qWlCVg3M=iafku~z;z&&r4~4~V>c838yV0r#f@TR2{zl{h7TH#nAcUZlvU(z z5DWKv)NeTZy7jCsTHI7QU`i?_5)q27SCMRHC84t&_xxhGRsO}Cp*+n&R{4GaqxE^i z5aJT=^NmPPI|d&Y+$9S6aAmX4VQz1DQP)o1{id&bBDC<;*W{g9@ju0`)v_5|D~Dgj zs}$GxPB{MHeueq%63bm7)AvYx)e%}^gf#}+Piq>nhEpdPN#KJ935Ewt!Rt2 zMJRJlm#CTi+`+dy-@7T6x!$8+`2Aaia;@g4&FL1q{kg`v(9;_BfJa1nYyF=zlcHN2 zolfPxoMp#CnNIuEFS!cYv}bYG%-6|eE;FhtJ`tPV!ch`0kZOP6X-s?nX^bip#fML^ z@+m$*ic_V`Q_&`o>;SH~w$u7)wQo6Wi5yk0oW$9S{q)#9bZw{gkDZ5tB#|_}6Z{h= z??uiM>rl29KTP-8jeYn_Xmmh4;>=|7I>N177o9 zNnrn$1ypr8;RtNKGe6v;e#Yog!F6hq4s--?EAiLf`8B9@60F{nM^!M>6uiIq2Iuz* zPWrp2`UuWj5Sy`75pmg!Pl5oL4t5J#$%U;-+$Xy^QF(#9A9M3CS7FI~nE_O7u z&!IJ~NSZ5nvbK^TOn~!@uqNAdCfS39IiybWU30Ros(I*x4;(XBV`-+TL!V8s<_;hV z`D+>&FLrSv6x|yF=e1H6U4~zZ$#R=HXjkyDz1rNQvhYL{1-5>=Vtv!~-mtYLvY~w{ zS0SjX*Kzh;u&tu4aNp|Ur_ydUd7JV3c?m-SnVjF8$oup1)r2YVlFH(jOviINFDHhK z(&4RUHF)vH;)-h1i5lIp<5X&YQWg0}wRvJ^dyz(&3oVn{gUx0Wb1v}!wGt|gp8;0_ zs%GDy6!-nB%n7O|s^3av8^$G6mQ^5V;$PktnzDLjN=w?%MS~B&Na#WgBZTX7n1^cejc8D}N2m8|mgUP`!wm>t6#X=@?0vCB+hw3_?K|6-e;l88P7#v z8`lNkDlGYD6(%bipvVPq!By+B%u0d*E_0`+4!g{yyYoTy<%OJ$iOmOitzXVj&eG%_ zxR}w3=fx=OHSzA1-^fb3SoZz^%A8e0L7X`L}CcoWZg* zOwILb^k=jfoT*OrvaRcv_E?==7+|E-v|0UQvd!4iJh1X0q7NdwwqhM=;C*oPo8O<7 zWMznMfFfD^8VdkBG!`V^_k_z6Wvf3L`RDXz?F`XvW=20amBc7GSdJ6O(3ZzCI74yw0cy}J1i4pVF z!{o#n*tSN8n00GVyuQhE+bpU5Q73ah4vlM{O$a~Usx2vzhgF5ZYORA`r< zc+B|Gb6rB+a^T~TeQ#}W$WVD^+FSuEb=mBLDN^kl-?M}zUN~+-&hFzNvE@Ygs1-Op z3FHo3`)|*A13-%jX=U_g#uq~q!vWcH7JUUa37&lZ5VDgOWOIj4NJpHP=%(qP`S$d6 zvQ(s@JAF+yPR!^ae&w+CjRK0R@RcFwL($aIps-w%%L>j$#ZW z3MEL-fPyS1u=!9632GVYVV!G>!deAKYN5z-lyw2X+GB-oa41a7clXC7?cuFI#`JJF z`R?XEP|wTur~SEjM)r|Nb?cjZ=0A6IzFywFuuk;RISnFLy93x}Lh!joGx~^(_<$K< z+I|55FE@Ir`>e)FyxnVhB~pyXw8r<#*|cuqj2&wfqZq!!_r19zW}TzWj6K(PTHd7C zL+E05!w#Ij;2K?>Y_up}p5v+QN%ACDFVYj8ysFmC` zqN}UW2Sf&kKR@>({*fD{+P$|N)#>&sZ?cR}+KXIL?2~P#OqR@IJ=x 
zfr-%_#G05%9In6RTA1I}`J`{AK}3FxE#j6x$F^N`Npu&+7!wI~CadR8?5)0UEoRcO z7%$%26){95C9d2&f4-mU>B0Krjt5@pm2CY?uD6VfjCS3&&QNi)hrC^%%{gnbr)xu;XsZyYo zeW@eo!;n|1+I2(AZ?2=e?E_2p>$LGc`d@j5Z}XwOs}r$e<09_P*YY`?eQ@h%JsawK zw_H08`5cMm@#`1kNgZa=D=BOntFfIF+482RK?9m=Ah1$2}9m4CfdFRX46#T)xea$Go$X7xd}8dujR&sa?vv zWDUDc`N~L)v0u}PJmEuii%oO2ib0=3^Yc!7fzS8FA|6KGfkDPZZIz!g=d6r&Z=iKv zq(D{o1zcSdBmTPn@f_|>!Dk<6mfx%H;Wk`#C=#Y6DFBexSx9xBirw~*6Ryplu*-Ym zsP?{eehTkkiQG=^c}IijR#9APan+AYnYXX>4Awm?DSB@w@rvbE26A#}?}@gThGf;k z<6&|eJod+fl}{kvFRuiZiO;)yclawAO`mY z`4~NcPkQpBZUYo?hJq;oxNA+sOU0jm-7~s|BJj++OOdwq;ojZ@X1smw)r(qr>Ugzz z<6lcD>m1j%$k_&@12;Y@J%`8^U0BKDFgXu{oPS8>Ap?L#(gqcNIfUzsb6O97VN~IJ z#;Alxwf(BEh0iQWZc0d~L?|l+Q%xzG-ZH#!qb77uvPeq@BH#atl`H|1b1}#xf0G9R z;N!O!A*h~?$_G)S?`yxUdCn?d+UmSDlE35k6}YhfXJ4bR{g-LQ8}XAr*RPPZFFKx% zQwP{Y%;@Ko`;FG4o2f^f|TMJV6JS?xV5vue-WQ$^~WccI> zUH?1zF>pv$#RGs(8Fx&r7Vy`a9JR*@e$-w&_k%xf%1x+0Py}Dh{1fxi!zEf_*X)5f zQH`ubA`9I7uBmIMAhKmKfNdm~f?MtbM$4%|bU1%Rzvk~5_Ps0k%nMzI5rxEI6y56p zpl<&v+xE1|!1JK}P1f;tVv(XN;~REb_vLW;(^}_3R|W2hSV#%{QEW6bs>RA9{LGN5 zBShl`3t)T z(cA(vq-=Y1mu_b#%w1uBuM(~NNfjb96JwoS!>3c|8VqvkA(`tN0MHqu*xM7S6c6gZI>}F9H#ZBWJ9wH6>cg`P~5l~YY;>(Q$+&TLF)CR z$Zk{ci4-~ygWPvWR#yXn_off=pEf@AX1I`$n99;XYRHB((&Y0Czo=iE5So561i$WW zYZ=4lpYfxY%@gq7^htfx;(b$p<}OD&$8pycr?w8;>s*kN1sf!`6A6x^_Oeo_51mNO z0|1BC#E6&DWjkP)Xz*)s8bia@u)}wuS_;Bj-CEqiPon&NufK*!0wGvQ@W~On1%o7W zNJ=aMfSJOLCWB+4KSC_B%^VVi_0}_dWh%;52#o8`wK$enO^(?GE;olU!Mz?46H2$pB16AF)qkRFu>#kq5cE+*#g3o) any any (msg:"match SSH hash"; ssh.hassh; content:"3cc67862bceac0f334c62ad1b76895b4"; sid:1;) +alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"3cc67862bceac0f334c62ad1b76895b4"; sid:2;) +alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"diffie-hellman-group1-sha1"; sid:3;) +alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"diffie-hellman-group1-sha1"; sid:4;) \ No newline at end of file 
diff --git a/tests/ssh-hassh-reassembled/test.yaml b/tests/ssh-hassh-reassembled/test.yaml
new file mode 100644
index 000000000..b80d558d5
--- /dev/null
+++ b/tests/ssh-hassh-reassembled/test.yaml
@@ -0,0 +1,38 @@
+requires:
+ min-version: 6.0.0
+features:
+ - RUST
+
+args:
+ - -k none
+
+checks:
+ # Check that we have the following events in eve.json
+ # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string)
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: ssh
+ ssh.client.hassh: "3cc67862bceac0f334c62ad1b76895b4"
+ ssh.server.hassh: "3cc67862bceac0f334c62ad1b76895b4"
+
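Review bot: The final filter in tests/ssh-hassh-reassembled/test.yaml expects the same value, `3cc67862bceac0f334c62ad1b76895b4`, for both `ssh.client.hassh` and `ssh.server.hassh`, and the rules for this test (the hunk that precedes this file, whose header is not readable here) use the same content for sid 1/sid 2 and for sid 3/sid 4, so none of the five checks can tell the client-side keywords from the server-side ones; a direction mix-up in the logger or in `ssh.hassh.server` would still pass. A capture in which the two peers advertise different algorithm lists, as in tests/ssh-hassh, would make the direction distinction testable, or at least the limitation should be stated in a comment such as `# client and server hassh are identical in this capture; direction is not checked here`. The comment block also does not say what "reassembled" covers; a line like `# KEXINIT is split across several TCP segments - confirm against input.pcap` would record why this test exists separately.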
diff --git a/tests/ssh-hassh/input.pcap b/tests/ssh-hassh/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0a093f2cb330fe39a9326dc10fb281bee57bf2c8 GIT binary patch literal 6105 zc-rlldr(tX9>>oONeJO#c&bZ9V6>u5FaZ+i7BnanEd@nHKr2p20s%vUNl--85WqK! z<7yG1cJNu>jpFEvTGT3vqQxiFXLn#~Eht*-1{BzHZU~UeCF>u~?sTUaPB{0Tb3VWC z`TcHw$@$&BaI}H~sG$Ev1sHtKUUo0Zsn`Yt!#-*~_{*hA;ZZk%K?fKE(BVYmb@eyE zU|b7(7#Q@*fvnal#(QIxKC=T;U>~*1XGb0`+{^&uo=Mj-KsW#aAvc6TNY9xB*QXwA zbh+NN0js+4wC9kb%PUjMq6F$50)Sx*CZ#YiPaYpFK}2?eeIL=tGI0@cViEw$=tV~m z4NJ(4OsWB+BEvBPn?`E0#fGc_$4-L0S}Xzlb<_*mbDUaqm{NTiALE zzY1;xA1zuR8y-4q>NL+Ov0*bOa(#Ksu<$w4r-p}cnX%!s@E(u39KuzlOoB5(d(oNB znto>*uOZsK&zY%%orzc#kTn7JQR}4`ooQlGjMq4!kBU}$Y-19fW?GM&rV9}QE&can zXf|4VCmpyc%Zuxf87-x=ZB#M<6e_I}v$A4f7?pyEiUCA3EjSSX6xfq55e?s&+nx00 zlHXDw^}5zc#mejGB|;jcS|g&ctlv|EH2UZ!;Tq2pG+u|))R`<6Gt+LMrv&?$ARhMP z$yn2MlW|r#DQg6aIj#nP*w|?tKVL3qMy6B&`wLQ(ss-_B3W;)wdO@IXpgkVkze6(u zXhJ~d1RwoH2W*ud)*g)R^ zqrhl;TaZKpcq96OHd7}=et5Z=;D;9wpNsr(aTroW8)M^Q_2Cz*VvZnyBh{F%!0#gz zaX^L!OrEkZ3Y|LSD39EnAb?cD(B{p}_2d7aH%3(`719C!0r~fHF3h$9m}yZXCUTmO zz6K?7ihz*FbCu;=hQmbuW>qWxlkP3k#c9{L1F_(^wBUBpSmoTNu`qK8|ID`Ul5I)H zOi>K&O)(ad5LuEOkiH<~$bU0g^x=}leK=zm$H8v0T)8AA4Jt$zVv$;7n(i-=s!`{U zDf!P7`A6HBD@u**9GHR#-*!U|43$MI-E2V$?5B|Zc2CfS;=kS3oBw9rGQ7FOfPS;m zf)?Q*Hr)fhd%C!P)yDpt%Ka}_S-Y;eO5>izI6hufTe+mQQv^awz*%k z40NY6Xom&VrlYHOoZf!FHRke|5qBjgqK`a$YHeRoacbMDW1cs%;2g=&dZxqX1s*TZ ziVv==t4mV0f9~8e!cg9}CiX@2ogydS-exKgc^>FDH{bIeY ztIXpckLI{>vt}o~*=iO>JEm*@#kA^(?%l$KxXR+?(f%z57OsAIo;kcMM*U_kk^dhi1GD(l%Q+71vfo&=zmf_TV{u&?TR(kUvlD!j4ix&(PVEOKU-ux& zZ2eW7LMNrbPl0YEJT2DW=TuzjdaF6I^vSEQV-g$x86*5b|Eof|d-ppy~ zp7m2gZDiukV#nO$iHe1rHa`30o>(;BUUqd)wA;SvWKJeePxzPXq{@V+8asd?BedCeU@e@wmaKZU?3Z?U;CIA)kpaAj!-r;4)3HWF zVLomI`;SJd9RVFpo4^G=)sA$9GFd5EY9m*QMRJ)^tpRxX2#e7I@J%(a`KuPqM8YP_ zwFB$m;5xF%=jyMa$kQL1N50bq#-av~d?*0Ne03uY4q-g5^$)0Og z?ZvwpWgpD{p*8zv*G4DXi(V~fB`x8<>vsrC%dB(KFVe~zRBwOvS@iwZjNSWOAHI6z 
zozVE(qn6;$OE2$6%3gNZS*i<#<4?#5!V^*h)yZbEST?surv_oAn#vk5QtH3hyysSm+d#W3GX-E<{neTmU5)J<ZU*6LNsIDR4YU@ zNUeoLtBAWs;<>_4WR!xfWm-t|9&c|!KR4fvY#I0Ygyp+ z+ESCo8JM+Uo)i(I>MhlFH`xinYkGPZq8T+dFc1w=^^lk|=A4meZIE|U@+WoXLE`9r kbPKgz=lv+)J5QTxyN`=ez=xN any any (msg:"match SSH hash"; ssh.hassh; content:"2dd6531c7e89d3c925db9214711be76a"; sid:1;) +alert ssh any any -> any any (msg:"match SSH hash-server"; ssh.hassh.server; content:"6832f1ce43d4397c2c0a3e2f8c94334e"; sid:2;) +alert ssh any any -> any any (msg:"match SSH hash-string"; ssh.hassh.string; content:"umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1"; sid:3;) +alert ssh any any -> any any (msg:"match SSH hash-server-string"; ssh.hassh.server.string; content:"none,zlib@openssh.com"; sid:4;) \ No newline at end of file diff --git a/tests/ssh-hassh/test.yaml b/tests/ssh-hassh/test.yaml new file mode 100644 index 000000000..e923e1c96 --- /dev/null +++ b/tests/ssh-hassh/test.yaml @@ -0,0 +1,37 @@ +requires: + min-version: 6.0.0 +features: + - RUST + +args: + - -k none + +checks: + # Check that we have the following events in eve.json + # 4 - alert events, one per each type of data (ssh.hassh, ssh.hassh.string, ssh.hassh.server, ssh.hassh.server.string) + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 4 + - filter: + count: 1 + match: + event_type: ssh + ssh.client.hassh: "2dd6531c7e89d3c925db9214711be76a" + ssh.server.hassh: "6832f1ce43d4397c2c0a3e2f8c94334e" \ No newline at end of file -- 2.47.2