From 30943c4caa0fe4e322b5ae43c96be5f884ba7417 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 8 Oct 2021 12:26:37 +0200
Subject: [PATCH] tests: test for security ticket 4710
---
 tests/security-4710-01/input.pcap | Bin 0 -> 1646 bytes
 tests/security-4710-01/test.rules | 2 ++
 tests/security-4710-01/test.yaml | 23 +++++++++++++++++++++++
 tests/security-4710-02/input.pcap | Bin 0 -> 2534 bytes
 tests/security-4710-02/test.rules | 2 ++
 tests/security-4710-02/test.yaml | 23 +++++++++++++++++++++++
 6 files changed, 50 insertions(+)
 create mode 100644 tests/security-4710-01/input.pcap
 create mode 100644 tests/security-4710-01/test.rules
 create mode 100644 tests/security-4710-01/test.yaml
 create mode 100644 tests/security-4710-02/input.pcap
 create mode 100644 tests/security-4710-02/test.rules
 create mode 100644 tests/security-4710-02/test.yaml
diff --git a/tests/security-4710-01/input.pcap b/tests/security-4710-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..82a8f6f7e79ddca6fb4ab700aa7688270eeae9c0
GIT binary patch
literal 1646
zc-rlhPfXKL9LIkk4Axi#^Z@blf)_~kuib{DS*D9D5E$6NxUh>|_qH|EZnkg4#TdPq z_$N^=o-_t-9Mpq)0cS!q8ZRC+vV$SQ z?ehn>=IWsVHjV~3M(?u=qtcl#O%R~tfHhqQHrUy-@9{T)W{3cE(-}Bu>zrPi&z@eI z&z)W2Km@q7Y?h1l2<~$hXZmXsgy>wzdV$5c`>wpsaZm~zu)WYthRFhPg$oz2y{D|w zk@oVZk52&V8yfFev@7SDx6@UL5?94m1g}q6oW&kHL@6R#n-g5;Bx-SH_aJx{2iV>I z&{!*;T)evW=yK`&_twB0i~ZoK9f}lNtj)e|u{%E3?6CvELK0vg5<~91N_5G{>nT@; z997X^EGD`+7soPTS;jfyjA(K;sc2~dDM_pmg%nt3Fl!J2aecgt>kYU#jy}D;EHhzX z-5E~PDglWFlF4e$ysoNB!tHg@vySV*^1O{WwkN=t8x9K%r-u|naN6|+Yr23vpA>5 zn610YRJv-})Kv>*#c7E7&wBs>
literal 0
Hc-jL100001
diff --git a/tests/security-4710-01/test.rules b/tests/security-4710-01/test.rules
new file mode 100644
index 000000000..c34827cbf
--- /dev/null
+++ b/tests/security-4710-01/test.rules
@@ -0,0 +1,2 @@
+reject tcp any any -> any any (msg: "Bad keyword detected!"; content: "ultrasurf"; http_uri; sid: 1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM suspected RST injection"; stream-event:suspected_rst_inject; classtype:protocol-command-decode; sid:2210058; rev:1;)
diff --git a/tests/security-4710-01/test.yaml b/tests/security-4710-01/test.yaml
new file mode 100644
index 000000000..d39c1f9da
--- /dev/null
+++ b/tests/security-4710-01/test.yaml
@@ -0,0 +1,23 @@
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2210058
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: /ultrasurf.html
diff --git a/tests/security-4710-02/input.pcap b/tests/security-4710-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..55a730ea8df820c7bf93c2c2257ce34929588938
GIT binary patch
literal 2534
zc-rli&r2IY6vv-Gkg_zQr3VWYrwf7yv$HW`HBHi}iCXH9t;Uu@tFFmt7B<;*ccKjx z3hiC66iU6d1rG{66zrk&R6*#WpwNTI{sF!9)JyG~-Dp}gB0`}D6DIpI^FA~0`!et4 z>*l*x)lduNmuL4j%;>FeYM>o$F{*JS0NS7mAXfM2%VU5lF{U$`o(f4f(EYCewq{b1dx`61*# zwAP=RA47gQCY>~QE4atB)(SQ>0Nkf*yLnP2~RZ;Pc6a7{$$5Py|av_p3ErDq!$h0x8@|y`WIv^Mg8h`nlW}jMQ&9tyCPrl?A2 z<$a6DmE?;Zxxq~qjT<)J3d=4M({Q+vnw@Wl)hpO^w_T250*85vgvpZU2x!#u+PJHf;zV=bmu)C$t m-{&WAh72E
literal 0
Hc-jL100001
diff --git a/tests/security-4710-02/test.rules b/tests/security-4710-02/test.rules
new file mode 100644
index 000000000..9c1d6e240
--- /dev/null
+++ b/tests/security-4710-02/test.rules
@@ -0,0 +1,2 @@
+reject tcp any any -> any any (content: "/"; http_uri; startswith; endswith; sid: 1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM suspected RST injection"; stream-event:suspected_rst_inject; classtype:protocol-command-decode; sid:2210058; rev:1;)
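Review bot: The `reject` rule on the new side has no `rev` (and the 02 variant in tests/security-4710-02/test.rules has neither `msg` nor `rev`), while the stream-event rule beside it is fully specified with `classtype` and `rev:1`. A fixture rule still benefits from both: `rev` tracks later edits of the rule, and `msg` is what shows up in the eve alert record that the yaml checks select by `alert.signature_id`, so a failure is readable in the log rather than only as a bare sid. I'd append `rev:1;` here and give the 02 rule a `msg` of its own plus `rev:1;`, e.g. `msg:"TEST exact root URI"; rev:1;` (wording is mine). Separately, `content: "ultrasurf"; http_uri;` is the legacy modifier spelling; the sticky-buffer form `http.uri; content:"ultrasurf";` is the current one, unless the legacy keyword is itself part of what the ticket exercises.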
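Review bot: test.yaml declares no `requires:` block, so the test presumably also runs on Suricata branches that predate the fix for ticket 4710 and fails there; a `requires:` with `min-version: <VERSION-WITH-FIX>` (the fixed version is not stated in this patch) would let suricata-verify skip it on older branches, and the same applies to tests/security-4710-02/test.yaml. Nothing in the file says what the scenario is; read together with test.rules, the checks assert that the `suspected_rst_inject` stream event fires exactly once while the `/ultrasurf.html` HTTP transaction and the sid 1 alert are still logged, which looks like a regression test for an RST-injection evasion, so a header comment such as `# Security ticket 4710: HTTP transaction and sid 1 alert must still be logged when a suspected RST injection is detected on the stream (see test.rules)` would make the intent explicit — confirm the wording against the ticket. A short comment next to `-k none` saying why checksum validation is turned off for this capture (presumably the crafted pcap's checksums are not valid; verify) would help the next reader as well.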
diff --git a/tests/security-4710-02/test.yaml b/tests/security-4710-02/test.yaml
new file mode 100644
index 000000000..d5eca191f
--- /dev/null
+++ b/tests/security-4710-02/test.yaml
@@ -0,0 +1,23 @@
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2210058
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: /
-- 2.47.2