From c14a26c4d562016d97c6a5388c2c8ddbc4c1ddf2 Mon Sep 17 00:00:00 2001 
From: Modupe Falodun
Date: Wed, 19 Jan 2022 22:48:58 +0100
Subject: [PATCH] detect-hostbits: convert unittests Task: 4911
---
 .../detect-hostbits-01/README.md | 1 +
 .../detect-hostbits-01/input.pcap | Bin 0 -> 143 bytes
 .../detect-hostbits-01/test.rules | 3 ++
 .../detect-hostbits-01/test.yaml | 27 +++++++++++++
 .../detect-hostbits-01/writepcap.py | 10 +++++
 .../detect-hostbits-02/README.md | 1 +
 .../detect-hostbits-02/input.pcap | Bin 0 -> 143 bytes
 .../detect-hostbits-02/test.rules | 5 +++
 .../detect-hostbits-02/test.yaml | 37 ++++++++++++++++++
 .../detect-hostbits-02/writepcap.py | 10 +++++
 .../detect-hostbits-03/README.md | 1 +
 .../detect-hostbits-03/input.pcap | Bin 0 -> 143 bytes
 .../detect-hostbits-03/test.rules | 4 ++
 .../detect-hostbits-03/test.yaml | 32 +++++++++++++++
 .../detect-hostbits-03/writepcap.py | 10 +++++
 15 files changed, 141 insertions(+)
 create mode 100644 tests/detect-hostbits/detect-hostbits-01/README.md
 create mode 100644 tests/detect-hostbits/detect-hostbits-01/input.pcap
 create mode 100644 tests/detect-hostbits/detect-hostbits-01/test.rules
 create mode 100644 tests/detect-hostbits/detect-hostbits-01/test.yaml
 create mode 100644 tests/detect-hostbits/detect-hostbits-01/writepcap.py
 create mode 100644 tests/detect-hostbits/detect-hostbits-02/README.md
 create mode 100644 tests/detect-hostbits/detect-hostbits-02/input.pcap
 create mode 100644 tests/detect-hostbits/detect-hostbits-02/test.rules
 create mode 100644 tests/detect-hostbits/detect-hostbits-02/test.yaml
 create mode 100644 tests/detect-hostbits/detect-hostbits-02/writepcap.py
 create mode 100644 tests/detect-hostbits/detect-hostbits-03/README.md
 create mode 100644 tests/detect-hostbits/detect-hostbits-03/input.pcap
 create mode 100644 tests/detect-hostbits/detect-hostbits-03/test.rules
 create mode 100644 tests/detect-hostbits/detect-hostbits-03/test.yaml
 create mode 100644 tests/detect-hostbits/detect-hostbits-03/writepcap.py
diff --git a/tests/detect-hostbits/detect-hostbits-01/README.md b/tests/detect-hostbits/detect-hostbits-01/README.md
new file mode 100644
index 000000000..13cb4df98
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-01/README.md
@@ -0,0 +1 @@
+Test noalert flag for hostbits
diff --git a/tests/detect-hostbits/detect-hostbits-01/input.pcap b/tests/detect-hostbits/detect-hostbits-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..49593f3d9db37e0fc3a1c5ef0a337119b9cb6c1f
GIT binary patch literal 143 zc-p&ic+)~A1{MYw`2U}Qfe}c*Nq(Hz@|T4n9mq}xi-Q0IBNH=Ao2hJ literal 0 Hc-jL100001
diff --git a/tests/detect-hostbits/detect-hostbits-01/test.rules b/tests/detect-hostbits/detect-hostbits-01/test.rules
new file mode 100644
index 000000000..007c7d11c
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-01/test.rules
@@ -0,0 +1,3 @@
+alert ip any any -> any any (hostbits:noalert; content:"GET "; sid:1;)
+alert ip any any -> any any (msg:"isset option"; hostbits:isset,fbt; content:"GET "; sid:2;)
+alert ip any any -> any any (hostbits:set,abc; content:"GET "; sid:3;)
diff --git a/tests/detect-hostbits/detect-hostbits-01/test.yaml b/tests/detect-hostbits/detect-hostbits-01/test.yaml
new file mode 100644
index 000000000..c4b433b0e
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-01/test.yaml
@@ -0,0 +1,27 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
diff --git a/tests/detect-hostbits/detect-hostbits-01/writepcap.py b/tests/detect-hostbits/detect-hostbits-01/writepcap.py
new file mode 100644
index 000000000..fe7a0b191
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-01/writepcap.py
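Review bot: In the detect-hostbits-01 test.rules hunk, sids 1 and 3 carry no `msg:` while sid 2 does, so the alert and set cases are harder to identify when reading eve output; give each rule a message, e.g. `alert ip any any -> any any (msg:"noalert option"; hostbits:noalert; content:"GET "; sid:1;)`. The count-0 check for sid 1 in test.yaml cannot tell a noalert-suppressed alert apart from a rule that never matched; sid 3 alerting on the same `content:"GET "` is the only evidence that the packet is seen and matched, and that reasoning is not recorded anywhere in the directory. A rule-file comment such as `# sid 1 must not alert: noalert suppresses it although the content matches (compare sid 3)` would preserve it for the next reader.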
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/detect-hostbits/detect-hostbits-02/README.md b/tests/detect-hostbits/detect-hostbits-02/README.md
new file mode 100644
index 000000000..d9f27bdba
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-02/README.md
@@ -0,0 +1 @@
+Tests the set / isset hostbits keywords
diff --git a/tests/detect-hostbits/detect-hostbits-02/input.pcap b/tests/detect-hostbits/detect-hostbits-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..49593f3d9db37e0fc3a1c5ef0a337119b9cb6c1f
GIT binary patch literal 143 zc-p&ic+)~A1{MYw`2U}Qfe}c*Nq(Hz@|T4n9mq}xi-Q0IBNH=Ao2hJ literal 0 Hc-jL100001
diff --git a/tests/detect-hostbits/detect-hostbits-02/test.rules b/tests/detect-hostbits/detect-hostbits-02/test.rules
new file mode 100644
index 000000000..ca017ddd8
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-02/test.rules
@@ -0,0 +1,5 @@
+alert ip any any -> any any (hostbits:isset,abc,src; content:"GET "; sid:1;)
+alert ip any any -> any any (hostbits:isnotset,abc,dst; content:"GET "; sid:2;)
+alert ip any any -> any any (hostbits:unset,abc,src; content:"GET "; sid:4;)
+alert ip any any -> any any (hostbits:set,myflow2; sid:10;)
+alert ip any any -> any any (hostbits:isset,myflow2; sid:11;)
diff --git a/tests/detect-hostbits/detect-hostbits-02/test.yaml b/tests/detect-hostbits/detect-hostbits-02/test.yaml
new file mode 100644
index 000000000..e908228b3
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-02/test.yaml
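Review bot: `flags='P''A'` in the TCP() call relies on implicit string-literal concatenation and reads like a typo; `flags='PA'` expresses the same PSH/ACK flag set directly. The identical ten-line script is added again for detect-hostbits-02 and detect-hostbits-03 (same blob fe7a0b191 in all three hunks), so the same change applies there. The shebang `#!/usr/bin/env python` resolves to whatever `python` is on the path, which on current systems may be missing or Python 2; `#!/usr/bin/env python3` is the safer choice for a script that is kept as the record of how input.pcap was produced. `from scapy.all import *` is the usual scapy idiom, so I would leave it, but a one-line header comment saying that running the script regenerates input.pcap in the current directory would help whoever needs to rebuild the capture.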
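Review bot: The sids in detect-hostbits-02/test.rules jump from 2 to 4 and then to 10, which reads as if rules were dropped during the conversion from the C unit test; if the gaps are intentional, a comment such as `# sids 3 and 5-9 intentionally unused` would stop the next reader from looking for them. Sids 10 and 11 also depend on `hostbits:set,myflow2` being evaluated before `hostbits:isset,myflow2` on the same single packet, which the count-1 check for sid 11 in test.yaml assumes without saying so; `# sid 11 expects sid 10 to have set the bit on this packet first` would make the ordering dependency explicit. The bit name `myflow2` looks inherited from a flowbits test; a hostbit-style name would avoid confusion about which table is being exercised.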
@@ -0,0 +1,37 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
diff --git a/tests/detect-hostbits/detect-hostbits-02/writepcap.py b/tests/detect-hostbits/detect-hostbits-02/writepcap.py
new file mode 100644
index 000000000..fe7a0b191
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-02/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/detect-hostbits/detect-hostbits-03/README.md b/tests/detect-hostbits/detect-hostbits-03/README.md
new file mode 100644
index 000000000..f05087f36
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-03/README.md
@@ -0,0 +1 @@
+Tests the set / toggle / toggle / isset keywords
diff --git a/tests/detect-hostbits/detect-hostbits-03/input.pcap b/tests/detect-hostbits/detect-hostbits-03/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..49593f3d9db37e0fc3a1c5ef0a337119b9cb6c1f
GIT binary patch literal 143 zc-p&ic+)~A1{MYw`2U}Qfe}c*Nq(Hz@|T4n9mq}xi-Q0IBNH=Ao2hJ literal 0 Hc-jL100001
diff --git a/tests/detect-hostbits/detect-hostbits-03/test.rules b/tests/detect-hostbits/detect-hostbits-03/test.rules
new file mode 100644
index 000000000..4f2c60a15
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-03/test.rules
@@ -0,0 +1,4 @@
+alert ip any any -> any any (hostbits:toggle,abc,dst; content:"GET "; sid:1;)
+alert ip any any -> any any (hostbits:set,myflow2; sid:2;)
+alert ip any any -> any any (hostbits:toggle,myflow2; sid:3;)
+alert ip any any -> any any (hostbits:isset,myflow2; sid:4;)
diff --git a/tests/detect-hostbits/detect-hostbits-03/test.yaml b/tests/detect-hostbits/detect-hostbits-03/test.yaml
new file mode 100644
index 000000000..dfcf30bc7
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-03/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
diff --git a/tests/detect-hostbits/detect-hostbits-03/writepcap.py b/tests/detect-hostbits/detect-hostbits-03/writepcap.py
new file mode 100644
index 000000000..fe7a0b191
--- /dev/null
+++ b/tests/detect-hostbits/detect-hostbits-03/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
--
2.47.2
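Review bot: The expected count of 0 for sid 4 (`hostbits:isset,myflow2`) in detect-hostbits-03/test.yaml only holds if sid 2 (`set`) and sid 3 (`toggle`) have already run against the same packet, so the bit is set and then cleared before isset is evaluated, and nothing in test.rules records that dependency; a comment such as `# sids 2-4 must evaluate in order: set, toggle, then isset (bit ends cleared, so sid 4 must not alert)` would make the expected 0 self-explanatory. Sid 1's `toggle,abc,dst` is only confirmed to match (count 1) and is never followed by an isset/isnotset on `abc`, so the test shows the toggle keyword matches but not that it changed the dst host's bit; if that is deliberate, `# sid 1: toggle on dst host is match-only, state not verified` would say so. The README line for this directory lists two toggles, which agrees with the rules, but the match-only nature of the first one is worth stating there too.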