From 1c1ffcf3bb08128635594569cd7d7869d6ef53cf Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Tue, 1 Feb 2022 10:38:41 +0100 Subject: [PATCH] tests: add sip with frames test --- tests/sip-body-frames/README.md | 1 + .../public-cloudshark-sip-s0.pcap | Bin 0 -> 6060 bytes tests/sip-body-frames/sip-frames.rules | 15 ++++++ tests/sip-body-frames/test.yaml | 50 ++++++++++++++++++ 4 files changed, 66 insertions(+) create mode 100644 tests/sip-body-frames/README.md create mode 100644 tests/sip-body-frames/public-cloudshark-sip-s0.pcap create mode 100644 tests/sip-body-frames/sip-frames.rules create mode 100644 tests/sip-body-frames/test.yaml diff --git a/tests/sip-body-frames/README.md b/tests/sip-body-frames/README.md new file mode 100644 index 000000000..8acd9b775 --- /dev/null +++ b/tests/sip-body-frames/README.md @@ -0,0 +1 @@ +pcap from https://www.cloudshark.org/captures/4ff29b39b8dc diff --git a/tests/sip-body-frames/public-cloudshark-sip-s0.pcap b/tests/sip-body-frames/public-cloudshark-sip-s0.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bca9fa286b711f0885127fc15b6b779b347f109d GIT binary patch literal 6060 zc-rll&u<$=6vsD7Nn1;l?w=34phwnD&PcMC`hQx*l}Vz4*Aidwo)vOY`>X( zJNw>e<~#eoz4*cTUSpTh{M^267(MFy={-NE>EKVtNK@`g9I$4DE! zSC^vW#_fT>`oG}2FRJ!c>{9GF5XU7 zWtgliluL4Kv?k`0Q#pon&rT6)#tDr^=E?~$*ewo&4Ug-GXe=6WM4=GRP9^}t5D|>Y zc-PL0?Qwp!J&DGT#XGu2ko zX@%Owu@&pAEcrR{8En zZysDG4j>4@TzDp5n%@C?eX#59Ft=@nA*G$zu3oq@DK$(3jJB~PW@Wf2!vuIPKAo>g z5XyoSRS6J+q_~!Ms9AqTVel3;j9Wd8wg!V=2kbfqU$$Xz_0i{7Ft8!WDF}8rc#t_D zii7Ky`;D=z{|vX%1fRZ{?ux@h9GGa-gOJj=r>m!2N;12HLkZLe!jFba7>( z01*f&x1j!k2&H(9I;tno>e#qVH(jg`=+H$iRxPp!0Rh|w+)|2z+N7=G6;E~wo~^B- z(@Ma6wb*G?PV>_f&Kk1?sud|uuhCtIfJ&&Wvk{kzDnctmf?};P0LBq(tR``GxABwO zQFZG)Q1)C~dRQMQ|L$!)Q1)DW>Xnpp2y8&Z_KuS*@Zm-#DON7!P!NY3yGbsJ}FR)3(O{IQLkaVjkLDcBLoti_%ZF zb~SRI?6NR7oA`B;vQg?cbK%`ha zO5QR@hrq;%^bl}TN1XKZ&>F#QW5iL6oOo}qaZ~Yevl}DdFCEZ~-1?`juyEMoiHW>qf{!v8g&CZ?_Th`)Kx#s}4JeJQ#@l3so1F*8l(j literal 0 Hc-jL100001 
diff --git a/tests/sip-body-frames/sip-frames.rules b/tests/sip-body-frames/sip-frames.rules
new file mode 100644
index 000000000..d6e92c4bb
--- /dev/null
+++ b/tests/sip-body-frames/sip-frames.rules
@@ -0,0 +1,15 @@
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"REGISTER"; startswith; sid:1;)
+alert sip any any -> any any (flow:to_server; frame:pdu; content:"INVITE sip"; startswith; sid:2;)
+
+alert sip any any -> any any (flow:to_client; frame:pdu; content:"SIP/2.0 200 OK|0D 0A|"; startswith; sid:11;)
+
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"REGISTER"; startswith; sid:21;)
+alert sip any any -> any any (flow:to_server; frame:request.line; content:"SIP/2.0|0D 0A|"; endswith; sid:22;)
+
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; sid:31;)
+alert sip any any -> any any (flow:to_server; frame:request.headers; content:"Via:"; startswith; content:"229|0d 0a|"; endswith; sid:32;)
+
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; sid:41;)
+alert sip any any -> any any (flow:to_client; frame:response.headers; content:"Via:"; startswith; content:"Content-Length: 0|0d 0a|"; endswith; sid:42;)
+
+alert sip any any -> any any (flow:to_server; frame:request.body; content:"v=0"; startswith; sid:51;)
diff --git a/tests/sip-body-frames/test.yaml b/tests/sip-body-frames/test.yaml
new file mode 100644
index 000000000..dd65cd7b4
--- /dev/null
+++ b/tests/sip-body-frames/test.yaml
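Review bot: sid:32 anchors the end of the `request.headers` frame on the bare value `229|0d 0a|`, while the parallel to_client rule sid:42 anchors on a full header, `Content-Length: 0|0d 0a|`; the short form would also be satisfied by any final header whose value happens to end in 229, and it does not say which header the test is meant to pin. Unless the truncation is deliberate, `content:"Content-Length: 229|0d 0a|"; endswith;` keeps the two rules consistent and makes the intent explicit (presumably it is the Content-Length value; confirm against the pcap before changing it). The file also carries no `msg:` or `rev:` on any rule, which is acceptable for a verify test, but a one-line comment at the top naming which frame each sid group exercises (pdu, request.line, request.headers, response.headers, request.body) would let the next reader map the sids to the counts pinned in test.yaml without re-reading every rule.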
@@ -0,0 +1,50 @@
+requires:
+ min-version: 7
+
+checks:
+ - filter:
+ count: 8
+ match:
+ event_type: sip
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 22
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 31
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 32
+ frame.type: "request.headers"
+ frame.complete: true
+ frame.length: 420
+ frame.direction: toserver
+ - filter:
+ count: 5
+ match:
+ event_type: alert
+ alert.signature_id: 41
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 42
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 51
+ frame.type: "request.body"
+ frame.complete: true
+ frame.direction: toserver
--
2.47.2
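Review bot: The checks pin alert counts for sids 2, 22, 31, 32, 41, 42 and 51 but not for sids 1, 11 and 21, so the three rules that exercise `frame:pdu` in both directions and the startswith form of `request.line` are loaded by the test without anything asserting that they fire; a regression in the pdu frame would pass this test unnoticed. Adding one entry per missing sid in the shape of the existing ones — `- filter: {count: <expected>, match: {event_type: alert, alert.signature_id: 1}}` — with the count taken from a run against the pcap closes the gap. The sid-32 entry also fixes `frame.length: 420` for the request.headers frame, while the sid-51 entry omits `frame.length` for request.body; if the body length is stable across its two matches it is worth pinning as well, since the body frame boundary is what the directory name says this test exists to cover.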