From 39e5f9a949954c7b4d4284384ee3f3d7103e19a0 Mon Sep 17 00:00:00 2001 
From: Victor Julien
Date: Sat, 15 Oct 2022 16:56:14 +0200
Subject: [PATCH] tests: various tag rules
---
 tests/eve-tag-01/suricata.yaml | 14 ++++++++++++++
 tests/eve-tag-01/test.rules | 1 +
 tests/eve-tag-01/test.yaml | 21 +++++++++++++++++++++
 tests/eve-tag-02/suricata.yaml | 14 ++++++++++++++
 tests/eve-tag-02/test.rules | 1 +
 tests/eve-tag-02/test.yaml | 15 +++++++++++++++
 tests/eve-tag-03/suricata.yaml | 14 ++++++++++++++
 tests/eve-tag-03/test.rules | 1 +
 tests/eve-tag-03/test.yaml | 15 +++++++++++++++
 tests/eve-tag-04/suricata.yaml | 14 ++++++++++++++
 tests/eve-tag-04/test.rules | 1 +
 tests/eve-tag-04/test.yaml | 15 +++++++++++++++
 tests/eve-tag-05/suricata.yaml | 14 ++++++++++++++
 tests/eve-tag-05/test.rules | 1 +
 tests/eve-tag-05/test.yaml | 15 +++++++++++++++
 tests/eve-tag-06/suricata.yaml | 14 ++++++++++++++
 tests/eve-tag-06/test.rules | 1 +
 tests/eve-tag-06/test.yaml | 15 +++++++++++++++
 tests/eve-tag-07/suricata.yaml | 14 ++++++++++++++
 tests/eve-tag-07/test.rules | 1 +
 tests/eve-tag-07/test.yaml | 15 +++++++++++++++
 21 files changed, 216 insertions(+)
 create mode 100644 tests/eve-tag-01/suricata.yaml
 create mode 100644 tests/eve-tag-01/test.rules
 create mode 100644 tests/eve-tag-01/test.yaml
 create mode 100644 tests/eve-tag-02/suricata.yaml
 create mode 100644 tests/eve-tag-02/test.rules
 create mode 100644 tests/eve-tag-02/test.yaml
 create mode 100644 tests/eve-tag-03/suricata.yaml
 create mode 100644 tests/eve-tag-03/test.rules
 create mode 100644 tests/eve-tag-03/test.yaml
 create mode 100644 tests/eve-tag-04/suricata.yaml
 create mode 100644 tests/eve-tag-04/test.rules
 create mode 100644 tests/eve-tag-04/test.yaml
 create mode 100644 tests/eve-tag-05/suricata.yaml
 create mode 100644 tests/eve-tag-05/test.rules
 create mode 100644 tests/eve-tag-05/test.yaml
 create mode 100644 tests/eve-tag-06/suricata.yaml
 create mode 100644 tests/eve-tag-06/test.rules
 create mode 100644 tests/eve-tag-06/test.yaml
 create mode 100644 tests/eve-tag-07/suricata.yaml
 create mode 100644 tests/eve-tag-07/test.rules
 create mode 100644 tests/eve-tag-07/test.yaml
diff --git a/tests/eve-tag-01/suricata.yaml b/tests/eve-tag-01/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-01/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-01/test.rules b/tests/eve-tag-01/test.rules
new file mode 100644
index 000000000..87786486d
--- /dev/null
+++ b/tests/eve-tag-01/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; content:"mail"; tag:host,100,packets,src; tag:session; sid:1;)
diff --git a/tests/eve-tag-01/test.yaml b/tests/eve-tag-01/test.yaml
new file mode 100644
index 000000000..53aad32cf
--- /dev/null
+++ b/tests/eve-tag-01/test.yaml
@@ -0,0 +1,21 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../smtp-file-data-02/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 58
+ match:
+ event_type: packet
+ - filter:
+ count: 1
+ match:
+ event_type: packet
+ src_ip: 10.10.1.1
+ dest_ip: 10.10.1.4
diff --git a/tests/eve-tag-02/suricata.yaml b/tests/eve-tag-02/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-02/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-02/test.rules b/tests/eve-tag-02/test.rules
new file mode 100644
index 000000000..36e1443f4
--- /dev/null
+++ b/tests/eve-tag-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:session; sid:1;)
diff --git a/tests/eve-tag-02/test.yaml b/tests/eve-tag-02/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-02/test.yaml
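Review bot: The fourteen-line suricata.yaml added here is byte-identical (blob 0a1e2f4ac) in all seven eve-tag-NN directories, and nothing in it says which setting the suite exists to exercise; `tagged-packets: true` under `- alert:` is the only line the checks depend on, since every test.yaml filters solely on `event_type: alert` and `event_type: packet`. A comment directly above that line, `# tag keyword tests: log each packet the tag marks as event_type: packet`, would stop a reader from assuming the dns, smtp and anomaly outputs matter to the assertions; whether those three are needed at all I cannot tell from the hunks. If the file is meant to stay identical across the directories, noting that in the same comment would also discourage the copies drifting apart on later edits.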
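Review bot: The expected totals `count: 58` and the single `10.10.1.1` → `10.10.1.4` packet are given without any indication of how they follow from the rule's `tag:host,100,packets,src` combined with `tag:session`, so a failure here would not tell a maintainer whether tag logic regressed or the input moved. The input is borrowed from a sibling test (`pcap: ../smtp-file-data-02/input.pcap`), so a change to that fixture silently invalidates these numbers as well. A comment on the second filter such as `# 58 = packets logged for the session tag plus the src-host tag on the DNS query; derived from smtp-file-data-02/input.pcap, recheck if that pcap changes` would record the derivation next to the number; the exact split between the two tags is something only the author can state.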
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-03/suricata.yaml b/tests/eve-tag-03/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-03/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-03/test.rules b/tests/eve-tag-03/test.rules
new file mode 100644
index 000000000..c4adb3bcf
--- /dev/null
+++ b/tests/eve-tag-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,100,packets,src; sid:1;)
diff --git a/tests/eve-tag-03/test.yaml b/tests/eve-tag-03/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-03/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-04/suricata.yaml b/tests/eve-tag-04/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-04/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-04/test.rules b/tests/eve-tag-04/test.rules
new file mode 100644
index 000000000..c7a21b9f9
--- /dev/null
+++ b/tests/eve-tag-04/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,9,packets,dst; sid:1;)
diff --git a/tests/eve-tag-04/test.yaml b/tests/eve-tag-04/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-04/test.yaml
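Review bot: This check file is byte-identical (blob 6ffda4ab1) for eve-tag-02, eve-tag-03, eve-tag-04 and eve-tag-07 even though their rules differ (`tag:session`, `tag:host,100,packets,src`, `tag:host,9,packets,dst`, and `tag:host,2,packets,src; tag:session`), and eve-tag-05 and eve-tag-06 share f168439ce in the same way; the only assertion in each is a total of 8 (or 14) `event_type: packet` records. A regression that ignored the host tag's direction or its packet budget would pass every one of these, because eve-tag-01 is the only test that also pins `src_ip`/`dest_ip` on the packet events. Giving each of these tests one extra filter in the eve-tag-01 style, `match: {event_type: packet, src_ip: <client address from ssh-banner-only>}` with the count that variant should produce, would let each test distinguish its own tag variant from the others. Whether 8 packets for a 9-packet `dst` budget is the intended result or includes the alerting packet is also worth a comment next to `count: 8` in eve-tag-04.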
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-05/suricata.yaml b/tests/eve-tag-05/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-05/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-05/test.rules b/tests/eve-tag-05/test.rules
new file mode 100644
index 000000000..92d0a376a
--- /dev/null
+++ b/tests/eve-tag-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,100,packets,dst; sid:1;)
diff --git a/tests/eve-tag-05/test.yaml b/tests/eve-tag-05/test.yaml
new file mode 100644
index 000000000..f168439ce
--- /dev/null
+++ b/tests/eve-tag-05/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 14
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-06/suricata.yaml b/tests/eve-tag-06/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-06/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-06/test.rules b/tests/eve-tag-06/test.rules
new file mode 100644
index 000000000..6660a48e5
--- /dev/null
+++ b/tests/eve-tag-06/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,9,packets,src; tag:host,15,packets,dst; sid:1;)
diff --git a/tests/eve-tag-06/test.yaml b/tests/eve-tag-06/test.yaml
new file mode 100644
index 000000000..f168439ce
--- /dev/null
+++ b/tests/eve-tag-06/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 14
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-07/suricata.yaml b/tests/eve-tag-07/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-07/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-07/test.rules b/tests/eve-tag-07/test.rules
new file mode 100644
index 000000000..33e0bff69
--- /dev/null
+++ b/tests/eve-tag-07/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,2,packets,src; tag:session; sid:1;)
diff --git a/tests/eve-tag-07/test.yaml b/tests/eve-tag-07/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-07/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
--
2.47.2