From eaf32c3c84a5838ac94de2d4e03ffa6fa295bee6 Mon Sep 17 00:00:00 2001 From: Modupe Falodun Date: Wed, 2 Mar 2022 00:06:21 +0100 Subject: [PATCH] detect-bytetest: add tests Task: 4911 --- tests/detect-bytetest-01/test.yaml | 2 +- tests/detect-bytetest-02/README.md | 3 +++ tests/detect-bytetest-02/input.pcap | Bin 0 -> 290 bytes tests/detect-bytetest-02/test.rules | 5 ++++ tests/detect-bytetest-02/test.yaml | 37 ++++++++++++++++++++++++++ tests/detect-bytetest-02/writepcap.py | 11 ++++++++ tests/detect-bytetest-03/README.md | 1 + tests/detect-bytetest-03/input.pcap | Bin 0 -> 104 bytes tests/detect-bytetest-03/test.rules | 3 +++ tests/detect-bytetest-03/test.yaml | 34 +++++++++++++++++++++++ tests/detect-bytetest-03/writepcap.py | 12 +++++++++ 11 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 tests/detect-bytetest-02/README.md create mode 100644 tests/detect-bytetest-02/input.pcap create mode 100644 tests/detect-bytetest-02/test.rules create mode 100644 tests/detect-bytetest-02/test.yaml create mode 100644 tests/detect-bytetest-02/writepcap.py create mode 100644 tests/detect-bytetest-03/README.md create mode 100644 tests/detect-bytetest-03/input.pcap create mode 100644 tests/detect-bytetest-03/test.rules create mode 100644 tests/detect-bytetest-03/test.yaml create mode 100644 tests/detect-bytetest-03/writepcap.py diff --git a/tests/detect-bytetest-01/test.yaml b/tests/detect-bytetest-01/test.yaml index 2f5c8ec25..15c83aecb 100644 --- a/tests/detect-bytetest-01/test.yaml +++ b/tests/detect-bytetest-01/test.yaml @@ -1,5 +1,5 @@ requires: - version: 6.0.0 + min-version: 6.0 args: - -k none diff --git a/tests/detect-bytetest-02/README.md b/tests/detect-bytetest-02/README.md new file mode 100644 index 000000000..bfcdcefdb --- /dev/null +++ b/tests/detect-bytetest-02/README.md @@ -0,0 +1,3 @@ +Test the byte_test signature matching with operators + +Test to check matches of byte_test and byte_test relative works based on the previous keyword 
diff --git a/tests/detect-bytetest-02/input.pcap b/tests/detect-bytetest-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c5e52ddd3725697ba70eeded0027a521b9bed831
GIT binary patch literal 290 zc-p&ic+)~A1{MYw`2U}Qfe}dadB`TEr1LWT0d)tZeKY$b67;DJ}+km`H$x0z>Fl1_pQ65Cwh5oSg9dqHM>!6u8W`@x$yMV5}>VyhI%HvT)bQWwoFRu literal 0 Hc-jL100001
diff --git a/tests/detect-bytetest-02/test.rules b/tests/detect-bytetest-02/test.rules
new file mode 100644
index 000000000..547dbc4f2
--- /dev/null
+++ b/tests/detect-bytetest-02/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"pcre + byte_test + relative"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_test:1,=,1,6,relative,string,dec; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; byte_jump:1,44,string,dec; byte_test:1,=,0,0,relative,string,dec; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test"; byte_test:1,=,65,214748364; sid:3; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,<=,0,0,relative,string,dec; sid:4; rev:1;)
+alert tcp any any -> any any (msg:"content + byte_test + relative"; content:"GET "; depth:4; content:"HTTP/1."; byte_test:1,>=,0,0,relative,string,dec; sid:5; rev:1;)
diff --git a/tests/detect-bytetest-02/test.yaml b/tests/detect-bytetest-02/test.yaml
new file mode 100644
index 000000000..2a965f11d
--- /dev/null
+++ b/tests/detect-bytetest-02/test.yaml
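Review bot: The msg strings in tests/detect-bytetest-02/test.rules do not describe the rules they label, which makes the expected alert counts in test.yaml hard to audit: sid 2 says "content + byte_test + relative" but uses byte_jump and no content keyword, sid 3 says "content + byte_test" with no content keyword, and sids 4 and 5 carry the identical msg although one tests `<=` and the other `>=`. Since the msg is the only description of each case that shows up in eve output, name the operator and keywords actually exercised, e.g. `msg:"byte_jump + byte_test relative"` for sid 2, `msg:"byte_test absolute, offset out of range (no match expected)"` for sid 3, and `msg:"content + byte_test <= relative"` / `msg:"content + byte_test >= relative"` for sids 4 and 5. Rule semantics and sids stay as they are; only the labels change.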
@@ -0,0 +1,37 @@ +args: +- --set stream.midstream=true + +checks: +- filter: + count: 1 + match: + event_type: flow +- filter: + count: 1 + match: + event_type: stats +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 3 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 4 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 5 diff --git a/tests/detect-bytetest-02/writepcap.py b/tests/detect-bytetest-02/writepcap.py new file mode 100644 index 000000000..1b4e9bcaa --- /dev/null +++ b/tests/detect-bytetest-02/writepcap.py @@ -0,0 +1,11 @@ +#!/usr/bin/env python +from scapy.all import * + +pkts = [] + +load_layer("http") +pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IPv6(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/HTTP()/HTTPRequest(Method='GET', Path='/AllWorkAndNoPlayMakesWillADullBoy', Http_Version='HTTP/1.0', User_Agent='Wget/1.11.4', Accept='*/*', Host='www.google.com', Connection='Keep-Alive', Date='Mon, 04 Jan 2010 17:29:39 GMT') + +wrpcap('input.pcap', pkts) diff --git a/tests/detect-bytetest-03/README.md b/tests/detect-bytetest-03/README.md new file mode 100644 index 000000000..d3840a218 --- /dev/null +++ b/tests/detect-bytetest-03/README.md @@ -0,0 +1 @@ +Simple dns match on first byte diff --git a/tests/detect-bytetest-03/input.pcap b/tests/detect-bytetest-03/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..186aebd3718a739d49e2291ff9625215f5aba669 GIT binary patch literal 104 zc-p&ic+)~A1{MYw`2U}Qfe}bo$;l-x)L>z70J0sx;vm4l$i&RT+Q`7b#=+pqz@P_G f>L8f4nw5>610=;@3WQQy*epyLA;y3KBM<@rj`k6n literal 0 Hc-jL100001 diff --git a/tests/detect-bytetest-03/test.rules b/tests/detect-bytetest-03/test.rules new file mode 100644 index 000000000..2cb555bc0 --- /dev/null 
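Review bot: tests/detect-bytetest-02/test.yaml has no `requires:` block, while the sibling detect-bytetest-03/test.yaml added in this same patch and the amended detect-bytetest-01/test.yaml both pin `min-version: 6.0`; unless the byte_test operator forms used here are known to work on every version the suite runs against, add the same two lines at the top: `requires:` / `  min-version: 6.0`. The `count: 2` expected for sid 4 and sid 5 from a capture that writepcap.py builds as a single TCP segment is also surprising at first read; a one-line YAML comment above those two checks saying where the second alert comes from (packet versus stream inspection, if that is the cause) would save the next reader a debugging session.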
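Review bot: In tests/detect-bytetest-02/writepcap.py the line `IPv6(dst='1.2.3.4', src='5.6.7.8')` hands IPv4 dotted literals to the IPv6 layer; scapy evidently accepted them (the committed input.pcap is 290 bytes, consistent with a 40-byte IPv6 header), but what addresses actually land in the header is not something a reader can tell from the script, and the sibling detect-bytetest-03/writepcap.py uses `IP(...)` for the same literals. Either use `IP(dst='1.2.3.4', src='5.6.7.8')` as in the 03 script or real IPv6 literals (for example the documentation prefix `2001:db8::1` / `2001:db8::2` as placeholders), noting that regenerating the pcap would change the committed binary file. Minor: `flags='P''A'` relies on implicit string concatenation and reads as a typo; `flags='PA'` is the same value, and `pkts.append(...)` says what `pkts += ...` does here more plainly.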
+++ b/tests/detect-bytetest-03/test.rules @@ -0,0 +1,3 @@ +alert dns any any -> any any (msg:"Byte test against first byte"; byte_test:1,=,0x07,0,bitmask 0xF8; sid:1;) +alert dns any any -> any any (msg:"Test dns_query option"; byte_test:1,=,0x07,0,bitmask 0xFF; sid:2;) +alert dns any any -> any any (msg:"Test dns_query option"; byte_test:3,=,0x01,0,bitmask 0xFF; sid:3;) diff --git a/tests/detect-bytetest-03/test.yaml b/tests/detect-bytetest-03/test.yaml new file mode 100644 index 000000000..cacd0d21d --- /dev/null +++ b/tests/detect-bytetest-03/test.yaml @@ -0,0 +1,34 @@ +requires: + min-version: 6.0 + +args: +- --set stream.midstream=true + +checks: +- filter: + count: 1 + match: + event_type: dns +- filter: + count: 1 + match: + event_type: flow +- filter: + count: 1 + match: + event_type: stats +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 diff --git a/tests/detect-bytetest-03/writepcap.py b/tests/detect-bytetest-03/writepcap.py new file mode 100644 index 000000000..e28cb68c1 --- /dev/null +++ b/tests/detect-bytetest-03/writepcap.py @@ -0,0 +1,12 @@ +#!/usr/bin/env python +from scapy.all import * + +pkts = [] + +data = ('\x38\x35\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00') + +pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/Raw(load=data) + +wrpcap('input.pcap', pkts) -- 2.47.2
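Review bot: Rules sid 2 and sid 3 in tests/detect-bytetest-03/test.rules are labelled `msg:"Test dns_query option"` but neither uses the dns_query keyword; both are plain byte_test checks on the start of the DNS payload with `bitmask 0xFF`, the first on one byte (expected not to match, per test.yaml) and the second on three bytes. Replace the labels with what is actually tested so the eve alert output is self-explaining, e.g. `msg:"byte_test 1 byte, bitmask 0xFF, no match expected"` for sid 2 and `msg:"byte_test 3 bytes, bitmask 0xFF"` for sid 3.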
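Review bot: In tests/detect-bytetest-03/writepcap.py the DNS payload `data = ('\x38\x35\x01\x00...')` is a str literal, so under Python 3 (which `#!/usr/bin/env python` resolves to on current systems) scapy has to encode it before it can be written; every value in this particular payload is below 0x80, so it happens to round-trip, but any byte ≥ 0x80 would be rewritten as a two-byte UTF-8 sequence and the byte_test offsets would silently stop lining up. Make it a bytes literal so the payload is byte-exact by construction: `data = b'\x38\x35\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00'`. A short comment above it naming the fields (transaction id, flags, counts, then the question section) would also help, since the bitmask rules in test.rules are checked against exactly these bytes.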