tests: add ja3 tests for issue 8336
authorJason Ish <jason.ish@oisf.net>
Sun, 1 Mar 2026 16:37:26 +0000 (10:37 -0600)
committerVictor Julien <vjulien@oisf.net>
Sat, 16 May 2026 05:41:53 +0000 (05:41 +0000)
13 files changed:
tests/bug-8336-01-default-track-only/README.md [new file with mode: 0644]
tests/bug-8336-01-default-track-only/input.pcap [new file with mode: 0644]
tests/bug-8336-01-default-track-only/test.rules [new file with mode: 0644]
tests/bug-8336-01-default-track-only/test.yaml [new file with mode: 0644]
tests/bug-8336-02-bypass/README.md [new file with mode: 0644]
tests/bug-8336-02-bypass/test.rules [new file with mode: 0644]
tests/bug-8336-02-bypass/test.yaml [new file with mode: 0644]
tests/bug-8336-03-ips/README.md [new file with mode: 0644]
tests/bug-8336-03-ips/test.rules [new file with mode: 0644]
tests/bug-8336-03-ips/test.yaml [new file with mode: 0644]
tests/bug-8336-04-ips-bypass/README.md [new file with mode: 0644]
tests/bug-8336-04-ips-bypass/test.rules [new file with mode: 0644]
tests/bug-8336-04-ips-bypass/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-8336-01-default-track-only/README.md b/tests/bug-8336-01-default-track-only/README.md
new file mode 100644 (file)
index 0000000..95fa157
--- /dev/null
@@ -0,0 +1,5 @@
+# Test for Issue 8336
+
+https://redmine.openinfosecfoundation.org/issues/8336
+
+Passes when we don't enable encryption handling.
diff --git a/tests/bug-8336-01-default-track-only/input.pcap b/tests/bug-8336-01-default-track-only/input.pcap
new file mode 100644 (file)
index 0000000..0dbb0ca
Binary files /dev/null and b/tests/bug-8336-01-default-track-only/input.pcap differ
diff --git a/tests/bug-8336-01-default-track-only/test.rules b/tests/bug-8336-01-default-track-only/test.rules
new file mode 100644 (file)
index 0000000..8b828cb
--- /dev/null
@@ -0,0 +1,6 @@
+alert tls any any -> any any (msg:"8336 JA3 match, set flowbit"; flow:established,to_server; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; flowbits:set,JA3_MATCH; sid:8336001; rev:1;)
+
+alert tls any any -> any any (msg:"8336 JA3S match, check JA3 flowbit"; flow:established,to_client; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; flowbits:isset,JA3_MATCH; sid:8336002; rev:1;)
+
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; fast_pattern; sid:8336003; rev:1;)
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; fast_pattern; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; sid:8336004; rev:1;)
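Review bot: The `msg` on sid 8336003 and 8336004 is a copy of sid 8336002's text ("JA3S match, check JA3 flowbit"), but neither rule checks a flowbit; both are single-rule `=>` transaction signatures that match `ja3.hash` and `ja3s.hash` together, differing only in which content carries `fast_pattern`. Leaving the message as-is makes the three alerts indistinguishable in EVE output except by signature_id and misdescribes what fired, which matters when these alerts are read by someone triaging the bug. Something like `msg:"8336 JA3 and JA3S match, fast_pattern on ja3s"` for 8336003 and `msg:"8336 JA3 and JA3S match, fast_pattern on ja3"` for 8336004 would name the actual distinction. The same file is added byte-identically (index 8b828cb) under bug-8336-02-bypass, bug-8336-03-ips and bug-8336-04-ips-bypass, so the fix applies to all four copies; since the yaml files already share the pcap via a relative path, it may be worth checking whether the rules can likewise be shared instead of duplicated.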
diff --git a/tests/bug-8336-01-default-track-only/test.yaml b/tests/bug-8336-01-default-track-only/test.yaml
new file mode 100644 (file)
index 0000000..6dce19f
--- /dev/null
@@ -0,0 +1,32 @@
+requires:
+  features:
+    - HAVE_JA3
+  min-version: 9
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336001
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336002
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336003
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336004
diff --git a/tests/bug-8336-02-bypass/README.md b/tests/bug-8336-02-bypass/README.md
new file mode 100644 (file)
index 0000000..87eee8d
--- /dev/null
@@ -0,0 +1,5 @@
+# Test for Issue 8336
+
+https://redmine.openinfosecfoundation.org/issues/8336
+
+Show how we deal with bypass encryption handling.
diff --git a/tests/bug-8336-02-bypass/test.rules b/tests/bug-8336-02-bypass/test.rules
new file mode 100644 (file)
index 0000000..8b828cb
--- /dev/null
@@ -0,0 +1,6 @@
+alert tls any any -> any any (msg:"8336 JA3 match, set flowbit"; flow:established,to_server; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; flowbits:set,JA3_MATCH; sid:8336001; rev:1;)
+
+alert tls any any -> any any (msg:"8336 JA3S match, check JA3 flowbit"; flow:established,to_client; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; flowbits:isset,JA3_MATCH; sid:8336002; rev:1;)
+
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; fast_pattern; sid:8336003; rev:1;)
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; fast_pattern; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; sid:8336004; rev:1;)
diff --git a/tests/bug-8336-02-bypass/test.yaml b/tests/bug-8336-02-bypass/test.yaml
new file mode 100644 (file)
index 0000000..5ba7a70
--- /dev/null
@@ -0,0 +1,36 @@
+pcap: ../bug-8336-01-default-track-only/input.pcap
+
+requires:
+  features:
+    - HAVE_JA3
+  min-version: 9
+
+args:
+  - -k none
+  - --set app-layer.protocols.tls.encryption-handling=bypass
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336001
+
+  # Expected to fail on affected versions: sid 8336002 does not alert in IDS+bypass.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336002
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336003
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336004
diff --git a/tests/bug-8336-03-ips/README.md b/tests/bug-8336-03-ips/README.md
new file mode 100644 (file)
index 0000000..2c75e16
--- /dev/null
@@ -0,0 +1,5 @@
+# Test for Issue 8336
+
+https://redmine.openinfosecfoundation.org/issues/8336
+
+Show how we deal with ips mode.
diff --git a/tests/bug-8336-03-ips/test.rules b/tests/bug-8336-03-ips/test.rules
new file mode 100644 (file)
index 0000000..8b828cb
--- /dev/null
@@ -0,0 +1,6 @@
+alert tls any any -> any any (msg:"8336 JA3 match, set flowbit"; flow:established,to_server; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; flowbits:set,JA3_MATCH; sid:8336001; rev:1;)
+
+alert tls any any -> any any (msg:"8336 JA3S match, check JA3 flowbit"; flow:established,to_client; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; flowbits:isset,JA3_MATCH; sid:8336002; rev:1;)
+
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; fast_pattern; sid:8336003; rev:1;)
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; fast_pattern; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; sid:8336004; rev:1;)
diff --git a/tests/bug-8336-03-ips/test.yaml b/tests/bug-8336-03-ips/test.yaml
new file mode 100644 (file)
index 0000000..69a0b78
--- /dev/null
@@ -0,0 +1,36 @@
+pcap: ../bug-8336-01-default-track-only/input.pcap
+
+requires:
+  features:
+    - HAVE_JA3
+  min-version: 9
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336001
+
+  # Expected to fail on affected versions: sid 8336002 does not alert in IDS+bypass.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336002
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336003
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336004
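Review bot: The comment above the sid 8336002 check says the alert is missing "in IDS+bypass", but this test runs with `--simulate-ips` and no `encryption-handling=bypass` setting, so the comment was carried over from bug-8336-02-bypass without being adjusted. The same stale comment appears in bug-8336-04-ips-bypass, where the args are IPS plus bypass. Rewording each to the mode it actually exercises, e.g. `# Expected to fail on affected versions: sid 8336002 does not alert in IPS mode.` here and `# ... does not alert in IPS+bypass.` in 04, keeps the failure expectation accurate for whoever reads a red test. Since each check still asserts `count: 1`, these tests are presumably meant to go red on unfixed builds; if so, the `min-version: 9` requirement may be worth tightening to the release that carries the fix, though that depends on where the fix landed.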
diff --git a/tests/bug-8336-04-ips-bypass/README.md b/tests/bug-8336-04-ips-bypass/README.md
new file mode 100644 (file)
index 0000000..927a107
--- /dev/null
@@ -0,0 +1,5 @@
+# Test for Issue 8336
+
+https://redmine.openinfosecfoundation.org/issues/8336
+
+Show how deal we with bypass encryption handling in ips mode.
diff --git a/tests/bug-8336-04-ips-bypass/test.rules b/tests/bug-8336-04-ips-bypass/test.rules
new file mode 100644 (file)
index 0000000..8b828cb
--- /dev/null
@@ -0,0 +1,6 @@
+alert tls any any -> any any (msg:"8336 JA3 match, set flowbit"; flow:established,to_server; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; flowbits:set,JA3_MATCH; sid:8336001; rev:1;)
+
+alert tls any any -> any any (msg:"8336 JA3S match, check JA3 flowbit"; flow:established,to_client; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; flowbits:isset,JA3_MATCH; sid:8336002; rev:1;)
+
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; fast_pattern; sid:8336003; rev:1;)
+alert tls any any => any any (msg:"8336 JA3S match, check JA3 flowbit"; ja3.hash; content:"fae0e5d973c96ae1888b99538efa0363"; fast_pattern; ja3s.hash; content:"907bf3ecef1c987c889946b737b43de8"; sid:8336004; rev:1;)
diff --git a/tests/bug-8336-04-ips-bypass/test.yaml b/tests/bug-8336-04-ips-bypass/test.yaml
new file mode 100644 (file)
index 0000000..99b74be
--- /dev/null
@@ -0,0 +1,37 @@
+pcap: ../bug-8336-01-default-track-only/input.pcap
+
+requires:
+  features:
+    - HAVE_JA3
+  min-version: 9
+
+args:
+  - -k none
+  - --simulate-ips
+  - --set app-layer.protocols.tls.encryption-handling=bypass
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336001
+
+  # Expected to fail on affected versions: sid 8336002 does not alert in IDS+bypass.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336002
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336003
+
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8336004