dcerpc: move dce-stub-data unit test to SV

author Philippe Antoine <pantoine@oisf.net>

Tue, 28 Apr 2026 07:47:42 +0000 (09:47 +0200)

committer Victor Julien <vjulien@oisf.net>

Tue, 28 Apr 2026 12:18:44 +0000 (12:18 +0000)
author Philippe Antoine <pantoine@oisf.net>
Tue, 28 Apr 2026 07:47:42 +0000 (09:47 +0200)
committer Victor Julien <vjulien@oisf.net>
Tue, 28 Apr 2026 12:18:44 +0000 (12:18 +0000)
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-02/input.pcap b/tests/dcerpc/dcerpc-dce-stub-data-02/input.pcap

new file mode 100644 (file)

index 0000000..cbd8f6b

Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-stub-data-02/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-02/test.rules b/tests/dcerpc/dcerpc-dce-stub-data-02/test.rules

new file mode 100644 (file)

index 0000000..25d9a45
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"DCERPC stub data match"; dce_stub_data; content:"|42 42 42 42|"; sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-02/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data-02/test.yaml

new file mode 100644 (file)

index 0000000..f6fb441
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-02/test.yaml
@@ -0,0 +1,15 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      pcap_cnt: 8
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-03/input.pcap b/tests/dcerpc/dcerpc-dce-stub-data-03/input.pcap

new file mode 100644 (file)

index 0000000..8bb58dd

Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-stub-data-03/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-03/test.rules b/tests/dcerpc/dcerpc-dce-stub-data-03/test.rules

new file mode 100644 (file)

index 0000000..25d9a45
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"DCERPC stub data match"; dce_stub_data; content:"|42 42 42 42|"; sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-03/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data-03/test.yaml

new file mode 100644 (file)

index 0000000..9dfdb05
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-03/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      pcap_cnt: 4
+\ No newline at end of file
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-04/input.pcap b/tests/dcerpc/dcerpc-dce-stub-data-04/input.pcap

new file mode 100644 (file)

index 0000000..600c53e

Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-stub-data-04/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-04/test.rules b/tests/dcerpc/dcerpc-dce-stub-data-04/test.rules

new file mode 100644 (file)

index 0000000..fac4338
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-04/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"DCERPC stub data request1"; dce_stub_data; content:"|00 02|"; sid:1;)
+alert tcp any any -> any any (msg:"DCERPC stub data request2"; dce_stub_data; content:"|00 75|"; sid:2;)
+alert tcp any any -> any any (msg:"DCERPC stub data request3"; dce_stub_data; content:"|00 18|"; sid:3;)
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-04/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data-04/test.yaml

new file mode 100644 (file)

index 0000000..ee26160
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-04/test.yaml
@@ -0,0 +1,37 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      pcap_cnt: 8
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      pcap_cnt: 12
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+      pcap_cnt: 16
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-05/input.pcap b/tests/dcerpc/dcerpc-dce-stub-data-05/input.pcap

new file mode 100644 (file)

index 0000000..a7343d4

Binary files /dev/null and b/tests/dcerpc/dcerpc-dce-stub-data-05/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-05/test.rules b/tests/dcerpc/dcerpc-dce-stub-data-05/test.rules

new file mode 100644 (file)

index 0000000..fac4338
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-05/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"DCERPC stub data request1"; dce_stub_data; content:"|00 02|"; sid:1;)
+alert tcp any any -> any any (msg:"DCERPC stub data request2"; dce_stub_data; content:"|00 75|"; sid:2;)
+alert tcp any any -> any any (msg:"DCERPC stub data request3"; dce_stub_data; content:"|00 18|"; sid:3;)
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-05/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data-05/test.yaml

new file mode 100644 (file)

index 0000000..7e5b278
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-05/test.yaml
@@ -0,0 +1,37 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      pcap_cnt: 4
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      pcap_cnt: 8
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+      pcap_cnt: 12
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-06/test.rules b/tests/dcerpc/dcerpc-dce-stub-data-06/test.rules

new file mode 100644 (file)

index 0000000..acbde8a
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-06/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dce_stub_data; content:"0"; sid:1;)
diff --git a/tests/dcerpc/dcerpc-dce-stub-data-06/test.yaml b/tests/dcerpc/dcerpc-dce-stub-data-06/test.yaml

new file mode 100644 (file)

index 0000000..3d1b210
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dce-stub-data-06/test.yaml
@@ -0,0 +1,6 @@
+args:
+- --init-errors-fatal
+
+pcap: false
+
+exit-code: 1
author	Philippe Antoine <pantoine@oisf.net>
	Tue, 28 Apr 2026 07:47:42 +0000 (09:47 +0200)
committer	Victor Julien <vjulien@oisf.net>
	Tue, 28 Apr 2026 12:18:44 +0000 (12:18 +0000)
tests/dcerpc/dcerpc-dce-stub-data-02/input.pcap	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-02/test.rules	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-02/test.yaml	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-03/input.pcap	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-03/test.rules	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-03/test.yaml	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-04/input.pcap	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-04/test.rules	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-04/test.yaml	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-05/input.pcap	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-05/test.rules	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-05/test.yaml	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-06/test.rules	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-dce-stub-data-06/test.yaml	[new file with mode: 0644]	patch \| blob