tests: add ntp.stratum keyword checks

Ticket: #8431

diff --git a/tests/ntp-keywords/README.md b/tests/ntp-keywords/README.md
index 6b25939fa96456522e9bfa73e816e7dd3ceaa9c3..eebbf22be4deea85c89ec30242e28c8b4fce07da 100644 (file)
--- a/tests/ntp-keywords/README.md
+++ b/tests/ntp-keywords/README.md
@@ -1,7 +1,7 @@
 Test
 ====
 
-Test alerts with the `ntp.version` keyword.
+Test alerts with the `ntp.version` and `ntp.stratum` keywords.
 
 PCAP
 ----
@@ -11,3 +11,5 @@ exchanges:
 
 - one NTPv4 request/reply pair
 - one NTPv3 request/reply pair
+- requests at stratum 0
+- replies at stratum 2

diff --git a/tests/ntp-keywords/test.rules b/tests/ntp-keywords/test.rules
index 635a3c078a9f919899d8fe783f016fbd417f78d4..4e364f479ab2e01984eeb8ac847b7816cb2b7e7d 100644 (file)
--- a/tests/ntp-keywords/test.rules
+++ b/tests/ntp-keywords/test.rules
@@ -1,3 +1,4 @@
+# ntp.version
 alert ntp any any -> any any (msg:"NTPv4 packet"; ntp.version:4; sid:1; rev:1;)
 alert ntp any any -> any any (msg:"NTPv3 packet"; ntp.version:3; sid:2; rev:1;)
 alert ntp any any -> any any (msg:"NTP version greater than 4"; ntp.version:>4; sid:3; rev:1;)
@@ -9,3 +10,16 @@ alert ntp any any -> any any (msg:"NTPv4 request"; flow:to_server; ntp.version:4
 alert ntp any any -> any any (msg:"NTPv4 reply"; flow:to_client; ntp.version:4; sid:9; rev:1;)
 alert ntp any any -> any any (msg:"NTPv3 request"; flow:to_server; ntp.version:3; sid:10; rev:1;)
 alert ntp any any -> any any (msg:"NTPv3 reply"; flow:to_client; ntp.version:3; sid:11; rev:1;)
+
+# ntp.stratum
+alert ntp any any -> any any (msg:"NTP stratum 0"; ntp.stratum:0; sid:12; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum 2"; ntp.stratum:2; sid:13; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum greater than 2"; ntp.stratum:>2; sid:14; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum less than 2"; ntp.stratum:<2; sid:15; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum greater or equal to 2"; ntp.stratum:>=2; sid:16; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum greater than 0"; ntp.stratum:>0; sid:17; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum less than 1"; ntp.stratum:<1; sid:18; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum 0 request"; flow:to_server; ntp.stratum:0; sid:19; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum 2 reply"; flow:to_client; ntp.stratum:2; sid:20; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum 2 request"; flow:to_server; ntp.stratum:2; sid:21; rev:1;)
+alert ntp any any -> any any (msg:"NTP stratum 0 reply"; flow:to_client; ntp.stratum:0; sid:22; rev:1;)

diff --git a/tests/ntp-keywords/test.yaml b/tests/ntp-keywords/test.yaml
index 70c497c661e2c003f48290842ee9e00b0808807e..0e4e3431900d7e42025c518eee7ba3d08cb7055d 100644 (file)
--- a/tests/ntp-keywords/test.yaml
+++ b/tests/ntp-keywords/test.yaml
@@ -22,6 +22,20 @@ checks:
         event_type: ntp
         ntp.version: 4
 
+  - filter:
+      # 2 NTP request events at stratum 0.
+      count: 2
+      match:
+        event_type: ntp
+        ntp.stratum: 0
+
+  - filter:
+      # 2 NTP reply events at stratum 2.
+      count: 2
+      match:
+        event_type: ntp
+        ntp.stratum: 2
+
   - filter:
       count: 2
       match:
@@ -87,3 +101,80 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 11
+
+  - filter:
+      # Should see stratum 0 on both requests.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 12
+
+  - filter:
+      # Should see stratum 2 on both replies.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 13
+
+  - filter:
+      # Should see no stratum greater than 2.
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 14
+
+  - filter:
+      # Should see only stratum values below 2 on requests.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 15
+
+  - filter:
+      # Should see stratum 2 on both reply events.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 16
+
+  - filter:
+      # Should see only replies with stratum greater than 0.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 17
+
+  - filter:
+      # Should see only requests with stratum less than 1.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 18
+
+  - filter:
+      # Should see stratum 0 only to_server.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 19
+
+  - filter:
+      # Should see stratum 2 only to_client.
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 20
+
+  - filter:
+      # Should see no to_server with stratum 2.
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 21
+
+  - filter:
+      # Should see no to_client with stratum 0.
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 22