From: Philippe Antoine Date: Tue, 28 Apr 2026 08:19:14 +0000 (+0200) Subject: dcerpc: move dcepayload unit tests to SV X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;ds=sidebyside;p=thirdparty%2Fsuricata-verify.git dcerpc: move dcepayload unit tests to SV Ticket: 8391
---
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/input.pcap b/tests/dcerpc/dcerpc-dcepayload-15/input.pcap
new file mode 100644
index 000000000..93cc9860c
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-15/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/test.rules b/tests/dcerpc/dcerpc-dcepayload-15/test.rules
new file mode 100644
index 000000000..6ca601996
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-15/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest15 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,14080,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest15 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,46,5,relative,dce; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/test.yaml b/tests/dcerpc/dcerpc-dcepayload-15/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-15/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/input.pcap b/tests/dcerpc/dcerpc-dcepayload-16/input.pcap
new file mode 100644
index 000000000..28180067d
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-16/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/test.rules b/tests/dcerpc/dcerpc-dcepayload-16/test.rules
new file mode 100644
index 000000000..ec7f4e1de
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-16/test.rules
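Review bot: `distance:0` in both rules follows the first and only `content` in the `dce_stub_data` buffer, so there is no earlier match for it to be relative to; it looks carried over verbatim from the in-tree unit tests. If the purpose is just to chain the byte_test onto the content match, `relative` on byte_test already does that and `distance:0` can be dropped; if the keyword is deliberately exercising distance-on-first-content in a sticky buffer, a `#` comment at the top of test.rules saying so would stop the next reader from removing it. The same pattern recurs in every other test.rules in this commit.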
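Review bot: Nothing in test.yaml says why `stream.inline=true` is needed, and the two checks pin the alerts to `pcap_cnt: 4`, which suggests the stub data has to be inspected on the packet carrying it rather than after reassembly is acknowledged — but that rationale is only a guess from here. A YAML comment above `args:`, e.g. `# inline mode: the request stub data must be inspected on the packet that carries it (pcap_cnt 4)`, would record that the option is load-bearing and not a copy-paste leftover. The same blob (index 1b2592ad2) is reused by all six test directories, so the comment belongs in each copy. If the byte_test/byte_jump semantics being pinned differ between Suricata branches, a `requires:` stanza with a minimum version would also keep the test from failing for the wrong reason on older releases.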
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest16 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,55,0,relative; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest16 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,11776,5,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/test.yaml b/tests/dcerpc/dcerpc-dcepayload-16/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-16/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/input.pcap b/tests/dcerpc/dcerpc-dcepayload-17/input.pcap
new file mode 100644
index 000000000..bb89de9b9
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-17/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/test.rules b/tests/dcerpc/dcerpc-dcepayload-17/test.rules
new file mode 100644
index 000000000..cb5552618
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-17/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest17 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,55,0,relative,big; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest17 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,46,5,relative,little; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/test.yaml b/tests/dcerpc/dcerpc-dcepayload-17/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-17/test.yaml
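Review bot: Both rules rely on byte_test's default byte order without saying so: 55 (0x0037) and 11776 (0x2E00) are the byte-swapped forms of the 14080 (0x3700) and 46 (0x002E) that dcerpc-dcepayload-15 reads via `dce`, so this test only passes if the unflagged default is network (big-endian) order. A leading comment such as `# byte_test without dce/big/little must decode in network (big-endian) order; values are the byte-swap of dcepayload-15` would make that expectation explicit, so a future change to the default fails the test for a recognisable reason. The pcaps differ per directory (distinct blob ids), so confirm the stub bytes really match test 15 before wording it that way.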
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/input.pcap b/tests/dcerpc/dcerpc-dcepayload-18/input.pcap
new file mode 100644
index 000000000..38f149386
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-18/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/test.rules b/tests/dcerpc/dcerpc-dcepayload-18/test.rules
new file mode 100644
index 000000000..98ba33c32
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-18/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest18 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest18 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/test.yaml b/tests/dcerpc/dcerpc-dcepayload-18/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-18/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/input.pcap b/tests/dcerpc/dcerpc-dcepayload-19/input.pcap
new file mode 100644
index 000000000..031a73377
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-19/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/test.rules b/tests/dcerpc/dcerpc-dcepayload-19/test.rules
new file mode 100644
index 000000000..c1aba2a94
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-19/test.rules
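Review bot: The `msg` strings `DcePayloadTest18 sig1` / `sig2` give no hint of what separates the two rules, even though the distinction is the whole point here: sig1 runs byte_jump and byte_test both with `dce`, while sig2 jumps with `dce` and then tests in the default byte order. Encoding the variant in the message, e.g. `msg:"DcePayloadTest18 sig2 byte_jump dce + byte_test default order";`, or a `#` comment at the top of test.rules describing the dce/default/big/little matrix shared with dcepayload-19 and -20, would make a failure self-explaining. The original unit-test function names presumably carried this context, and it does not survive the move to SV.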
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest19 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest19 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/test.yaml b/tests/dcerpc/dcerpc-dcepayload-19/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-19/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/input.pcap b/tests/dcerpc/dcerpc-dcepayload-20/input.pcap
new file mode 100644
index 000000000..b8c8d7f3e
Binary files /dev/null and b/tests/dcerpc/dcerpc-dcepayload-20/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/test.rules b/tests/dcerpc/dcerpc-dcepayload-20/test.rules
new file mode 100644
index 000000000..e918b884e
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-20/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest20 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest20 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/test.yaml b/tests/dcerpc/dcerpc-dcepayload-20/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-20/test.yaml
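Review bot: sig2 orders its byte_jump options as `2,2,little,relative`, whereas sig1 on the preceding line and every other byte_jump/byte_test in this series put the byte-order flag after `relative` (`2,0,relative,big`, `…,relative,dce`). As far as I can tell the parser accepts the options in either order, so this is style only, but the odd ordering reads as if something different were intended; `byte_jump:2,2,relative,little;` would match the rest of the series.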
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4