From de3db0741fcc118f997e1344499946546c56818f Mon Sep 17 00:00:00 2001 
From: Philippe Antoine
Date: Tue, 28 Apr 2026 10:19:14 +0200
Subject: [PATCH] dcerpc: move dcepayload unit tests to SV

Ticket: 8391
---
 tests/dcerpc/dcerpc-dcepayload-15/input.pcap | Bin 0 -> 408 bytes
 tests/dcerpc/dcerpc-dcepayload-15/test.rules | 2 ++
 tests/dcerpc/dcerpc-dcepayload-15/test.yaml | 16 ++++++++++++++++
 tests/dcerpc/dcerpc-dcepayload-16/input.pcap | Bin 0 -> 408 bytes
 tests/dcerpc/dcerpc-dcepayload-16/test.rules | 2 ++
 tests/dcerpc/dcerpc-dcepayload-16/test.yaml | 16 ++++++++++++++++
 tests/dcerpc/dcerpc-dcepayload-17/input.pcap | Bin 0 -> 408 bytes
 tests/dcerpc/dcerpc-dcepayload-17/test.rules | 2 ++
 tests/dcerpc/dcerpc-dcepayload-17/test.yaml | 16 ++++++++++++++++
 tests/dcerpc/dcerpc-dcepayload-18/input.pcap | Bin 0 -> 408 bytes
 tests/dcerpc/dcerpc-dcepayload-18/test.rules | 2 ++
 tests/dcerpc/dcerpc-dcepayload-18/test.yaml | 16 ++++++++++++++++
 tests/dcerpc/dcerpc-dcepayload-19/input.pcap | Bin 0 -> 408 bytes
 tests/dcerpc/dcerpc-dcepayload-19/test.rules | 2 ++
 tests/dcerpc/dcerpc-dcepayload-19/test.yaml | 16 ++++++++++++++++
 tests/dcerpc/dcerpc-dcepayload-20/input.pcap | Bin 0 -> 408 bytes
 tests/dcerpc/dcerpc-dcepayload-20/test.rules | 2 ++
 tests/dcerpc/dcerpc-dcepayload-20/test.yaml | 16 ++++++++++++++++
 18 files changed, 108 insertions(+)
create mode 100644 tests/dcerpc/dcerpc-dcepayload-15/input.pcap
create mode 100644 tests/dcerpc/dcerpc-dcepayload-15/test.rules
create mode 100644 tests/dcerpc/dcerpc-dcepayload-15/test.yaml
create mode 100644 tests/dcerpc/dcerpc-dcepayload-16/input.pcap
create mode 100644 tests/dcerpc/dcerpc-dcepayload-16/test.rules
create mode 100644 tests/dcerpc/dcerpc-dcepayload-16/test.yaml
create mode 100644 tests/dcerpc/dcerpc-dcepayload-17/input.pcap
create mode 100644 tests/dcerpc/dcerpc-dcepayload-17/test.rules
create mode 100644 tests/dcerpc/dcerpc-dcepayload-17/test.yaml
create mode 100644 tests/dcerpc/dcerpc-dcepayload-18/input.pcap
create mode 100644 tests/dcerpc/dcerpc-dcepayload-18/test.rules
create mode 100644 tests/dcerpc/dcerpc-dcepayload-18/test.yaml
create mode 100644 tests/dcerpc/dcerpc-dcepayload-19/input.pcap
create mode 100644 tests/dcerpc/dcerpc-dcepayload-19/test.rules
create mode 100644 tests/dcerpc/dcerpc-dcepayload-19/test.yaml
create mode 100644 tests/dcerpc/dcerpc-dcepayload-20/input.pcap
create mode 100644 tests/dcerpc/dcerpc-dcepayload-20/test.rules
create mode 100644 tests/dcerpc/dcerpc-dcepayload-20/test.yaml
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/input.pcap b/tests/dcerpc/dcerpc-dcepayload-15/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..93cc9860c44bb90bfb83f60ecf7b0ad6e1cf9c86
GIT binary patch literal 408 zc-p&ic+)~A1{MYw`2U}Q;R%r5lk*|-OawE729OQHt{{q$fx&_8d-Z`8jEq3c#BzzD zoq>V*1xQ~2lL7;?A4H#VBu;%yAiWIjK%ETi7l3+S1_&uI{LX>sONb=OzL!9~7Xt)< z`f?%qx`Fy80QF3O=$io5CyZ5}gaX5~Mg|5}pnw2SeFhLSg4_@Gy%a-Poe={+G%P@L z3=kSJm;0>S any any (msg:"DcePayloadTest15 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,14080,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest15 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,46,5,relative,dce; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-15/test.yaml b/tests/dcerpc/dcerpc-dcepayload-15/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-15/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
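Review bot: Each check in this test.yaml filters on one signature_id and pcap_cnt 4 with count 1, so an unexpected extra alert (either sid also firing on another packet) would not fail the test; the same check file is reused verbatim in dcerpc-dcepayload-16 through -20. A third filter with `count: 2` and a `match:` of only `event_type: alert` (no sid, no pcap_cnt) would pin the total alert count and catch a regression in the byte_test/byte_jump dce handling these rules exercise. The unit tests this commit replaces may have asserted the negative case as well; that is not visible from the patch.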
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/input.pcap b/tests/dcerpc/dcerpc-dcepayload-16/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..28180067d30818af77acea57cf416da1dff72bb5
GIT binary patch literal 408 zc-p&ic+)~A1{MYw`2U}Q;R%r5lk*|-Uko#Y29OQHt{{q$fx&_8d-Z`8jEq3c#BzzD zoq>V*1xQ~2lL7;?A4H#ZEKYq)AiWIjK%ETi7l3+S1_&uI{LX>s%Zw$;zL!9~7Xt)< z`f?%qCIj_N0P2|l(Ki9APZ+B{2?d5}jSLK|Kmh@u`V1gu1i2sVdntypIwJ;tXjp*g z7$7ucFb85iC~3i90wm3VJO-#<5N`Qd&xi=a|NljPLHHo|JtHnWE;2B%1cLnqbQ}Q5 Ce^pcf literal 0 Hc-jL100001
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/test.rules b/tests/dcerpc/dcerpc-dcepayload-16/test.rules
new file mode 100644
index 000000000..ec7f4e1de
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-16/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest16 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,55,0,relative; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest16 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,11776,5,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-16/test.yaml b/tests/dcerpc/dcerpc-dcepayload-16/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-16/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/input.pcap b/tests/dcerpc/dcerpc-dcepayload-17/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..bb89de9b9d92e8570165ed3a120ea084724d1fd5
GIT binary patch literal 408 zc-p&ic+)~A1{MYw`2U}Q;R%r5lk*`nJ%O1)1IPwpR}jU>z~I34z52ikMn)iJV!6c7 z&cML@0;Dg1Nr8dc529}|ZhcH3y$tO@oeb<3fO=mB2q`f9&VlH=NSu8yfqE|n2mtlv zLiGIx>YD)6GXbJ+0#u(cR(%o*4AUAJ7+8S<0zmZ{K+FhoKiKzD3}tmj4E)fr0MRi( zXvkm=#ClNDg24nxngMwXP`x1B^0S^15r+T&i~NG{LGJTSBq}^EGBB_Ng8c<_8~`B^ BRc!zO literal 0 Hc-jL100001
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/test.rules b/tests/dcerpc/dcerpc-dcepayload-17/test.rules
new file mode 100644
index 000000000..cb5552618
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-17/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest17 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,55,0,relative,big; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest17 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_test:2,=,46,5,relative,little; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-17/test.yaml b/tests/dcerpc/dcerpc-dcepayload-17/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-17/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/input.pcap b/tests/dcerpc/dcerpc-dcepayload-18/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..38f149386a09725a508bfdeee98ed55d10a250b1
GIT binary patch literal 408 zc-p&ic+)~A1{MYw`2U}Q;R%r5lk*`nI+dA01IPwpR}jU>z~I34z52ikMn)iJV!6c7 z&cML@0;Dg1Nr8dc529}>ZhcH3y$tO@oeb<3fO=mB2q`f9&VlGVOq_i$fqE|n2mtlv zLiD`>>YD)6GXbJ+0#u(cR(%o*4F9Sb7+8S<0zmZ{K+FhoKiKzD3}tmj4E)fr0MRi( zXvoaK%)p?>V9sC&BrO3=r<01nCOCZ=^ HK*s?93Yb+s literal 0 Hc-jL100001
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/test.rules b/tests/dcerpc/dcerpc-dcepayload-18/test.rules
new file mode 100644
index 000000000..98ba33c32
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-18/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest18 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative,dce; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest18 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,relative,dce; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-18/test.yaml b/tests/dcerpc/dcerpc-dcepayload-18/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-18/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/input.pcap b/tests/dcerpc/dcerpc-dcepayload-19/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..031a73377bc453bccee3bf3f2193672bd3448537
GIT binary patch literal 408 zc-p&ic+)~A1{MYw`2U}Q;R%r5lk*{SR|YeK29OQHt{{q$fx&_8d-Z`8jEq3c#BzzD zoq>V*1xQ~2lL7;?A4K0f-1?Y6dKub*IvLn60QJ5M5K>_HodeM)kx7(&FM)b51_%K4 zX`u1Hvy_o7^^-B1%@Au3=FJ50Rf=;3?OC%xgYF%DTcB-BL;qGSb*pl zAT(rP20}dsb0ABP!GggANSXn83{brw-14)Y5fO&}|BL*B@ImgIoJmx8Tx4Ki2?YBK G=r{oCP*n*4 literal 0 Hc-jL100001
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/test.rules b/tests/dcerpc/dcerpc-dcepayload-19/test.rules
new file mode 100644
index 000000000..c1aba2a94
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-19/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest19 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest19 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,relative; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-19/test.yaml b/tests/dcerpc/dcerpc-dcepayload-19/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-19/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/input.pcap b/tests/dcerpc/dcerpc-dcepayload-20/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b8c8d7f3e6dc884bf87ec93e3350a0f229071f93
GIT binary patch literal 408 zc-p&ic+)~A1{MYw`2U}Q;R%r5lk*{yD~Fju1IPwpR}jU>z~I34z52ikMn)iJV!6c7 z&cML@0;Dg1Nr8dc52DWjw>~D2UWRs{P6qZ1K)o*mgcKNl=Rouo5@+8_px%oC0ziGa z5Pfrj`X&JNOn~T{0M#dqRi6Ysm9~u@QItB<0 z8JL+F81xv-fh;`+3kDM)X$IsmK=p!f%g=g7L>T`6FY*h*2f6P9ap7^1fq^9u>@T3> E0M%wx%>V!Z literal 0 Hc-jL100001
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/test.rules b/tests/dcerpc/dcerpc-dcepayload-20/test.rules
new file mode 100644
index 000000000..e918b884e
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-20/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"DcePayloadTest20 sig1"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,0,relative,big; byte_test:2,=,46,0,relative,dce; sid:1;)
+alert tcp any any -> any any (msg:"DcePayloadTest20 sig2"; dce_stub_data; content:"|5c 00 5c 00 31|"; distance:0; byte_jump:2,2,little,relative; byte_test:2,=,14080,0,relative; sid:2;)
diff --git a/tests/dcerpc/dcerpc-dcepayload-20/test.yaml b/tests/dcerpc/dcerpc-dcepayload-20/test.yaml
new file mode 100644
index 000000000..1b2592ad2
--- /dev/null
+++ b/tests/dcerpc/dcerpc-dcepayload-20/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none --set stream.inline=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 4
-- 
2.47.3
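Review bot: In dcerpc-dcepayload-20/test.rules the two signatures order the byte_jump options differently, `byte_jump:2,0,relative,big` in sig1 versus `byte_jump:2,2,little,relative` in sig2, while every other test in this series puts the endianness flag after `relative`. If the swapped order is deliberate (exercising that option order is not significant to the parser), a short note would stop a later cleanup from "fixing" it; otherwise `byte_jump:2,2,relative,little` keeps the series consistent.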