From 1133c923a649f663fe35872287037877f6cba216 Mon Sep 17 00:00:00 2001 From: Eric Leblond Date: Fri, 29 Nov 2024 18:51:31 +0100 Subject: [PATCH] tests: verify valid json on long message --- tests/test-valid-json/pawpatrules.rules | 1 + tests/test-valid-json/suricata.yaml | 16 ++++++++++++++++ tests/test-valid-json/test.yaml | 19 +++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 tests/test-valid-json/pawpatrules.rules create mode 100644 tests/test-valid-json/suricata.yaml create mode 100644 tests/test-valid-json/test.yaml diff --git a/tests/test-valid-json/pawpatrules.rules b/tests/test-valid-json/pawpatrules.rules new file mode 100644 index 000000000..e41fa7890 --- /dev/null +++ b/tests/test-valid-json/pawpatrules.rules @@ -0,0 +1 @@ +alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible Windows Installer or Bitsadmin TLSv1.2 connection to FQDN - T1105"; flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; fast_pattern; tls_sni; content:!"microsoft.com"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"google.com"; endswith; nocase; content:!".ms"; endswith; nocase; content:!"libreoffice.org"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"windows.net"; endswith; nocase; content:!"googleapis.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"sophosupd.com"; endswith; nocase; content:!"sophosxl.net"; endswith; nocase; content:!"sophos.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"jive.com"; endswith; nocase; content:!"adobe.com"; endswith; nocase; content:!"avast.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!".microsoft"; nocase; endswith; content:!".gvt1.com"; nocase; endswith; content:!".msedge.net"; nocase; endswith; content:!".msn.com"; nocase; endswith; content:!".microsoftonline.com"; nocase; endswith; content:!".windows.com"; nocase; endswith; content:!".bing.com"; nocase; endswith; content:!".mozilla.net; nocase; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2023_05_18, updated_at 2024_09_05; sid:3300209; rev:18; classtype:policy-violation;) diff --git a/tests/test-valid-json/suricata.yaml b/tests/test-valid-json/suricata.yaml new file mode 100644 index 000000000..c2fa64e94 --- /dev/null +++ b/tests/test-valid-json/suricata.yaml @@ -0,0 +1,16 @@ +%YAML 1.1 +--- + +logging: + default-log-level: info + outputs: + - file: + enabled: yes + filename: eve.json + type: json + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + EXTERNAL_NET: "!$HOME_NET" diff --git a/tests/test-valid-json/test.yaml b/tests/test-valid-json/test.yaml new file mode 100644 index 000000000..e49b1bb9c --- /dev/null +++ b/tests/test-valid-json/test.yaml @@ -0,0 +1,19 @@ +requires: + min-version: 8 + +args: + - -T + +pcap: false + +exit-code: 1 + +checks: + # check that we have the following entries in eve.json + # match rule load failure reason as it is super long + - filter: + count: 2 + match: + event_type: engine + engine.module: detect +