From be142e42768cfbf81bdf9a4872d0b6e7d70451b6 Mon Sep 17 00:00:00 2001 
From: Jeff Lucovsky Date: Sat, 27 Jul 2024 10:09:20 -0400 Subject: [PATCH] test/linktype: Expand linktype_name coverage Issue: 4974 This commit extends the linktype_name validation across the existing tests so that more linktype name values are checked: - C_HDLC - PPP - IPV4 - IPV6 - RAW - EN10MB - LINUX_SLL Some existing tests required suricata.yaml configuration to enable the packet values to be in the alerts. --- tests/decode-chdlc-01/test.yaml | 59 +++++++++-------- tests/decode-chdlc-02/README.md | 3 + tests/decode-chdlc-02/suricata.yaml | 24 +++++++ tests/decode-chdlc-02/test.rules | 1 + tests/decode-chdlc-02/test.yaml | 38 +++++++++++ .../defrag/bug-6887-defrag-ipv6-tcp/test.yaml | 10 +++ tests/detect-ipopts-02/README | 13 ++++ tests/detect-ipopts-02/suricata.yaml | 11 ++++ tests/detect-ipopts-02/test.rules | 10 +++ tests/detect-ipopts-02/test.yaml | 64 +++++++++++++++++++ tests/dnp3-dnp3_obj-alert/test.yaml | 8 +++ tests/tcp-fastopen-12/suricata.yaml | 12 ++++ tests/tcp-fastopen-12/test.rules | 1 + tests/tcp-fastopen-12/test.yaml | 20 ++++++ tests/vxlan-decoder-04/README.md | 7 ++ tests/vxlan-decoder-04/suricata.yaml | 12 ++++ tests/vxlan-decoder-04/test.rules | 1 + tests/vxlan-decoder-04/test.yaml | 27 ++++++++ 18 files changed, 291 insertions(+), 30 deletions(-) create mode 100644 tests/decode-chdlc-02/README.md create mode 100644 tests/decode-chdlc-02/suricata.yaml create mode 100644 tests/decode-chdlc-02/test.rules create mode 100644 tests/decode-chdlc-02/test.yaml create mode 100644 tests/detect-ipopts-02/README create mode 100644 tests/detect-ipopts-02/suricata.yaml create mode 100644 tests/detect-ipopts-02/test.rules create mode 100644 tests/detect-ipopts-02/test.yaml create mode 100644 tests/tcp-fastopen-12/suricata.yaml create mode 100644 tests/tcp-fastopen-12/test.rules create mode 100644 tests/tcp-fastopen-12/test.yaml create mode 100644 tests/vxlan-decoder-04/README.md create mode 100644 tests/vxlan-decoder-04/suricata.yaml create mode 100644 
tests/vxlan-decoder-04/test.rules create mode 100644 tests/vxlan-decoder-04/test.yaml
diff --git a/tests/decode-chdlc-01/test.yaml b/tests/decode-chdlc-01/test.yaml
index 0d40b8851..813bb896d 100644
--- a/tests/decode-chdlc-01/test.yaml
+++ b/tests/decode-chdlc-01/test.yaml
@@ -2,35 +2,34 @@ requires: min-version: 6.0.0 - checks: - - filter: - count: 1 - match: - event_type: http - http.hostname: "view.atdmt.com" - http.status: 200 - http.length: 8079 - - - filter: - count: 1 - match: - event_type: fileinfo - fileinfo.state: CLOSED - - - filter: - count: 1 - match: - event_type: alert - alert.signature_id: 666 - - - filter: - count: 1 - match: - event_type: flow - proto: TCP - - - stats: - decoder.ipv4: 17 - decoder.chdlc: 17
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.hostname: "view.atdmt.com"
+ http.status: 200
+ http.length: 8079
+
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+
+ - stats:
+ decoder.ipv4: 17
+ decoder.chdlc: 17
diff --git a/tests/decode-chdlc-02/README.md b/tests/decode-chdlc-02/README.md
new file mode 100644
index 000000000..3f08bf4a9
--- /dev/null
+++ b/tests/decode-chdlc-02/README.md
@@ -0,0 +1,3 @@
+Ensure Cisco HDLC packets are decoded and the linktype name is correct
+
+
diff --git a/tests/decode-chdlc-02/suricata.yaml b/tests/decode-chdlc-02/suricata.yaml
new file mode 100644
index 000000000..5ccb71d09
--- /dev/null
+++ b/tests/decode-chdlc-02/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - http:
+ extended: true
+ - files:
+ force-magic: no
+ - flow
+ - stats
+app-layer:
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ response-body-limit: 100kb
diff --git a/tests/decode-chdlc-02/test.rules b/tests/decode-chdlc-02/test.rules
new file mode 100644
index 000000000..90536fb91
--- /dev/null
+++ b/tests/decode-chdlc-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.method; content:"GET"; sid:666;)
diff --git a/tests/decode-chdlc-02/test.yaml b/tests/decode-chdlc-02/test.yaml
new file mode 100644
index 000000000..dc6971bcd
--- /dev/null
+++ b/tests/decode-chdlc-02/test.yaml
@@ -0,0 +1,38 @@
+requires:
+
+ min-version: 8
+
+pcap: ../decode-chdlc-01/hdlc-http_1tx.pcap
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.hostname: "view.atdmt.com"
+ http.status: 200
+ http.length: 8079
+
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ packet_info.linktype_name: C_HDLC
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+
+ - stats:
+ decoder.ipv4: 17
+ decoder.chdlc: 17
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
index 91d4f4e29..be361ad1e 100644
--- a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
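Review bot: The five checks in this new test.yaml are a verbatim copy of decode-chdlc-01's checks with a single extra line, `packet_info.linktype_name: C_HDLC` on the sid-666 filter, so the two tests now have to be kept in step by hand. The defrag and dnp3 hunks in this same commit take a lighter route and append one extra filter carrying `min-version: 8` to the existing test; doing the same in decode-chdlc-01 (plus `packet: yes` on its eve alert output, if that test's suricata.yaml does not already have it) would avoid the duplicate directory. If the separate test is kept, its README should say why the split exists, e.g. `Same pcap as decode-chdlc-01; split out because the linktype_name check needs Suricata 8 and the packet dump enabled in suricata.yaml.`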
@@ -9,3 +9,13 @@ checks:
 alert.signature_id: 1
 packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrpacket_info.linktype: 229
+
+- filter:
+ count: 1
+ min-version: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrpacket_info.linktype: 229
+ packet_info.linktype_name: IPV6
diff --git a/tests/detect-ipopts-02/README b/tests/detect-ipopts-02/README
new file mode 100644
index 000000000..9a608fb55
--- /dev/null
+++ b/tests/detect-ipopts-02/README
@@ -0,0 +1,13 @@
+Test the IP options and verify the linktype name value.
+
+There's already a test for the extended security option; the following IP options are tested:
+- Record Route "rr"
+- Loose source route "lsrr"
+- EOL "eol"
+- NOP "nop"
+- Timestamp "ts"
+- Security "sec"
+- Strict source route "ssrr"
+- Stream id "satid"
+
+The pcap was generated using detect-ipopts/ipopt.py
diff --git a/tests/detect-ipopts-02/suricata.yaml b/tests/detect-ipopts-02/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/detect-ipopts-02/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/detect-ipopts-02/test.rules b/tests/detect-ipopts-02/test.rules
new file mode 100644
index 000000000..9d2215a62
--- /dev/null
+++ b/tests/detect-ipopts-02/test.rules
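Review bot: The added sid-1 filter repeats the full base64 `packet:` value of the filter directly above it, so any future change to that packet encoding has to be made twice in lockstep. Since the earlier filter already pins the packet bytes for this alert, the new `min-version: 8` filter could match on `alert.signature_id: 1`, `packet_info.linktype: 229` and `packet_info.linktype_name: IPV6` alone, provided sid 1 fires only once on this pcap — the existing `count: 1` suggests that but does not prove it on its own. Pairing the numeric linktype 229 with the name IPV6 is a useful cross-check of the number-to-name mapping that the other new tests in this commit do not perform. The checks list this hunk extends starts before the visible context.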
@@ -0,0 +1,10 @@
+alert ip any any -> any any (msg:"RR option set"; ipopts:rr; sid: 1;)
+alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;)
+alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;)
+alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;)
+alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;)
+alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;)
+alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;)
+alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;)
+# covered in ipopts-sec
+#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)
diff --git a/tests/detect-ipopts-02/test.yaml b/tests/detect-ipopts-02/test.yaml
new file mode 100644
index 000000000..3927a3f27
--- /dev/null
+++ b/tests/detect-ipopts-02/test.yaml
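Review bot: The trailing comment `# covered in ipopts-sec` names a test directory that appears nowhere else in this change, while the README for the same test says the pcap comes from `detect-ipopts/`; the comment should name the existing ESEC test exactly so the next maintainer can find it. The commented-out rule also uses `<>` where every live rule uses `->`; as dead text it is harmless, but dropping the rule and keeping only the pointer comment would be clearer. The `sid: 1;` spelling with a space after the colon differs from the `sid:666;` / `sid:1;` form in the other rule files of this commit; harmless if the option parser trims it, but worth normalising for consistency.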
@@ -0,0 +1,64 @@
+requires:
+ min-version: 8
+
+args:
+ - --set stream.midstream=true -k none
+
+pcap: ../detect-ipopts/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ alert.signature_id: 1
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 2
+ alert.signature_id: 2
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 4
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 5
+ alert.signature_id: 5
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 6
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ alert.signature_id: 7
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 8
+ alert.signature_id: 8
+ packet_info.linktype_name: IPV4
diff --git a/tests/dnp3-dnp3_obj-alert/test.yaml b/tests/dnp3-dnp3_obj-alert/test.yaml
index bc1dab550..afdbd3963 100644
--- a/tests/dnp3-dnp3_obj-alert/test.yaml
+++ b/tests/dnp3-dnp3_obj-alert/test.yaml
@@ -15,3 +15,11 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 2
+
+ - filter:
+ count: 4
+ min-version: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet_info.linktype_name: EN10MB
diff --git a/tests/tcp-fastopen-12/suricata.yaml b/tests/tcp-fastopen-12/suricata.yaml
new file mode 100644
index 000000000..100bcbe5a
--- /dev/null
+++ b/tests/tcp-fastopen-12/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - flow
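Review bot: The sid-3 filter asserts `count: 6` with no `pcap_cnt`, while every other filter pins exactly one packet, and nothing says where six EOL alerts come from; a comment such as `# eol is present on several packets (option lists are padded), so assert the total rather than one pcap_cnt` — to be confirmed against the pcap — would stop the next reader from treating the 6 as a typo. The filters also check only the linktype name; adding `packet_info.linktype: 228` beside `IPV4`, the way the defrag hunk pairs 229 with IPV6, would catch a broken number-to-name mapping as well. The `--set stream.midstream=true -k none` entry packs two options into one args element; that works if the runner splits on whitespace, but one option per element matches the other new test.yaml files here.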
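Review bot: The new sid-1 filter depends on `packet_info` being present in the alert records, and the commit message itself notes that packet values only appear when the alert output is configured for them; the dnp3-dnp3_obj-alert suricata.yaml is not in the diffstat, so that `packet: yes` setting needs to be confirmed there (the new test directories all enable it explicitly). The filter also pins `count: 4` for sid 1 without relating it to the sid-1 check that presumably sits above the visible context; a short comment like `# the same 4 sid-1 alerts as above, now also checking the link type` would tie the two together. The checks list this hunk extends starts before the hunk.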
diff --git a/tests/tcp-fastopen-12/test.rules b/tests/tcp-fastopen-12/test.rules
new file mode 100644
index 000000000..28347d0dd
--- /dev/null
+++ b/tests/tcp-fastopen-12/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)
diff --git a/tests/tcp-fastopen-12/test.yaml b/tests/tcp-fastopen-12/test.yaml
new file mode 100644
index 000000000..693753c87
--- /dev/null
+++ b/tests/tcp-fastopen-12/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../tcp-fastopen-05/tfo.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet_info.linktype_name: LINUX_SLL
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ proto: TCP
diff --git a/tests/vxlan-decoder-04/README.md b/tests/vxlan-decoder-04/README.md
new file mode 100644
index 000000000..342ca79ab
--- /dev/null
+++ b/tests/vxlan-decoder-04/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test basic VXLAN decoding
+
+# PCAP
+
+https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/vxlan.pcap
diff --git a/tests/vxlan-decoder-04/suricata.yaml b/tests/vxlan-decoder-04/suricata.yaml
new file mode 100644
index 000000000..100bcbe5a
--- /dev/null
+++ b/tests/vxlan-decoder-04/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - flow
diff --git a/tests/vxlan-decoder-04/test.rules b/tests/vxlan-decoder-04/test.rules
new file mode 100644
index 000000000..c0f94ab54
--- /dev/null
+++ b/tests/vxlan-decoder-04/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (itype:8; sid:1;)
diff --git a/tests/vxlan-decoder-04/test.yaml b/tests/vxlan-decoder-04/test.yaml
new file mode 100644
index 000000000..9bcce7b9c
--- /dev/null
+++ b/tests/vxlan-decoder-04/test.yaml
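Review bot: tcp-fastopen-12 is the only new test directory in this commit without a README, and nothing in test.yaml says why a further fast-open test exists; a one-line `README.md` such as `Replays tcp-fastopen-05/tfo.pcap and checks that alerts report linktype_name LINUX_SLL (Linux cooked capture).` would spare the next maintainer a trip through the history. The file also places `pcap:` above `requires:`, the reverse of the three other new test.yaml files here; matching their order is a small consistency win. `-k none` disables checksum verification, presumably because the capture carries offloaded or bad checksums — if so, a trailing `# capture has offloaded checksums` on that line records the reason.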
@@ -0,0 +1,27 @@
+requires:
+ min-version: 8
+
+args:
+ - --set decoder.vxlan.enabled=true
+
+pcap: ../vxlan-decoder-02/vxlan.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: "ICMP"
+ flow.pkts_toserver: 4
+ flow.pkts_toclient: 4
+ - filter:
+ count: 4
+ match:
+ event_type: flow
+ dest_port: 4789
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ tunnel.dest_port: 4789
+ packet_info.linktype_name: RAW
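Review bot: The alert filter expects `packet_info.linktype_name: RAW` on an Ethernet capture and nothing explains why; the `tunnel.dest_port: 4789` match indicates the alert is raised on the decapsulated inner packet, which presumably carries its own datalink rather than the outer capture's, so a comment such as `# alerts fire on the inner (decapsulated) VXLAN packet, whose datalink is RAW, not the outer EN10MB` would make the intent explicit — to be confirmed against the decoder. The README points at the tcpdump repository for the pcap while `pcap:` reuses `../vxlan-decoder-02/vxlan.pcap`; stating that it is the same file already checked in under vxlan-decoder-02 would avoid a hunt for a download step.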