From 831118895b7dfd12d0c376f1808e9e80cf21954d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eloy=20P=C3=A9rez=20Gonz=C3=A1lez?=
Date: Mon, 14 Feb 2022 10:58:34 +0100
Subject: [PATCH 1/4] smb-smb_version: new test
---
 tests/smb-smb_version/input.pcap | Bin 0 -> 4563 bytes
 tests/smb-smb_version/test.rules | 3 +++
 tests/smb-smb_version/test.yaml | 17 +++++++++++++++++
 3 files changed, 20 insertions(+)
 create mode 100644 tests/smb-smb_version/input.pcap
 create mode 100644 tests/smb-smb_version/test.rules
 create mode 100644 tests/smb-smb_version/test.yaml
diff --git a/tests/smb-smb_version/input.pcap b/tests/smb-smb_version/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ca439fb845de3397f1e9c18a85899762b46952c4 GIT binary patch literal 4563 zcmd5=Z)_Ar6o0d~cRfm#Yb~WJ!Xbr}g2(nOP?11OTT-BH`i}rgDW!KUHKfo&6cee} zi$bJg2|ptNX$|-bIhI@fXQ-F#@FeS4E6bLa!;s7Hi_zZgr*8 z`y_Z9J&@_VNYLP~h~gy~y*$8a0C|D3!iA00N@n>~i4q8WCGqz2AQhEc3kt1@E!_?h z4!7EEiV|urSg?Qt|7X7hb_9}4g?tbumSX>s!s*(ngDC}JT3U?ZoJ-|DcJ~qb&*Duw zF-~jfas-WRoDsmlcN}@)r_ZOEm+YUOyT9jl&Gr~R*M(=*_WUe&?W(!ViKkmG*g_So zdEI21Zem8G`QomtyrNdcMSMPLG*40;*F3QPBpOcxjalNx@le4m}wthpSlZ1BmR|z^W2C^_h zTm7pe61vpZdD4mqK9w|q;)iuAf}w@+PCAL6Ag!T(eIo@VJ~m5#Lvt-j7M>c%u1Dqk zAm{x3p`4$zBIn16^V|yVGRV1zZ;*4*^SFqKbIS-gUz#2BzvF!QUlRO?Fp!0D?(w{&c|l=WSut0P(Pj38rUn}(*7Y1V$B@3u|CXQ{NhJ$=LM*c%;%a$is9H{q_jxZ= zkiIWAlS?*DtThRsm$V{OqF?J+05kLl!_ZWtu$>RTKzs9m(tOoph-IvO=(3u>k(9-E*Ea`7S-s`IcKlLITE0P>&|vJw6`&|Wi)XgQRD z0_h+_B2>ehupXSy2vuOiRu!xT15AK7U=tr>i#WnK%*+_{u9Y}JUX*W$w$rSMB(Dn< zw$9$gxYNXooyO*n;S%CZrWYwY>#vI9CD|H3u86Q=djxU(icY~|2-ZTR!x1-Bq*;P@ zXm_)DikoG2xLJnmW{O~r{3hd3gLO9^O;{)5k%e_E9_3h@@mP&D6$L$#gd?%i2pf=_ zI;aowXIH00IOj{ZGPVxHmwvi&Zb{taM@|-uQ!taTy<}V0{bkE&>VK;b5j^SS-3A$2 zu!BsWny}S=m>BL(ADWuIi+$d{dzhN>b91<_lA#PUpj4wW9K#Q;9e8;CTuqNnF7SPaFO_9;C2bhivUFaWYJVBfNLMFh6Z=k+#F^a-sLJQVAr7uwfG zPkqCsjs>Nra902UHjxqKzqiWKcAn};xOy89*IO8wCDP6_I`k~YL<;^I;TkQnmvCGw zGeJOC=xt1;4uWrH*kKvmrsNUuKpd#A%Flc#gB#mqVJvL6cXJjpb@IOD^ZLfoT9v~% z4L1$Jf&mvqYZbB!4ty_cli>>-OBSZ;y?#d|^nK%Oou}t>^rzDAz(x@f zU1(K}UpTysOx39)QngTY$-bzHKEkn_ITXv&^AXDyiu~oPJg{LEt&N;;9S%#2Mr%UR z@A%|so1HTvrY(r+ZrtoFVzYbrP=*Agl1$GGll?VOyii_zz}I(0%ZyPItNI-RK+Hs2 zALRuO2`es2f?y%NO+uqwaiOU%gS1IGfIg=zK+lI{J|j23KJ?0houQJ9EisNd3%6uf zi<{d1l0|h6>L=~ad=xdCjuJxMvvmsCEfnyCs(?^7O_88?Gc_RtVK any any (msg:"SMB1 Request";flow:to_server;smb.version:1;sid:1;) +alert tcp any any -> any any (msg:"SMB2 Request";flow:to_server;smb.version:2;sid:2;) 
diff --git a/tests/smb-smb_version/test.yaml b/tests/smb-smb_version/test.yaml
new file mode 100644
index 000000000..94f5a8efb
--- /dev/null
+++ b/tests/smb-smb_version/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 7
+    match:
+      event_type: alert
+      alert.signature_id: 2
From 6fbb0113ef77497dde65b72ef86c8baef10a6c3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Eloy=20P=C3=A9rez=20Gonz=C3=A1lez?=
Date: Tue, 1 Mar 2022 15:56:06 +0100
Subject: [PATCH 2/4] smb-smb_version: update test to match also responses
---
 tests/smb-smb_version/test.rules | 4 ++--
 tests/smb-smb_version/test.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tests/smb-smb_version/test.rules b/tests/smb-smb_version/test.rules
index f03fbc1d1..466ffd712 100644
--- a/tests/smb-smb_version/test.rules
+++ b/tests/smb-smb_version/test.rules
@@ -1,3 +1,3 @@
 
-alert tcp any any -> any any (msg:"SMB1 Request";flow:to_server;smb.version:1;sid:1;)
-alert tcp any any -> any any (msg:"SMB2 Request";flow:to_server;smb.version:2;sid:2;)
+alert tcp any any -> any any (msg:"SMB1 Request"; smb.version:1;sid:1;)
+alert tcp any any -> any any (msg:"SMB2 Request"; smb.version:2;sid:2;)
diff --git a/tests/smb-smb_version/test.yaml b/tests/smb-smb_version/test.yaml
index 94f5a8efb..5996be71c 100644
--- a/tests/smb-smb_version/test.yaml
+++ b/tests/smb-smb_version/test.yaml
@@ -6,12 +6,12 @@ args:
 
 checks:
 - filter:
-    count: 1
+    count: 2
     match:
       event_type: alert
       alert.signature_id: 1
 - filter:
-    count: 7
+    count: 14
     match:
       event_type: alert
       alert.signature_id: 2
From 6c6cf2aa632c449214b88b31c861b31eb4d34cf2 Mon Sep 17 00:00:00 2001
From: jason taylor
Date: Mon, 28 Aug 2023 21:43:10 +0000
Subject: [PATCH 3/4] tests: update tests for smb.version keyword
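Review bot: The `- -k none` entry under `args:` switches checksum validation off for the whole run without recording why this capture needs it, so a later reader cannot tell whether dropping the flag would silently remove the SMB packets the two `count` checks depend on or is simply inert. A comment on the line above it, `# checksum validation off: <state why this capture needs it — confirm against the pcap>`, keeps that knowledge with the test. The same unexplained flag is copied into tests/smb-version-keyword-invalid/test.yaml in patch 3.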
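Review bot: Removing `flow:to_server` from both signatures in tests/smb-smb_version/test.rules makes them fire on server replies as well as requests (the next hunk doubles the expected counts to 2 and 14), but the `msg` strings still read "SMB1 Request" and "SMB2 Request", so every alert raised on a response is now mislabelled in the EVE output. Change them to `msg:"SMB1 request or response"` and `msg:"SMB2 request or response"`, or drop the direction word altogether. The same mismatch is carried into the replacement rules in tests/smb-version-keyword/test.rules in patch 3, which say "SMBv1 Request"/"SMBv2 Request" with no direction keyword; if per-direction matching was meant to stay under test, a second pair of rules with `flow:to_client` would keep the request and response counts separately instead of folding them together.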
Signed-off-by: jason taylor
---
 tests/smb-smb_version/test.rules | 3 ---
 tests/smb-version-keyword-invalid/README.md | 4 ++++
 tests/smb-version-keyword-invalid/test.rules | 1 +
 tests/smb-version-keyword-invalid/test.yaml | 14 ++++++++++++++
 tests/smb-version-keyword/README.md | 14 ++++++++++++++
 .../input.pcap | Bin
 tests/smb-version-keyword/test.rules | 2 ++
 .../test.yaml | 0
 8 files changed, 35 insertions(+), 3 deletions(-)
 delete mode 100644 tests/smb-smb_version/test.rules
 create mode 100644 tests/smb-version-keyword-invalid/README.md
 create mode 100644 tests/smb-version-keyword-invalid/test.rules
 create mode 100644 tests/smb-version-keyword-invalid/test.yaml
 create mode 100644 tests/smb-version-keyword/README.md
 rename tests/{smb-smb_version => smb-version-keyword}/input.pcap (100%)
 create mode 100644 tests/smb-version-keyword/test.rules
 rename tests/{smb-smb_version => smb-version-keyword}/test.yaml (100%)
diff --git a/tests/smb-smb_version/test.rules b/tests/smb-smb_version/test.rules
deleted file mode 100644
index 466ffd712..000000000
--- a/tests/smb-smb_version/test.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-
-alert tcp any any -> any any (msg:"SMB1 Request"; smb.version:1;sid:1;)
-alert tcp any any -> any any (msg:"SMB2 Request"; smb.version:2;sid:2;)
diff --git a/tests/smb-version-keyword-invalid/README.md b/tests/smb-version-keyword-invalid/README.md
new file mode 100644
index 000000000..5acc65322
--- /dev/null
+++ b/tests/smb-version-keyword-invalid/README.md
@@ -0,0 +1,4 @@
+TEST
+====
+
+Test invalid smb.version keyword syntax in signature
diff --git a/tests/smb-version-keyword-invalid/test.rules b/tests/smb-version-keyword-invalid/test.rules
new file mode 100644
index 000000000..3127cfb7a
--- /dev/null
+++ b/tests/smb-version-keyword-invalid/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"Two smb version declarations"; flow:established; smb.version:2; smb.version:1; sid:1;)
diff --git a/tests/smb-version-keyword-invalid/test.yaml b/tests/smb-version-keyword-invalid/test.yaml
new file mode 100644
index 000000000..a59b32cba
--- /dev/null
+++ b/tests/smb-version-keyword-invalid/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+pcap: ../smb-version-keyword/input.pcap
+
+checks:
+- shell:
+    args: grep "Can't use 2 or more smb.version declarations" suricata.log | wc -l | xargs
+    expect: 1
+
+exit-code: 1
diff --git a/tests/smb-version-keyword/README.md b/tests/smb-version-keyword/README.md
new file mode 100644
index 000000000..6a0625c7d
--- /dev/null
+++ b/tests/smb-version-keyword/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+Test alerts with the smb.version keyword
+
+PCAP
+----
+
+The pcap is a sample of network traffic provided by the original author.
+
+Related Issues
+--------------
+
+https://redmine.openinfosecfoundation.org/issues/5075
diff --git a/tests/smb-smb_version/input.pcap b/tests/smb-version-keyword/input.pcap
similarity index 100%
rename from tests/smb-smb_version/input.pcap
rename to tests/smb-version-keyword/input.pcap
diff --git a/tests/smb-version-keyword/test.rules b/tests/smb-version-keyword/test.rules
new file mode 100644
index 000000000..02617e9a0
--- /dev/null
+++ b/tests/smb-version-keyword/test.rules
@@ -0,0 +1,2 @@
+alert smb any any -> any any (msg:"SMBv1 Request"; smb.version:1; sid:1;)
+alert smb any any -> any any (msg:"SMBv2 Request"; smb.version:2; sid:2;)
diff --git a/tests/smb-smb_version/test.yaml b/tests/smb-version-keyword/test.yaml
similarity index 100%
rename from tests/smb-smb_version/test.yaml
rename to tests/smb-version-keyword/test.yaml
From 949eb1657338bcf51bb5a5857f982caa9b4e9c48 Mon Sep 17 00:00:00 2001
From: jason taylor
Date: Wed, 29 Nov 2023 18:35:31 +0000
Subject: [PATCH 4/4] tests: update smb.keyword min suri version
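Review bot: The shell check `grep "Can't use 2 or more smb.version declarations" suricata.log | wc -l | xargs` couples the test to the exact wording of one engine log line, so any rewording of that message (or a log-level change that keeps it out of suricata.log) fails the test for a reason unrelated to the duplicate-keyword rejection, which `exit-code: 1` on its own already verifies. If the message check is kept, `args: grep -c "Can't use 2 or more smb.version declarations" suricata.log` gives the same count without the `wc`/`xargs` pipe. `pcap: ../smb-version-keyword/input.pcap` reaches into the sibling test directory even though the run presumably stops at signature load before any packet is read; a comment above it, `# any capture will do: the run is expected to fail at signature load`, records that the capture's content is irrelevant so the two tests do not look coupled on traffic.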
Signed-off-by: jason taylor
---
 tests/smb-version-keyword-invalid/test.yaml | 2 +-
 tests/smb-version-keyword/test.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/smb-version-keyword-invalid/test.yaml b/tests/smb-version-keyword-invalid/test.yaml
index a59b32cba..7f9f8ed8c 100644
--- a/tests/smb-version-keyword-invalid/test.yaml
+++ b/tests/smb-version-keyword-invalid/test.yaml
@@ -1,5 +1,5 @@
 requires:
-  min-version: 7
+  min-version: 8
 
 args:
 - -k none
diff --git a/tests/smb-version-keyword/test.yaml b/tests/smb-version-keyword/test.yaml
index 5996be71c..8098cadd0 100644
--- a/tests/smb-version-keyword/test.yaml
+++ b/tests/smb-version-keyword/test.yaml
@@ -1,5 +1,5 @@
 requires:
-  min-version: 7
+  min-version: 8
 
 args:
 - -k none