diff --git a/tests/bug-6207-1/input.pcap b/tests/bug-6207-1/input.pcap
index 26fafb50f..ebae12bf2 100644
Binary files a/tests/bug-6207-1/input.pcap and b/tests/bug-6207-1/input.pcap differ
diff --git a/tests/bug-6207-1/test.yaml b/tests/bug-6207-1/test.yaml
index c750cbc07..2f76b55d9 100644
--- a/tests/bug-6207-1/test.yaml
+++ b/tests/bug-6207-1/test.yaml
@@ -9,7 +9,6 @@ checks:
 match:
 app_proto: smtp
 email.attachment[0]: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
- email.status: BODY_END_BOUND
 event_type: fileinfo
 fileinfo.filename: smtptest-2021-02-25T13-54-22Z-aefb2fc1308d62f4b6c74769f69b13ddf80e995fd98ae442f3be499ea928c67f..zip
 fileinfo.size: 286
diff --git a/tests/bug-6207-2/input.pcap b/tests/bug-6207-2/input.pcap
index 89ac39c67..36e376e5b 100644
Binary files a/tests/bug-6207-2/input.pcap and b/tests/bug-6207-2/input.pcap differ
diff --git a/tests/filestore-filecontainer-smb1-padding/smb_bug_padding.pcap b/tests/filestore-filecontainer-smb1-padding/smb_bug_padding.pcap
new file mode 100644
index 000000000..288e3d150
Binary files /dev/null and b/tests/filestore-filecontainer-smb1-padding/smb_bug_padding.pcap differ
diff --git a/tests/filestore-filecontainer-smb1-padding/suricata.yaml b/tests/filestore-filecontainer-smb1-padding/suricata.yaml
new file mode 100644
index 000000000..c2aa2e4a7
--- /dev/null
+++ b/tests/filestore-filecontainer-smb1-padding/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+pcap-file:
+ # Possible values are:
+ # - yes: checksum validation is forced
+ # - no: checksum validation is disabled
+ # - auto: Suricata uses a statistical approach to detect when
+ # checksum off-loading is used. (default)
+ # Warning: 'checksum-validation' must be set to yes to have checksum tested
+ checksum-checks: no
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - stats
+ - file-store:
+ version: 2
+ enabled: yes
+ stream-depth: 0
+ write-fileinfo: true
+ force-filestore: yes
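Review bot: Removing `email.status: BODY_END_BOUND` from the bug-6207-1 match leaves this fileinfo check with no assertion on the MIME parse state at all, while the test's input.pcap is replaced in the same commit. If the new capture now reaches a different terminal state, the better change is to pin that value (the new tests in this commit assert `email.status: PARSE_DONE`) rather than drop the key, so a regression in end-of-body or boundary tracking still fails here. The hunk does not say why the status changed; a one-line note in the commit message or the test's description would make the new expectation reviewable.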
diff --git a/tests/filestore-filecontainer-smb1-padding/test.yaml b/tests/filestore-filecontainer-smb1-padding/test.yaml
new file mode 100644
index 000000000..c6fb544ee
--- /dev/null
+++ b/tests/filestore-filecontainer-smb1-padding/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ features:
+ - HAVE_NSS
+ - MAGIC
+ - RUST
+ files:
+ - src/output-filestore.c
+ min-version: 7
+
+args:
+ - --set pcap-file.checksum-checks=no
+checks:
+ - filter:
+ count: 1
+ match:
+ fileinfo.sha256: 04f93fbae50680991af90eb8a5a447d7b353d9c09097b3a905745d285d7ba634
+ - filter:
+ count: 1
+ match:
+ fileinfo.sha256: 81ef17f513f4959ba2a8243fa1412fa11b7d8f2c064da1f7ae98429188b6229c
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/README.md b/tests/mime/mime-dec-parse-full-msg-test01/README.md
new file mode 100644
index 000000000..4f2d42d1a
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/input.pcap b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap
new file mode 100644
index 000000000..5e9e92d80
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test01/test.yaml b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test01/test.yaml
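Review bot: Both filters in the smb1-padding test.yaml match on `fileinfo.sha256` alone, so they only prove a fileinfo record with that hash was emitted, not that the file-store path listed under `files: src/output-filestore.c` actually stored it; with `force-filestore: yes` in the accompanying suricata.yaml the stronger assertion is available. Adding `event_type: fileinfo` and `fileinfo.stored: true` to each match would tie the count to the store path the test names. The `--set pcap-file.checksum-checks=no` argument also duplicates `checksum-checks: no` already set in that suricata.yaml; one of the two can go.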
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/README.md b/tests/mime/mime-dec-parse-full-msg-test02/README.md
new file mode 100644
index 000000000..b1f1cc9fc
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseFullMsgTest02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/input.pcap b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap
new file mode 100644
index 000000000..fa58468f2
Binary files /dev/null and b/tests/mime/mime-dec-parse-full-msg-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-full-msg-test02/test.yaml b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-full-msg-test02/test.yaml
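Review bot: This test.yaml checks nothing specific to the scenario its README names (MimeDecParseFullMsgTest01): the three filters only assert that one SMTP transaction reached `email.status: PARSE_DONE` with generic endpoint fields, and an anomaly that comes from protocol detection rather than the MIME parser. The same blob (`index 000000000..f9049447d`) is reused verbatim for full-msg-test02, line-test01, odd-len, rem-sp, small-rem-inp and very-small-inp, so seven tests would pass or fail together and a regression in the odd-length, remaining-space or small-input code paths that still ends in PARSE_DONE would not be caught by any of them. Each of those files needs at least one assertion tied to its own case, as line-test02 does with `email.url[0]` and the long-filename tests do with `email.attachment[0]`; where the scenario has no visible output, a `# NOTE: only verifies parse completion` comment above `checks:` would at least document the gap.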
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test01/README.md b/tests/mime/mime-dec-parse-line-test01/README.md
new file mode 100644
index 000000000..1d926984e
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test01/input.pcap b/tests/mime/mime-dec-parse-line-test01/input.pcap
new file mode 100644
index 000000000..3e8bb266b
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test01/test.yaml b/tests/mime/mime-dec-parse-line-test01/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test01/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-line-test02/README.md b/tests/mime/mime-dec-parse-line-test02/README.md
new file mode 100644
index 000000000..07ee83aa3
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLineTest02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-line-test02/input.pcap b/tests/mime/mime-dec-parse-line-test02/input.pcap
new file mode 100644
index 000000000..56fc12bf4
Binary files /dev/null and b/tests/mime/mime-dec-parse-line-test02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-line-test02/test.yaml b/tests/mime/mime-dec-parse-line-test02/test.yaml
new file mode 100644
index 000000000..3b802ce14
--- /dev/null
+++ b/tests/mime/mime-dec-parse-line-test02/test.yaml
@@ -0,0 +1,47 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ email.url[0]: www.test.com/malware.exe?hahah
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename01/README.md b/tests/mime/mime-dec-parse-long-filename01/README.md
new file mode 100644
index 000000000..158ae9697
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename01.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename01/input.pcap b/tests/mime/mime-dec-parse-long-filename01/input.pcap
new file mode 100644
index 000000000..770719109
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename01/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename01/test.yaml b/tests/mime/mime-dec-parse-long-filename01/test.yaml
new file mode 100644
index 000000000..701e46805
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename01/test.yaml
@@ -0,0 +1,86 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: MIME_LONG_FILENAME
+ anomaly.layer: proto_parser
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 14
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12characters12c
+ fileinfo.gaps:
false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-long-filename02/README.md b/tests/mime/mime-dec-parse-long-filename02/README.md
new file mode 100644
index 000000000..4821e2937
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseLongFilename02.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-long-filename02/input.pcap b/tests/mime/mime-dec-parse-long-filename02/input.pcap
new file mode 100644
index 000000000..91cd1f346
Binary files /dev/null and b/tests/mime/mime-dec-parse-long-filename02/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-long-filename02/test.yaml b/tests/mime/mime-dec-parse-long-filename02/test.yaml
new file mode 100644
index 000000000..aa1581fe8
--- /dev/null
+++ b/tests/mime/mime-dec-parse-long-filename02/test.yaml
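Review bot: The `email.attachment[0]` and `fileinfo.filename` values expected in the third and fourth filters are a cut-down form of the repeated `12characters` name (it appears to be 255 characters, ending in `12c`), paired with the `MIME_LONG_FILENAME` anomaly in the second filter, but nothing in the test says that truncation is the intended behaviour rather than an artefact of the capture. A `# NOTE: name is expected to be cut at the MIME parser's filename limit; see MIME_LONG_FILENAME filter above` comment above the third filter would keep a future change to that limit from reading as an unexplained failure. This hunk spans two physical lines here, with `fileinfo.gaps:` and its `false` split across them.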
@@ -0,0 +1,71 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ app_proto: smtp
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.attachment[0]: 12characters12characters12characters.exe
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: fileinfo
+ fileinfo.filename: 12characters12characters12characters.exe
+ fileinfo.gaps: false
+ fileinfo.size: 25
+ fileinfo.state: CLOSED
+ fileinfo.stored: false
+ fileinfo.tx_id: 0
+ pcap_cnt: 15
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-odd-len/README.md b/tests/mime/mime-dec-parse-odd-len/README.md
new file mode 100644
index 000000000..b5f1032a6
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseOddLen.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
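Review bot: The long-filename02 checks assert the untouched 40-character name `12characters12characters12characters.exe` but never assert the absence of the `MIME_LONG_FILENAME` anomaly, which is the property that separates this case from long-filename01. A regression that started flagging or cutting names of this length would still pass every filter here. Add a negative filter with `count: 0` whose match is `anomaly.event: MIME_LONG_FILENAME`, mirroring the positive filter in the long-filename01 test.yaml.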
diff --git a/tests/mime/mime-dec-parse-odd-len/input.pcap b/tests/mime/mime-dec-parse-odd-len/input.pcap
new file mode 100644
index 000000000..e1b7326cb
Binary files /dev/null and b/tests/mime/mime-dec-parse-odd-len/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-odd-len/test.yaml b/tests/mime/mime-dec-parse-odd-len/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-odd-len/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-rem-sp/README.md b/tests/mime/mime-dec-parse-rem-sp/README.md
new file mode 100644
index 000000000..e70e497d4
--- /dev/null
+++ b/tests/mime/mime-dec-parse-rem-sp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseRemSp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-rem-sp/input.pcap b/tests/mime/mime-dec-parse-rem-sp/input.pcap
new file mode 100644
index 000000000..a4c573113
Binary files /dev/null and b/tests/mime/mime-dec-parse-rem-sp/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-rem-sp/test.yaml b/tests/mime/mime-dec-parse-rem-sp/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-rem-sp/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/README.md b/tests/mime/mime-dec-parse-small-rem-inp/README.md
new file mode 100644
index 000000000..ca2e72536
--- /dev/null
+++ b/tests/mime/mime-dec-parse-small-rem-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecParseSmallRemInp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/input.pcap b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap
new file mode 100644
index 000000000..1b4b1bed3
Binary files /dev/null and b/tests/mime/mime-dec-parse-small-rem-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-parse-small-rem-inp/test.yaml b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-parse-small-rem-inp/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mime/mime-dec-very-small-inp/README.md b/tests/mime/mime-dec-very-small-inp/README.md
new file mode 100644
index 000000000..2a5c41e3e
--- /dev/null
+++ b/tests/mime/mime-dec-very-small-inp/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test some mime processing
+
+## PCAP
+
+Adapted using data from a previous specific unit test for MIME in Suricata MimeDecVerySmallInp.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/3487
diff --git a/tests/mime/mime-dec-very-small-inp/input.pcap b/tests/mime/mime-dec-very-small-inp/input.pcap
new file mode 100644
index 000000000..d217b5124
Binary files /dev/null and b/tests/mime/mime-dec-very-small-inp/input.pcap differ
diff --git a/tests/mime/mime-dec-very-small-inp/test.yaml b/tests/mime/mime-dec-very-small-inp/test.yaml
new file mode 100644
index 000000000..f9049447d
--- /dev/null
+++ b/tests/mime/mime-dec-very-small-inp/test.yaml
@@ -0,0 +1,46 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ anomaly.app_proto: smtp
+ anomaly.event: APPLAYER_DETECT_PROTOCOL_ONLY_ONE_DIRECTION
+ anomaly.layer: proto_detect
+ anomaly.type: applayer
+ dest_ip: 127.0.0.1
+ dest_port: 39202
+ event_type: anomaly
+ pcap_cnt: 6
+ proto: TCP
+ src_ip: 127.0.0.1
+ src_port: 25
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ email.from: toto
+ email.status: PARSE_DONE
+ email.to[0]: 172.16.92.2@linuxbox
+ event_type: smtp
+ pcap_cnt: 14
+ proto: TCP
+ smtp.helo: linuxbox
+ smtp.mail_from:
+ smtp.rcpt_to[0]: <172.16.92.2@linuxbox>
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 0
+- filter:
+ count: 1
+ match:
+ dest_ip: 127.0.0.1
+ dest_port: 25
+ event_type: smtp
+ proto: TCP
+ smtp.helo: linuxbox
+ src_ip: 127.0.0.1
+ src_port: 39202
+ tx_id: 1
diff --git a/tests/mqtt-frames-truncated/README.md b/tests/mqtt-frames-truncated/README.md
new file mode 100644
index 000000000..453e33df7
--- /dev/null
+++ b/tests/mqtt-frames-truncated/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data] for truncated messages where msg_len > max_msg_size.
+
+PCAP
+====
+PCAP was shared by Sascha Steinbiss and was generated by setting up a Mosquitto server and recording communication between `mosquitto_sub` client and `local_broker` via a script.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/input.pcap b/tests/mqtt-frames-truncated/input.pcap
new file mode 100644
index 000000000..1ac1c2ac4
Binary files /dev/null and b/tests/mqtt-frames-truncated/input.pcap differ
diff --git a/tests/mqtt-frames-truncated/suricata.yaml b/tests/mqtt-frames-truncated/suricata.yaml
new file mode 100644
index 000000000..5d5fbdbe7
--- /dev/null
+++ b/tests/mqtt-frames-truncated/suricata.yaml
@@ -0,0 +1,18 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+ - frame
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
+ max-msg-length: 60
\ No newline at end of file
diff --git a/tests/mqtt-frames-truncated/test.rules b/tests/mqtt-frames-truncated/test.rules
new file mode 100644
index 000000000..e3d5eda6c
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.rules
@@ -0,0 +1,17 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 1c|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|14|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|10 1c|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+# pre-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|0a|"; sid:7;)
+
+# At boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 04 4d 51 54 54 05|"; sid:8;)
+
+# post-boundary test for truncated data
+alert mqtt any any -> any any (msg:"mqtt Frame 9"; frame:data; content:"|c1 90 34|"; sid:9;)
diff --git a/tests/mqtt-frames-truncated/test.yaml b/tests/mqtt-frames-truncated/test.yaml
new file mode 100644
index 000000000..9c2048713
--- /dev/null
+++ b/tests/mqtt-frames-truncated/test.yaml
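Review bot: `max-msg-length: 60` is the single setting that produces the truncation this test exists for, yet the suricata.yaml carries no hint of that, so a later tidy-up of the config could silently change what the rules in test.rules are exercising. A comment above it such as `# deliberately smaller than the PDUs in input.pcap so frames are truncated (see README)` would anchor the value. The README's wording `msg_len > max_msg_size` does not name this key either, so the comment is the only place the link would be written down.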
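Review bot: In test.rules, sid 5 and sid 6 are negative cases (test.yaml expects `count: 0` for both) but, unlike sids 7-9, they carry no comment saying so, so a reader of the rules file alone will take a non-match as a failure. A line such as `# sid 5 and 6: content not present in any pdu frame, expected not to alert` above them would match the style already used for the boundary tests. The same applies to sids 5 and 6 in tests/mqtt-frames/test.rules later in this diff.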
@@ -0,0 +1,51 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ frame.type: "header"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ frame.type: "header"
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 8
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 9
\ No newline at end of file
diff --git a/tests/mqtt-frames/README.md b/tests/mqtt-frames/README.md
new file mode 100644
index 000000000..4ebd816ed
--- /dev/null
+++ b/tests/mqtt-frames/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test MQTT frames[Pdu, Header, Data].
+
+PCAP
+====
+Test MQTT frames[Pdu, Header, Data].
+PCAP comes from the suricata verify test[mqtt5-pub-userpass]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5731
\ No newline at end of file
diff --git a/tests/mqtt-frames/test.rules b/tests/mqtt-frames/test.rules
new file mode 100644
index 000000000..f3b053b3d
--- /dev/null
+++ b/tests/mqtt-frames/test.rules
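Review bot: None of the filters in the truncated test.yaml asserts that a frame was actually truncated: every `frame.complete` that appears is `true`, and the sid 1 filter, the one matching the oversized pdu with `|10 1c|`, checks only `frame.type: "pdu"`. The negative counts for sids 5, 6 and 9 show that data past the cut-off is not matched, but they cannot distinguish "frame truncated" from "frame not emitted at all". If the pdu matched by sid 1 is the truncated one, adding the expected `frame.complete` value and `frame.length` to that filter would pin the truncation path directly; if it is not, a comment naming which frame is expected to be incomplete is still needed.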
@@ -0,0 +1,11 @@
+alert mqtt any any -> any any (msg:"mqtt Frame 1"; frame:pdu; content:"|10 2f 00|"; startswith; sid:1;)
+alert mqtt any any -> any any (msg:"mqtt Frame 2"; frame:pdu; content:"|61 73 73|"; endswith; sid:2;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 3"; flow:to_server; frame:header; content:"|10|"; sid:3;)
+alert mqtt any any -> any any (msg:"mqtt Frame 4"; frame:header; content:"|20|"; sid:4;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 5"; frame:pdu; content:"|17 0C E2|"; sid:5;)
+alert mqtt any any -> any any (msg:"mqtt Frame 6"; frame:pdu; content:"|00 00 54 46|"; sid:6;)
+
+alert mqtt any any -> any any (msg:"mqtt Frame 7"; frame:data; content:"|00 00 03 22|"; startswith; sid:7;)
+alert mqtt any any -> any any (msg:"mqtt Frame 8"; frame:data; content:"|00 06|"; sid:8;)
\ No newline at end of file
diff --git a/tests/mqtt-frames/test.yaml b/tests/mqtt-frames/test.yaml
new file mode 100644
index 000000000..85ad1e2c2
--- /dev/null
+++ b/tests/mqtt-frames/test.yaml
@@ -0,0 +1,54 @@
+pcap: ../mqtt5-pub-userpass/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ frame.type: "pdu"
+ frame.length: 49
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ frame.type: "pdu"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ frame.type: "header"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+ frame.type: "header"
+ frame.length: 2
+ frame.complete: true
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+ frame.type: "data"
+ frame.complete: true
+- filter:
+ count: 1
+ match:
+ alert.signature_id: 8
+ frame.type: "data"
+ frame.complete: true
\ No newline at end of file
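Review bot: sid 3 restricts itself with `flow:to_server` while its sibling header rule sid 4 (and sid 3 in the truncated test's rules) does not, and nothing in the file says why one direction needs the constraint; if it is there to keep the `|10|` header byte from also matching a server-side frame, a comment saying so would stop the next reader from "fixing" the inconsistency either way. The two rules could otherwise be made uniform, e.g. `flow:to_client;` on sid 4, whichever direction the `|20|` header is expected on.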
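Review bot: `pcap: ../mqtt5-pub-userpass/input.pcap` couples this test to another test's fixture, so a later re-capture for mqtt5-pub-userpass would silently change the frame lengths (`frame.length: 49`) and the byte offsets that sids 1, 2, 7 and 8 match on here, with the failure showing up in the wrong directory. The README already records the origin; either copy the capture into this test's directory, as the truncated variant does, or add a `# shared with mqtt5-pub-userpass; re-check frame.length and the content offsets in test.rules if that pcap changes` comment next to the `pcap:` key.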