diff --git a/tests/uricontent/detect-uricontent-01/README.md b/tests/uricontent/detect-uricontent-01/README.md
new file mode 100644
index 000000000..6e1f3faf9
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/README.md
@@ -0,0 +1 @@
+Tests the signature working to alert when http_cookie is matched
diff --git a/tests/uricontent/detect-uricontent-01/input.pcap b/tests/uricontent/detect-uricontent-01/input.pcap
new file mode 100644
index 000000000..8f7a9e756
Binary files /dev/null and b/tests/uricontent/detect-uricontent-01/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-01/test.rules b/tests/uricontent/detect-uricontent-01/test.rules
new file mode 100644
index 000000000..01c5c535e
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"oisf"; http_uri; sid:3;)
diff --git a/tests/uricontent/detect-uricontent-01/test.yaml b/tests/uricontent/detect-uricontent-01/test.yaml
new file mode 100644
index 000000000..7c4d72c86
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/test.yaml
@@ -0,0 +1,31 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/uricontent/detect-uricontent-01/writepcap.py b/tests/uricontent/detect-uricontent-01/writepcap.py
new file mode 100644
index 000000000..6a49a10be
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-01/writepcap.py
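Review bot: The README for this test says it exercises `http_cookie`, but all three rules in test.rules match on `http_uri`, and the one alert test.yaml expects (sid 2) comes from `one` in the request line `/one`, not from the `Cookie: hellocatch` header; the description and the rules disagree. Either the README should say `http_uri`, or a rule such as `alert tcp any any -> any any (msg:"Test http_cookie"; content:"hellocatch"; http_cookie; sid:4;)` with a matching check should be added so the stated purpose is actually tested. All three rules also share `msg:"Test uricontent"`, so alerts are distinguishable only by sid in eve output; a per-rule msg makes a failing check readable without opening the rules file.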
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-02/README.md b/tests/uricontent/detect-uricontent-02/README.md
new file mode 100644
index 000000000..15189412d
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/README.md
@@ -0,0 +1 @@
+Tests the working of search once per packet only in applayer match
diff --git a/tests/uricontent/detect-uricontent-02/input.pcap b/tests/uricontent/detect-uricontent-02/input.pcap
new file mode 100644
index 000000000..55153fb51
Binary files /dev/null and b/tests/uricontent/detect-uricontent-02/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-02/test.rules b/tests/uricontent/detect-uricontent-02/test.rules
new file mode 100644
index 000000000..33103bfd2
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"self"; http_uri; sid:3;)
\ No newline at end of file
diff --git a/tests/uricontent/detect-uricontent-02/test.yaml b/tests/uricontent/detect-uricontent-02/test.yaml
new file mode 100644
index 000000000..788ea52be
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/test.yaml
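Review bot: `flags='P''A'` relies on implicit string-literal concatenation to spell `'PA'`, which reads like a typo and hides the value; `flags='PA'` is the same thing and is what a reader expects. The identical spelling is repeated in the writepcap.py of detect-uricontent-02 through -07 in this commit, so it is worth fixing everywhere at once. The scripts also use `from scapy.all import *` and an unversioned `#!/usr/bin/env python` shebang; since nothing here is Python 2 specific, `#!/usr/bin/env python3` and `from scapy.all import Ether, Dot1Q, IP, TCP, wrpcap` would keep the generators runnable on hosts without a `python` alias and document which names are used. A one-line comment above `pkts +=`, e.g. `# single mid-stream PSH/ACK request; stream.midstream=true in test.yaml lets it be inspected`, would tie the pcap to the args the test passes.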
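Review bot: test.rules for detect-uricontent-02 is the only rules file in this commit without a trailing newline (`\ No newline at end of file` after the sid 3 rule); the other test.rules files end cleanly. Adding the final newline keeps the files uniform and avoids a spurious one-line diff the next time sid 3 is touched.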
@@ -0,0 +1,31 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: http
diff --git a/tests/uricontent/detect-uricontent-02/writepcap.py b/tests/uricontent/detect-uricontent-02/writepcap.py
new file mode 100644
index 000000000..92246cfbc
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-02/writepcap.py
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"POST /one HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=53, flags='P''A')/"POST /oneself HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-03/README.md b/tests/uricontent/detect-uricontent-03/README.md
new file mode 100644
index 000000000..3e29b8cf8
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-03/README.md
@@ -0,0 +1 @@
+Tests the modifiers for uricontent and content match
diff --git a/tests/uricontent/detect-uricontent-03/input.pcap b/tests/uricontent/detect-uricontent-03/input.pcap
new file mode 100644
index 000000000..0d6ead78c
Binary files /dev/null and b/tests/uricontent/detect-uricontent-03/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-03/test.rules b/tests/uricontent/detect-uricontent-03/test.rules
new file mode 100644
index 000000000..341ae032d
--- /dev/null
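Review bot: The second packet carries an HTTP request but is sent to `dport=53`, so the second `http` event and the second sid 2 alert that test.yaml expects depend on port-independent app-layer protocol detection rather than on the HTTP port; that is presumably not what the README ("search once per packet") is about. If the intent is only a second, distinct flow, changing the source port instead (for example `sport=6667, dport=80`) tests the same thing without that dependency; if the non-standard port is deliberate, a comment above the second `pkts +=` such as `# second flow on a non-HTTP port: relies on protocol detection, not port 80` should say so. Either way the two requests differ only in `/one` versus `/oneself`, which is what sid 3 (`self`) keys on, and a comment noting that would make the expected counts in test.yaml easier to verify.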
+++ b/tests/uricontent/detect-uricontent-03/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"Test uricontent"; content:"foo"; http_uri; content:"bar"; sid:1;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"one"; offset:1; depth:10; content:"two"; http_uri; distance:3; within: 4; content:"two"; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; content:"/three"; distance:0; within: 7; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; content:"one"; http_uri; offset:1; depth:10; content:"two"; http_uri; distance:1; within: 4; content:"three"; http_uri; distance:1; within: 6; sid:3;)
+alert tcp any any -> any any (msg:"test"; content:"one"; http_uri; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-03/test.yaml b/tests/uricontent/detect-uricontent-03/test.yaml
new file mode 100644
index 000000000..dd04841f5
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-03/test.yaml
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+
\ No newline at end of file
diff --git a/tests/uricontent/detect-uricontent-03/writepcap.py b/tests/uricontent/detect-uricontent-03/writepcap.py
new file mode 100644
index 000000000..aadb1ac5d
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-03/writepcap.py
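Review bot: The file ends with a whitespace-only line followed by `\ No newline at end of file`; that line is the 37th the hunk header counts, carries no check, and makes this the only test.yaml in the commit that does not end after its last `event_type:` entry. Removing it and terminating the file with a newline keeps the seven test.yaml files uniform and avoids a spurious diff on the next edit. The rules file for this case is also the only one where a sid (sid 4) uses `msg:"test"` instead of the `msg:"Test uricontent"` used by its siblings; aligning it is a one-word change.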
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80, flags='P''A')/"POST /one/two/three/six HTTP/1.0\r\nUser-Agent: Mozilla/1.0\r\nCookie: hellocatch\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-04/README.md b/tests/uricontent/detect-uricontent-04/README.md
new file mode 100644
index 000000000..979c58016
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where path traversal is sent as a path string in the HTTP URL and
+normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-04/input.pcap b/tests/uricontent/detect-uricontent-04/input.pcap
new file mode 100644
index 000000000..cf4374517
Binary files /dev/null and b/tests/uricontent/detect-uricontent-04/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-04/test.rules b/tests/uricontent/detect-uricontent-04/test.rules
new file mode 100644
index 000000000..541e38507
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest01"; http.method; content:"GET"; sid:1;)
+alert tcp any any -> any any (msg:"Check hostname"; http.host; content:"www.example.com"; sid:2;)
+alert http any any -> any any (msg:"Check http.uri"; http.uri; content:"/images.gif"; sid:3;)
+alert tcp any any -> any any (msg:"Check uricontent"; uricontent:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-04/test.yaml b/tests/uricontent/detect-uricontent-04/test.yaml
new file mode 100644
index 000000000..a1a64a912
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/test.yaml
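Review bot: sid 3 (`http.uri; content:"/images.gif"`) and sid 4 (`uricontent:"images.gif"`) are unanchored substring matches, and `/images.gif` is also a substring of the un-normalized request `/../../images.gif` sent by writepcap.py, so both rules alert whether or not the traversal segments are collapsed; the README says the normalized path is what is checked, but the `count: 1` expectation holds either way and would not catch a normalization regression. Anchoring the match to the normalized buffer makes the test meaningful, e.g. `http.uri; content:"/images.gif"; startswith;` or `http.uri; bsize:11;` (the length of `/images.gif`) if normalization is expected to yield exactly that path, and a comment above sid 3 stating the expected normalized URI would document the assumption. The same applies to sid 3 and sid 4 in detect-uricontent-05 and detect-uricontent-07, where `images.gif` is likewise a substring of the raw `/%2e%2e/images.gif` and `/./././images.gif`.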
@@ -0,0 +1,27 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-04/writepcap.py b/tests/uricontent/detect-uricontent-04/writepcap.py
new file mode 100644
index 000000000..c467b9a09
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-04/writepcap.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80, flags='P''A')/"GET /../../images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-05/README.md b/tests/uricontent/detect-uricontent-05/README.md
new file mode 100644
index 000000000..0efd3f8f8
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where path traversal is sent in special characters in HEX coding in
+the HTTP URL and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-05/input.pcap b/tests/uricontent/detect-uricontent-05/input.pcap
new file mode 100644
index 000000000..90e7a5d8b
Binary files /dev/null and b/tests/uricontent/detect-uricontent-05/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-05/test.rules b/tests/uricontent/detect-uricontent-05/test.rules
new file mode 100644
index 000000000..38822f6ee
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/test.rules
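Review bot: test.rules for this case defines sid 4 (`uricontent:"images.gif"`), but no check here covers it, so the legacy `uricontent` keyword is loaded and never verified; a regression in it would pass this test unnoticed. detect-uricontent-05's test.yaml checks sids 1 through 4 for an otherwise parallel rules file, so the omission looks accidental. Add a filter for `alert.signature_id: 4` after the sid 3 check, with `count: 1` if `uricontent` is expected to behave like sid 3's `http.uri` match, and a `stats` check if the other tests' convention is meant to apply here too.
```yaml
# … unchanged: existing checks for sids 1-3 …
- filter:
    count: 1
    match:
      event_type: alert
      alert.signature_id: 4
# … unchanged: http and flow checks …
```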
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-05/test.yaml b/tests/uricontent/detect-uricontent-05/test.yaml
new file mode 100644
index 000000000..3ace6efe1
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/test.yaml
@@ -0,0 +1,32 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-05/writepcap.py b/tests/uricontent/detect-uricontent-05/writepcap.py
new file mode 100644
index 000000000..850192a08
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-05/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /%2e%2e/images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-06/README.md b/tests/uricontent/detect-uricontent-06/README.md
new file mode 100644
index 000000000..166b0e33f
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/README.md
@@ -0,0 +1,18 @@
+Test
+====
+
+Tests a case where the NULL character is sent in HEX coding in the HTTP URL and
+normalized path string is checked.
+
+Behavior
+========
+
+The null character will lead to no http traffic being recognzied by the stream,
+and therefore no rule matching on HTTP traffic will be triggered. We have a
+single simple TCP rule to confirm that Suricata indeed sees the stream and is
+generating alerts.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-06/input.pcap b/tests/uricontent/detect-uricontent-06/input.pcap
new file mode 100644
index 000000000..b97a59d54
Binary files /dev/null and b/tests/uricontent/detect-uricontent-06/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-06/test.rules b/tests/uricontent/detect-uricontent-06/test.rules
new file mode 100644
index 000000000..553537e97
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/test.rules
@@ -0,0 +1,5 @@
+alert http any any -> any any (msg:"Former HttpUriTest03"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
+alert tcp any any -> any any (msg:"Test uricontent"; sid:5;)
diff --git a/tests/uricontent/detect-uricontent-06/test.yaml b/tests/uricontent/detect-uricontent-06/test.yaml
new file mode 100644
index 000000000..51c98c98f
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/test.yaml
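Review bot: sid 5 (`alert tcp any any -> any any (msg:"Test uricontent"; sid:5;)`) has no match condition at all, so it fires on every TCP packet and on every reassembled-stream inspection; test.yaml then pins it to `count: 2` for a one-packet pcap, which ties the check to how many times the engine inspects that packet rather than to the behavior the README describes, and it reuses sid 3's msg. A canary tied to the request, e.g. `alert tcp any any -> any 80 (msg:"TCP canary: stream seen"; flow:to_server; content:"GET"; sid:5;)`, still confirms the stream is seen while not matching arbitrary traffic, and a comment above it such as `# canary: the HTTP rules above cannot fire because GET%00 is not recognized as HTTP` records why the rule exists; the expected count in test.yaml should then be re-derived from a run rather than carried over. Note too that the README describes a NULL character, while the payload carries the literal six bytes `GET%00` in the method token, so what is exercised is an unparseable method, not a NUL byte; saying so in the rules-file comment avoids a later reader "fixing" the pcap.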
@@ -0,0 +1,37 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 0
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-06/writepcap.py b/tests/uricontent/detect-uricontent-06/writepcap.py
new file mode 100644
index 000000000..28a2f9ea2
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-06/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET%00 /images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/uricontent/detect-uricontent-07/README.md b/tests/uricontent/detect-uricontent-07/README.md
new file mode 100644
index 000000000..fba01baca
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/README.md
@@ -0,0 +1,10 @@
+Test
+====
+
+Tests a case where a self referencing directory request is sent in the HTTP URL
+and normalized path string is checked.
+
+Pcap
+====
+
+Created using Scapy and based on unit test content.
diff --git a/tests/uricontent/detect-uricontent-07/input.pcap b/tests/uricontent/detect-uricontent-07/input.pcap
new file mode 100644
index 000000000..f237bd1d8
Binary files /dev/null and b/tests/uricontent/detect-uricontent-07/input.pcap differ
diff --git a/tests/uricontent/detect-uricontent-07/test.rules b/tests/uricontent/detect-uricontent-07/test.rules
new file mode 100644
index 000000000..38822f6ee
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"Former HttpUriTest02"; http.method; content:"GET"; sid:1;)
+alert http any any -> any any (msg:"Test http.host"; http.host; content:"www.example.com"; sid:2;)
+alert tcp any any -> any any (msg:"Test uricontent"; uricontent:"images.gif"; sid:3;)
+alert http any any -> any any (msg:"Test http.url"; http.uri; content:"images.gif"; sid:4;)
diff --git a/tests/uricontent/detect-uricontent-07/test.yaml b/tests/uricontent/detect-uricontent-07/test.yaml
new file mode 100644
index 000000000..3ace6efe1
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/test.yaml
@@ -0,0 +1,32 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/uricontent/detect-uricontent-07/writepcap.py b/tests/uricontent/detect-uricontent-07/writepcap.py
new file mode 100644
index 000000000..56d370a21
--- /dev/null
+++ b/tests/uricontent/detect-uricontent-07/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=53, dport=80,
+ flags='P''A')/"GET /./././images.gif HTTP/1.1\r\nHost: www.ExAmPlE.cOM\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
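Review bot: test.rules for detect-uricontent-07 is byte-for-byte the detect-uricontent-05 file (both hunks carry blob `38822f6ee`), so sid 1 here still says `msg:"Former HttpUriTest02"` although this case exercises the `/./././` self-referencing path rather than the `%2e%2e` encoding; test.yaml is identical to 05's as well (blob `3ace6efe1`). The copy is harmless for matching, but the msg is what shows up in eve output, so give sid 1 a msg that identifies this case (the other tests use the originating unit test's number, if that is known for this one) and consider a first-line comment in the rules file, e.g. `# self-referencing path segments (/./) must be removed from http.uri`, so the purpose survives the next copy. A `stats` check, present in the 01 to 03 test.yaml files but absent here and in 04 to 06, would also make the seven cases consistent.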