diff --git a/tests/decode-chdlc-01/test.yaml b/tests/decode-chdlc-01/test.yaml
index 0d40b8851..813bb896d 100644
--- a/tests/decode-chdlc-01/test.yaml
+++ b/tests/decode-chdlc-01/test.yaml
@@ -2,35 +2,34 @@ requires: min-version: 6.0.0 - checks: - - filter: - count: 1 - match: - event_type: http - http.hostname: "view.atdmt.com" - http.status: 200 - http.length: 8079 - - - filter: - count: 1 - match: - event_type: fileinfo - fileinfo.state: CLOSED - - - filter: - count: 1 - match: - event_type: alert - alert.signature_id: 666 - - - filter: - count: 1 - match: - event_type: flow - proto: TCP - - - stats: - decoder.ipv4: 17 - decoder.chdlc: 17 + - filter: + count: 1 + match: + event_type: http + http.hostname: "view.atdmt.com" + http.status: 200 + http.length: 8079 + + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.state: CLOSED + + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 666 + + - filter: + count: 1 + match: + event_type: flow + proto: TCP + + - stats: + decoder.ipv4: 17 + decoder.chdlc: 17
diff --git a/tests/decode-chdlc-02/README.md b/tests/decode-chdlc-02/README.md
new file mode 100644
index 000000000..3f08bf4a9
--- /dev/null
+++ b/tests/decode-chdlc-02/README.md
@@ -0,0 +1,3 @@
+Ensure Cisco HDLC packets are decoded and the linktype name is correct
+
+
diff --git a/tests/decode-chdlc-02/suricata.yaml b/tests/decode-chdlc-02/suricata.yaml
new file mode 100644
index 000000000..5ccb71d09
--- /dev/null
+++ b/tests/decode-chdlc-02/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - http:
+ extended: true
+ - files:
+ force-magic: no
+ - flow
+ - stats
+app-layer:
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ response-body-limit: 100kb
diff --git a/tests/decode-chdlc-02/test.rules b/tests/decode-chdlc-02/test.rules
new file mode 100644
index 000000000..90536fb91
--- /dev/null
+++ b/tests/decode-chdlc-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.method; content:"GET"; sid:666;)
diff --git a/tests/decode-chdlc-02/test.yaml b/tests/decode-chdlc-02/test.yaml
new file mode 100644
index 000000000..dc6971bcd
--- /dev/null
+++ b/tests/decode-chdlc-02/test.yaml
@@ -0,0 +1,38 @@
+requires:
+
+ min-version: 8
+
+pcap: ../decode-chdlc-01/hdlc-http_1tx.pcap
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.hostname: "view.atdmt.com"
+ http.status: 200
+ http.length: 8079
+
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.state: CLOSED
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ packet_info.linktype_name: C_HDLC
+
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+
+ - stats:
+ decoder.ipv4: 17
+ decoder.chdlc: 17
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp-02/suricata.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp-02/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp-02/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp-02/test.rules b/tests/defrag/bug-6887-defrag-ipv6-tcp-02/test.rules
new file mode 100644
index 000000000..714e46a3d
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (dsize:1000; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp-02/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp-02/test.yaml
new file mode 100644
index 000000000..24d4576ca
--- /dev/null
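Review bot: The alert filter in tests/decode-chdlc-02/test.yaml pins only `packet_info.linktype_name: C_HDLC`, whereas the sibling bug-6887-defrag-ipv6-tcp-02 test added in this commit pins both `packet_info.linktype` and the name. Adding the numeric field next to the name, `packet_info.linktype: 104` (LINKTYPE_C_HDLC is 104 in libpcap's link-layer table; confirm against the produced eve.json before pinning), would catch a regression where the name lookup and the numeric value drift apart. The two trailing blank lines in the new README.md for this test can also be dropped.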
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp-02/test.yaml @@ -0,0 +1,14 @@ +requires: + min-version: 8 + +pcap: ../bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==" + packet_info.linktype: 229 + packet_info.linktype_name: IPV6 diff --git a/tests/detect-ipopts-02/README b/tests/detect-ipopts-02/README new file mode 100644 index 000000000..9a608fb55 --- /dev/null +++ b/tests/detect-ipopts-02/README 
@@ -0,0 +1,13 @@
+Test the IP options and verify the linktype name value.
+
+There's already a test for the extended security option; the following IP options are tested:
+- Record Route "rr"
+- Loose source route "lsrr"
+- EOL "eol"
+- NOP "nop"
+- Timestamp "ts"
+- Security "sec"
+- Strict source route "ssrr"
+- Stream id "satid"
+
+The pcap was generated using detect-ipopts/ipopt.py
diff --git a/tests/detect-ipopts-02/suricata.yaml b/tests/detect-ipopts-02/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/detect-ipopts-02/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/detect-ipopts-02/test.rules b/tests/detect-ipopts-02/test.rules
new file mode 100644
index 000000000..9d2215a62
--- /dev/null
+++ b/tests/detect-ipopts-02/test.rules
@@ -0,0 +1,10 @@
+alert ip any any -> any any (msg:"RR option set"; ipopts:rr; sid: 1;)
+alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;)
+alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;)
+alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;)
+alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;)
+alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;)
+alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;)
+alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;)
+# covered in ipopts-sec
+#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)
diff --git a/tests/detect-ipopts-02/test.yaml b/tests/detect-ipopts-02/test.yaml
new file mode 100644
index 000000000..3927a3f27
--- /dev/null
+++ b/tests/detect-ipopts-02/test.yaml
@@ -0,0 +1,64 @@
+requires:
+ min-version: 8
+
+args:
+ - --set stream.midstream=true -k none
+
+pcap: ../detect-ipopts/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ alert.signature_id: 1
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 2
+ alert.signature_id: 2
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 4
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 5
+ alert.signature_id: 5
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 6
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ alert.signature_id: 7
+ packet_info.linktype_name: IPV4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 8
+ alert.signature_id: 8
+ packet_info.linktype_name: IPV4
diff --git a/tests/dnp3-dnp3_obj-alert-02/README.md b/tests/dnp3-dnp3_obj-alert-02/README.md
new file mode 100644
index 000000000..6230248b3
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert-02/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test dnp3_obj rule keyword and that the linktype name is valid.
+
+# PCAP
+
+The pcap comes from dnp3-dnp3_data-alert
diff --git a/tests/dnp3-dnp3_obj-alert-02/suricata.yaml b/tests/dnp3-dnp3_obj-alert-02/suricata.yaml
new file mode 100644
index 000000000..3011d88dc
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert-02/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ packet: yes
+ dnp3: yes
+
+app-layer:
+ protocols:
+ dnp3:
+ enabled: yes
+ detection-ports:
+ dp: 20000
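Review bot: The sid 3 (EOL) filter in tests/detect-ipopts-02/test.yaml is the only one that expects `count: 6` and omits `pcap_cnt`, so a reader cannot tell whether six alerts is the intended baseline or an artefact of EOL padding appearing in several packets of the shared pcap. A one-line YAML comment above that filter stating the reason, e.g. `# EOL is present in several packets, so the total is pinned instead of a single pcap_cnt -- confirm against the pcap`, would make the expectation explicit and stop a future change in the count from being silently "fixed" by editing the number. The same hunk could also note that the pcap is shared with detect-ipopts, since the README only mentions the generator script.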
diff --git a/tests/dnp3-dnp3_obj-alert-02/test.rules b/tests/dnp3-dnp3_obj-alert-02/test.rules
new file mode 100644
index 000000000..349a282e9
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert-02/test.rules
@@ -0,0 +1,2 @@
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Object Test"; dnp3_obj:22,01; sid:1; rev:1;)
+alert dnp3 any any -> any any (msg:"SURICATA DNP3 Object Test"; dnp3_obj:29,01; sid:2; rev:1;)
diff --git a/tests/dnp3-dnp3_obj-alert-02/test.yaml b/tests/dnp3-dnp3_obj-alert-02/test.yaml
new file mode 100644
index 000000000..5054e5a16
--- /dev/null
+++ b/tests/dnp3-dnp3_obj-alert-02/test.yaml
@@ -0,0 +1,17 @@
+pcap: ../dnp3-eve/input.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet_info.linktype_name: EN10MB
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/linktype_name/test.rules b/tests/linktype_name/test.rules
new file mode 100644
index 000000000..f2edf25e5
--- /dev/null
+++ b/tests/linktype_name/test.rules
@@ -0,0 +1 @@
+alert http $HOME_NET any -> any 443 (msg:"ET POLICY HTTP traffic on port 443 (CONNECT)"; flow:to_server,established; content:"CONNECT"; http_method; classtype:bad-unknown; sid:2013933; rev:4; metadata:created_at 2011_11_17, updated_at 2011_11_17;)
diff --git a/tests/linktype_name/test.yaml b/tests/linktype_name/test.yaml
new file mode 100644
index 000000000..4c1f80da5
--- /dev/null
+++ b/tests/linktype_name/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 8
+
+pcap: ../bug-2482-01/proxyCONNECT_443.pcap
+
+args:
+- -k none --set outputs.1.eve-log.types.0.alert.packet=yes
+
+checks:
+ - filter:
+ count: 86
+ match:
+ event_type: alert
+ packet_info.linktype_name: RAW
diff --git a/tests/tcp-fastopen-12/suricata.yaml b/tests/tcp-fastopen-12/suricata.yaml
new file mode 100644
index 000000000..100bcbe5a
--- /dev/null
+++ b/tests/tcp-fastopen-12/suricata.yaml
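Review bot: tests/dnp3-dnp3_obj-alert-02/test.yaml loads `pcap: ../dnp3-eve/input.pcap`, but the README.md added for the same test says "The pcap comes from dnp3-dnp3_data-alert". Either the path or the README is wrong, or the README is describing a transitive origin; in any case the README should name the file the test actually reads, e.g. `The pcap is ../dnp3-eve/input.pcap (also used by dnp3-dnp3_data-alert)`. If dnp3-dnp3_data-alert keeps its own copy, the test should point at whichever one is meant to be the source of truth so the two do not diverge later.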
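Review bot: tests/linktype_name/test.yaml turns on packet logging through the positional override `- -k none --set outputs.1.eve-log.types.0.alert.packet=yes` and ships no suricata.yaml, so the check silently depends on eve-log being output index 1 and alert being type index 0 in whatever default configuration the runner supplies. Every other test in this commit carries a minimal suricata.yaml with `packet: yes` under `- alert:`; adding the same file here and reducing args to `- -k none` removes that coupling and keeps the tests uniform. The filter also matches any alert with `count: 86`; with a single rule that works, but pinning `alert.signature_id: 2013933` states the intent.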
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - flow
diff --git a/tests/tcp-fastopen-12/test.rules b/tests/tcp-fastopen-12/test.rules
new file mode 100644
index 000000000..28347d0dd
--- /dev/null
+++ b/tests/tcp-fastopen-12/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (content:"Hello!"; sid:1;)
diff --git a/tests/tcp-fastopen-12/test.yaml b/tests/tcp-fastopen-12/test.yaml
new file mode 100644
index 000000000..693753c87
--- /dev/null
+++ b/tests/tcp-fastopen-12/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../tcp-fastopen-05/tfo.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet_info.linktype_name: LINUX_SLL
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ proto: TCP
diff --git a/tests/vxlan-decoder-04/README.md b/tests/vxlan-decoder-04/README.md
new file mode 100644
index 000000000..342ca79ab
--- /dev/null
+++ b/tests/vxlan-decoder-04/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test basic VXLAN decoding
+
+# PCAP
+
+https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/vxlan.pcap
diff --git a/tests/vxlan-decoder-04/suricata.yaml b/tests/vxlan-decoder-04/suricata.yaml
new file mode 100644
index 000000000..100bcbe5a
--- /dev/null
+++ b/tests/vxlan-decoder-04/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ - flow
diff --git a/tests/vxlan-decoder-04/test.rules b/tests/vxlan-decoder-04/test.rules
new file mode 100644
index 000000000..c0f94ab54
--- /dev/null
+++ b/tests/vxlan-decoder-04/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (itype:8; sid:1;)
diff --git a/tests/vxlan-decoder-04/test.yaml b/tests/vxlan-decoder-04/test.yaml
new file mode 100644
index 000000000..9bcce7b9c
--- /dev/null
+++ b/tests/vxlan-decoder-04/test.yaml
@@ -0,0 +1,27 @@
+requires:
+ min-version: 8
+
+args:
+ - --set decoder.vxlan.enabled=true
+
+pcap: ../vxlan-decoder-02/vxlan.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: "ICMP"
+ flow.pkts_toserver: 4
+ flow.pkts_toclient: 4
+ - filter:
+ count: 4
+ match:
+ event_type: flow
+ dest_port: 4789
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ tunnel.dest_port: 4789
+ packet_info.linktype_name: RAW
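Review bot: The last filter in tests/vxlan-decoder-04/test.yaml matches on `tunnel.dest_port` and `packet_info.linktype_name` but not on which rule fired; adding `alert.signature_id: 1` keeps it consistent with the other new test.yaml files in this commit and prevents an unrelated alert from satisfying `count: 4`. The README for this test says only "Test basic VXLAN decoding", while the sibling READMEs added here state that the linktype name is being verified; a sentence such as `and verify the linktype name reported for alerts on VXLAN-encapsulated packets` would document why the -04 variant exists. The README also cites the upstream tcpdump pcap whereas `pcap:` loads `../vxlan-decoder-02/vxlan.pcap`; naming the local path avoids confusion about what is actually replayed.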