diff --git a/tests/bug-5443/README.md b/tests/bug-5443/README.md
new file mode 100644
index 000000000..3db91c65b
--- /dev/null
+++ b/tests/bug-5443/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+https://redmine.openinfosecfoundation.org/issues/5443
diff --git a/tests/bug-5443/input.pcap b/tests/bug-5443/input.pcap
new file mode 100644
index 000000000..438bf751d
Binary files /dev/null and b/tests/bug-5443/input.pcap differ
diff --git a/tests/bug-5443/test.yaml b/tests/bug-5443/test.yaml
new file mode 100644
index 000000000..597482562
--- /dev/null
+++ b/tests/bug-5443/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 7
+ #features:
+ #- TLC
+
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+
+# 2 or 3 flows depending on tcp reuse behavior, see ticket 5843
+checks:
+ - filter:
+ lt-version: 7
+ count: 3
+ match:
+ event_type: flow
+ - filter:
+ min-version: 8
+ count: 3
+ match:
+ event_type: flow
diff --git a/tests/bug-5464-verdict-06/test.yaml b/tests/bug-5464-verdict-06/test.yaml
index c70ad7b23..972a66cd7 100644
--- a/tests/bug-5464-verdict-06/test.yaml
+++ b/tests/bug-5464-verdict-06/test.yaml
@@ -9,6 +9,22 @@ args:
 checks:
 - filter:
+ min-version: 8
+ count: 25
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ verdict.action: alert
+ - filter:
+ min-version: 8
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ verdict.action: alert
+ has-not-key: pcap_cnt
+ - filter:
+ lt-version: 7
 count: 28
 match:
 event_type: alert
diff --git a/tests/detect-alproto-04-unacked-data/input.pcap b/tests/detect-alproto-04-unacked-data/input.pcap
new file mode 100644
index 000000000..37f5f0e0a
Binary files /dev/null and b/tests/detect-alproto-04-unacked-data/input.pcap differ
diff --git a/tests/detect-alproto-04-unacked-data/test.rules b/tests/detect-alproto-04-unacked-data/test.rules
new file mode 100644
index 000000000..88a51e9c2
--- /dev/null
+++ b/tests/detect-alproto-04-unacked-data/test.rules
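Review bot: The comment above `checks:` in tests/bug-5443/test.yaml says "see ticket 5843" while the directory name and README point at issue 5443, so one of the two numbers looks like a typo; if a separate ticket 5843 is meant, the comment should say what it tracks. The same comment promises "2 or 3 flows depending on tcp reuse behavior", yet both filters assert `count: 3`, and with `requires: min-version: 7` the `lt-version: 7` filter can never apply while a 7.x build matches neither filter and runs unchecked, assuming the runner's version comparisons are strict as the names suggest. Consider one filter per version range that states the intended count, e.g. `lt-version: 8` / `min-version: 8`, plus a comment naming which versions yield 2 and which 3.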
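Review bot: The second added filter in tests/bug-5464-verdict-06/test.yaml uses `has-not-key: pcap_cnt`, whereas the tls-extra-alert tests in this same commit use `not-has-key: pcap_cnt` for the same purpose; only one spelling can be the option the runner honours, and an unrecognised key is likely ignored rather than rejected, which would make this `count: 0` check either vacuous or spuriously failing depending on which spelling is real. Please align it with the keyword suricata-verify actually implements. Separately, the pre-existing filter is now gated with `lt-version: 7` while the new ones start at `min-version: 8`, so if the comparison is strict a Suricata 7.x run executes none of the three checks; `lt-version: 8` is probably what was intended. The enclosing `checks:` list continues past the end of the hunk.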
@@ -0,0 +1,2 @@
+alert http any any -> any any (sid:1;)
+alert ssh any any -> any any (sid:2;)
diff --git a/tests/detect-alproto-04-unacked-data/test.yaml b/tests/detect-alproto-04-unacked-data/test.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/detect-alproto-04-unacked-data/writepcap.py b/tests/detect-alproto-04-unacked-data/writepcap.py
new file mode 100755
index 000000000..a8baec80a
--- /dev/null
+++ b/tests/detect-alproto-04-unacked-data/writepcap.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=65535)/"GET / HTTP/1.0\r\n\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"SSH-2.0 XXX\r\n"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
index 0c54b3cba..d817112fb 100644
--- a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
+++ b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
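Review bot: tests/detect-alproto-04-unacked-data/test.yaml is committed as the empty blob (`index 000000000..e69de29bb`), so the runner has no `requires`, `args` or `checks` for this test and nothing verifies which of sid 1 (http) or sid 2 (ssh) fires on the capture writepcap.py builds; at minimum it needs a `checks:` list pinning the expected alert counts, otherwise the PCAP and rules are dead fixtures. In writepcap.py, `pkts += Ether(...)/...` only works because scapy packets happen to be iterable; `pkts.append(Ether(...)/...)` states the intent directly. The `#!/usr/bin/env python` shebang should be `python3`, and a module docstring should record what the capture demonstrates — from the sequence numbers it appears the client's final segment still acknowledges `1001`, i.e. it never acknowledges the server's `GET` payload, which is presumably the "unacked data" of the test name.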
@@ -6,11 +6,24 @@ args:
 checks:
 - filter:
+ min-version: 8
+ count: 24
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ min-version: 8
+ count: 24
+ match:
+ event_type: alert
+- filter:
+ lt-version: 7
 count: 26
 match:
 event_type: alert
 alert.signature_id: 3
 - filter:
+ lt-version: 7
 count: 26
 match:
 event_type: alert
@@ -31,6 +44,13 @@ checks:
 match:
 event_type: drop
 - filter:
+ min-version: 8
+ count: 0
+ match:
+ event_type: alert
+ pkt_src: "stream (flow timeout)"
+- filter:
+ lt-version: 7
 count: 2
 match:
 event_type: alert
diff --git a/tests/tls-extra-alert-app/test.rules b/tests/tls-extra-alert-app/test.rules
new file mode 100644
index 000000000..5a4a4f253
--- /dev/null
+++ b/tests/tls-extra-alert-app/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (app-layer-protocol:tls; flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (app-layer-protocol:tls; flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-app/test.yaml b/tests/tls-extra-alert-app/test.yaml
new file mode 100644
index 000000000..19e010621
--- /dev/null
+++ b/tests/tls-extra-alert-app/test.yaml
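Review bot: The two pre-existing `count: 26` filters in firewall-06-tls-sni-enforce/test.yaml are now gated with `lt-version: 7` and the new `count: 24` filters with `min-version: 8`, which leaves no expectation at all for a 7.x build if the runner's comparisons are strict; if 26 is what 7.x produces, `lt-version: 8` is the right gate (the second hunk on this file repeats the pattern with `count: 2`). The hunk also never says why two alerts disappear in 8; the `pkt_src: "stream (flow timeout)"` / `count: 0` filter in the second hunk suggests they came from flow-timeout pseudo packets, so a comment such as `# 8.x: flow-timeout pseudo packets no longer raise these alerts` beside the first `min-version: 8` filter would make the count change reviewable rather than merely observed.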
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9901033
+ pkt_src: wire/pcap
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ not-has-key: pcap_cnt
diff --git a/tests/tls-extra-alert-app3/test.rules b/tests/tls-extra-alert-app3/test.rules
new file mode 100644
index 000000000..a7fdcaa1b
--- /dev/null
+++ b/tests/tls-extra-alert-app3/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tls any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tls any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-app3/test.yaml b/tests/tls-extra-alert-app3/test.yaml
new file mode 100644
index 000000000..19e010621
--- /dev/null
+++ b/tests/tls-extra-alert-app3/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9901033
+ pkt_src: wire/pcap
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ not-has-key: pcap_cnt
diff --git a/tests/tls-extra-alert-app4/test.rules b/tests/tls-extra-alert-app4/test.rules
new file mode 100644
index 000000000..27210c774
--- /dev/null
+++ b/tests/tls-extra-alert-app4/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tls any any -> any 443 (sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tls any 443 -> any any (sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-app4/test.yaml b/tests/tls-extra-alert-app4/test.yaml
new file mode 100644
index 000000000..4c4c7f873
--- /dev/null
+++ b/tests/tls-extra-alert-app4/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 9901033
+ pkt_src: wire/pcap
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ not-has-key: pcap_cnt
diff --git a/tests/tls-extra-alert-engine-analysis/README.md b/tests/tls-extra-alert-engine-analysis/README.md
new file mode 100644
index 000000000..8ecc1cb62
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/README.md
@@ -0,0 +1,7 @@
+# Test Description
+
+engine analysis complementary test for tls-extra-alert.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert-engine-analysis/test.rules b/tests/tls-extra-alert-engine-analysis/test.rules
new file mode 100644
index 000000000..88c750a9a
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-engine-analysis/test.yaml b/tests/tls-extra-alert-engine-analysis/test.yaml
new file mode 100644
index 000000000..f440d0bce
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/test.yaml
@@ -0,0 +1,229 @@
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - --engine-analysis
+
+pcap: false
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - noalert
+ - need_packet
+ - toserver
+ id: 9901001
+ lists:
+ packet:
+ matches:
+ - name: tcp.flags
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_tracker
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - tcp_flags_init_deinit
+ - real_pkt
+ type: pkt
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - need_packet
+ - need_stream
+ - need_flowvar
+ - toserver
+ - toclient
+ - prefilter
+ id: 9901031
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_tracker
+ name: flowbits
+ payload:
+ matches:
+ - content:
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ name: content
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_error
+ name: flowbits
+ mpm:
+ buffer: payload
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ pkt_engines:
+ - is_mpm: true
+ name: payload
+ - is_mpm: false
+ name: packet
+ requirements:
+ - payload
+ - flow
+ type: pkt_stream
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - dp_any
+ - need_packet
+ - need_stream
+ - need_flowvar
+ - toserver
+ - toclient
+ - prefilter
+ id: 9901032
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_tracker
+ name: flowbits
+ payload:
+ matches:
+ - content:
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ name: content
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_error
+ name: flowbits
+ mpm:
+ buffer: payload
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ pkt_engines:
+ - is_mpm: true
+ name: payload
+ - is_mpm: false
+ name: packet
+ requirements:
+ - payload
+ - flow
+ type: pkt_stream
+
+# Following is the signature of interest
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - need_flowvar
+ - toserver
+ id: 9901033
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_error
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - flow
+ type: pkt
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - dp_any
+ - need_flowvar
+ - toclient
+ id: 9901034
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_error
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - flow
+ type: pkt
diff --git a/tests/tls-extra-alert/README.md b/tests/tls-extra-alert/README.md
new file mode 100644
index 000000000..d913ee642
--- /dev/null
+++ b/tests/tls-extra-alert/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows that Suricata generates an additional alert for TLS
+for the given PCAP which shouldn't be there.
+
+## PCAP
+
+Internal.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert/input.pcap b/tests/tls-extra-alert/input.pcap
new file mode 100644
index 000000000..01c918c36
Binary files /dev/null and b/tests/tls-extra-alert/input.pcap differ
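Review bot: Each filter in tls-extra-alert-engine-analysis/test.yaml asserts the entire `rules.json` record for a signature — every flag, list entry, mpm field and requirement — so any unrelated change in engine-analysis output (a new flag name, a reordered `requirements` list) fails this test even though the README describes it only as a complement to tls-extra-alert. The checks for sids 9901033 and 9901034 would be far more robust if they matched just the fields that matter here, e.g. `type: pkt`, `requirements: [flow]` and the `flowbits` `isset` match, and left the rest unconstrained. The `# Following is the signature of interest` comment should also state what is interesting about it: presumably that 9901033 compiles to a plain `pkt` signature with no stream or app-layer requirement and yet fires twice in the packet test, but that reasoning is not written down anywhere in the test.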
diff --git a/tests/tls-extra-alert/test.rules b/tests/tls-extra-alert/test.rules
new file mode 100644
index 000000000..88c750a9a
--- /dev/null
+++ b/tests/tls-extra-alert/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert/test.yaml b/tests/tls-extra-alert/test.yaml
new file mode 100644
index 000000000..19e010621
--- /dev/null
+++ b/tests/tls-extra-alert/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9901033
+ pkt_src: wire/pcap
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ not-has-key: pcap_cnt
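Review bot: The `msg` on sids 9901031 and 9901032 says "TLS 1.2 Fatal Alert", but the matched bytes `|15 03 01 00 02 02|` carry record-layer version 0x0301, i.e. TLS 1.0 framing; a TLS 1.2 peer normally emits alerts with 0x0303, so either the message is misleading or the rules miss the case they name, and the fixture should say which behaviour it relies on. Rule 9901001 also sets `tls_tracker` on every client SYN to port 443 (`flags: S,CE`) whether or not TLS follows, which is acceptable for a regression fixture but deserves a header comment, since this identical five-line ruleset is duplicated in four test directories in this commit and a reader of any one copy has no context for what the flowbit chain is meant to isolate.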
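Review bot: The README for tls-extra-alert says the extra TLS alert "shouldn't be there", yet tls-extra-alert/test.yaml pins `count: 2` for sid 9901033 without saying whether 2 is the correct count or the currently observed, suspect one; a test committed while "trying to establish what's the issue" needs a comment stating which, e.g. `# 2 records current behaviour; expected is 1 per client-side hit once the extra alert is understood`, otherwise a future fix would break the test and risk being reverted. The second filter only proves that no alert lacks `pcap_cnt`; it does not bound the total number of alerts, so an extra alert raised on a real packet for any other sid goes unnoticed. Adding an unfiltered `event_type: alert` count (and, if the hypothesis is a pseudo-packet source, a `pkt_src: "stream (flow timeout)"` count) would make the README's claim actually testable.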