Bug 7318/v3

tests/bug-5443/README.md

@@ -0,0 +1,4 @@
+PCAP
+====
+
+https://redmine.openinfosecfoundation.org/issues/5443

tests/bug-5443/test.yaml

@@ -0,0 +1,22 @@
+requires:
+  min-version: 7
+  #features:
+  #- TLC
+
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+
+# 2 or 3 flows depending on tcp reuse behavior, see ticket 5843
+checks:
+  - filter:
+      lt-version: 7
+      count: 3
+      match:
+        event_type: flow
+  - filter:
+      min-version: 8
+      count: 3
+      match:
+        event_type: flow

tests/bug-5464-verdict-06/test.yaml

@@ -9,6 +9,22 @@ args:
 
 checks:
   - filter:
+      min-version: 8
+      count: 25
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        verdict.action: alert
+  - filter:
+      min-version: 8
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        verdict.action: alert
+        has-not-key: pcap_cnt
+  - filter:
+      lt-version: 7
       count: 28
       match:
         event_type: alert

tests/detect-alproto-04-unacked-data/test.rules

@@ -0,0 +1,2 @@
+alert http any any -> any any (sid:1;)
+alert ssh any any -> any any (sid:2;)

tests/detect-alproto-04-unacked-data/writepcap.py

@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=65535)/"GET / HTTP/1.0\r\n\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"SSH-2.0 XXX\r\n"
+
+wrpcap('input.pcap', pkts)

tests/firewall/firewall-06-tls-sni-enforce/test.yaml

@@ -6,11 +6,24 @@ args:
 
 checks:
 - filter:
+    min-version: 8
+    count: 24
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    min-version: 8
+    count: 24
+    match:
+      event_type: alert
+- filter:
+    lt-version: 7
     count: 26
     match:
       event_type: alert
       alert.signature_id: 3
 - filter:
+    lt-version: 7
     count: 26
     match:
       event_type: alert
@@ -31,6 +44,13 @@ checks:
     match:
       event_type: drop
 - filter:
+    min-version: 8
+    count: 0
+    match:
+      event_type: alert
+      pkt_src: "stream (flow timeout)"
+- filter:
+    lt-version: 7
     count: 2
     match:
       event_type: alert

tests/tls-extra-alert-app/test.rules

@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (app-layer-protocol:tls; flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (app-layer-protocol:tls; flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )

tests/tls-extra-alert-app/test.yaml

@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 9901033
+      pkt_src: wire/pcap
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      not-has-key: pcap_cnt

tests/tls-extra-alert-app3/test.rules

@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tls any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tls any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )

tests/tls-extra-alert-app3/test.yaml

@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 9901033
+      pkt_src: wire/pcap
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      not-has-key: pcap_cnt

tests/tls-extra-alert-app4/test.rules

@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tls any any -> any 443 (sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tls any 443 -> any any (sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )

tests/tls-extra-alert-app4/test.yaml

@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 9901033
+      pkt_src: wire/pcap
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      not-has-key: pcap_cnt

tests/tls-extra-alert-engine-analysis/README.md

@@ -0,0 +1,7 @@
+# Test Description
+
+engine analysis complementary test for tls-extra-alert.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.

tests/tls-extra-alert-engine-analysis/test.rules

@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )