From 42ee87008aafd50f161cce362b503d9c7648c0c5 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 4 Dec 2024 09:27:22 +0100
Subject: [PATCH] tests: add test for 7414 and 7433

---
tests/bug-7414-decoder-event-01/README.md | 5 ++
.../decoder-event.rules | 1 +
.../bug-7414-decoder-event-01/ip_secopt.pcap | Bin 0 -> 310 bytes
tests/bug-7414-decoder-event-01/suricata.yaml | 41 ++++++++++++
tests/bug-7414-decoder-event-01/test.yaml | 45 +++++++++++++
tests/bug-7414-decoder-event-02-ips/README.md | 5 ++
.../decoder-event.rules | 1 +
.../suricata.yaml | 43 ++++++++++++
tests/bug-7414-decoder-event-02-ips/test.yaml | 61 ++++++++++++++++++
9 files changed, 202 insertions(+)
create mode 100644 tests/bug-7414-decoder-event-01/README.md
create mode 100644 tests/bug-7414-decoder-event-01/decoder-event.rules
create mode 100644 tests/bug-7414-decoder-event-01/ip_secopt.pcap
create mode 100644 tests/bug-7414-decoder-event-01/suricata.yaml
create mode 100644 tests/bug-7414-decoder-event-01/test.yaml
create mode 100644 tests/bug-7414-decoder-event-02-ips/README.md
create mode 100644 tests/bug-7414-decoder-event-02-ips/decoder-event.rules
create mode 100644 tests/bug-7414-decoder-event-02-ips/suricata.yaml
create mode 100644 tests/bug-7414-decoder-event-02-ips/test.yaml

diff --git a/tests/bug-7414-decoder-event-01/README.md b/tests/bug-7414-decoder-event-01/README.md
new file mode 100644
index 000000000..25df5be6d
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/README.md
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+
diff --git a/tests/bug-7414-decoder-event-01/decoder-event.rules b/tests/bug-7414-decoder-event-01/decoder-event.rules
new file mode 100644
index 000000000..08c033724
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/decoder-event.rules
@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
diff --git a/tests/bug-7414-decoder-event-01/ip_secopt.pcap b/tests/bug-7414-decoder-event-01/ip_secopt.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..61be1670facbea1ae0687882bbb9bba40e014a77
GIT binary patch
literal 310
zcmca|c+)~A1{MYcU}0bcayHL!O?QuHW3U0TLHM8U`L!A$->g_P)XF&+Tp1Yj)P)@w
z90b>U$N_-}5C|U;KEfcimOa=r01a&cnx(V=VHU&`h=~xhj_e1SB{&CU4#+&*W^DtS
zC9K28PzH1p2&1~ogMlFflswd!2w6pOps
K2WxMczXAX@`dyp=

literal 0
HcmV?d00001

diff --git a/tests/bug-7414-decoder-event-01/suricata.yaml b/tests/bug-7414-decoder-event-01/suricata.yaml
new file mode 100644
index 000000000..69c2f1c57
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/suricata.yaml
@@ -0,0 +1,41 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+ exception-policy:
+ #per-app-proto-errors: false # default: false. True will log errors for
+ # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: true
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
diff --git a/tests/bug-7414-decoder-event-01/test.yaml b/tests/bug-7414-decoder-event-01/test.yaml
new file mode 100644
index 000000000..451079170
--- /dev/null
+++ b/tests/bug-7414-decoder-event-01/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "allowed"
+ packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+ verdict.action: "alert"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.invalid: 1
+
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_pad_required"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 2
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_invalid_len"
+ pcap_filename.__endswith: "ip_secopt.pcap"
diff --git a/tests/bug-7414-decoder-event-02-ips/README.md b/tests/bug-7414-decoder-event-02-ips/README.md
new file mode 100644
index 000000000..25df5be6d
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/README.md
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+
diff --git a/tests/bug-7414-decoder-event-02-ips/decoder-event.rules b/tests/bug-7414-decoder-event-02-ips/decoder-event.rules
new file mode 100644
index 000000000..08c033724
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/decoder-event.rules
@@ -0,0 +1 @@
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
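Review bot: The expectations for pcap_cnt 3 — two decoder.ipv4.opt_invalid_len anomalies plus one opt_pad_required, but only one alert for sid 2200005 and a single stats.decoder.invalid increment — encode a deliberate "events are per option, alerts and invalid-packet stats are per packet" contract that nothing in the file states, so a later change in how repeated decode events on one packet are counted could not be told from a regression. Decoding the `packet` field shows an IPv4 header with IHL 8 whose 12-byte option area starts `82 02 f1 35 …`: a security option (type 0x82) with length 2, followed by a type-0xf1 option whose length 53 overruns the remaining option space, which accounts for the two opt_invalid_len events. A comment above `checks:` such as `# pkt 3 carries a 2-byte IP security option (0x82) followed by an option whose length overruns the header; expect 2x opt_invalid_len + 1x opt_pad_required, but a single alert (sid 2200005) and one stats.decoder.invalid` would pin that intent. Since the rule action is `drop` yet this test asserts `alert.action: "allowed"` and `verdict.action: "alert"`, a one-line note that this directory runs in IDS mode (the sibling -ips test expects "blocked"/"drop" for the same packet) would also save the next reader a trip to the other test.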
diff --git a/tests/bug-7414-decoder-event-02-ips/suricata.yaml b/tests/bug-7414-decoder-event-02-ips/suricata.yaml
new file mode 100644
index 000000000..263c9fca0
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/suricata.yaml
@@ -0,0 +1,43 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+ exception-policy:
+ #per-app-proto-errors: false # default: false. True will log errors for
+ # each app-proto. Warning: VERY verbose
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: true
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ - drop:
+ alerts: yes # log alerts that caused drops
diff --git a/tests/bug-7414-decoder-event-02-ips/test.yaml b/tests/bug-7414-decoder-event-02-ips/test.yaml
new file mode 100644
index 000000000..13676210f
--- /dev/null
+++ b/tests/bug-7414-decoder-event-02-ips/test.yaml
@@ -0,0 +1,61 @@
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "blocked"
+ packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+ verdict.action: "drop"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.invalid: 1
+ stats.ips.accepted: 2
+ stats.ips.blocked: 1
+ stats.ips.drop_reason.rules: 1
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_pad_required"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 2
+ match:
+ pcap_cnt: 3
+ event_type: "anomaly"
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ anomaly.type: "decode"
+ anomaly.event: "decoder.ipv4.opt_invalid_len"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "blocked"
+ pcap_filename.__endswith: "ip_secopt.pcap"
+ drop.reason: "rules"
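Review bot: Nothing in this test.yaml says why the same pcap and the same `drop` rule as ../bug-7414-decoder-event-01 now yield `alert.action: "blocked"`, `verdict.action: "drop"` and a `drop` event with `drop.reason: "rules"`; as far as I recall suricata-verify selects IPS mode from the `-ips` directory suffix, but that is only visible in the path, not in the file, so a copy to a differently named directory would silently turn into the IDS expectations of the 01 test. A header comment such as `# Same pcap/rule as ../bug-7414-decoder-event-01, but run in IPS mode (-ips directory suffix): the decode-event drop must be enforced, not just alerted` would make the contract explicit (and if the harness actually needs an explicit key for IPS mode, that key belongs here too). The `stats.ips.accepted: 2` / `stats.ips.blocked: 1` / `stats.ips.drop_reason.rules: 1` assertions are the security-relevant part — they are what show that only the malformed packet (pcap_cnt 3) is dropped while packets 1 and 2 pass — and deserve a short comment saying so, since the per-event filters above them only constrain packet 3.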