From 8b812987c483e05970bada85689d7188ec995717 Mon Sep 17 00:00:00 2001 From: Juliana Fajardini Date: Fri, 27 Sep 2024 17:55:50 -0300 Subject: [PATCH 1/6] tests: add test for bug-7199 More of a change in behavior than a bug, but important to be documented Related to Bug https://redmine.openinfosecfoundation.org/issues/7199 --- tests/bug-7199/README.md | 15 +++++++++ tests/bug-7199/TLPW-curl-http-suricata.pcap | Bin 0 -> 1219 bytes tests/bug-7199/suricata.yaml | 22 +++++++++++++ tests/bug-7199/test.rules | 3 ++ tests/bug-7199/test.yaml | 33 ++++++++++++++++++++ 5 files changed, 73 insertions(+) create mode 100644 tests/bug-7199/README.md create mode 100644 tests/bug-7199/TLPW-curl-http-suricata.pcap create mode 100644 tests/bug-7199/suricata.yaml create mode 100644 tests/bug-7199/test.rules create mode 100644 tests/bug-7199/test.yaml diff --git a/tests/bug-7199/README.md b/tests/bug-7199/README.md new file mode 100644 index 000000000..b8ac42937 --- /dev/null +++ b/tests/bug-7199/README.md @@ -0,0 +1,15 @@ +# Test + +Showcase change of behavior from Suricata-7.0.5 to Suricata-7.0.6. +Before, a non-stream rule that matched traffic associated with an app-layer +transaction would result in app-layer metadata being logged with the alert, if +metadata was enabled. Starting with 7.0.6, this will only be achieved if the +rule is an app-layer/stream one. + +### Pcap + +Packet capture resulting of a curl to suricata.io. + +### Ticket + +https://redmine.openinfosecfoundation.org/issues/7199 
diff --git a/tests/bug-7199/TLPW-curl-http-suricata.pcap b/tests/bug-7199/TLPW-curl-http-suricata.pcap new file mode 100644 index 0000000000000000000000000000000000000000..144e4fcaa6042e9ad4a2187f64700b7e7ec32d51 GIT binary patch literal 1219 zcmaKrPfXKL9LHbBVC>B%;)#QYXVeSObt?r%{lk!dV?t6wHO7l}<*_wv?d%F}{tE|< zA>nAEMxz)LW1@I4B#;=v1ig5b1TN@7NbqJ%;4ow2dtDeX7Mi}K{k`_n@Avonc4_hb z3m0&Mox=?na`Wu_=J3(y9uOthbWMJl`58@Jz3sglJ5dd~05}b=he5dN{DV)gf%o_l zXjlycIdJ(;l9Hxe`QK|l0C2f0XWXu8c;9^UmDZVx3J)b;oc0#U1!jR?AOjEv*Q!qX zD3#KIyc+gQM7jt)HFe}4Xn*ODCn;I0Kif>{+vHb-e2#pHu6>$Cm~}KiDbbuF^zQM) z%+}g6(a2D}Z)HlRT0g(@f=Nm%N4x`b4pA;ktYx;=j}?gnl-SdyARa{&MdpM4APXaA z#+FcK)Y3K8R{grk!V4K}aqV$zkPU6rO7bCplRv=1c1^=+Qmfa%u9gjk7kNPO7@Gv(tx-xSf!YAUZVzYqoA05*ooc&8bO! z470G$B>i@(3ENI*B%a?j1HLd9E`rq|Dla68K_L`~1+>N{Ev5y7V#{zSrna_*)TZV} zwS|S3IN36@Ij%$15}4~XhD`}|DiRqm3#oT*zk6qZe@VL!i0cg}T#rk_HS3w^)yM!h zcg1yu3~_-D@Y}+H#G4NBQCVV5dE&=4wy3c*5d;28s~`Xp}nrBu~y#}{SSC any any (msg: "Reject by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; flow: to_server, established; sid: 1;) +pass http any any -> any any (msg: "Allow http by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:"/api/v2/"; startswith; http.method; content:"GET"; http.host; content:"foo.bar.com"; startswith; endswith; sid: 2;) +alert http any any -> any any (msg: "Alert by AntreaNetworkPolicy:default/ingress-allow-http-request-to-api-v2"; http.uri; content:!"/api/v2/"; sid: 3;) diff --git a/tests/bug-7199/test.yaml b/tests/bug-7199/test.yaml new file mode 100644 index 000000000..510fe6017 --- /dev/null +++ b/tests/bug-7199/test.yaml 
@@ -0,0 +1,33 @@ +requires: + features: + - LIBNET1.1 + +args: +- -k none +- --set stream.midstream=true +- --simulate-ips + +checks: + - filter: + count: 4 + match: + event_type: alert + alert.signature_id: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: alert + alert.signature_id: 1 + has-key: http + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + has-key: http From c17f10e96e449f1e8204a2f353878e9c701c7810 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 28 Nov 2024 11:19:15 +0100 Subject: [PATCH 2/6] output: use detect.guess-applayer-tx for http-ish content test Ticket: 7199 --- tests/bug-130/test.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/bug-130/test.yaml b/tests/bug-130/test.yaml index 36fe83840..44855137f 100644 --- a/tests/bug-130/test.yaml +++ b/tests/bug-130/test.yaml @@ -1,10 +1,8 @@ requires: min-version: 5.0.0 - features: - - HAVE_LIBJANSSON args: - - -k none + - -k none --set detect.guess-applayer-tx=true checks: - filter: From 0832c8ec43c0369a4a8e4dfcc757d2106af18c1c Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 28 Nov 2024 13:37:47 +0100 Subject: [PATCH 3/6] pgsql: use detect.guess-applayer-tx for content test Ticket: 7199 --- tests/pgsql/pgsql-7000-ids/suricata.yaml | 3 +++ tests/pgsql/pgsql-7000-ids/test.yaml | 17 ++++++++++------- tests/pgsql/pgsql-bug-6983-ips/suricata.yaml | 3 +++ tests/pgsql/pgsql-bug-6983-ips/test.yaml | 4 +++- 4 files changed, 19 insertions(+), 8 deletions(-) diff --git a/tests/pgsql/pgsql-7000-ids/suricata.yaml b/tests/pgsql/pgsql-7000-ids/suricata.yaml index aac151f99..ce7444717 100644 --- a/tests/pgsql/pgsql-7000-ids/suricata.yaml +++ b/tests/pgsql/pgsql-7000-ids/suricata.yaml @@ -15,3 +15,6 @@ app-layer: protocols: pgsql: enabled: yes + +detect: + guess-applayer-tx: true \ No newline at end of file 
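Review bot: Only the 8.x side of the behaviour change is pinned: the `min-version: 8` filter requires `has-key: http` on one of the four sid 1 alerts, while the README describes a 7.0.5 to 7.0.6 change that no filter in this file asserts, so a 7.0.6+ binary passes whether or not the sid 1 alerts carry `http`. If 7.0.6+ behaves as the README states, a version-gated negative filter would document it; this assumes `min-version` and `lt-version` can be combined on one filter, which the series only uses separately (the firewall-06 hunks). The `requires: features: - LIBNET1.1` line presumably exists because sid 1 is a reject rule, but the start of that rule is lost in the binary residue above, so that is inferred.
```yaml
# … unchanged: existing sid 1 / sid 2 / sid 3 filters …
  - filter:
      min-version: 7.0.6
      lt-version: 8
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1
        has-key: http
```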
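Review bot: `- -k none --set detect.guess-applayer-tx=true` keeps `requires: min-version: 5.0.0` although the pgsql tests in this same series raise `min-version` to 8 for the very same setting; on a pre-8 binary the `--set` of an unknown key is presumably accepted silently, so the test would then run without guessing under a name that suggests otherwise. Either bump `min-version` to 8 as the pgsql hunks do, or keep the 5.0.0 floor and gate the filter that depends on the guessed tx by version. Packing two options into one list entry also departs from the one-option-per-entry layout used in bug-7199's `args`; `- -k none` and `- --set detect.guess-applayer-tx=true` as separate entries would match it. The removal of the `HAVE_LIBJANSSON` feature requirement is unrelated to the subject line and deserves a sentence in the commit message.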
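Review bot: The added `guess-applayer-tx: true` line ends with `\ No newline at end of file`, and the pgsql-bug-6983-ips/suricata.yaml hunk further down has the same defect; both files should be terminated with a newline so later diffs stay clean. Since the new `detect:` block exists only to make the `tx_guessed: true` assertions in test.yaml hold, a one-line comment such as `# required by the tx_guessed checks in test.yaml` above it would tie the setting to the expectations it enables.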
diff --git a/tests/pgsql/pgsql-7000-ids/test.yaml b/tests/pgsql/pgsql-7000-ids/test.yaml index 0e5d976c6..8f680ae0e 100644 --- a/tests/pgsql/pgsql-7000-ids/test.yaml +++ b/tests/pgsql/pgsql-7000-ids/test.yaml @@ -1,3 +1,5 @@ +requires: + min-version: 8 args: - -k none @@ -24,6 +26,7 @@ checks: pgsql.tx_id: 6 stream: 1 tx_id: 5 + tx_guessed: true # check 3 - filter: count: 1 @@ -40,6 +43,7 @@ checks: pgsql.tx_id: 7 stream: 1 tx_id: 6 + tx_guessed: true # check 4 - filter: count: 1 @@ -56,6 +60,7 @@ checks: pgsql.tx_id: 8 stream: 1 tx_id: 7 + tx_guessed: true # check 5 - filter: count: 1 @@ -72,6 +77,7 @@ checks: pgsql.tx_id: 9 stream: 1 tx_id: 8 + tx_guessed: true # check 6 - filter: count: 1 @@ -94,6 +100,7 @@ checks: pgsql.tx_id: 14 stream: 1 tx_id: 13 + tx_guessed: true # check 7 - filter: count: 1 @@ -117,6 +124,7 @@ checks: pgsql.tx_id: 17 stream: 1 tx_id: 16 + tx_guessed: true # check 8 - filter: count: 1 @@ -139,6 +147,7 @@ checks: pgsql.tx_id: 23 stream: 1 tx_id: 22 + tx_guessed: true # check 9 - filter: count: 1 @@ -158,6 +167,7 @@ checks: pgsql.tx_id: 26 stream: 1 tx_id: 25 + tx_guessed: true # check 10 - filter: count: 1 @@ -171,11 +181,4 @@ checks: Dumbledore....prof_dumbledore@gmail.comD...2.....\nMcGonagall....prof_mc.gonagall@gmail.comD...'......Rogue....prof_rogue@yahoo.comD...)......Hagrid....prof_hagrid@gmail.comD...,......Hermione....prof_gramger@gmail.comD...'......Remus....prof_lupin@gmail.comD...)......Maugre....prof_folloy@gmail.comD...-......Londubat....prof_londubat@gmail.comC...\r\ SELECT 8.Z....I" pcap_cnt: 87 - pgsql.request.simple_query: SELECT * FROM new_table; - pgsql.response.command_completed: SELECT 8 - pgsql.response.data_rows: 8 - pgsql.response.data_size: 236 - pgsql.response.field_count: 2 - pgsql.tx_id: 26 stream: 1 - tx_id: 25 diff --git a/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml b/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml index b1049819c..1c856f05f 100755 --- a/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml 
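Review bot: Check 10 loses every `pgsql.*` match plus `tx_id: 25`, keeping only `pcap_cnt: 87` and `stream: 1`, and unlike checks 2–9 it gets no `tx_guessed: true`; the commit message does not say why this alert is no longer expected to be attributed to a transaction. If the intent is that with guessing enabled the final alert carries no tx, make that explicit with `not-has-key: pgsql` (a keyword this series already uses in tls-extra-alert/test.yaml) instead of leaving a filter that any alert at packet 87 satisfies. A short `# final alert: no transaction guessed, so no pgsql metadata` comment above the filter would also record the reasoning. The payload-string context at the top of this hunk starts outside the hunk as shown here.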
+++ b/tests/pgsql/pgsql-bug-6983-ips/suricata.yaml @@ -16,3 +16,6 @@ app-layer: protocols: pgsql: enabled: yes + +detect: + guess-applayer-tx: true \ No newline at end of file diff --git a/tests/pgsql/pgsql-bug-6983-ips/test.yaml b/tests/pgsql/pgsql-bug-6983-ips/test.yaml index 2ee0eaaf7..956431bf0 100644 --- a/tests/pgsql/pgsql-bug-6983-ips/test.yaml +++ b/tests/pgsql/pgsql-bug-6983-ips/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7.0 + min-version: 8.0 pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap @@ -19,9 +19,11 @@ checks: match: event_type: alert alert.signature_id: 1 + tx_guessed: true - filter: count: 1 match: event_type: alert alert.signature_id: 1 + tx_guessed: true pgsql.request.simple_query: "select * from rules where sid = 2021701;" From c134f6b11462cab69165961801e3c0d8f2e30982 Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 2 Dec 2024 11:18:29 +0100 Subject: [PATCH 4/6] tls: add check for catch-all rule logging app-layer metadata Ticket: 7530 --- tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml | 4 ++++ tests/firewall/firewall-06-tls-sni-enforce/test.yaml | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml b/tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml index b67886b55..3770357fd 100644 --- a/tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml +++ b/tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml @@ -15,6 +15,10 @@ stats: # Add stream events as stats. #stream-events: false +detect: + stream-tx-log-limit: 4 + guess-applayer-tx: true + # Configure the type of alert (and other) logging you would like. outputs: - eve-log: diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml index 0c54b3cba..b61b85c40 100644 --- a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml +++ b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml 
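Review bot: Raising `min-version` from `7.0` to `8.0` drops this bug-6983 regression test from every 7.x run, although the added `tx_guessed: true` keys are the only 8-specific part of the checks. bug-7199/test.yaml in this series shows the alternative: keep the `7.0` floor and put `min-version: 8` on the individual filters that assert `tx_guessed`, so the sid 1 alert counts remain covered on 7.x. Whether a 7.x binary tolerates the `detect.guess-applayer-tx` key now set in suricata.yaml is not visible here, so that needs confirming before keeping the lower floor.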
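Review bot: `stream-tx-log-limit: 4` is added without a comment, and the filter added to test.yaml in the same commit expects exactly `count: 4` alerts for sid 3 carrying `tls.sni`; if those two numbers are linked, a comment such as `# 4: matches the per-sid alert count asserted in test.yaml` at the setting would keep a later edit to one from silently breaking the other. If they are not linked, a comment stating what the limit is for is still warranted, given that the neighbouring `stats:` block documents each of its keys.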
@@ -14,6 +14,14 @@ checks: count: 26 match: event_type: alert +- filter: + min-version: 8 + # check for https://redmine.openinfosecfoundation.org/issues/7350 + count: 4 + match: + event_type: alert + alert.signature_id: 3 + tls.sni: raw.githubusercontent.com - filter: count: 1 match: From f9717f5213cffe0a5e669c71a6522d3cf8f68097 Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 28 Nov 2024 11:41:16 +0100 Subject: [PATCH 5/6] tests: update firewall test for pkt sigs not alerting on ffr packets --- .../firewall-06-tls-sni-enforce/test.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml index b61b85c40..7002fd186 100644 --- a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml +++ b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml @@ -6,11 +6,24 @@ args: checks: - filter: + min-version: 8 + count: 24 + match: + event_type: alert + alert.signature_id: 3 +- filter: + min-version: 8 + count: 24 + match: + event_type: alert +- filter: + lt-version: 7 count: 26 match: event_type: alert alert.signature_id: 3 - filter: + lt-version: 7 count: 26 match: event_type: alert @@ -39,6 +52,13 @@ checks: match: event_type: drop - filter: + min-version: 8 + count: 0 + match: + event_type: alert + pkt_src: "stream (flow timeout)" +- filter: + lt-version: 7 count: 2 match: event_type: alert From 4a9d6ad707b069d5445660a0a5a2df87f8fb89c1 Mon Sep 17 00:00:00 2001 
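Review bot: The new filter's comment points at `issues/7350` while the commit message says `Ticket: 7530`; one of the two has transposed digits, and nothing on the page says which. Correct whichever is wrong before merge so the check stays traceable to its ticket. The filter itself is gated with `min-version: 8`, consistent with the `guess-applayer-tx` setting added to suricata.yaml in the same commit.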
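Review bot: The version gates leave 7.x with none of these alert-count checks: the new filters use `min-version: 8` and the pre-existing ones are now restricted with `lt-version: 7`, so a 7.0.x binary matches neither the `count: 24` nor the `count: 26` filters (assuming `lt-version` compares the full version, as its name suggests). If the old counts still hold on 7.x, the gate should read `lt-version: 8`; the same applies to the `lt-version: 7` added in this file's second hunk (`@@ -39,6 +52,13 @@`), where the `count: 2` alert check is likewise skipped on 7.x. The `count: 0` filter on `pkt_src: "stream (flow timeout)"` captures the behaviour named in the commit message well.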
From: Shivani Bhardwaj Date: Mon, 7 Oct 2024 13:54:16 +0530 Subject: [PATCH 6/6] add test for extra tls alert --- .../tls-extra-alert-engine-analysis/README.md | 7 + .../test.rules | 5 + .../tls-extra-alert-engine-analysis/test.yaml | 229 ++++++++++++++++++ tests/tls-extra-alert/README.md | 12 + tests/tls-extra-alert/input.pcap | Bin 0 -> 1525 bytes tests/tls-extra-alert/test.rules | 5 + tests/tls-extra-alert/test.yaml | 19 ++ 7 files changed, 277 insertions(+) create mode 100644 tests/tls-extra-alert-engine-analysis/README.md create mode 100644 tests/tls-extra-alert-engine-analysis/test.rules create mode 100644 tests/tls-extra-alert-engine-analysis/test.yaml create mode 100644 tests/tls-extra-alert/README.md create mode 100644 tests/tls-extra-alert/input.pcap create mode 100644 tests/tls-extra-alert/test.rules create mode 100644 tests/tls-extra-alert/test.yaml diff --git a/tests/tls-extra-alert-engine-analysis/README.md b/tests/tls-extra-alert-engine-analysis/README.md new file mode 100644 index 000000000..8ecc1cb62 --- /dev/null +++ b/tests/tls-extra-alert-engine-analysis/README.md @@ -0,0 +1,7 @@ +# Test Description + +engine analysis complementary test for tls-extra-alert. + +## Related issues + +None so far. State: Trying to establish what's the issue. diff --git a/tests/tls-extra-alert-engine-analysis/test.rules b/tests/tls-extra-alert-engine-analysis/test.rules new file mode 100644 index 000000000..88c750a9a --- /dev/null +++ b/tests/tls-extra-alert-engine-analysis/test.rules 
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-engine-analysis/test.yaml b/tests/tls-extra-alert-engine-analysis/test.yaml
new file mode 100644
index 000000000..f440d0bce
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/test.yaml
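Review bot: This rules file is byte-identical to the one added under tests/tls-extra-alert/ (both hunks show blob `88c750a9a`), so any later rule edit has to be mirrored by hand; the same point applies to that second copy. The series already references a sibling test's capture with `pcap: ../pgsql-ssl-rejected-md5-auth-simple-query/input.pcap`, so if suricata-verify accepts a similar relative path for rules one copy would do, otherwise a comment at the top of each file naming its twin is the minimum. Within the rules, sid 09901001 has no `msg` while the other four do, and the leading-zero sids appear without the zero in the engine-analysis expectations (`id: 9901001`), which is worth a comment so readers matching sids across the two files are not tripped up.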
@@ -0,0 +1,229 @@ +requires: + min-version: 8 + +args: + - --simulate-ips + - --engine-analysis + +pcap: false + +checks: +- filter: + filename: rules.json + count: 1 + match: + flags: + - src_any + - dst_any + - sp_any + - noalert + - need_packet + - toserver + id: 9901001 + lists: + packet: + matches: + - name: tcp.flags + postmatch: + matches: + - flowbits: + cmd: set + names: + - tls_tracker + name: flowbits + pkt_engines: + - is_mpm: false + name: packet + requirements: + - tcp_flags_init_deinit + - real_pkt + type: pkt + +- filter: + filename: rules.json + count: 1 + match: + flags: + - src_any + - dst_any + - sp_any + - need_packet + - need_stream + - need_flowvar + - toserver + - toclient + - prefilter + id: 9901031 + lists: + packet: + matches: + - flowbits: + cmd: isset + names: + - tls_tracker + name: flowbits + payload: + matches: + - content: + depth: 6 + ends_with: false + fast_pattern: false + is_mpm: true + length: 6 + negated: false + no_double_inspect: false + nocase: false + pattern: '|15 03 01 00 02 02|' + relative_next: false + starts_with: true + name: content + postmatch: + matches: + - flowbits: + cmd: set + names: + - tls_error + name: flowbits + mpm: + buffer: payload + depth: 6 + ends_with: false + fast_pattern: false + is_mpm: true + length: 6 + negated: false + no_double_inspect: false + nocase: false + pattern: '|15 03 01 00 02 02|' + relative_next: false + starts_with: true + pkt_engines: + - is_mpm: true + name: payload + - is_mpm: false + name: packet + requirements: + - payload + - flow + type: pkt_stream + +- filter: + filename: rules.json + count: 1 + match: + flags: + - src_any + - dst_any + - dp_any + - need_packet + - need_stream + - need_flowvar + - toserver + - toclient + - prefilter + id: 9901032 + lists: + packet: + matches: + - flowbits: + cmd: isset + names: + - tls_tracker + name: flowbits + payload: + matches: + - content: + depth: 6 + ends_with: false + fast_pattern: false + is_mpm: true + length: 6 + negated: false + 
no_double_inspect: false + nocase: false + pattern: '|15 03 01 00 02 02|' + relative_next: false + starts_with: true + name: content + postmatch: + matches: + - flowbits: + cmd: set + names: + - tls_error + name: flowbits + mpm: + buffer: payload + depth: 6 + ends_with: false + fast_pattern: false + is_mpm: true + length: 6 + negated: false + no_double_inspect: false + nocase: false + pattern: '|15 03 01 00 02 02|' + relative_next: false + starts_with: true + pkt_engines: + - is_mpm: true + name: payload + - is_mpm: false + name: packet + requirements: + - payload + - flow + type: pkt_stream + +# Following is the signature of interest +- filter: + filename: rules.json + count: 1 + match: + flags: + - src_any + - dst_any + - sp_any + - need_flowvar + - toserver + id: 9901033 + lists: + packet: + matches: + - flowbits: + cmd: isset + names: + - tls_error + name: flowbits + pkt_engines: + - is_mpm: false + name: packet + requirements: + - flow + type: pkt + +- filter: + filename: rules.json + count: 1 + match: + flags: + - src_any + - dst_any + - dp_any + - need_flowvar + - toclient + id: 9901034 + lists: + packet: + matches: + - flowbits: + cmd: isset + names: + - tls_error + name: flowbits + pkt_engines: + - is_mpm: false + name: packet + requirements: + - flow + type: pkt diff --git a/tests/tls-extra-alert/README.md b/tests/tls-extra-alert/README.md new file mode 100644 index 000000000..d913ee642 --- /dev/null +++ b/tests/tls-extra-alert/README.md @@ -0,0 +1,12 @@ +# Test Description + +This test shows that Suricata generates an additional alert for TLS +for the given PCAP which shouldn't be there. + +## PCAP + +Internal. + +## Related issues + +None so far. State: Trying to establish what's the issue. 
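Review bot: The comment `# Following is the signature of interest` on the 9901033 block does not say which property of the rule the check exists to pin, so a later failure there gives no hint of what regressed. Expanding it along the lines of `# sid 9901033: the rule behind the extra alert in tests/tls-extra-alert; pins that it stays a plain pkt-type rule whose only requirement is flow state (flowbits isset), with no stream or payload engine` ties the expectation to the companion test. `pcap: false` with `--engine-analysis` is fine, but a comment stating that this file only validates rule parsing would spare readers wondering why there are no alert filters.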
diff --git a/tests/tls-extra-alert/input.pcap b/tests/tls-extra-alert/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..01c918c36e4a6cf4ce2797eba0c7c5eae1540432 GIT binary patch literal 1525 zcmbu9T}YE*6vxl=zVGI<`N4F$&6c*DbDHM-Ov)KjO613#lsG9`Hia$}KQ2o{B9I_K zB*gjAMZ?0Pv^#H}2yfDgEGt49bP=H!`GJs;+IikF=QfeR2M)aN3+H$K|8vgsetb3Y zKmZ8>M*@N`j$*H?AuAdx@R^5TtuMOOB9wbGDz8!~2e3OEN}*HPHqOS>3*y*?&c0eQ z)jUvjkCR4)^$5#X%#zGR5~#Xt@L?kVPDC-H9?1>|36N!`kMAP`l){?Qso_*kCsTd3 zGy3ICr1y@-ZEtICaj;Ftu6vl*b*LL#4V?b6I*}oNi>k9H1`g1lM{6!foUYY6vZE_A73CmjD0h1&uM5Rb0D5WZ@rjb;l3aXTdf+(@sBH_J>pO*sN4xMAc^e@0U zE~JOdajSWtx~@wD-FCCDH&q*Nr*MXwoS5=Sg7YYWhi}_i+v*;;CpRy@pzuTy&&%(N3RDdBP;T>-u?c4J${!x8Ur4GAE@F#t^%d9 literal 0 HcmV?d00001 diff --git a/tests/tls-extra-alert/test.rules b/tests/tls-extra-alert/test.rules new file mode 100644 index 000000000..88c750a9a --- /dev/null +++ b/tests/tls-extra-alert/test.rules @@ -0,0 +1,5 @@ +alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; ) +alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; ) +alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; ) +alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; ) +alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; ) diff --git a/tests/tls-extra-alert/test.yaml b/tests/tls-extra-alert/test.yaml new file mode 100644 index 000000000..19e010621 --- /dev/null +++ b/tests/tls-extra-alert/test.yaml 
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9901033
+ pkt_src: wire/pcap
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ not-has-key: pcap_cnt
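Review bot: The checks and the README disagree on what is expected: the README says Suricata "generates an additional alert for TLS ... which shouldn't be there", yet the first filter requires exactly `count: 2` alerts for sid 9901033 from `pkt_src: wire/pcap` under `min-version: 8`, which reads as the fixed behaviour. If 2 is the correct post-fix count, a comment above the filter such as `# 2 alerts from real packets is the expected total; an extra one without pcap_cnt is the regression` — adjusted to what the capture actually holds — would make the intent readable, and the README's "State: Trying to establish what's the issue" should be replaced by the resolved description. The second filter (`count: 0` with `not-has-key: pcap_cnt`) is presumably the one that catches the extra alert, so it is the better place for that comment.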