diff --git a/tests/detect-absent-file-multi/README.md b/tests/detect-absent-file-multi/README.md
new file mode 100644
index 000000000..fd2738782
--- /dev/null
+++ b/tests/detect-absent-file-multi/README.md
@@ -0,0 +1,18 @@
+# Test Description
+
+Test `absent` keyword with files
+
+## PCAP
+
+Manually crafted with input
+```
+GET /noheaders HTTP/1.0
+
+HTTP/1.0 500 BAD
+Header1: value1
+
+```
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-file-multi/input.pcap b/tests/detect-absent-file-multi/input.pcap
new file mode 100644
index 000000000..7cb40ca98
Binary files /dev/null and b/tests/detect-absent-file-multi/input.pcap differ
diff --git a/tests/detect-absent-file-multi/test.rules b/tests/detect-absent-file-multi/test.rules
new file mode 100644
index 000000000..87ab2a630
--- /dev/null
+++ b/tests/detect-absent-file-multi/test.rules
@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;)
+alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;)
+alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;)
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;)
+
+alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;)
diff --git a/tests/detect-absent-file-multi/test.yaml b/tests/detect-absent-file-multi/test.yaml
new file mode 100644
index 000000000..9d374042f
--- /dev/null
+++ b/tests/detect-absent-file-multi/test.yaml
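Review bot: The msg on sid 11 reads "no file data or not abc", but that rule exercises `http.request_header; absent` together with an `http.uri` match, so the text is a leftover from sids 3 and 7 and will mislead anyone reading the resulting alert. `msg:"no request headers, uri noheaders";` states what the rule actually checks. The other messages in the file agree with their rules.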
@@ -0,0 +1,52 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
diff --git a/tests/detect-absent-http-request-body/README.md b/tests/detect-absent-http-request-body/README.md
new file mode 100644
index 000000000..d9cb67210
--- /dev/null
+++ b/tests/detect-absent-http-request-body/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Test `absent` keyword with `http.request_body`
+
+## PCAP
+
+Manually crafted with server
+`python3 -m http.server`
+and client
+`curl -X POST http://127.0.0.1:8000/toto`
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-http-request-body/input.pcap b/tests/detect-absent-http-request-body/input.pcap
new file mode 100644
index 000000000..9ff30de13
Binary files /dev/null and b/tests/detect-absent-http-request-body/input.pcap differ
diff --git a/tests/detect-absent-http-request-body/test.rules b/tests/detect-absent-http-request-body/test.rules
new file mode 100644
index 000000000..b368a6087
--- /dev/null
+++ b/tests/detect-absent-http-request-body/test.rules
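Review bot: Every check in this test.yaml pins one signature_id, but nothing bounds the total number of alerts, so an extra alert (for example a rule firing twice, or a sid that should stay at zero firing under a different transaction) passes as long as the listed per-sid counts hold. A closing check on `event_type: alert` alone, with the expected total, makes the file a closed assertion; from the counts listed here that total would be 7, assuming these rules produce no other alerts on the pcap. The same gap exists in the test.yaml files for detect-absent-http-request-body and detect-absent-negated-content.

```yaml
- filter:
    count: 7
    match:
      event_type: alert
```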
@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;)
+alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;)
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;)
diff --git a/tests/detect-absent-http-request-body/test.yaml b/tests/detect-absent-http-request-body/test.yaml
new file mode 100644
index 000000000..549bf9ce4
--- /dev/null
+++ b/tests/detect-absent-http-request-body/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
diff --git a/tests/detect-absent-negated-content/README.md b/tests/detect-absent-negated-content/README.md
new file mode 100644
index 000000000..a5b9b8e39
--- /dev/null
+++ b/tests/detect-absent-negated-content/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-negated-content/no_referer.pcap b/tests/detect-absent-negated-content/no_referer.pcap
new file mode 100644
index 000000000..0ef6c2e98
Binary files /dev/null and b/tests/detect-absent-negated-content/no_referer.pcap differ
diff --git a/tests/detect-absent-negated-content/test.rules b/tests/detect-absent-negated-content/test.rules
new file mode 100644
index 000000000..aec7ce329
--- /dev/null
+++ b/tests/detect-absent-negated-content/test.rules
@@ -0,0 +1,17 @@
+# This signature should alert with _any_ pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;)
+
+# Positive tests about alerts
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;)
diff --git a/tests/detect-absent-negated-content/test.yaml b/tests/detect-absent-negated-content/test.yaml
new file mode 100644
index 000000000..a2921b99b
--- /dev/null
+++ b/tests/detect-absent-negated-content/test.yaml
@@ -0,0 +1,62 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 20
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 23
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
diff --git a/tests/rules/absent/README.md b/tests/rules/absent/README.md
new file mode 100644
index 000000000..40150cdd5
--- /dev/null
+++ b/tests/rules/absent/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test `absent` keyword rule analysis
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/rules/absent/test.rules b/tests/rules/absent/test.rules
new file mode 100644
index 000000000..a095e1393
--- /dev/null
+++ b/tests/rules/absent/test.rules
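Review bot: The leading comment says sid 1 "should alert with _any_ pcap", but the rule requires `http.uri; bsize:1; content:"/"`, so it only fires for requests whose URI is exactly "/"; a reader reusing this file with another capture would expect a baseline alert that may never come. `# Baseline: sid 1 alerts on any request whose URI is exactly "/" (true for no_referer.pcap)` states the real precondition. Separately, the test.yaml for this directory lists the sid 10 check after sid 23, out of sid order with the rest of the file; moving it next to sid 9 keeps the checks aligned with the rules they verify.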
@@ -0,0 +1,3 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
diff --git a/tests/rules/absent/test.yaml b/tests/rules/absent/test.yaml
new file mode 100644
index 000000000..69e3bd443
--- /dev/null
+++ b/tests/rules/absent/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "content"
+ engines[2].matches[1].content.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "pcre"
+ engines[2].matches[1].pcre.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: false
+ engines[2].matches.__len: 1
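Review bot: `pcap: false` plus `--engine-analysis` makes this a rule-analysis-only test, and no capture is added under tests/rules/absent in this diff, yet the README added for the directory keeps a PCAP section reading "From the issue …", apparently copied from detect-absent-negated-content; its PCAP section should say no capture is used, e.g. `None, rule analysis only (pcap: false)`. The checks also address the buffer list positionally (`engines[2]`); the `engines[2].name: "http_referer"` assertion guards against reordering, but a one-line comment above `checks:` such as `# engines[2] is the http.referer buffer for sids 6-8` would spare readers a look at rules.json to see why index 2 is the interesting one.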