From a4c53c898dc5f036f3f9f2d2bd6e97079254fa4f Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Thu, 30 Nov 2023 14:46:04 +0100 Subject: [PATCH] Adds tests for negated content and absent keyword Ticket: 2224 --- tests/detect-absent-file-multi/README.md | 18 +++++ tests/detect-absent-file-multi/input.pcap | Bin 0 -> 1387 bytes tests/detect-absent-file-multi/test.rules | 10 +++ tests/detect-absent-file-multi/test.yaml | 52 +++++++++++++++ .../detect-absent-http-request-body/README.md | 14 ++++ .../input.pcap | Bin 0 -> 1806 bytes .../test.rules | 6 ++ .../detect-absent-http-request-body/test.yaml | 37 +++++++++++ tests/detect-absent-negated-content/README.md | 11 ++++ .../no_referer.pcap | Bin 0 -> 617 bytes .../detect-absent-negated-content/test.rules | 17 +++++ tests/detect-absent-negated-content/test.yaml | 62 ++++++++++++++++++ tests/rules/absent/README.md | 11 ++++ tests/rules/absent/test.rules | 3 + tests/rules/absent/test.yaml | 37 +++++++++++ 15 files changed, 278 insertions(+) create mode 100644 tests/detect-absent-file-multi/README.md create mode 100644 tests/detect-absent-file-multi/input.pcap create mode 100644 tests/detect-absent-file-multi/test.rules create mode 100644 tests/detect-absent-file-multi/test.yaml create mode 100644 tests/detect-absent-http-request-body/README.md create mode 100644 tests/detect-absent-http-request-body/input.pcap create mode 100644 tests/detect-absent-http-request-body/test.rules create mode 100644 tests/detect-absent-http-request-body/test.yaml create mode 100644 tests/detect-absent-negated-content/README.md create mode 100644 tests/detect-absent-negated-content/no_referer.pcap create mode 100644 tests/detect-absent-negated-content/test.rules create mode 100644 tests/detect-absent-negated-content/test.yaml create mode 100644 tests/rules/absent/README.md create mode 100644 tests/rules/absent/test.rules create mode 100644 tests/rules/absent/test.yaml 
diff --git a/tests/detect-absent-file-multi/README.md b/tests/detect-absent-file-multi/README.md
new file mode 100644
index 000000000..fd2738782
--- /dev/null
+++ b/tests/detect-absent-file-multi/README.md
@@ -0,0 +1,18 @@
+# Test Description
+
+Test `absent` keyword with files
+
+## PCAP
+
+Manually crafted with input
+```
+GET /noheaders HTTP/1.0
+
+HTTP/1.0 500 BAD
+Header1: value1
+
+```
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-file-multi/input.pcap b/tests/detect-absent-file-multi/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7cb40ca984f13698a48e2390526026a0aaaade94 GIT binary patch literal 1387 zcmbW0y-LGS6vuDU4P%0Jzc5rPrAHX*# z4i4gChAN8A;w!jxv198w*L&?%8%cV|fk49V{LVi&+2^ZEnFPt8zV2V_-R-w_h!o)g zHZK`&N`&Zm>0v_72$8TIGf@~XU#s|DOYZl3SwiIC(yJ5*ge7TAxsx_O@L3Q5$d255 zXD14d*;%jc0YBNA{L8i;;-|>x>}g;xz$|QD%p0tRdMANjZA`@8d$X_%^F=PY&iLRl z*DAV-Jno3R^T!Y=gBUh1=C|>$Ukv>8Z@(@wS4xJOIyl@hD_iE#vASv)By+ znBz4E!8`xUyAIiQk>>y}55m~In0L;_J5O^(@3|k|bt>2%O;B?a>;P{K%&>VeL3(Dz z11l`7HBbF-;tTiAI3uQ`mx&HC&h; zfsCe}RQ79TMxnw{AHpn=CLItR{0ck~6rS?I69Q any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;) +alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;) +alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;) +alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;) +alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;) +alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;) +alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;) + +alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;) +alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;) 
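Review bot: The `msg` of sid:11 in tests/detect-absent-file-multi/test.rules, `no file data or not abc`, is copied from sid:7 and does not describe the rule, which tests `http.request_header; absent;` combined with a URI match; suggested `msg:"no request headers and uri noheaders"`. Several other rules in this hunk reuse one message for two different tests (sid:1 and sid:6 `no file data`, sid:3 and sid:7 `no file data or not abc`), and tests/detect-absent-http-request-body/test.rules does the same (sid:1/sid:5, sid:3/sid:6); the yaml checks key on signature_id so the duplicates do not break the tests, but distinct messages make the eve output easier to read when a check fails. The file header and `@@` line of this rules hunk appear to have been lost from the extract behind the preceding binary pcap patch, so only the rule lines are visible here.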
diff --git a/tests/detect-absent-file-multi/test.yaml b/tests/detect-absent-file-multi/test.yaml
new file mode 100644
index 000000000..9d374042f
--- /dev/null
+++ b/tests/detect-absent-file-multi/test.yaml
@@ -0,0 +1,52 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
diff --git a/tests/detect-absent-http-request-body/README.md b/tests/detect-absent-http-request-body/README.md
new file mode 100644
index 000000000..d9cb67210
--- /dev/null
+++ b/tests/detect-absent-http-request-body/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Test `absent` keyword with `http.request_body`
+
+## PCAP
+
+Manually crafted with server
+`python3 -m http.server`
+and client
+`curl -X POST http://127.0.0.1:8000/toto`
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-http-request-body/input.pcap b/tests/detect-absent-http-request-body/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9ff30de138e7f0a040343abba4bbe23ac0a6d6f3 GIT binary patch literal 1806 zcmbVNO-ma=7~V}JDGLjYB6xG^p;~G7BOe;JYmBH=O2mLGBKDFdW0Jb=EW4AUv{1oA z3#C7xlpYHG0n&T*)MF35lwLfww6=x*fF4ZW*$-kgmBvY4*vvcgjMCWeb@u`aN&4h@Q|Md{Db}e^Vl!n7r!z55c?xw=is|og(Kh% zth(|(0Q|!4)uCS}V<0Br%WxUjqaN@AuFQ*r(|93AhWC9v&OHNStiloSdvYPaA>jA0 zlV53R*+4QSl%NH}D9Ng%ioybMsfN_lq@=)0)pClWh{B4Co#adnThOaC9aEl^vN;JF zGnERqVRBp^7X?vZ6bJ79zlCkd*#t=b8CrN+^7V~4cLG{jg(Hys=d9!oydl8*?Mnu{ zAMBU|oeIh-Dq6AJrfn04;wsw0v`(sMY?PTYdP5YJvGV{s8d`2_*(Ub(DbfTg?Z7%q zPD^S^N{hl=nPLsC;_6MX4Bcs3D5az_NL97;gqF#m+lz)M%o5AO71|&cm}e3fds7t5 zOd2~j?5B8}%5}PB-m28gj*ID3lWrt)?PW!5)o5Kq>Fi|a@+!E}TTru!!NW)lTs{t6 z21oXoGwjqb;JxBGuR2}kUvzgl5<7~+se#L_=N&HZ>DT6#W{tJdJmhMzm=|=W4Vh)D zHZ_8+k-UIl=yhDK`j6g6IDs+>^^bT41S`EZZBP^E=N*SQ$ic2nEEnstKkMVkZ9x4V zsqUP@uB+#E!j!ko1Gj^Ag;e1y~TKyC5^t*-buKhKcaD4f4x=23Yoz z$PXB*66_+2P!wbl(R#y0#Kw-dx(%w!z9`*GO5VF__b(NK=q7~VOScd>J>dCQExPH2 uAklGk*;U(Pp?cH any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;) +alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;) +alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;) +alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;) +alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;) +alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;) 
diff --git a/tests/detect-absent-http-request-body/test.yaml b/tests/detect-absent-http-request-body/test.yaml new file mode 100644 index 000000000..549bf9ce4 --- /dev/null +++ b/tests/detect-absent-http-request-body/test.yaml @@ -0,0 +1,37 @@ +requires: + min-version: 8 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 4 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 5 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 6 diff --git a/tests/detect-absent-negated-content/README.md b/tests/detect-absent-negated-content/README.md new file mode 100644 index 000000000..a5b9b8e39 --- /dev/null +++ b/tests/detect-absent-negated-content/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test rules with negated content on buffers that are absent + +## PCAP + +From the issue https://redmine.openinfosecfoundation.org/issues/2224 + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/2224 diff --git a/tests/detect-absent-negated-content/no_referer.pcap b/tests/detect-absent-negated-content/no_referer.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0ef6c2e989b92da480aadfd77977e9f59f0d1545 GIT binary patch literal 617 zcmca|c+)~A1{MYw`2U}Qff2}Y%?(NkXkcS71F}Ilv7&XK>vFU2g4+7Q91N}u3>qM1 z4r~tG2UdJZ;1Q@?efb z$RvgUpg9Z-DL~8}AOtj}0b+`38^V+uPhyNaRSPAj9_+k^Y6_ZLxPhjm1_%I6X@r8W`@iM0HDUM|Pvywz5UYeMm3N$TGx3m~8?wXgJpOTrEZl#c3m06&pkdm5~ zlUS0<%jKM(R|2#|H>9!vs0rE7tm6DUuzX%>GRPJy1@F|<0$sKB;->B^g!< zh6V;e#fixosk$H|i}G`<6!P+QlR+Z9T)bSMq`=dQ2>zhROC9PHTgq4Ro_&uR{AiJw P3Jm^#py03XV_*OPgu1Oz literal 0 HcmV?d00001 
diff --git a/tests/detect-absent-negated-content/test.rules b/tests/detect-absent-negated-content/test.rules
new file mode 100644
index 000000000..aec7ce329
--- /dev/null
+++ b/tests/detect-absent-negated-content/test.rules
@@ -0,0 +1,17 @@
+# This signature should alert with _any_ pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;)
+
+# Positive tests about alerts
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;)
diff --git a/tests/detect-absent-negated-content/test.yaml b/tests/detect-absent-negated-content/test.yaml
new file mode 100644
index 000000000..a2921b99b
--- /dev/null
+++ b/tests/detect-absent-negated-content/test.yaml
@@ -0,0 +1,62 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 20
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 23
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
diff --git a/tests/rules/absent/README.md b/tests/rules/absent/README.md
new file mode 100644
index 000000000..40150cdd5
--- /dev/null
+++ b/tests/rules/absent/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test `absent` keyword rule analysis
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/rules/absent/test.rules b/tests/rules/absent/test.rules
new file mode 100644
index 000000000..a095e1393
--- /dev/null
+++ b/tests/rules/absent/test.rules
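Review bot: The comment above sid:1 in tests/detect-absent-negated-content/test.rules, `# This signature should alert with _any_ pcap`, overstates what the rule accepts: with `http.uri; bsize:1; content:"/"` it only fires on a request whose URI is exactly `/`, so it is a sanity check for this capture rather than a rule that matches any pcap; suggested `# Sanity check: sid:1 should alert on this pcap (request URI is exactly "/")`. sid:5 sits under that same comment although test.yaml expects zero alerts for it, so a separate comment such as `# Negated content alone does not match when the buffer is absent (expect no alert)` above sid:5 would keep the grouping honest. With those two in place, `# Positive tests about alerts` reads more clearly as `# absent keyword: every rule below should alert on this pcap`.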
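Review bot: In tests/detect-absent-negated-content/test.yaml the check for `alert.signature_id: 10` is appended after the sid 23 check while the rest of the list follows rule order; moving that five-line block up to sit after the sid 9 check keeps the yaml aligned with test.rules, where sid:10 is defined in the `absent` group before sid:20. This is ordering only and does not change what the test verifies.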
@@ -0,0 +1,3 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
diff --git a/tests/rules/absent/test.yaml b/tests/rules/absent/test.yaml
new file mode 100644
index 000000000..69e3bd443
--- /dev/null
+++ b/tests/rules/absent/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "content"
+ engines[2].matches[1].content.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "pcre"
+ engines[2].matches[1].pcre.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: false
+ engines[2].matches.__len: 1
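Review bot: The rules.json checks for id 6 and id 7 in tests/rules/absent/test.yaml assert the two expected entries of `engines[2].matches` but not the list length, unlike the id 8 check which pins `engines[2].matches.__len: 1`; adding `engines[2].matches.__len: 2` to both would catch an unexpected extra match entry being emitted for the `or_else` form. The fixed `engines[2]` index presumably relies on the http_uri and flow engines being listed before http_referer in the analysis output; since `engines[2].name` is asserted, a change in that ordering would fail loudly rather than pass silently, but a one-line comment in the yaml saying why index 2 is expected to be the http_referer engine would help the next reader.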