-
Notifications
You must be signed in to change notification settings - Fork 90
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adds tests for negated content and absent keyword
Ticket: 2224
- Loading branch information
1 parent
cad15fb
commit 2f97c25
Showing
15 changed files
with
278 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
# Test Description | ||
|
||
Test `absent` keyword with files | ||
|
||
## PCAP | ||
|
||
Manually crafted with input | ||
``` | ||
GET /noheaders HTTP/1.0 | ||
HTTP/1.0 500 BAD | ||
Header1: value1 | ||
``` | ||
|
||
## Related issues | ||
|
||
https://redmine.openinfosecfoundation.org/issues/2224 |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;) | ||
alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;) | ||
alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;) | ||
alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;) | ||
alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;) | ||
alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;) | ||
alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;) | ||
|
||
alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;) | ||
alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- -k none | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 3 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 5 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 6 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 7 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 10 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 11 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# Test Description | ||
|
||
Test `absent` keyword with `http.request_body` | ||
|
||
## PCAP | ||
|
||
Manually crafted with server | ||
`python3 -m http.server` | ||
and client | ||
`curl -X POST http://127.0.0.1:8000/toto` | ||
|
||
## Related issues | ||
|
||
https://redmine.openinfosecfoundation.org/issues/2224 |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;) | ||
alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;) | ||
alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;) | ||
alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;) | ||
alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;) | ||
alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- -k none | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 3 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 5 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 6 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# Test Description | ||
|
||
Test rules with negated content on buffers that are absent | ||
|
||
## PCAP | ||
|
||
From the issue https://redmine.openinfosecfoundation.org/issues/2224 | ||
|
||
## Related issues | ||
|
||
https://redmine.openinfosecfoundation.org/issues/2224 |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# This signature should alert with _any_ pcap | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;) | ||
|
||
# Positive tests about alerts | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;) | ||
|
||
# reference test with positive and negated content | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;) | ||
|
||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- -k none | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 5 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 6 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 7 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 8 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 9 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 20 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 21 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 22 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 23 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 10 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
# Test Description | ||
|
||
Test `absent` keyword rule analysis | ||
|
||
## PCAP | ||
|
||
From the issue https://redmine.openinfosecfoundation.org/issues/2224 | ||
|
||
## Related issues | ||
|
||
https://redmine.openinfosecfoundation.org/issues/2224 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;) | ||
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
requires: | ||
min-version: 8 | ||
pcap: false | ||
|
||
args: | ||
- --engine-analysis | ||
|
||
checks: | ||
- filter: | ||
filename: rules.json | ||
count: 1 | ||
match: | ||
id: 6 | ||
engines[2].name: "http_referer" | ||
engines[2].matches[0].name: "absent" | ||
engines[2].matches[0].absent.or_else: true | ||
engines[2].matches[1].name: "content" | ||
engines[2].matches[1].content.negated: true | ||
- filter: | ||
filename: rules.json | ||
count: 1 | ||
match: | ||
id: 7 | ||
engines[2].name: "http_referer" | ||
engines[2].matches[0].name: "absent" | ||
engines[2].matches[0].absent.or_else: true | ||
engines[2].matches[1].name: "pcre" | ||
engines[2].matches[1].pcre.negated: true | ||
- filter: | ||
filename: rules.json | ||
count: 1 | ||
match: | ||
id: 8 | ||
engines[2].name: "http_referer" | ||
engines[2].matches[0].name: "absent" | ||
engines[2].matches[0].absent.or_else: false | ||
engines[2].matches.__len: 1 |