Adds tests for negated content and absent keyword
Ticket: 2224
catenacyber authored and victorjulien committed Nov 28, 2024
1 parent cad15fb commit 2f97c25
Showing 15 changed files with 278 additions and 0 deletions.
18 changes: 18 additions & 0 deletions tests/detect-absent-file-multi/README.md
@@ -0,0 +1,18 @@
# Test Description

Test `absent` keyword with files

## PCAP

Manually crafted with input
```
GET /noheaders HTTP/1.0
HTTP/1.0 500 BAD
Header1: value1
```

## Related issues

https://redmine.openinfosecfoundation.org/issues/2224
Binary file added tests/detect-absent-file-multi/input.pcap
Binary file not shown.
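--- a/tests/detect-absent-file-multi/test.rules
+++ b/tests/detect-absent-file-multi/test.rules
@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;)
+alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;)
+alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;)
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;)
+
+alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;)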
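Review bot: The msg of sid 11 on the last line, `no file data or not abc`, was carried over from the sid 3/7 rules and does not describe this rule, which tests `http.request_header; absent` combined with `http.uri; content: "noheaders"`; a misleading msg ends up in the eve alert records these tests key on. Suggest `msg:"no request headers";`. Option spacing also varies within the commit: this file and tests/detect-absent-http-request-body/test.rules write `content: !"abc"`, while tests/detect-absent-negated-content/test.rules and tests/rules/absent/test.rules write `content:!"example"` and, for sid 7, `absent: or_else ;` with a stray space before the semicolon. Picking one form keeps the rules consistent and greppable.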
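--- a/tests/detect-absent-file-multi/test.yaml
+++ b/tests/detect-absent-file-multi/test.yaml
@@ -0,0 +1,52 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11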
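--- a/tests/detect-absent-http-request-body/README.md
+++ b/tests/detect-absent-http-request-body/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Test `absent` keyword with `http.request_body`
+
+## PCAP
+
+Manually crafted with server
+`python3 -m http.server`
+and client
+`curl -X POST http://127.0.0.1:8000/toto`
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224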
Binary file added tests/detect-absent-http-request-body/input.pcap
Binary file not shown.
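--- a/tests/detect-absent-http-request-body/test.rules
+++ b/tests/detect-absent-http-request-body/test.rules
@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;)
+alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;)
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;)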
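--- a/tests/detect-absent-http-request-body/test.yaml
+++ b/tests/detect-absent-http-request-body/test.yaml
@@ -0,0 +1,37 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6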
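--- a/tests/detect-absent-negated-content/README.md
+++ b/tests/detect-absent-negated-content/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224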
Binary file added tests/detect-absent-negated-content/no_referer.pcap
Binary file not shown.
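--- a/tests/detect-absent-negated-content/test.rules
+++ b/tests/detect-absent-negated-content/test.rules
@@ -0,0 +1,17 @@
+# This signature should alert with _any_ pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;)
+
+# Positive tests about alerts
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;)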
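Review bot: The comment on the first line, `# This signature should alert with _any_ pcap`, overstates what sid 1 does: the rule requires `http.uri; bsize:1; content:"/"`, so it only fires for a request whose URI is exactly `/`, and it serves as a positive control for no_referer.pcap rather than a universal match. Suggest `# Control signature: must alert on no_referer.pcap (request URI is exactly "/")`. The sid 5 rule under the same comment is a negative control (its msg says so, and test.yaml expects count 0), so it would be clearer under its own comment line such as `# Negative control: negated content alone must not match an absent buffer`.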
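--- a/tests/detect-absent-negated-content/test.yaml
+++ b/tests/detect-absent-negated-content/test.yaml
@@ -0,0 +1,62 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 9
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 20
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 21
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 22
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 23
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10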
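Review bot: The check for sid 10 is appended at the end of the list, after sid 23, while every other check is in ascending sid order; this makes the file harder to scan against test.rules, where sid 10 sits with the other http.referer rules. Suggest moving the last `alert.signature_id: 10` filter block to directly after the sid 9 check. The expectations themselves line up with the rules: the negative controls sid 5 and sid 22 are pinned to `count: 0`, so a regression that made `absent`-less negated content or a bare `absent` fire on a present buffer would be caught.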
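--- a/tests/rules/absent/README.md
+++ b/tests/rules/absent/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test `absent` keyword rule analysis
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224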
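--- a/tests/rules/absent/test.rules
+++ b/tests/rules/absent/test.rules
@@ -0,0 +1,3 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)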
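--- a/tests/rules/absent/test.yaml
+++ b/tests/rules/absent/test.yaml
@@ -0,0 +1,37 @@
+requires:
+  min-version: 8
+  pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 6
+        engines[2].name: "http_referer"
+        engines[2].matches[0].name: "absent"
+        engines[2].matches[0].absent.or_else: true
+        engines[2].matches[1].name: "content"
+        engines[2].matches[1].content.negated: true
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 7
+        engines[2].name: "http_referer"
+        engines[2].matches[0].name: "absent"
+        engines[2].matches[0].absent.or_else: true
+        engines[2].matches[1].name: "pcre"
+        engines[2].matches[1].pcre.negated: true
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 8
+        engines[2].name: "http_referer"
+        engines[2].matches[0].name: "absent"
+        engines[2].matches[0].absent.or_else: false
+        engines[2].matches.__len: 1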
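Review bot: The sid 6 and sid 7 checks do not constrain how many matches the http_referer engine carries, unlike the sid 8 check which pins `engines[2].matches.__len: 1`; an extra match attached to that engine by a future parser change would pass these two checks unnoticed. Suggest adding `engines[2].matches.__len: 2` to the sid 6 and sid 7 match blocks. The `engines[2]` index in all three checks also bakes in the order the analyzer emits engines for these rules (presumably the http.uri engine precedes http.referer — not visible here), and an ordering change would fail with an unhelpful key mismatch; a one-line comment above `checks:` stating that assumption, such as `# engines[2] is the http.referer engine for these rules (uri engine comes first)`, would help the next maintainer.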
