diff --git a/tests/tls-extra-alert-engine-analysis/README.md b/tests/tls-extra-alert-engine-analysis/README.md
new file mode 100644
index 000000000..8ecc1cb62
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/README.md
@@ -0,0 +1,7 @@
+# Test Description
+
+engine analysis complementary test for tls-extra-alert.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert-engine-analysis/test.rules b/tests/tls-extra-alert-engine-analysis/test.rules
new file mode 100644
index 000000000..88c750a9a
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-engine-analysis/test.yaml b/tests/tls-extra-alert-engine-analysis/test.yaml
new file mode 100644
index 000000000..f440d0bce
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/test.yaml
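Review bot: The content match `|15 03 01 00 02 02|` in sids 09901031 and 09901032 pins the record-layer version bytes to 03 01, while the msg says "TLS 1.2 Fatal Alert"; a fatal alert carried in a record whose version bytes are 03 03 (what TLS 1.2 and 1.3 peers usually put in the record header once past the first flight — confirm against the traffic you want covered) would not match, and tls_error would then never be set. If the intent is any fatal alert regardless of record version, the match could be split as `content:"|15 03|"; startswith; content:"|00 02 02|"; distance:1; within:3;`, leaving the minor-version byte free; otherwise the msg should say that only 0x0301 records are covered. Both rules also carry no `flow:` keyword, so they are inspected in both directions on the port alone, which the expected engine-analysis output in this change reflects by listing both toserver and toclient for each sid. Note too that tls_tracker is only set by 09901001 on the SYN, so a flow picked up mid-stream never reaches these rules; if that is deliberate a comment saying so would help.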
@@ -0,0 +1,229 @@
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - --engine-analysis
+
+pcap: false
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - noalert
+ - need_packet
+ - toserver
+ id: 9901001
+ lists:
+ packet:
+ matches:
+ - name: tcp.flags
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_tracker
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - tcp_flags_init_deinit
+ - real_pkt
+ type: pkt
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - need_packet
+ - need_stream
+ - need_flowvar
+ - toserver
+ - toclient
+ - prefilter
+ id: 9901031
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_tracker
+ name: flowbits
+ payload:
+ matches:
+ - content:
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ name: content
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_error
+ name: flowbits
+ mpm:
+ buffer: payload
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ pkt_engines:
+ - is_mpm: true
+ name: payload
+ - is_mpm: false
+ name: packet
+ requirements:
+ - payload
+ - flow
+ type: pkt_stream
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - dp_any
+ - need_packet
+ - need_stream
+ - need_flowvar
+ - toserver
+ - toclient
+ - prefilter
+ id: 9901032
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_tracker
+ name: flowbits
+ payload:
+ matches:
+ - content:
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ 
no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ name: content
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_error
+ name: flowbits
+ mpm:
+ buffer: payload
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ pkt_engines:
+ - is_mpm: true
+ name: payload
+ - is_mpm: false
+ name: packet
+ requirements:
+ - payload
+ - flow
+ type: pkt_stream
+
+# Following is the signature of interest
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - need_flowvar
+ - toserver
+ id: 9901033
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_error
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - flow
+ type: pkt
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - dp_any
+ - need_flowvar
+ - toclient
+ id: 9901034
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_error
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - flow
+ type: pkt
diff --git a/tests/tls-extra-alert/README.md b/tests/tls-extra-alert/README.md
new file mode 100644
index 000000000..d913ee642
--- /dev/null
+++ b/tests/tls-extra-alert/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows that Suricata generates an additional alert for TLS
+for the given PCAP which shouldn't be there.
+
+## PCAP
+
+Internal.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert/input.pcap b/tests/tls-extra-alert/input.pcap
new file mode 100644
index 000000000..01c918c36
Binary files /dev/null and b/tests/tls-extra-alert/input.pcap differ
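Review bot: The expected engine-analysis output for 9901033, the entry the comment marks as the signature of interest, is `type: pkt` with `flow` as its only requirement, whereas 9901001 additionally requires `real_pkt`; the comment says only that the signature is of interest, not what property of it the test is meant to pin. If the hypothesis behind this test is that a flowbits-only packet rule with no real-packet requirement can also be evaluated for packets not read from the wire (the companion test's `not-has-key: pcap_cnt` check points that way, but I cannot confirm it from here), stating that at the comment would make the expectation reviewable, e.g. `# 9901033: pure pkt rule, requirements lack real_pkt — suspected source of the extra alert`. The same note would explain to a later reader why 9901034, which has the identical shape, is listed without comment.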
diff --git a/tests/tls-extra-alert/test.rules b/tests/tls-extra-alert/test.rules
new file mode 100644
index 000000000..88c750a9a
--- /dev/null
+++ b/tests/tls-extra-alert/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert/test.yaml b/tests/tls-extra-alert/test.yaml
new file mode 100644
index 000000000..19e010621
--- /dev/null
+++ b/tests/tls-extra-alert/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9901033
+ pkt_src: wire/pcap
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ not-has-key: pcap_cnt
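Review bot: The two checks pin the 9901033 count on wire packets and the absence of alerts lacking `pcap_cnt`, but nothing asserts that the flowbit chain feeding 9901033 actually fired, so a regression in 09901031/09901032 that stops tls_error from being set would fail the first check for an unrelated reason with no indication of which link broke. Adding checks such as `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 9901031}}` and the same for 9901034 would isolate the failure; the exact counts depend on the capture, which the README marks as internal, so I cannot state them here. The second check also does not name the sid of the unexpected alert, so if the extra alert is known to be 9901033 a `alert.signature_id: 9901033` line under its `match` would make the failure message self-explanatory. A short comment on `- -k none` saying why checksum verification has to be disabled for this capture (offloaded or invalid checksums, presumably) would document the flag.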