From 4a9d6ad707b069d5445660a0a5a2df87f8fb89c1 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Mon, 7 Oct 2024 13:54:16 +0530
Subject: [PATCH] add test for extra tls alert
---
 .../tls-extra-alert-engine-analysis/README.md | 7 +
 .../test.rules | 5 +
 .../tls-extra-alert-engine-analysis/test.yaml | 229 ++++++++++++++++++
 tests/tls-extra-alert/README.md | 12 +
 tests/tls-extra-alert/input.pcap | Bin 0 -> 1525 bytes
 tests/tls-extra-alert/test.rules | 5 +
 tests/tls-extra-alert/test.yaml | 19 ++
 7 files changed, 277 insertions(+)
 create mode 100644 tests/tls-extra-alert-engine-analysis/README.md
 create mode 100644 tests/tls-extra-alert-engine-analysis/test.rules
 create mode 100644 tests/tls-extra-alert-engine-analysis/test.yaml
 create mode 100644 tests/tls-extra-alert/README.md
 create mode 100644 tests/tls-extra-alert/input.pcap
 create mode 100644 tests/tls-extra-alert/test.rules
 create mode 100644 tests/tls-extra-alert/test.yaml
diff --git a/tests/tls-extra-alert-engine-analysis/README.md b/tests/tls-extra-alert-engine-analysis/README.md
new file mode 100644
index 000000000..8ecc1cb62
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/README.md
@@ -0,0 +1,7 @@
+# Test Description
+
+engine analysis complementary test for tls-extra-alert.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
diff --git a/tests/tls-extra-alert-engine-analysis/test.rules b/tests/tls-extra-alert-engine-analysis/test.rules
new file mode 100644
index 000000000..88c750a9a
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert-engine-analysis/test.yaml b/tests/tls-extra-alert-engine-analysis/test.yaml
new file mode 100644
index 000000000..f440d0bce
--- /dev/null
+++ b/tests/tls-extra-alert-engine-analysis/test.yaml
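Review bot: The msg on sids 9901031 and 9901032 reads "TLS 1.2 Fatal Alert", but the content `|15 03 01 00 02 02|` pins the record-layer version to 0x0301 (TLS 1.0), so a fatal alert record carrying 0x0303 — which, as far as I know, is what a TLS 1.2 stack sends once the version is negotiated — is not matched, while a pre-negotiation alert with version 3.1 is. Either make the message say what is actually matched, or let the version float with `content:"|15 03|"; startswith; content:"|00 02 02|"; distance:1; within:3;`; note that the latter changes the pattern, depth and length that tests/tls-extra-alert-engine-analysis/test.yaml pins for these two sids, so if 0x0301 is deliberately what input.pcap contains, say so with a comment line such as `# record version 03 01 on purpose: matches the alert in input.pcap`. The leading zeros in `sid:09901001` and friends are harmless (the engine reports id 9901001) but read like octal literals; I would drop them.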
@@ -0,0 +1,229 @@
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - --engine-analysis
+
+pcap: false
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - noalert
+ - need_packet
+ - toserver
+ id: 9901001
+ lists:
+ packet:
+ matches:
+ - name: tcp.flags
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_tracker
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - tcp_flags_init_deinit
+ - real_pkt
+ type: pkt
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - need_packet
+ - need_stream
+ - need_flowvar
+ - toserver
+ - toclient
+ - prefilter
+ id: 9901031
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_tracker
+ name: flowbits
+ payload:
+ matches:
+ - content:
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ name: content
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_error
+ name: flowbits
+ mpm:
+ buffer: payload
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ pkt_engines:
+ - is_mpm: true
+ name: payload
+ - is_mpm: false
+ name: packet
+ requirements:
+ - payload
+ - flow
+ type: pkt_stream
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - dp_any
+ - need_packet
+ - need_stream
+ - need_flowvar
+ - toserver
+ - toclient
+ - prefilter
+ id: 9901032
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_tracker
+ name: flowbits
+ payload:
+ matches:
+ - content:
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ name: content
+ postmatch:
+ matches:
+ - flowbits:
+ cmd: set
+ names:
+ - tls_error
+ name: flowbits
+ mpm:
+ buffer: payload
+ depth: 6
+ ends_with: false
+ fast_pattern: false
+ is_mpm: true
+ length: 6
+ negated: false
+ no_double_inspect: false
+ nocase: false
+ pattern: '|15 03 01 00 02 02|'
+ relative_next: false
+ starts_with: true
+ pkt_engines:
+ - is_mpm: true
+ name: payload
+ - is_mpm: false
+ name: packet
+ requirements:
+ - payload
+ - flow
+ type: pkt_stream
+
+# Following is the signature of interest
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - sp_any
+ - need_flowvar
+ - toserver
+ id: 9901033
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_error
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - flow
+ type: pkt
+
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ flags:
+ - src_any
+ - dst_any
+ - dp_any
+ - need_flowvar
+ - toclient
+ id: 9901034
+ lists:
+ packet:
+ matches:
+ - flowbits:
+ cmd: isset
+ names:
+ - tls_error
+ name: flowbits
+ pkt_engines:
+ - is_mpm: false
+ name: packet
+ requirements:
+ - flow
+ type: pkt
diff --git a/tests/tls-extra-alert/README.md b/tests/tls-extra-alert/README.md
new file mode 100644
index 000000000..d913ee642
--- /dev/null
+++ b/tests/tls-extra-alert/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test shows that Suricata generates an additional alert for TLS
+for the given PCAP which shouldn't be there.
+
+## PCAP
+
+Internal.
+
+## Related issues
+
+None so far. State: Trying to establish what's the issue.
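Review bot: The comment `# Following is the signature of interest` ahead of the 9901033 check does not say why it is of interest or what the pinned classification is guarding, and the README for this directory only says "engine analysis complementary test". I would expand it to something like `# sid 9901033 is the rule behind the extra alert investigated in tests/tls-extra-alert; its classification (type pkt, need_flowvar, toserver only) is pinned so a change in how the engine treats it becomes visible.` The 9901031/9901032 checks also silently encode that those two rules carry no `flow:` keyword (both `toserver` and `toclient` set, `need_stream`, `type: pkt_stream`), so adding a direction to the rules later will break this file; a one-line note that test.rules here is a byte-for-byte copy of tests/tls-extra-alert/test.rules (same blob 88c750a9a) and must be edited together with it would save the next person that surprise.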
diff --git a/tests/tls-extra-alert/input.pcap b/tests/tls-extra-alert/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..01c918c36e4a6cf4ce2797eba0c7c5eae1540432
GIT binary patch
literal 1525
zcmbu9T}YE*6vxl=zVGI<`N4F$&6c*DbDHM-Ov)KjO613#lsG9`Hia$}KQ2o{B9I_K
zB*gjAMZ?0Pv^#H}2yfDgEGt49bP=H!`GJs;+IikF=QfeR2M)aN3+H$K|8vgsetb3Y
zKmZ8>M*@N`j$*H?AuAdx@R^5TtuMOOB9wbGDz8!~2e3OEN}*HPHqOS>3*y*?&c0eQ
z)jUvjkCR4)^$5#X%#zGR5~#Xt@L?kVPDC-H9?1>|36N!`kMAP`l){?Qso_*kCsTd3
zGy3ICr1y@-ZEtICaj;Ftu6vl*b*LL#4V?b6I*}oNi>k9H1`g1lM{6!foUYY6vZE_A73CmjD0h1&uM5Rb0D5WZ@rjb;l3aXTdf+(@sBH_J>pO*sN4xMAc^e@0U
zE~JOdajSWtx~@wD-FCCDH&q*Nr*MXwoS5=Sg7YYWhi}_i+v*;;CpRy@pzuTy&&%(N3RDdBP;T>-u?c4J${!x8Ur4GAE@F#t^%d9
literal 0
HcmV?d00001
diff --git a/tests/tls-extra-alert/test.rules b/tests/tls-extra-alert/test.rules
new file mode 100644
index 000000000..88c750a9a
--- /dev/null
+++ b/tests/tls-extra-alert/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 443 (flow: to_server; flags: S,CE; flowbits:set, tls_tracker; flowbits: noalert; sid:09901001; )
+alert tcp any any -> any 443 (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901031; rev:1; msg:"TLS 1.2 Fatal Alert (outgoing packet)"; )
+alert tcp any 443 -> any any (flowbits:isset, tls_tracker; content: "|15 03 01 00 02 02|"; startswith; flowbits:set, tls_error; sid:09901032; rev:1; msg:"TLS 1.2 Fatal Alert (incoming packet)"; )
+alert tcp any any -> any 443 (flow: to_server; flowbits:isset, tls_error; sid:09901033; rev:1; msg:"Allow TLS error handling (outgoing packet)"; )
+alert tcp any 443 -> any any (flow: to_client; flowbits:isset, tls_error; sid:09901034; rev:1; msg:"Allow TLS error handling (incoming packet)"; )
diff --git a/tests/tls-extra-alert/test.yaml b/tests/tls-extra-alert/test.yaml
new file mode 100644
index 000000000..19e010621
--- /dev/null
+++ b/tests/tls-extra-alert/test.yaml
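Review bot: Sids 9901031 and 9901032 carry no `flow:` keyword while every other rule in the file does (9901001 and 9901033 use `flow: to_server`, 9901034 `flow: to_client`), so their direction comes from the port alone and the engine-analysis expectations in the sibling test accordingly flag them both `toserver` and `toclient`. Unless inspecting both directions is intended, add `flow: to_server, established;` to 9901031 and `flow: to_client, established;` to 9901032 for consistency with the rest of the file (and then update the pinned rules.json output in tests/tls-extra-alert-engine-analysis/test.yaml). Sids 9901033 and 9901034 have no content and no `established` constraint, so once `tls_error` is set they will, as far as I can tell, alert on every further packet of the flow in their direction, bare ACKs included; if that is the intended "allow" behaviour it deserves a comment such as `# 9901033/34: alert on every later packet of the flow once a fatal alert was seen`, because the `count: 2` expected in test.yaml depends on exactly how many such packets the capture holds.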
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 9901033
+ pkt_src: wire/pcap
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ not-has-key: pcap_cnt
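Review bot: The first check pins `count: 2` for sid 9901033 while the README in this directory says the capture produces an additional alert that "shouldn't be there", and nothing states whether 2 is the correct count or the currently observed one, so a reader cannot tell whether this test is meant to pass today or to fail until the bug is found. Add a comment above each filter that states the intent, e.g. `# 9901033 must fire on exactly two real packets (pkt_src wire/pcap)` and `# every alert must carry pcap_cnt: none may come from a pseudo packet`, and say in the README which of the two alerts is the unwanted one. `-k none` turns checksum verification off; a short reason (`# input.pcap carries bad checksums`, if that is it) would explain why it is needed here rather than leaving it looking like a leftover. Since the README also marks the pcap as "Internal", the test should at least describe how the capture was produced so the scenario can be reproduced without it.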