From ad11bc10856cccd978e4c00419a6b7e1417c1b9c Mon Sep 17 00:00:00 2001
From: Cole Dishington
Date: Mon, 31 Jul 2023 14:47:01 +1200
Subject: [PATCH] iprep: test reputation & category file newline handling
The commit e7c0f0ad9 src: remove multiple uses of atoi caused a regression in parsing of ip-rep reputation config files. Previously, due to the use of atoi() in parsing ip-rep values, when the line was split by SRepSplitLine the \r at following the reputation score was ignored.
Bug: #6243
---
 tests/reputation-config/README.md | 0
 tests/reputation-config/iprep-categories.txt | 2 ++
 .../reputation-config-cr-lf/iprep-data.txt | 3 +++
 .../reputation-config-cr-lf/test.yaml | 24 +++++++++++++++++++
 .../reputation-config-cr/iprep-data.txt | 1 +
 .../reputation-config-cr/test.yaml | 24 +++++++++++++++++++
 .../reputation-config-lf/iprep-data.txt | 3 +++
 .../reputation-config-lf/test.yaml | 24 +++++++++++++++++++
 tests/reputation-config/test.py | 20 ++++++++++++++++
 tests/reputation-config/test.rules | 2 ++
 tests/reputation-config/threshold.config | 0
 11 files changed, 103 insertions(+)
 create mode 100644 tests/reputation-config/README.md
 create mode 100644 tests/reputation-config/iprep-categories.txt
 create mode 100644 tests/reputation-config/reputation-config-cr-lf/iprep-data.txt
 create mode 100644 tests/reputation-config/reputation-config-cr-lf/test.yaml
 create mode 100644 tests/reputation-config/reputation-config-cr/iprep-data.txt
 create mode 100644 tests/reputation-config/reputation-config-cr/test.yaml
 create mode 100644 tests/reputation-config/reputation-config-lf/iprep-data.txt
 create mode 100644 tests/reputation-config/reputation-config-lf/test.yaml
 create mode 100644 tests/reputation-config/test.py
 create mode 100644 tests/reputation-config/test.rules
 create mode 100644 tests/reputation-config/threshold.config
diff --git a/tests/reputation-config/README.md b/tests/reputation-config/README.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/reputation-config/iprep-categories.txt b/tests/reputation-config/iprep-categories.txt
new file mode 100644
index 000000000..0597ff453
--- /dev/null
+++ b/tests/reputation-config/iprep-categories.txt
@@ -0,0 +1,2 @@
+1,BadHosts,Known bad hosts
+2,Google,Known google host
diff --git a/tests/reputation-config/reputation-config-cr-lf/iprep-data.txt b/tests/reputation-config/reputation-config-cr-lf/iprep-data.txt
new file mode 100644
index 000000000..a9e6fb3bf
--- /dev/null
+++ b/tests/reputation-config/reputation-config-cr-lf/iprep-data.txt
@@ -0,0 +1,3 @@
+1.2.3.4,1,101
+1.2.3.5,1,101
+1.1.1.0/24,6,88
diff --git a/tests/reputation-config/reputation-config-cr-lf/test.yaml b/tests/reputation-config/reputation-config-cr-lf/test.yaml
new file mode 100644
index 000000000..d38fadeb3
--- /dev/null
+++ b/tests/reputation-config/reputation-config-cr-lf/test.yaml
@@ -0,0 +1,24 @@
+command: |
+ ${SRCDIR}/src/suricata -c "${SRCDIR}/suricata.yaml" -l "${OUTPUT_DIR}" \
+ --set "threshold-file=${TEST_DIR}/../threshold.config" \
+ --set "classification-file="${SRCDIR}`[ -f ${SRCDIR}/etc/classification.config ] && printf '/etc'`/classification.config \
+ --set "reference-config-file="${SRCDIR}`[ -f ${SRCDIR}/etc/reference.config ] && printf '/etc'`/reference.config \
+ -S "${TEST_DIR}/../test.rules" \
+ --set "reputation-categories-file=${TEST_DIR}/../iprep-categories.txt" \
+ --set "default-reputation-path=$TEST_DIR" \
+ --set "reputation-files.0=${TEST_DIR}/iprep-data.txt" \
+ --engine-analysis
+
+checks:
+ - shell:
+ args: grep 'Loading reputation file' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep '1 rule files processed. 2 rules successfully loaded, 0 rules failed' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep '2 signatures processed' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep 'Error[:]' suricata.log | wc -l | xargs
+ expect: 0
diff --git a/tests/reputation-config/reputation-config-cr/iprep-data.txt b/tests/reputation-config/reputation-config-cr/iprep-data.txt
new file mode 100644
index 000000000..d133ba667
--- /dev/null
+++ b/tests/reputation-config/reputation-config-cr/iprep-data.txt
@@ -0,0 +1 @@
+1.2.3.4,1,101 1.2.3.5,1,101 1.1.1.0/24,6,88
\ No newline at end of file
diff --git a/tests/reputation-config/reputation-config-cr/test.yaml b/tests/reputation-config/reputation-config-cr/test.yaml
new file mode 100644
index 000000000..d38fadeb3
--- /dev/null
+++ b/tests/reputation-config/reputation-config-cr/test.yaml
@@ -0,0 +1,24 @@
+command: |
+ ${SRCDIR}/src/suricata -c "${SRCDIR}/suricata.yaml" -l "${OUTPUT_DIR}" \
+ --set "threshold-file=${TEST_DIR}/../threshold.config" \
+ --set "classification-file="${SRCDIR}`[ -f ${SRCDIR}/etc/classification.config ] && printf '/etc'`/classification.config \
+ --set "reference-config-file="${SRCDIR}`[ -f ${SRCDIR}/etc/reference.config ] && printf '/etc'`/reference.config \
+ -S "${TEST_DIR}/../test.rules" \
+ --set "reputation-categories-file=${TEST_DIR}/../iprep-categories.txt" \
+ --set "default-reputation-path=$TEST_DIR" \
+ --set "reputation-files.0=${TEST_DIR}/iprep-data.txt" \
+ --engine-analysis
+
+checks:
+ - shell:
+ args: grep 'Loading reputation file' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep '1 rule files processed. 2 rules successfully loaded, 0 rules failed' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep '2 signatures processed' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep 'Error[:]' suricata.log | wc -l | xargs
+ expect: 0
diff --git a/tests/reputation-config/reputation-config-lf/iprep-data.txt b/tests/reputation-config/reputation-config-lf/iprep-data.txt
new file mode 100644
index 000000000..352a68927
--- /dev/null
+++ b/tests/reputation-config/reputation-config-lf/iprep-data.txt
@@ -0,0 +1,3 @@
+1.2.3.4,1,101
+1.2.3.5,1,101
+1.1.1.0/24,6,88
diff --git a/tests/reputation-config/reputation-config-lf/test.yaml b/tests/reputation-config/reputation-config-lf/test.yaml
new file mode 100644
index 000000000..d38fadeb3
--- /dev/null
+++ b/tests/reputation-config/reputation-config-lf/test.yaml
@@ -0,0 +1,24 @@
+command: |
+ ${SRCDIR}/src/suricata -c "${SRCDIR}/suricata.yaml" -l "${OUTPUT_DIR}" \
+ --set "threshold-file=${TEST_DIR}/../threshold.config" \
+ --set "classification-file="${SRCDIR}`[ -f ${SRCDIR}/etc/classification.config ] && printf '/etc'`/classification.config \
+ --set "reference-config-file="${SRCDIR}`[ -f ${SRCDIR}/etc/reference.config ] && printf '/etc'`/reference.config \
+ -S "${TEST_DIR}/../test.rules" \
+ --set "reputation-categories-file=${TEST_DIR}/../iprep-categories.txt" \
+ --set "default-reputation-path=$TEST_DIR" \
+ --set "reputation-files.0=${TEST_DIR}/iprep-data.txt" \
+ --engine-analysis
+
+checks:
+ - shell:
+ args: grep 'Loading reputation file' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep '1 rule files processed. 2 rules successfully loaded, 0 rules failed' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep '2 signatures processed' suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep 'Error[:]' suricata.log | wc -l | xargs
+ expect: 0
diff --git a/tests/reputation-config/test.py b/tests/reputation-config/test.py
new file mode 100644
index 000000000..db399ffae
--- /dev/null
+++ b/tests/reputation-config/test.py
@@ -0,0 +1,20 @@
+from pathlib import Path
+
+# Create config files with a mix syntax
+test = 'reputation-config'
+test_options = [
+ { 'path': f'{test}-lf', 'eol': '\n' },
+ { 'path': f'{test}-cr', 'eol': '\r' },
+ { 'path': f'{test}-cr-lf', 'eol': '\r\n' },
+]
+
+# Categories and IPs from
+# https://docs.suricata.io/en/suricata-6.0.0/reputation/ipreputation/ip-reputation-format.html
+
+for test in test_options:
+ path, eol = Path(test['path']), test['eol']
+
+ with open(path / 'iprep-data.txt', 'w') as rep_cfg:
+ rep_cfg.write(f'1.2.3.4,1,101{eol}')
+ rep_cfg.write(f'1.2.3.5,1,101{eol}')
+ rep_cfg.write(f'1.1.1.0/24,6,88{eol}')
diff --git a/tests/reputation-config/test.rules b/tests/reputation-config/test.rules
new file mode 100644
index 000000000..3e2a37a0a
--- /dev/null
+++ b/tests/reputation-config/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"BadHosts: Some bad hosts have been detected"; iprep:any,BadHosts,>,30; sid:1; rev:1;)
+alert ip any any -> any any (msg:"Google: Some google host has been detected"; iprep:any,Google,>,30; sid:2; rev:1;)
\ No newline at end of file
diff --git a/tests/reputation-config/threshold.config b/tests/reputation-config/threshold.config
new file mode 100644
index 000000000..e69de29bb
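Review bot: `open(path / 'iprep-data.txt', 'w')` inside the for loop relies on the default universal-newline translation, so every `'\n'` in `eol` is rewritten to `os.linesep` on write; on a platform where that is `'\r\n'` the lf fixture comes out as CR LF and the cr-lf fixture as `\r\r\n`, which defeats a generator whose only purpose is exact line endings. Opening with `newline=''` disables the translation: `with open(path / 'iprep-data.txt', 'w', newline='') as rep_cfg:`. The fixture directories are also resolved against the current working directory, so `Path(test['path'])` only works when the script is run from tests/reputation-config; `Path(__file__).parent / test['path']` would make it location-independent. Rebinding `test` as the loop variable replaces the `'reputation-config'` prefix string with a dict, which is legal but easy to misread; a distinct name such as `for opt in test_options:` and a one-line module docstring saying that this script regenerates the committed iprep-data.txt fixtures consumed by the test.yaml files would make the intent clear.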