From a6a9a98040da8bb8fbdc2f6081f90b0e44b370cb Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 30 Nov 2023 14:46:04 +0100
Subject: [PATCH] Adds tests for negated content and absent keyword

Ticket: 2224
---
 tests/detect-absent-file-multi/README.md | 18 +++
 tests/detect-absent-file-multi/input.pcap | Bin 0 -> 1259 bytes
 tests/detect-absent-file-multi/test.rules | 10 +++
 tests/detect-absent-file-multi/test.yaml | 52 +++++++++++++++
 .../detect-absent-http-request-body/README.md | 14 ++++
 .../input.pcap | Bin 0 -> 1694 bytes
 .../test.rules | 6 ++
 .../detect-absent-http-request-body/test.yaml | 37 +++++++++++
 tests/detect-absent-negated-content/README.md | 11 ++++
 .../no_referer.pcap | Bin 0 -> 617 bytes
 .../detect-absent-negated-content/test.rules | 17 +++++
 tests/detect-absent-negated-content/test.yaml | 62 ++++++++++++++++++
 tests/rules/absent/README.md | 11 ++++
 tests/rules/absent/test.rules | 3 +
 tests/rules/absent/test.yaml | 37 +++++++++++
 15 files changed, 278 insertions(+)
 create mode 100644 tests/detect-absent-file-multi/README.md
 create mode 100644 tests/detect-absent-file-multi/input.pcap
 create mode 100644 tests/detect-absent-file-multi/test.rules
 create mode 100644 tests/detect-absent-file-multi/test.yaml
 create mode 100644 tests/detect-absent-http-request-body/README.md
 create mode 100644 tests/detect-absent-http-request-body/input.pcap
 create mode 100644 tests/detect-absent-http-request-body/test.rules
 create mode 100644 tests/detect-absent-http-request-body/test.yaml
 create mode 100644 tests/detect-absent-negated-content/README.md
 create mode 100644 tests/detect-absent-negated-content/no_referer.pcap
 create mode 100644 tests/detect-absent-negated-content/test.rules
 create mode 100644 tests/detect-absent-negated-content/test.yaml
 create mode 100644 tests/rules/absent/README.md
 create mode 100644 tests/rules/absent/test.rules
 create mode 100644 tests/rules/absent/test.yaml
diff --git a/tests/detect-absent-file-multi/README.md b/tests/detect-absent-file-multi/README.md new file mode 100644 index 000000000..fd2738782 --- /dev/null +++ b/tests/detect-absent-file-multi/README.md @@ -0,0 +1,18 @@ +# Test Description + +Test `absent` keyword with files + +## PCAP + +Manually crafted with input +``` +GET /noheaders HTTP/1.0 + +HTTP/1.0 500 BAD +Header1: value1 + +``` + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/2224 diff --git a/tests/detect-absent-file-multi/input.pcap b/tests/detect-absent-file-multi/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..724dfefd8a47ff2b8e59a1e2ded9c8dbde04813f GIT binary patch literal 1259 zcmb7?%}N4M7>3XIN6f;qMd>0OceP1{gq#+cDE-jFU~WKYqB05!BSFYTTita5-GQ`d z5p6QCC}`Cpx`j4wa;d%F=}ex=$#Iwu2F~!z^S<-F++AL{n1}VQujl95&emJg%Q85i zabdEIrRYxi7&~Q5p=p@m^l0u%!!fJ7y4}tk-t{cLDsHz=QAX5TW#fa+JOB{We?OQR zPB+ZfT5%WLNPYY-v-}V`A+E)o1altWpb?(1=<68)w@?`izIUb}FZ_r{Zc`38!mU7V zGRJZv&e@}v<={dieAfT<3Bo7!?b9aKa@NqI`v==*e$zZW(pC&37md%xRN`NQKPa!{ znf&EhLU(QAG{8y1kw$nXY&?^^H}ahM;aTEB&EbS}JE0ahtB|1)LVV}sg_DBm6%v9y z{YaF?gIP^!iC9caFJ-u(?`d#jVv}_wEz5$`7Qv}8KR6Br%h-_qg8Y}pb?rF6S2W`) z7YsNM6v?X`9O$jEm7D}89B`zdRlA^};W#xr&iSw$DVJRQjRTJ8r-ptOWFM=aPkM+f ASO5S3 literal 0 HcmV?d00001 diff --git a/tests/detect-absent-file-multi/test.rules b/tests/detect-absent-file-multi/test.rules new file mode 100644 index 000000000..87ab2a630 --- /dev/null +++ b/tests/detect-absent-file-multi/test.rules 
@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;)
+alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;)
+alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;)
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;)
+
+alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;)
diff --git a/tests/detect-absent-file-multi/test.yaml b/tests/detect-absent-file-multi/test.yaml
new file mode 100644
index 000000000..9d374042f
--- /dev/null
+++ b/tests/detect-absent-file-multi/test.yaml
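Review bot: The `msg` on sid 11 (`"no file data or not abc"`) does not describe the rule it is attached to, which tests `http.request_header; absent` together with `http.uri; content: "noheaders"` and has nothing to do with file data; a copy-pasted message ends up in the eve output and makes a failing count check hard to read. Suggest `msg:"no request headers and uri noheaders"`. Several rules in this hunk also share identical messages (sids 1 and 6 `"no file data"`, sids 3 and 7 `"no file data or not abc"`), which removes the only human-readable clue when one of them misfires; the same pattern appears in tests/detect-absent-http-request-body/test.rules (sids 1 and 5, sids 3 and 6). Appending the distinguishing condition, e.g. `msg:"no file data, stat code 500"` for sid 1, would make every message unique.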
@@ -0,0 +1,52 @@ +requires: + min-version: 8 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 4 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 5 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 6 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 7 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 10 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 11 diff --git a/tests/detect-absent-http-request-body/README.md b/tests/detect-absent-http-request-body/README.md new file mode 100644 index 000000000..d9cb67210 --- /dev/null +++ b/tests/detect-absent-http-request-body/README.md @@ -0,0 +1,14 @@ +# Test Description + +Test `absent` keyword with `http.request_body` + +## PCAP + +Manually crafted with server +`python3 -m http.server` +and client +`curl -X POST http://127.0.0.1:8000/toto` + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/2224 diff --git a/tests/detect-absent-http-request-body/input.pcap b/tests/detect-absent-http-request-body/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1e4de3a6f5cae7a972fa0aee65baa3f6fec12876 GIT binary patch literal 1694 zcmb7^Uu)A)7{=3fv=Ru|4PkdX?!wJs^QV8d60@#j8xHAMVHso0o7kQ;by-eGPGv*E z!7dcU4*Ly2a9?^-U)NU?+$h{BlTxFY)&;~e*h<05Pv4Ga|z6WO;==Juk^=5ZG0_Dy|` z#A5MC+f8rzap&^juj5e=AL?T~rtPo?PN7FZC~h1 zMmbqQ%eL2W9O6=3MVpwKq>4sISO_E61%3&;_pz&@rTV60VSk-0j-&E6%(JD8sHDY= zz|R^Kt7rvRZ$L!ocEd(#Ih{p{qGra`Y!=;G&;@>m*fy@vI(K{W7gn3m4{Gm$=Bqo$Ha)fhoBpNSrn^0Gf}<4M@Hai#aU|JM o+GWl2um?`?wq{Kjv;L*$>qR-q?!KBma6(@e`079Ps_}jO1#Snb%>V!Z literal 0 HcmV?d00001 
diff --git a/tests/detect-absent-http-request-body/test.rules b/tests/detect-absent-http-request-body/test.rules
new file mode 100644
index 000000000..b368a6087
--- /dev/null
+++ b/tests/detect-absent-http-request-body/test.rules
@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;)
+alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;)
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;)
diff --git a/tests/detect-absent-http-request-body/test.yaml b/tests/detect-absent-http-request-body/test.yaml
new file mode 100644
index 000000000..549bf9ce4
--- /dev/null
+++ b/tests/detect-absent-http-request-body/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
diff --git a/tests/detect-absent-negated-content/README.md b/tests/detect-absent-negated-content/README.md new file mode 100644 index 000000000..a5b9b8e39 --- /dev/null +++ b/tests/detect-absent-negated-content/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test rules with negated content on buffers that are absent + +## PCAP + +From the issue https://redmine.openinfosecfoundation.org/issues/2224 + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/2224 diff --git a/tests/detect-absent-negated-content/no_referer.pcap b/tests/detect-absent-negated-content/no_referer.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0ef6c2e989b92da480aadfd77977e9f59f0d1545 GIT binary patch literal 617 zcmca|c+)~A1{MYw`2U}Qff2}Y%?(NkXkcS71F}Ilv7&XK>vFU2g4+7Q91N}u3>qM1 z4r~tG2UdJZ;1Q@?efb z$RvgUpg9Z-DL~8}AOtj}0b+`38^V+uPhyNaRSPAj9_+k^Y6_ZLxPhjm1_%I6X@r8W`@iM0HDUM|Pvywz5UYeMm3N$TGx3m~8?wXgJpOTrEZl#c3m06&pkdm5~ zlUS0<%jKM(R|2#|H>9!vs0rE7tm6DUuzX%>GRPJy1@F|<0$sKB;->B^g!< zh6V;e#fixosk$H|i}G`<6!P+QlR+Z9T)bSMq`=dQ2>zhROC9PHTgq4Ro_&uR{AiJw P3Jm^#py03XV_*OPgu1Oz literal 0 HcmV?d00001 diff --git a/tests/detect-absent-negated-content/test.rules b/tests/detect-absent-negated-content/test.rules new file mode 100644 index 000000000..aec7ce329 --- /dev/null +++ b/tests/detect-absent-negated-content/test.rules 
@@ -0,0 +1,17 @@
+# This signature should alert with _any_ pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;)
+
+# Positive tests about alerts
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;)
diff --git a/tests/detect-absent-negated-content/test.yaml b/tests/detect-absent-negated-content/test.yaml
new file mode 100644
index 000000000..a2921b99b
--- /dev/null
+++ b/tests/detect-absent-negated-content/test.yaml
@@ -0,0 +1,62 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 8
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 9
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 20
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 21
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 23
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
diff --git a/tests/rules/absent/README.md b/tests/rules/absent/README.md
new file mode 100644
index 000000000..40150cdd5
--- /dev/null
+++ b/tests/rules/absent/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test `absent` keyword rule analysis
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/rules/absent/test.rules b/tests/rules/absent/test.rules
new file mode 100644
index 000000000..a095e1393
--- /dev/null
+++ b/tests/rules/absent/test.rules
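Review bot: The comment `# This signature should alert with _any_ pcap` above sid 1 is not accurate: `http.uri; bsize:1; content:"/"` only fires when the request URI is exactly `/`, so the rule is a reference true positive for this pcap, not a universal one; suggest `# Reference true positive: the request URI in no_referer.pcap is exactly "/"`. Sid 5 sits under that same comment but is the negative reference (count 0 in test.yaml), so it would read better with its own header, e.g. `# Negated content alone does not match when http.referer is absent`. Sid 7 writes `absent: or_else ;` with a space before the semicolon while every other rule writes `absent: or_else;`; the same copy of the rule appears in tests/rules/absent/test.rules.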
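Review bot: The check for sid 10 is appended after the sid 23 check, out of sid order, whereas test.rules lists sid 10 among the positive tests before sid 20; moving that filter to follow the sid 9 check keeps test.yaml in the same order as test.rules, so a missing or duplicated check is easy to spot when reading the two files side by side. Every sid in test.rules does have a count check here, so the coverage itself is complete.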
@@ -0,0 +1,3 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
diff --git a/tests/rules/absent/test.yaml b/tests/rules/absent/test.yaml
new file mode 100644
index 000000000..69e3bd443
--- /dev/null
+++ b/tests/rules/absent/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 8
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "content"
+ engines[2].matches[1].content.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: true
+ engines[2].matches[1].name: "pcre"
+ engines[2].matches[1].pcre.negated: true
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ engines[2].name: "http_referer"
+ engines[2].matches[0].name: "absent"
+ engines[2].matches[0].absent.or_else: false
+ engines[2].matches.__len: 1
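Review bot: The filters for sids 6 and 7 never constrain how many matches the referer engine carries, while the sid 8 filter asserts `engines[2].matches.__len: 1`; without `engines[2].matches.__len: 2` on sids 6 and 7 an extra match generated for that buffer would pass unnoticed. Adding that one line to both filters makes the three checks consistent and pins the analysis output exactly. All three filters also rely on the referer engine sitting at index 2 of `engines`; if the engine-analysis output ever reorders engines these will fail with a bare count mismatch, so a comment above `checks:` stating which engines are expected at indexes 0 and 1 (confirm against the generated rules.json) would save the next maintainer a debugging round.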