diff --git a/tests/from_base64-01/README.md b/tests/from_base64-01/README.md
new file mode 100644
index 000000000..d1024db4c
--- /dev/null
+++ b/tests/from_base64-01/README.md
@@ -0,0 +1 @@
+from_base64 transform tests
diff --git a/tests/from_base64-01/test.rules b/tests/from_base64-01/test.rules
new file mode 100644
index 000000000..7bca58931
--- /dev/null
+++ b/tests/from_base64-01/test.rules
@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; sid:6; rev:1;)
diff --git a/tests/from_base64-01/test.yaml b/tests/from_base64-01/test.yaml
new file mode 100644
index 000000000..97deff62f
--- /dev/null
+++ b/tests/from_base64-01/test.yaml
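Review bot: The second comment line of the test.rules hunk states that `dGhpc2lzYXRlc3QK` is `thisisatest`, but the string decodes to `thisisatest` followed by a newline (the final `c3QK` group yields `s`, `t`, 0x0a), so the post-transform buffer is 12 bytes rather than 11; I'd write `# "dGhpc2lzYXRlc3QK" is "thisisatest\n" (12 bytes, trailing newline)` so that anyone extending sid 3's `bytes` test or adding a length assertion on the decoded buffer is not misled. The same comment is repeated verbatim in tests/from_base64-03/test.rules and should be corrected there too. Separately, sids 4 and 5 both carry `offset #3` in their msg while sid 6 is `#4`; distinct labels (`offset #3`, `offset #4`, `offset #5`) make the alerts distinguishable in the eve output when a check fails.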
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/from_base64-02/README.md b/tests/from_base64-02/README.md
new file mode 100644
index 000000000..2b080d7c0
--- /dev/null
+++ b/tests/from_base64-02/README.md
@@ -0,0 +1 @@
+Match on base64 operations using rfc2045 URI
diff --git a/tests/from_base64-02/input.pcap b/tests/from_base64-02/input.pcap
new file mode 100644
index 000000000..ae79adf10
Binary files /dev/null and b/tests/from_base64-02/input.pcap differ
diff --git a/tests/from_base64-02/test.rules b/tests/from_base64-02/test.rules
new file mode 100644
index 000000000..258013404
--- /dev/null
+++ b/tests/from_base64-02/test.rules
@@ -0,0 +1,4 @@
+# "Zm 9v Ym Fy" is "foobar" with mode RFC2045
+alert http any any -> any any (msg:"from_base64: RFC2045 - will succeed"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; content:"foobar"; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: mode strict - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode strict; content:"foobar"; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: mode RFC4658 - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc4648; content:"foobar"; sid:3; rev:1;)
diff --git a/tests/from_base64-02/test.yaml b/tests/from_base64-02/test.yaml
new file mode 100644
index 000000000..190f846d6
--- /dev/null
+++ b/tests/from_base64-02/test.yaml
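Review bot: The checks list for tests/from_base64-01/test.yaml stops at `alert.signature_id: 5`, but the accompanying test.rules defines six rules, so sid 6 — the only one exercising `mode strict` — is never asserted and a regression in strict-mode decoding would pass this test silently. Add a sixth entry, e.g. `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 6}}`, mirroring the existing five. tests/from_base64-03/test.yaml has the identical omission (same 34-line checks list against a six-rule file) and needs the same entry.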
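Review bot: In tests/from_base64-02/test.rules the sid 3 message reads `mode RFC4658 - will fail` while the keyword on the same line is `mode rfc4648`, so the alert text names a non-existent RFC and will confuse anyone reading eve output or triaging a failed check; change it to `msg:"from_base64: mode RFC4648 - will fail"`. While there, the comment line could also say why the spaced input is rejected by the other two modes, e.g. `# whitespace between groups is only tolerated by rfc2045; strict and rfc4648 must not decode it`, which documents the intended negative results for sids 2 and 3.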
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/from_base64-03/README.md b/tests/from_base64-03/README.md
new file mode 100644
index 000000000..cfb70fcb0
--- /dev/null
+++ b/tests/from_base64-03/README.md
@@ -0,0 +1 @@
+from_base64 transform tests that assign fast-pattern to the post-transform content
diff --git a/tests/from_base64-03/test.rules b/tests/from_base64-03/test.rules
new file mode 100644
index 000000000..b07e32c80
--- /dev/null
+++ b/tests/from_base64-03/test.rules
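Review bot: The third check in tests/from_base64-02/test.yaml repeats `alert.signature_id: 2` instead of `3`, so sid 3 — the rule asserting that `mode rfc4648` does not decode whitespace-separated input — is never verified, and the duplicated `count: 0` filter is vacuously satisfied. A decoder change that wrongly tolerated whitespace in rfc4648 mode would therefore pass this test. Change the last check's line to `alert.signature_id: 3`.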
@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; fast_pattern; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; fast_pattern; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; fast_pattern; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; fast_pattern; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; fast_pattern; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; fast_pattern; sid:6; rev:1;)
diff --git a/tests/from_base64-03/test.yaml b/tests/from_base64-03/test.yaml
new file mode 100644
index 000000000..97deff62f
--- /dev/null
+++ b/tests/from_base64-03/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5