From b5662b59de831c32d1d590967f657ef43f1a647f Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Tue, 27 Feb 2024 09:02:35 -0500
Subject: [PATCH] tests/transform: from_base64 test

Issue: 6487

Test cases for the from_base64 transform
- Case 01 tests RFC4648 (default) with various offsets
- Case 02 tests RFC2045 and verifies success and failure case (with other modes)
- Case 03 -- case 01 with fast_pattern associated with the post transform content.
---
 tests/from_base64-01/README.md | 1 +
 tests/from_base64-01/test.rules | 8 ++++++++
 tests/from_base64-01/test.yaml | 34 ++++++++++++++++++++++++++++++++
 tests/from_base64-02/README.md | 1 +
 tests/from_base64-02/input.pcap | Bin 0 -> 3296 bytes
 tests/from_base64-02/test.rules | 4 ++++
 tests/from_base64-02/test.yaml | 24 ++++++++++++++++++++++
 tests/from_base64-03/README.md | 1 +
 tests/from_base64-03/test.rules | 8 ++++++++
 tests/from_base64-03/test.yaml | 34 ++++++++++++++++++++++++++++++++
 10 files changed, 115 insertions(+)
 create mode 100644 tests/from_base64-01/README.md
 create mode 100644 tests/from_base64-01/test.rules
 create mode 100644 tests/from_base64-01/test.yaml
 create mode 100644 tests/from_base64-02/README.md
 create mode 100644 tests/from_base64-02/input.pcap
 create mode 100644 tests/from_base64-02/test.rules
 create mode 100644 tests/from_base64-02/test.yaml
 create mode 100644 tests/from_base64-03/README.md
 create mode 100644 tests/from_base64-03/test.rules
 create mode 100644 tests/from_base64-03/test.yaml
diff --git a/tests/from_base64-01/README.md b/tests/from_base64-01/README.md
new file mode 100644
index 000000000..d1024db4c
--- /dev/null
+++ b/tests/from_base64-01/README.md
@@ -0,0 +1 @@
+from_base64 transform tests
diff --git a/tests/from_base64-01/test.rules b/tests/from_base64-01/test.rules
new file mode 100644
index 000000000..7bca58931
--- /dev/null
+++ b/tests/from_base64-01/test.rules
@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; sid:6; rev:1;)
diff --git a/tests/from_base64-01/test.yaml b/tests/from_base64-01/test.yaml
new file mode 100644
index 000000000..97deff62f
--- /dev/null
+++ b/tests/from_base64-01/test.yaml
@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
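Review bot: The two comment lines at the top of the hunk explain the encoded payload but not why every rule uses `offset 6`, and the msg strings label sids 4–6 as `offset #3`/`offset #4` even though all three use offset 6, so the alert names mislead whoever debugs a failing check. I would add a third comment line, `# offset 6 skips the 6-byte "/?arg=" prefix so decoding starts at the base64 payload; "bytes 6" decodes only "dGhpc2" -> "this"`, and rename the three msg labels to `mode rfc2045`/`mode rfc4648`/`mode strict` without an offset ordinal. The same comment lines and labels are duplicated in tests/from_base64-03/test.rules and would need the same edit there.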
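Review bot: test.rules for this case defines six signatures, but the checks stop at `alert.signature_id: 5`, so sid 6 (the `mode strict` decode) is never verified and a regression in strict-mode handling would pass this test unnoticed. Add a sixth filter for sid 6, and consider one aggregate filter on `event_type: alert` with `count: 6` so unexpected extra alerts are caught as well. tests/from_base64-03/test.yaml has the identical gap. Note also that `pcap: ../base64/input.pcap` reuses another test's capture, so any change to that file silently changes what this test exercises.
```yaml
checks:
  # … unchanged: filters for sids 1-5 …
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 6
  - filter:
      count: 6
      match:
        event_type: alert
```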
diff --git a/tests/from_base64-02/README.md b/tests/from_base64-02/README.md new file mode 100644 index 000000000..2b080d7c0 --- /dev/null +++ b/tests/from_base64-02/README.md @@ -0,0 +1 @@ +Match on base64 operations using rfc2045 URI diff --git a/tests/from_base64-02/input.pcap b/tests/from_base64-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ae79adf10749120c4bb572f265ea2ebab220c0f0 GIT binary patch literal 3296 zcmeHJOK1~87~Z5cmW4p|gC0e#k7A3Dq9TX~3+>V5EC{vnpGh`NOB+0-Ak<-JcV~CzK2A}0q@0o zd-Lx$a%Q}B&Xe1QJPpX*pbo3$h3nir_nYfHt8*^uya>Eai^$_T4C}_<1GJWq< z9dQm2zX3T`%M0iDZf=!xY}%CLKHxZ0;+SO|`@BAcj|Q}GyFYf&A-U3U8)0v~8Fb9& z8^m^--7FqclT=1gH5iCS*lVlQDw)NhB+;y0VG@Ub!(l?9uLCZ#*cA+t1bjS<59v+7(sO#4MUcCf(beGSN>JJ>qX=E4qAL zU(sTun5JizQ{(l9e3|Rmie{N~pR0~|v(Y3hg56jxFWhw>{Vv9FDYq#{=DOK+uFDpk zB_W3-q0=YL;#s1li6*17N-Pm2{I_IlL4z3@QRCQYvr9HR7|Ro&L`J=u(u5>C8VG0r z;AlqnBeK&aA8A2-13vC53J$ZWH&|cmuXWR?7?XpW(7!=Kkx@ zITmB&0gn;zUw*XYzZ{DZccbTYk8fnq3ps9}9}Nz5_aE;;7AwZX&K`_CK2PCCvrV#N z>^)^cmI$Q@8RN0BG258arfOmAJHvg|jFVJTg47nGAxnqoW?o|t5(vQ~MrZ)Bu~ssg zQqt`f$a&nIK5(Z61q-cq%T_jJh>$F!q{E|VkSkR!gQ7~3LMBBQRIQY|kt>ZxVyHLc z#)a;p8y6{@S3?;_$o}^b&=&@1a7(edV1DOqTtwqj@8EfQ{{Pbat4s5tVjRx%GZ=lT zN6lJfpUXmI|1R5ESk&a$&azN-#9tK={cU{ryQXt2ME1EXkL*3`&RivqD^*8)c%V{- uoHy_c`9kMdrekh=3yzPfj`*}9qTkJRysC37>X-u^(;LpNB^{qv74Z*S?TDWM literal 0 HcmV?d00001 diff --git a/tests/from_base64-02/test.rules b/tests/from_base64-02/test.rules new file mode 100644 index 000000000..258013404 --- /dev/null +++ b/tests/from_base64-02/test.rules 
@@ -0,0 +1,4 @@
+# "Zm 9v Ym Fy" is "foobar" with mode RFC2045
+alert http any any -> any any (msg:"from_base64: RFC2045 - will succeed"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; content:"foobar"; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: mode strict - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode strict; content:"foobar"; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: mode RFC4658 - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc4648; content:"foobar"; sid:3; rev:1;)
diff --git a/tests/from_base64-02/test.yaml b/tests/from_base64-02/test.yaml
new file mode 100644
index 000000000..190f846d6
--- /dev/null
+++ b/tests/from_base64-02/test.yaml
@@ -0,0 +1,24 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
diff --git a/tests/from_base64-03/README.md b/tests/from_base64-03/README.md
new file mode 100644
index 000000000..cfb70fcb0
--- /dev/null
+++ b/tests/from_base64-03/README.md
@@ -0,0 +1 @@
+from_base64 transform tests that assign fast-pattern to the post-transform content
diff --git a/tests/from_base64-03/test.rules b/tests/from_base64-03/test.rules
new file mode 100644
index 000000000..b07e32c80
--- /dev/null
+++ b/tests/from_base64-03/test.rules
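Review bot: The msg on sid 3 reads `mode RFC4658` while the option on the same line is `mode rfc4648`; the transposed digits make the alert name disagree with the rule for anyone searching eve output. Change it to `msg:"from_base64: mode RFC4648 - will fail"`. The header comment would also be clearer if it said why the other two modes are expected to fail, e.g. `# RFC2045 ignores the embedded spaces, so "Zm 9v Ym Fy" decodes to "foobar"; strict and rfc4648 do not, so sids 2 and 3 must not alert`.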
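Review bot: The third filter repeats `alert.signature_id: 2`, so sid 3 (the rfc4648 negative case from test.rules) is never checked; the last line should be `alert.signature_id: 3`. Beyond that, a `count: 0` check is satisfied just as well when the signature fails to load or the transform is rejected at rule-parse time as when it loads and correctly does not match, so the two negative checks prove little on their own. Keeping the positive sid 1 check alongside them helps, and if the harness can assert the number of loaded rules (for example via stats, if exposed) that would make the failure cases meaningful.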
@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; fast_pattern; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; fast_pattern; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; fast_pattern; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; fast_pattern; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; fast_pattern; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; fast_pattern; sid:6; rev:1;)
diff --git a/tests/from_base64-03/test.yaml b/tests/from_base64-03/test.yaml
new file mode 100644
index 000000000..97deff62f
--- /dev/null
+++ b/tests/from_base64-03/test.yaml
@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5