-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Ticket: 5665 Both positive and negative tests (impossible to load rules) Matching and not matching tests
- Loading branch information
1 parent
e8a1d72
commit c558b9f
Showing
11 changed files
with
177 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # Description | ||
|
|
||
| Test bidirection matching with a real life example | ||
| https://redmine.openinfosecfoundation.org/issues/5665 | ||
|
|
||
| # PCAP | ||
|
|
||
| Crafted from the rules | ||
| Client is | ||
| `curl -d '"goog:chromeOptions";"binary";"args":["' -X POST 127.0.0.1:8080/wd/hub/session` | ||
| Server is server.go |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| package main | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "net/http" | ||
| ) | ||
|
|
||
| func main() { | ||
| handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
| w.Header().Set("Server", "Jetty") | ||
| w.WriteHeader(http.StatusInternalServerError) | ||
| content := "org.openqa.selenium.WebDriverException: unknown error: Chrome failed to start: exited normally." | ||
| content = content + `unknown error: DevToolsActivePort file doesn't exist)\n (The process started from chrome location` | ||
| n, err := w.Write([]byte(content)) | ||
| fmt.Printf("lola %v %v\n", n, err) | ||
| }) | ||
|
|
||
| server := &http.Server{ | ||
| Addr: "0.0.0.0:8080", | ||
| Handler: handler, | ||
| } | ||
|
|
||
| fmt.Printf("Listening [0.0.0.0:8080]...\n") | ||
| err := server.ListenAndServe() | ||
| fmt.Printf("lol %s", err) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #flowbits version | ||
| alert http any any -> any any (msg:"ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution"; flow:established,to_server; flowbits:set,ET.Selenium314159.RCE; urilen:15; http.method; content:"POST"; http.uri; content:"/wd/hub/session"; fast_pattern; http.request_body; content:"|22|goog|3a|chromeOptions|22|"; content:"|22|binary|22|"; content:"|22|args|22|"; content:"|5b 22|"; within:5; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:attempted-admin; sid:2052319; rev:2; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02; target:dest_ip;) | ||
| alert http any any -> any any (msg:"ET EXPLOIT Selenium Server Grid Chrome 3.141.59 Remote Code Execution - Successful"; flow:established,to_client; flowbits:isset,ET.Selenium314159.RCE; http.stat_code; content:"500"; http.server; content:"Jetty"; startswith; file.data; content:"org|2e|openqa|2e|selenium|2e|WebDriverException|3a 20|unknown|20|error|3a 20|Chrome|20|failed|20|to|20|start|3a 20|exited|20|normally|2e|"; content:"unknown|20|error|3a 20|DevToolsActivePort|20|file|20|doesn|27|t|20|exist|29 5c|n|20 20 28|The|20|process|20|started|20|from|20|chrome|20|location"; fast_pattern; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:successful-admin; sid:2052359; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, confidence High, signature_severity Critical, updated_at 2024_05_02; target:src_ip;) | ||
|
|
||
| # and now the bidir version | ||
| alert http any any => any any (msg:"ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution"; urilen:15; http.method; content:"POST"; http.uri; content:"/wd/hub/session"; fast_pattern; http.request_body; content:"|22|goog|3a|chromeOptions|22|"; content:"|22|binary|22|"; content:"|22|args|22|"; content:"|5b 22|"; within:5; http.stat_code; content:"500"; http.server; content:"Jetty"; startswith; bidir.toclient; file.data; content:"org|2e|openqa|2e|selenium|2e|WebDriverException|3a 20|unknown|20|error|3a 20|Chrome|20|failed|20|to|20|start|3a 20|exited|20|normally|2e|"; content:"unknown|20|error|3a 20|DevToolsActivePort|20|file|20|doesn|27|t|20|exist|29 5c|n|20 20 28|The|20|process|20|started|20|from|20|chrome|20|location"; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:attempted-admin; sid:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02; target:dest_ip;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 1 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 2052359 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Description | ||
|
|
||
| Test invalid rules for bidirection matching | ||
| https://redmine.openinfosecfoundation.org/issues/5665 | ||
|
|
||
| # PCAP | ||
|
|
||
| Reusing a pcap, but does not matter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| alert http any any => any any (msg:"matching both uri and status"; sid: 11; http.uri; content: "/download"; http.stat_code; content: "200"; flow: to_server;) | ||
| alert http any any => any any (msg:"matching only uri"; sid: 2; http.uri; content: "/download"; ) | ||
| alert http any any => any any (msg:"matching only status"; sid: 3; http.stat_code; content: "200";) | ||
| alert http any any => any any (msg:"matching connection, but from ambiguous direction"; sid: 4; http.uri; content: "/download"; http.stat_code; content: "200"; http.connection; content: "eep";) | ||
| alert http any any => any any (msg:"stream rule"; sid: 5; content: "/download"; content: "200";) | ||
| alert http any any => any any (msg:"stream rule"; sid: 6; bidir.toserver; content: "/download"; bidir.toclient; content: "200";) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| pcap: ../http-all-headers/input.pcap | ||
|
|
||
| exit-code: 1 | ||
|
|
||
| checks: | ||
| - shell: | ||
| args: grep -c 'error parsing signature' suricata.log | ||
| expect: 6 | ||
| - shell: | ||
| args: grep -c 'rule 2 should use both directions, but does not' suricata.log | ||
| expect: 1 | ||
| - shell: | ||
| args: grep -c 'rule 3 should use both directions, but does not' suricata.log | ||
| expect: 1 | ||
| - shell: | ||
| args: grep -c 'rule 4 means to use both directions, cannot have keywords ambiguous about directions' suricata.log | ||
| expect: 1 | ||
| - shell: | ||
| args: grep -c 'rule 5 should use both directions, but does not' suricata.log | ||
| expect: 1 | ||
| - shell: | ||
| args: grep -c 'rule 6 should use both directions, but does not' suricata.log | ||
| expect: 1 | ||
| - shell: | ||
| args: grep -c 'rule 11 means to use both directions, cannot specify a flow direction' suricata.log | ||
| expect: 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Description | ||
|
|
||
| Test bidirection matching | ||
| https://redmine.openinfosecfoundation.org/issues/5665 | ||
|
|
||
| # PCAP | ||
|
|
||
| Reusing pcap from http-all-headers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| alert http any any => any any (msg:"matching both uri and status"; sid: 1; http.uri; content: "/download"; http.stat_code; content: "200";) | ||
| alert http any any => any any (msg:"not matching both uri and status"; sid: 2; http.uri; content: "/download"; http.stat_code; content: "404";) | ||
| alert http any any => any any (msg:"not matching both uri and status"; sid: 3; http.uri; content: "/upload"; http.stat_code; content: "200";) | ||
| alert http any any => any any (msg:"fast_pattern on to_client side"; sid: 7; http.uri; content: "down"; http.server; content: "Apache"; fast_pattern;) | ||
| alert http any any => any any (msg:"fast_pattern on to_client side but not matching"; sid: 8; http.uri; content: "upload"; http.server; content: "Apache"; fast_pattern;) | ||
| alert http any any => any any (msg:"disambiguated toclient"; sid: 11; http.uri; content: "/download"; http.stat_code; content: "200"; bidir.toclient; http.connection; content: "eep";) | ||
| alert http any any => any any (msg:"disambiguated toserver"; sid: 12; http.uri; content: "/download"; bidir.toserver; http.connection; content: "eep"; bidir.toclient; http.stat_code; content: "200";) | ||
| alert http any any => any any (msg:"disambiguated toclient, without other toclient"; sid: 13; http.uri; content: "/download"; bidir.toclient; http.connection; content: "eep";) | ||
| alert http any any => any any (msg:"disambiguated both sides"; sid: 14; bidir.toclient; http.connection; content: "eep"; bidir.toserver; http.connection; content: "eep";) | ||
| alert http any any => any any (msg:"toclient, followed by http.uri implicitly toserver"; sid: 15; bidir.toclient; http.connection; content: "eep"; http.uri; content: "/download"; ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| pcap: ../http-all-headers/input.pcap | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 1 | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 2 | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 3 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 7 | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 8 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 11 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 12 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 13 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 14 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 15 |