From 8ce08a9630da2a42a8278bfa8677d19ccac6f364 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 26 Jul 2024 14:52:41 +0200
Subject: [PATCH 1/2] detect: adds check for stream-event with prefilter

Ticket: 6728
---
 tests/stream-depth-reached-event/test.rules | 1 +
 tests/stream-depth-reached-event/test.yaml | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/tests/stream-depth-reached-event/test.rules b/tests/stream-depth-reached-event/test.rules
index af8bae2f3..8bf2ddc15 100644
--- a/tests/stream-depth-reached-event/test.rules
+++ b/tests/stream-depth-reached-event/test.rules
@@ -1 +1,2 @@
 alert tcp any any -> any any (msg:"SURICATA STREAM reassembly depth reached"; stream-event:reassembly_depth_reached; classtype:protocol-command-decode; sid:2210062; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM reassembly depth reached"; stream-event:reassembly_depth_reached; prefilter; classtype:protocol-command-decode; requires: version >= 8; sid:2210062; rev:2;)
diff --git a/tests/stream-depth-reached-event/test.yaml b/tests/stream-depth-reached-event/test.yaml
index 1e37bb6a3..4d8ae5af5 100644
--- a/tests/stream-depth-reached-event/test.yaml
+++ b/tests/stream-depth-reached-event/test.yaml
@@ -18,3 +18,11 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 2210062
+
+  - filter:
+      min-version: 8
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2210062
+        alert.rev: 2

From 4e4dafdb611364d3e97d358b817ee7a69023d1e2 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 26 Jul 2024 14:54:53 +0200
Subject: [PATCH 2/2] detect: adds check for decode-event with prefilter

Ticket: 6728
---
 tests/decode-too-small/test.rules | 1 +
 tests/decode-too-small/test.yaml | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/tests/decode-too-small/test.rules b/tests/decode-too-small/test.rules
index 399d4cd4d..8cb197256 100644
--- a/tests/decode-too-small/test.rules
+++ b/tests/decode-too-small/test.rules
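Review bot: The rev:2 rule added to tests/stream-depth-reached-event/test.rules relies on the `requires` keyword, yet this test.yaml gets no top-level version guard, unlike the decode-too-small test in the second patch; on Suricata releases that predate `requires`, the suite still runs this test and that rule line would presumably be rejected at load, which may fail the run depending on how rule-load errors are treated. Keeping the rev:1 line so that releases before 8 still exercise the stream-event is sound, but the yaml should carry the same guard the second patch adds: `requires:` / `  min-version: 7`. If `requires` only landed in a 7.0.x point release, the guard would need the exact patch level rather than the major version.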
@@ -1,3 +1,4 @@
 alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
+alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; prefilter; requires: version >= 8; sid:1; rev: 2;)
 alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
 alert ip any any -> any any (msg:"GRE packet too small"; decode-event:gre.pkt_too_small; sid:3;)
diff --git a/tests/decode-too-small/test.yaml b/tests/decode-too-small/test.yaml
index ffbcfd880..8f91f91cb 100644
--- a/tests/decode-too-small/test.yaml
+++ b/tests/decode-too-small/test.yaml
@@ -1,3 +1,6 @@
+requires:
+  min-version: 7
+
 checks:
   # Look for IPv4 TCP too small
   - filter:
@@ -7,6 +10,15 @@ checks:
         src_ip: 1.1.1.1
         alert.signature_id: 1
 
+  - filter:
+      min-version: 8
+      count: 1
+      match:
+        event_type: alert
+        src_ip: 1.1.1.1
+        alert.signature_id: 1
+        alert.rev: 2
+
   # Look for IPv6 TCP too small
   - filter:
       count: 1
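Review bot: tests/decode-too-small/test.rules now holds two rules with sid:1 that differ only in rev and keyword set, and nothing in the file explains why the rev:1 line is kept; on Suricata 8 both load and the engine's duplicate-sid handling decides which survives (as I recall it keeps the higher rev and logs a warning), while on older releases the rev:2 line is meant to be skipped by `requires`. A comment above the pair would save the next reader that reasoning: `# rev:1 serves Suricata < 8; the rev:2 copy adds prefilter, needs the requires keyword, and supersedes it by sid on 8+`. The same pattern appears in tests/stream-depth-reached-event/test.rules in the first patch. Separately, the new `min-version: 7` guard in test.yaml assumes every 7.x release parses `requires`; if the keyword arrived in a 7.0.x point release, the guard may need that patch level.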