forked from OISF/suricata-verify
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
tests: showcase endswith, distance + within usage
Suricata docs state that `endswith` cannot be mixed with `offset`, `within` or `distance` for the same pattern, but apparently, at least from Suricata 7 on, this seems possible. Tests created based on material and scenarios provided by Brandon Murphy in the Redmine ticket. Related to Task #5030
- Loading branch information
1 parent
4dcc8ff
commit 5b813ce
Showing
8 changed files
with
57 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Test | ||
|
|
||
| Showcase the usage of `distance`, `within` and `endswith`, as proposed | ||
| in https://redmine.openinfosecfoundation.org/issues/5030. | ||
|
|
||
| ## Behavior | ||
|
|
||
| There should be an alert. "The distance and within effectively limit how much | ||
| of a payload can be present while ensuring the packet still "endswith" the | ||
| desired content." This happens for this pcap. | ||
|
|
||
| ## Pcap | ||
|
|
||
| 35_bytes.pcap Shared by Brandon Murphy in the aforementioned ticket. | ||
|
|
||
| ## Redmine ticket | ||
|
|
||
| https://redmine.openinfosecfoundation.org/issues/5030 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 1 |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Test | ||
|
|
||
| Showcase the usage of `distance`, `within` and `endswith`, as proposed | ||
| in https://redmine.openinfosecfoundation.org/issues/5030. | ||
|
|
||
| ## Behavior | ||
|
|
||
| There should be no alert. "The distance and within effectively limit how much | ||
| of a payload can be present while ensuring the packet still "endswith" the | ||
| desired content." As the content is greater than the 38 bytes limit (9+29) set | ||
| by the rule, the signature isn't fired.. | ||
|
|
||
| ## Pcap | ||
|
|
||
| 39_bytes.pcap shared by Brandon Murphy in the aforementioned ticket. | ||
|
|
||
| ## Redmine ticket | ||
|
|
||
| https://redmine.openinfosecfoundation.org/issues/5030 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| alert tcp any any -> any any (msg:"Test"; content:"yYYYYYYYYYYYYYYYY"; distance:9; within:29; endswith; sid:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 0 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 1 |