tests/transform: from_base64 test

Issue: 6487

Test cases for the from_base64 transform
- Case 01 tests RFC4648 (default) with various offsets
- Case 02 tests RFC2045 and verifies success and failure case
  (with other modes)
- Case 03 -- case 01 with fast_pattern associated with the
  post transform content.

tests/from_base64-01/README.md

@@ -0,0 +1 @@
+from_base64 transform tests

tests/from_base64-01/test.rules

@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest\n"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; sid:6; rev:1;)

tests/from_base64-01/test.yaml

@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 5

tests/from_base64-02/README.md

@@ -0,0 +1 @@
+Match on base64 operations using rfc2045 URI

tests/from_base64-02/test.rules

@@ -0,0 +1,4 @@
+# "Zm 9v Ym Fy" is "foobar" with mode RFC2045
+alert http any any -> any any (msg:"from_base64: RFC2045 - will succeed"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; content:"foobar"; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: mode strict - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode strict; content:"foobar"; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: mode RFC4648 - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc4648; content:"foobar"; sid:3; rev:1;)

tests/from_base64-02/test.yaml

@@ -0,0 +1,24 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+pcap: input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+         event_type: alert
+         alert.signature_id: 2

tests/from_base64-03/README.md

@@ -0,0 +1 @@
+from_base64 transform tests that assign fast-pattern to the post-transform content

tests/from_base64-03/test.rules

@@ -0,0 +1,8 @@
+# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK
+# "dGhpc2lzYXRlc3QK" is "thisisatest"
+alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; fast_pattern; sid:1; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; fast_pattern; sid:2; rev:1;)
+alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; fast_pattern; sid:3; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; fast_pattern; sid:4; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; fast_pattern; sid:5; rev:1;)
+alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; fast_pattern; sid:6; rev:1;)

tests/from_base64-03/test.yaml

@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+pcap: ../base64/input.pcap
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+         event_type: alert
+         alert.signature_id: 5