forked from OISF/suricata-verify
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Issue: 6487 Test cases for the from_base64 transform - Case 01 tests RFC4648 (default) with various offsets - Case 02 tests RFC2045 and verifies success and failure case (with other modes) - Case 03 -- case 01 with fast_pattern associated with the post transform content.
- Loading branch information
1 parent
032fded
commit e49965f
Showing
10 changed files
with
115 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
from_base64 transform tests |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK | ||
# "dGhpc2lzYXRlc3QK" is "thisisatest\n" | ||
alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; sid:1; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; sid:2; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; sid:3; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; sid:4; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; sid:5; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; sid:6; rev:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
pcap: ../base64/input.pcap | ||
|
||
args: | ||
- -k none | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 3 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 5 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Match on base64 operations using rfc2045 URI |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
# "Zm 9v Ym Fy" is "foobar" with mode RFC2045 | ||
alert http any any -> any any (msg:"from_base64: RFC2045 - will succeed"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc2045; content:"foobar"; sid:1; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: mode strict - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode strict; content:"foobar"; sid:2; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: mode RFC4648 - will fail"; http.uri; content:"/?arg=Zm 9v Ym Fy"; from_base64: offset 6, mode rfc4648; content:"foobar"; sid:3; rev:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- -k none | ||
|
||
pcap: input.pcap | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
from_base64 transform tests that assign fast-pattern to the post-transform content |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
# input pcap contains a query to http://home.regit.org/?arg=dGhpc2lzYXRlc3QK | ||
# "dGhpc2lzYXRlc3QK" is "thisisatest" | ||
alert http any any -> any any (msg:"from_base64: offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6 ; content:"thisisatest"; fast_pattern; sid:1; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #2 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 10 ; content:"sisatest"; fast_pattern; sid:2; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: bytes, offset #1 [mode rfc4648]"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: bytes 6, offset 6 ; content:"this"; fast_pattern; sid:3; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #3, mode rfc2045 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc2045 ; content:"thisisatest"; fast_pattern; sid:4; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #3, mode rfc4648 - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode rfc4648 ; content:"thisisatest"; fast_pattern; sid:5; rev:1;) | ||
alert http any any -> any any (msg:"from_base64: offset #4, mode strict - will succeed"; http.uri; content:"/?arg=dGhpc2lzYXRlc3QK"; from_base64: offset 6, mode strict ; content:"thisisatest"; fast_pattern; sid:6; rev:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
pcap: ../base64/input.pcap | ||
|
||
args: | ||
- -k none | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 3 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 5 |