diff --git a/tests/bug-4903/bug-4903-01/test.yaml b/tests/bug-4903/bug-4903-01/test.yaml
index 61ef84932..0c0b4e3f2 100644
--- a/tests/bug-4903/bug-4903-01/test.yaml
+++ b/tests/bug-4903/bug-4903-01/test.yaml
@@ -54,12 +54,8 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10000
 ssh.server.proto_version: '1.99'
 ssh.server.software_version: Cisco_server-1.24
 - filter:
diff --git a/tests/bug-4903/bug-4903-02/test.yaml b/tests/bug-4903/bug-4903-02/test.yaml
index 562558f25..56e891d7f 100644
--- a/tests/bug-4903/bug-4903-02/test.yaml
+++ b/tests/bug-4903/bug-4903-02/test.yaml
@@ -54,12 +54,8 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10001
 ssh.server.proto_version: '1.99'
 ssh.server.software_version: Cisco_server-1.24
 - filter:
diff --git a/tests/bug-4903/bug-4903-04/test.yaml b/tests/bug-4903/bug-4903-04/test.yaml
index 4ef142345..6d3b4cc35 100644
--- a/tests/bug-4903/bug-4903-04/test.yaml
+++ b/tests/bug-4903/bug-4903-04/test.yaml
@@ -60,13 +60,9 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 pcap_cnt: 6
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10003
 ssh.client.proto_version: '2.0'
 ssh.client.software_version: Cisco_client-1.25
 ssh.server.proto_version: '1.99'
diff --git a/tests/ftp/ftp-too-long-command/test.yaml b/tests/ftp/ftp-too-long-command/test.yaml
index 3336d8883..f1df7213d 100644
--- a/tests/ftp/ftp-too-long-command/test.yaml
+++ b/tests/ftp/ftp-too-long-command/test.yaml
@@ -34,3 +34,4 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 2232000
+ ftp.command: "RETR"
diff --git a/tests/krb5-kerberoasting/test.yaml b/tests/krb5-kerberoasting/test.yaml
index bd5ba8a3f..783640d4e 100644
--- a/tests/krb5-kerberoasting/test.yaml
+++ b/tests/krb5-kerberoasting/test.yaml
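Review bot: The new `ftp.command: "RETR"` key is appended to the existing alert check for `alert.signature_id: 2232000` without a version guard, whereas the tftp hunk in this same commit guards its equivalent new alert field with `min-version: 7`; if `ftp.command` only appears in alert records from the version that guard targets, this check will now fail on older builds. The krb5 hunk's added `krb5.msg_type: KRB_TGS_REP` line has the same shape and the same question. Either add `min-version: 7` to these two filters as well, or move the new field into a separate guarded filter as the tftp change does, so the pre-existing `alert.signature_id` assertion keeps running on every version. The filter these lines belong to starts before the hunk.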
@@ -21,6 +21,7 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
+ krb5.msg_type: KRB_TGS_REP
 - filter:
 count: 1
 match:
diff --git a/tests/mqtt-connect-rules/mqtt5_pub_jpeg.pcap b/tests/mqtt-connect-rules/mqtt5_pub_jpeg.pcap
new file mode 100644
index 000000000..fd6e90509
Binary files /dev/null and b/tests/mqtt-connect-rules/mqtt5_pub_jpeg.pcap differ
diff --git a/tests/mqtt-connect-rules/suricata.yaml b/tests/mqtt-connect-rules/suricata.yaml
new file mode 100644
index 000000000..6fb68aab1
--- /dev/null
+++ b/tests/mqtt-connect-rules/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - mqtt
+ - alert
+
+app-layer:
+ protocols:
+ mqtt:
+ enabled: yes
\ No newline at end of file
diff --git a/tests/mqtt-connect-rules/test.rules b/tests/mqtt-connect-rules/test.rules
new file mode 100644
index 000000000..4668f5cb6
--- /dev/null
+++ b/tests/mqtt-connect-rules/test.rules
@@ -0,0 +1,4 @@
+alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string SUCCESS"; mqtt.connect.protocol_string; content:"MQTT"; sid:1;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string SUCCESS2"; mqtt.connect.protocol_string; content:"M"; sid:2;)
+alert mqtt any any -> any any (msg:"MQTT CONNECT protocol string FAIL"; mqtt.connect.protocol_string; content:"Foobar"; sid:3;)
+
diff --git a/tests/mqtt-connect-rules/test.yaml b/tests/mqtt-connect-rules/test.yaml
new file mode 100644
index 000000000..191314072
--- /dev/null
+++ b/tests/mqtt-connect-rules/test.yaml
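Review bot: The new `suricata.yaml` is committed without a trailing newline (`\ No newline at end of file` after the last `enabled: yes`), unlike the `test.rules` and `test.yaml` added beside it, so every future append to this file will show up as a two-line diff touching that line. Adding the final newline is a one-character fix. The config otherwise only enables the `mqtt` and `alert` EVE types, which is exactly what the new `test.yaml` asserts on, so nothing else in the file needs changing.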
@@ -0,0 +1,63 @@
+requires:
+ files:
+ - src/detect-mqtt-connect-protocol-string.c
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.connect.protocol_string: MQTT
+ mqtt.connect.protocol_version: 5
+ mqtt.connect.flags.username: true
+ mqtt.connect.flags.password: true
+ mqtt.connect.flags.will: false
+ mqtt.connect.flags.will_retain: false
+ mqtt.connect.flags.clean_session: true
+ mqtt.connect.client_id: ""
+ mqtt.connect.username: user
+ mqtt.connect.password: pass
+ mqtt.connect.properties.receive_maximum: 20
+ mqtt.connack.session_present: false
+ mqtt.connack.return_code: 0
+ mqtt.connack.properties.topic_alias_maximum: 10
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.publish.qos: 0
+ mqtt.publish.retain: false
+ mqtt.publish.dup: false
+ mqtt.publish.topic: topicX
+
+ - filter:
+ count: 1
+ match:
+ event_type: mqtt
+ mqtt.disconnect.qos: 0
+ mqtt.disconnect.retain: false
+ mqtt.disconnect.dup: false
+ mqtt.disconnect.reason_code: 0
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT protocol string SUCCESS
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT protocol string SUCCESS2
+
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature: MQTT CONNECT protocol string FAIL
diff --git a/tests/output-eve-tftp-01/test.yaml b/tests/output-eve-tftp-01/test.yaml
index b83cefc3e..802379136 100644
--- a/tests/output-eve-tftp-01/test.yaml
+++ b/tests/output-eve-tftp-01/test.yaml
@@ -15,3 +15,9 @@ checks:
 count: 1
 match:
 event_type: alert
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: alert
+ tftp.packet: "read"
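Review bot: The first filter pins `mqtt.connect.username: user` and `mqtt.connect.password: pass`, so this test also fixes the behaviour that the EVE mqtt record carries the CONNECT credentials verbatim, with nothing in the accompanying `suricata.yaml` beyond `enabled: yes` shaping that output. If asserting on that is deliberate, a comment on those two lines would stop a later reader from taking it for an accident, e.g. `# CONNECT credentials from the test pcap are logged in clear; asserted deliberately`; if it is not, the check still identifies the CONNECT record through `mqtt.connect.protocol_string` and the `mqtt.connect.flags.*` fields without them. The final `count: 0` filter is a useful negative check and would read better with a one-line comment stating that it exists to prove `content:"Foobar"` does not match the protocol string.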
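Review bot: On version 7 and later the added `- filter:` overlaps the check just above it (`count: 1`, `event_type: alert`), since both match the same single alert record and the new one only adds `tftp.packet: "read"`. That is harmless, but the reason for keeping both — presumably the unguarded filter serves older versions while the `min-version: 7` one asserts the extra field — is not visible in the file; a comment on the new filter such as `# 7+ only: alert records carry tftp metadata, so also assert on the packet type` would make the pair read as intentional. The check the context lines belong to starts before the hunk.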