diff --git a/tests/bug-2576-01-ips/md5list.2576 b/tests/bug-2576-01-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-01-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-01-ips/suricata.yaml b/tests/bug-2576-01-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-01-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-01-ips/temp6.pcap b/tests/bug-2576-01-ips/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-01-ips/temp6.pcap differ diff --git a/tests/bug-2576-01-ips/test.rules b/tests/bug-2576-01-ips/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-01-ips/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-01-ips/test.yaml b/tests/bug-2576-01-ips/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-01-ips/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-01/md5list.2576 b/tests/bug-2576-01/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-01/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-01/suricata.yaml b/tests/bug-2576-01/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-01/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-01/temp6.pcap b/tests/bug-2576-01/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-01/temp6.pcap differ diff --git a/tests/bug-2576-01/test.rules b/tests/bug-2576-01/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-01/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-01/test.yaml b/tests/bug-2576-01/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-01/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-02-ips/md5list.2576 b/tests/bug-2576-02-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-02-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-02-ips/suricata.yaml b/tests/bug-2576-02-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-02-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-02-ips/temp1.pcap b/tests/bug-2576-02-ips/temp1.pcap new file mode 100644 index 000000000..9550b4f2b Binary files /dev/null and b/tests/bug-2576-02-ips/temp1.pcap differ diff --git a/tests/bug-2576-02-ips/test.rules b/tests/bug-2576-02-ips/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-02-ips/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-02-ips/test.yaml b/tests/bug-2576-02-ips/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-02-ips/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-02/md5list.2576 b/tests/bug-2576-02/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-02/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-02/suricata.yaml b/tests/bug-2576-02/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-02/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-02/temp1.pcap b/tests/bug-2576-02/temp1.pcap new file mode 100644 index 000000000..9550b4f2b Binary files /dev/null and b/tests/bug-2576-02/temp1.pcap differ diff --git a/tests/bug-2576-02/test.rules b/tests/bug-2576-02/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-02/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-02/test.yaml b/tests/bug-2576-02/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-02/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-03-ips/md5list.2576 b/tests/bug-2576-03-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-03-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-03-ips/suricata.yaml b/tests/bug-2576-03-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-03-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-03-ips/temp6.pcap b/tests/bug-2576-03-ips/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-03-ips/temp6.pcap differ diff --git a/tests/bug-2576-03-ips/test.rules b/tests/bug-2576-03-ips/test.rules new file mode 100644 index 000000000..4840cdb97 --- /dev/null +++ b/tests/bug-2576-03-ips/test.rules @@ -0,0 +1 @@ +alert ip any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-03-ips/test.yaml b/tests/bug-2576-03-ips/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-03-ips/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-03/md5list.2576 b/tests/bug-2576-03/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-03/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-03/suricata.yaml b/tests/bug-2576-03/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-03/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-03/temp6.pcap b/tests/bug-2576-03/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-03/temp6.pcap differ diff --git a/tests/bug-2576-03/test.rules b/tests/bug-2576-03/test.rules new file mode 100644 index 000000000..4840cdb97 --- /dev/null +++ b/tests/bug-2576-03/test.rules @@ -0,0 +1 @@ +alert ip any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-03/test.yaml b/tests/bug-2576-03/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-03/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-04-ips/md5list.2576 b/tests/bug-2576-04-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-04-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-04-ips/suricata.yaml b/tests/bug-2576-04-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-04-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-04-ips/temp6.pcap b/tests/bug-2576-04-ips/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-04-ips/temp6.pcap differ diff --git a/tests/bug-2576-04-ips/test.rules b/tests/bug-2576-04-ips/test.rules new file mode 100644 index 000000000..2a16eefd7 --- /dev/null +++ b/tests/bug-2576-04-ips/test.rules @@ -0,0 +1,2 @@ +alert ip any any -> any any (msg:"file_data"; file_data; content:"content=IE=Edge"; sid: 3; rev: 1;) +alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;) diff --git a/tests/bug-2576-04-ips/test.yaml b/tests/bug-2576-04-ips/test.yaml new file mode 100644 index 000000000..2e65954ff --- /dev/null +++ b/tests/bug-2576-04-ips/test.yaml @@ -0,0 +1,22 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 4 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-04/md5list.2576 b/tests/bug-2576-04/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-04/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-04/suricata.yaml b/tests/bug-2576-04/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-04/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-04/temp6.pcap b/tests/bug-2576-04/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-04/temp6.pcap differ diff --git a/tests/bug-2576-04/test.rules b/tests/bug-2576-04/test.rules new file mode 100644 index 000000000..2a16eefd7 --- /dev/null +++ b/tests/bug-2576-04/test.rules @@ -0,0 +1,2 @@ +alert ip any any -> any any (msg:"file_data"; file_data; content:"content=IE=Edge"; sid: 3; rev: 1;) +alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;) diff --git a/tests/bug-2576-04/test.yaml b/tests/bug-2576-04/test.yaml new file mode 100644 index 000000000..2e65954ff --- /dev/null +++ b/tests/bug-2576-04/test.yaml @@ -0,0 +1,22 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 4 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 +