diff --git a/tests/bug-4903/bug-4903-04/test.yaml b/tests/bug-4903/bug-4903-04/test.yaml index 4ef142345..3a807c5a2 100644 --- a/tests/bug-4903/bug-4903-04/test.yaml +++ b/tests/bug-4903/bug-4903-04/test.yaml @@ -89,7 +89,6 @@ checks: flow.bytes_toserver: 336 flow.pkts_toclient: 3 flow.pkts_toserver: 4 - pcap_cnt: 7 proto: TCP src_ip: 192.168.100.1 src_port: 10003 @@ -115,7 +114,6 @@ checks: flow.bytes_toserver: 336 flow.pkts_toclient: 3 flow.pkts_toserver: 4 - pcap_cnt: 7 proto: TCP src_ip: 192.168.100.1 src_port: 10003 diff --git a/tests/http-chunked/README.md b/tests/http-chunked/README.md new file mode 100644 index 000000000..35e629b16 --- /dev/null +++ b/tests/http-chunked/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test that we handle Transfer-Encoding when `chunked` is one token + +## PCAP + +From https://redmine.openinfosecfoundation.org/issues/6415 + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/6415 diff --git a/tests/http-chunked/input.pcap b/tests/http-chunked/input.pcap new file mode 100644 index 000000000..298d3a56d Binary files /dev/null and b/tests/http-chunked/input.pcap differ diff --git a/tests/http-chunked/test.rules b/tests/http-chunked/test.rules new file mode 100644 index 000000000..a30fa6c01 --- /dev/null +++ b/tests/http-chunked/test.rules 
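Review bot: Dropping `pcap_cnt: 7` from both filters in test.yaml without replacing it loosens each check to "an alert with these flow counters on any packet of the flow", and nothing in the hunk records why the packet number stopped being stable. If the alert now fires on a different packet after the HTTP header change these tests accompany, pinning the new value (`pcap_cnt: <new>`) keeps the check as strict as before; if the packet is genuinely no longer deterministic, a one-line README note saying so would stop the next reader from re-adding it. The two hunks are otherwise identical, so whichever option is chosen should be applied to both.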
@@ -0,0 +1,28 @@
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Host"; fast_pattern; classtype:web-application-attack; sid:11; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:12; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:13; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:14; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:15; rev:1;)
+alert http any any -> any any (msg:"Test Usage of Unbuffered Content"; flow:established,to_server; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:16; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:21; rev:1;)
+# does not work cf http.cookie keyword and http.header doc expliciting this exclusion
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:22; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:23; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:24; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:25; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header"; flow:established,to_server; http.header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:26; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Host"; fast_pattern; classtype:web-application-attack; sid:31; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:32; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:33; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:34; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:35; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.header.raw"; flow:established,to_server; http.header.raw; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:36; rev:1;)
+
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Host"; fast_pattern; classtype:web-application-attack; sid:41; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Cookie"; fast_pattern; classtype:web-application-attack; sid:42; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"X-Qlik-User"; fast_pattern; classtype:web-application-attack; sid:43; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"User-Agent"; fast_pattern; classtype:web-application-attack; sid:44; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Content-Length"; fast_pattern; classtype:web-application-attack; sid:45; rev:1;)
+alert http any any -> any any (msg:"Test Usage of http.request_header"; flow:established,to_server; http.request_header; content:"Transfer-Encoding"; fast_pattern; classtype:web-application-attack; sid:46; rev:1;)
diff --git a/tests/http-chunked/test.yaml b/tests/http-chunked/test.yaml
new file mode 100644
index 000000000..c8b043e1d
--- /dev/null
+++ b/tests/http-chunked/test.yaml
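Review bot: The comment above sid:22 (`# does not work cf http.cookie keyword and http.header doc expliciting this exclusion`) is hard to parse and does not state what the test expects from a rule that is deliberately left enabled. I would reword it to `# Expected NOT to fire: the http.header buffer excludes the Cookie header, which is only reachable via http.cookie (see the http.header keyword docs)` so the intent survives without reading the tracker issue. Separately, all six rules in each group share the same msg, so an eve alert can only be told apart by sid; putting the header name into each msg (e.g. `msg:"http.header Cookie"`) would make the output self-explanatory when a check fails.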
@@ -0,0 +1,122 @@ +requires: + min-version: 7 + +args: + - -k none --set packet-alert-max=32 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 11 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 12 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 13 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 14 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 15 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 16 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 21 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 23 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 24 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 25 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 26 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 31 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 32 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 33 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 34 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 35 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 36 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 41 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 42 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 43 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 44 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 45 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 46 
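Review bot: The check list is positive-only: it asserts that sids 11–16, 21, 23–26, 31–36 and 41–46 each fire once, but it has no check for sid 22, the rule the rules file marks as one that must not match because http.header excludes the Cookie header. As written the test would still pass if that exclusion regressed and sid 22 started firing, which is presumably part of what issue 6415 is about. Adding `- filter: {count: 0, match: {event_type: alert, alert.signature_id: 22}}` pins the documented behaviour; a total-count check (`count: 23` on `event_type: alert`) would additionally catch duplicate alerts that `packet-alert-max=32` leaves room for.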
diff --git a/tests/http-request-header-multi/README.md b/tests/http-request-header-multi/README.md
new file mode 100644
index 000000000..96f720d0d
--- /dev/null
+++ b/tests/http-request-header-multi/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test `http.request_header` keywords with multiple rules
+
+## PCAP
+
+From https://redmine.openinfosecfoundation.org/issues/6483
+
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6483
diff --git a/tests/http-request-header-multi/input.pcap b/tests/http-request-header-multi/input.pcap
new file mode 100644
index 000000000..50283dde5
Binary files /dev/null and b/tests/http-request-header-multi/input.pcap differ
diff --git a/tests/http-request-header-multi/test.rules b/tests/http-request-header-multi/test.rules
new file mode 100644
index 000000000..6e4d2a0db
--- /dev/null
+++ b/tests/http-request-header-multi/test.rules
@@ -0,0 +1,6 @@
+## contains trailing |0d 0a| in pcre and does not fire, and should not fire, but when this rule is enabled, causes sid:3 to not fire
+alert http any any -> any any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.request_header; content:"Key|3a 20|"; startswith; pcre:"/^(?:[a-z0-9]{64})\x0d\x0a/R"; sid:2;)
+
+## doesn't contain |0d 0a|, should fire and fires by itself, but not when above rule is enabled.
+alert http any any -> any any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.request_header; bsize:69; content:"Key|3a 20|"; startswith; pcre:"/^(?:[a-z0-9]{64})$/R"; sid:3;)
+
diff --git a/tests/http-request-header-multi/test.yaml b/tests/http-request-header-multi/test.yaml
new file mode 100644
index 000000000..69e580059
--- /dev/null
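Review bot: Neither rule in test.rules carries a `msg` or `rev`, so the only statement of what each rule is meant to do lives in the `##` comments and, if the engine accepts msg-less rules, the eve alert for sid:3 is logged with an empty signature name. I would give each rule a one-line msg that restates the comment, e.g. `msg:"sid 2 - trailing CRLF in pcre, must not fire";` and `msg:"sid 3 - exact 64-char Key header, must fire";`, and keep the longer explanation of the interaction (sid:2 enabled suppresses sid:3) in the README rather than only in the rules file. The two rules differ only in `bsize:69` and the pcre tail, which is worth saying explicitly in the README since that is the whole point of the regression test.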
+++ b/tests/http-request-header-multi/test.yaml @@ -0,0 +1,17 @@ +requires: + min-version: 7 + +args: + - -k none + +checks: + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 diff --git a/tests/http2-continuation/README.md b/tests/http2-continuation/README.md new file mode 100644 index 000000000..f8f2717b1 --- /dev/null +++ b/tests/http2-continuation/README.md @@ -0,0 +1,9 @@ +# Description + +Test http2 reassembly of header + continuation frames + +https://redmine.openinfosecfoundation.org/issues/5926 + +# PCAP + +The pcap was produced with a crafted client against a go server diff --git a/tests/http2-continuation/input.pcap b/tests/http2-continuation/input.pcap new file mode 100644 index 000000000..8aa3823de Binary files /dev/null and b/tests/http2-continuation/input.pcap differ diff --git a/tests/http2-continuation/test.yaml b/tests/http2-continuation/test.yaml new file mode 100644 index 000000000..ce0e27ccf --- /dev/null +++ b/tests/http2-continuation/test.yaml @@ -0,0 +1,17 @@ +requires: + min-version: 7 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + event_type: http + http.request_headers[6].name: namenamenamenamenamenamenamenamenamename + http.request_headers[6].value: valuevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevaluevalue +- filter: + count: 0 + match: + event_type: anomaly