From 001d0e27de1208e8736688220de670075f80bb45 Mon Sep 17 00:00:00 2001 
From: Victor Julien
Date: Tue, 30 Jan 2024 20:14:58 +0100
Subject: [PATCH] tests: add bug 2576 tests

---
 tests/bug-2576-01-ips/md5list.2576 | 1 +
 tests/bug-2576-01-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-01-ips/temp6.pcap | Bin 0 -> 4594 bytes
 tests/bug-2576-01-ips/test.rules | 1 +
 tests/bug-2576-01-ips/test.yaml | 17 ++++
 tests/bug-2576-01/md5list.2576 | 1 +
 tests/bug-2576-01/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-01/temp6.pcap | Bin 0 -> 4594 bytes
 tests/bug-2576-01/test.rules | 1 +
 tests/bug-2576-01/test.yaml | 17 ++++
 tests/bug-2576-02-ips/md5list.2576 | 1 +
 tests/bug-2576-02-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-02-ips/temp1.pcap | Bin 0 -> 6155 bytes
 tests/bug-2576-02-ips/test.rules | 1 +
 tests/bug-2576-02-ips/test.yaml | 17 ++++
 tests/bug-2576-02/md5list.2576 | 1 +
 tests/bug-2576-02/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-02/temp1.pcap | Bin 0 -> 6155 bytes
 tests/bug-2576-02/test.rules | 1 +
 tests/bug-2576-02/test.yaml | 17 ++++
 tests/bug-2576-03-ips/md5list.2576 | 1 +
 tests/bug-2576-03-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-03-ips/temp6.pcap | Bin 0 -> 4594 bytes
 tests/bug-2576-03-ips/test.rules | 1 +
 tests/bug-2576-03-ips/test.yaml | 17 ++++
 tests/bug-2576-03/md5list.2576 | 1 +
 tests/bug-2576-03/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-03/temp6.pcap | Bin 0 -> 4594 bytes
 tests/bug-2576-03/test.rules | 1 +
 tests/bug-2576-03/test.yaml | 17 ++++
 tests/bug-2576-04-ips/md5list.2576 | 1 +
 tests/bug-2576-04-ips/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-04-ips/temp6.pcap | Bin 0 -> 4594 bytes
 tests/bug-2576-04-ips/test.rules | 2 +
 tests/bug-2576-04-ips/test.yaml | 22 +++++
 tests/bug-2576-04/md5list.2576 | 1 +
 tests/bug-2576-04/suricata.yaml | 146 ++++++++++++++++++++++++++++
 tests/bug-2576-04/temp6.pcap | Bin 0 -> 4594 bytes
 tests/bug-2576-04/test.rules | 2 +
 tests/bug-2576-04/test.yaml | 22 +++++
 40 files changed, 1332 insertions(+)
 create mode 100644 tests/bug-2576-01-ips/md5list.2576
 create mode 100644 tests/bug-2576-01-ips/suricata.yaml
 create mode 100644 tests/bug-2576-01-ips/temp6.pcap
 create mode 100644 tests/bug-2576-01-ips/test.rules
 create mode 100644 tests/bug-2576-01-ips/test.yaml
 create mode 100644 tests/bug-2576-01/md5list.2576
 create mode 100644 tests/bug-2576-01/suricata.yaml
 create mode 100644 tests/bug-2576-01/temp6.pcap
 create mode 100644 tests/bug-2576-01/test.rules
 create mode 100644 tests/bug-2576-01/test.yaml
 create mode 100644 tests/bug-2576-02-ips/md5list.2576
 create mode 100644 tests/bug-2576-02-ips/suricata.yaml
 create mode 100644 tests/bug-2576-02-ips/temp1.pcap
 create mode 100644 tests/bug-2576-02-ips/test.rules
 create mode 100644 tests/bug-2576-02-ips/test.yaml
 create mode 100644 tests/bug-2576-02/md5list.2576
 create mode 100644 tests/bug-2576-02/suricata.yaml
 create mode 100644 tests/bug-2576-02/temp1.pcap
 create mode 100644 tests/bug-2576-02/test.rules
 create mode 100644 tests/bug-2576-02/test.yaml
 create mode 100644 tests/bug-2576-03-ips/md5list.2576
 create mode 100644 tests/bug-2576-03-ips/suricata.yaml
 create mode 100644 tests/bug-2576-03-ips/temp6.pcap
 create mode 100644 tests/bug-2576-03-ips/test.rules
 create mode 100644 tests/bug-2576-03-ips/test.yaml
 create mode 100644 tests/bug-2576-03/md5list.2576
 create mode 100644 tests/bug-2576-03/suricata.yaml
 create mode 100644 tests/bug-2576-03/temp6.pcap
 create mode 100644 tests/bug-2576-03/test.rules
 create mode 100644 tests/bug-2576-03/test.yaml
 create mode 100644 tests/bug-2576-04-ips/md5list.2576
 create mode 100644 tests/bug-2576-04-ips/suricata.yaml
 create mode 100644 tests/bug-2576-04-ips/temp6.pcap
 create mode 100644 tests/bug-2576-04-ips/test.rules
 create mode 100644 tests/bug-2576-04-ips/test.yaml
 create mode 100644 tests/bug-2576-04/md5list.2576
 create mode 100644 tests/bug-2576-04/suricata.yaml
 create mode 100644 tests/bug-2576-04/temp6.pcap
 create mode 100644 tests/bug-2576-04/test.rules
 create mode 100644 tests/bug-2576-04/test.yaml

diff --git a/tests/bug-2576-01-ips/md5list.2576 b/tests/bug-2576-01-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-01-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-01-ips/suricata.yaml b/tests/bug-2576-01-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-01-ips/suricata.yaml
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
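Review bot: Most of this 146-line suricata.yaml is commented-out defaults (redis, xff, dns, tls, smtp options) that play no part in the test; the checks in test.yaml only need `eve-log` to emit `alert` and `fileinfo` events, which rests on the `types` list and on `force-hash: [md5]` under `files`. Trimming the file to those sections would make the reproduction's intent readable at a glance and reduce the cost of keeping the identical copies this commit adds to each test directory in sync (the four visible headers all carry blob 1e40c3aaa), though a self-contained config per directory may be the runner's convention. At minimum a header comment such as `# bug 2576: eve-log with files force-hash md5 so fileinfo.md5 is emitted for the filemd5 rule` would record why the file is here. The same applies to the suricata.yaml hunks of the other test directories in this commit.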
diff --git a/tests/bug-2576-01-ips/temp6.pcap b/tests/bug-2576-01-ips/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zcma)9Yi!%r6=wX%S}huqJ>X*9f?I92m4`%0wi8Dd6}yhxc#RV+R@UqhxDbW4=W=~i@ZEM-#Op8_k5Q(e*N<|TDUf@aDVd!nu7A_% zF~|k^r8zggjci9z!4Iz8ag1Wq7`Vj3Mt_IZ0x|TR{UqX^EtK)sR2>vQ0{Gv6c<5P| z|6cFm|092Y$KP1~uh-+>;|o#G~EGWP%R|!(Pt;3!8zV4Aw{#J)OaXj`kwIs%ZJ?Kt{`N@_L3O z2^;WuGr!sE*{xe}Su7TVDN&L0K}pYfJ;S=DVTmZZ7DZ2CYy^f>rGUL2uZPm8{c#z}zlf0R0>2StqDSjSz0 zWa(Lp*nY+AhF>n+SJWcp4$*Eq?E^r-1PngP96b_-Gd)9h(BrvASN?O5k6piWHRzO2v5;f{$I|}zi zBio~W+iV{RQ_SSV=t{0$&p0*<*aULY7$#dN*dGk{(@_Ep=~D`X_4uxR`@becw)cel z22f6%4u}~n^l$48g$9tU=R`#lDzk3@86wFFJe_T^$9C--PJT5pf@qd;IuHnqCx?;; z#-TicKs?6AQ7nr^IUdVlB7!9`0{C!VDF~9oApy3Kb0e&fHXvn1)51i^lXRfJ{_TT- z14EEP4#H7VYQ@3mh%h2&u=7IMt*92o84GD*4htquW7EWDJO;~d3Yl0HEHa~FD~mBf zG#Wb!$+A!uj0GBVl;^E*FeO_A@Fcnpd6S2A$+IcNr)1rHmbcevPSJw!ZahX5qT=|S zSKlvPJHLE&cKPb}KYZ`l^3vJT<+tv&FjI0FlvQM$)}_29 z5HpXFWl921^R3JT9?T%`302SN;h>>qP*IU#YDBh&P!=nhED^$y9pH|K5aEZ$KoeoV ztPp7=vMyHV*>W;U)1Vd2$U9|$pk%DsRb-4$KpilG#hb@Mcy(K)Y-7)*Reh!%SN*HI zGOfZy%6Kp&wNvEj2OAR2v0;-Z9;h9sSL6v6oWvWd~t^eU~sBvQ&5y0LuO>V zp$k}LO-YFK^&v4&bl}KPF~NeK2F784)ioaDY41)z?`|TxuQDN2-Mza`2>l%&F(G`d zMhMUOJEq4I>&dNekJ>ts1gt9{5%jFp3GTf26jP>8xv}b$X?BjII`OA}RqMp`I8&xa zp1HsCcN|A4Y(Qj+Xl^3eLbvj%oI>cdwDL|J-0QWf5Gl&n8_oHeXM9b%b7;WV-x*)0 z8}N0J@-_Dto391HdJ#00p0#|nf5&^8>1wYVtCp|!Lvw4Gu0C4B*TphlU;Yfo5e;S+ z&sc-i>hua{)jB^;6Ux&?22I@66*XM6Dow$jm}GK-nDl|eUrrMX@!LPTeDCDDF_N8^d!&(*oMbN7Do zVj~Ac!6~t!6ZWLa$(1Xm7ZzXK2?JK0s2m@@{5p$a*T zUFMlqb@mK(MxKDbs(#%WNq6?7D{Zs0M-H!W&Ad4gswvQ{cS}pJ*zxhM0G&u>5QZFV ze}Y9*A=uwto)SJsDXVZ-iQI`gFLZA~Sd(-aAJ{)S46RDnz_Y)oXtG`ms=5Svt7}0z z<+h-@VGE0>Q zO6ef9kJIlACorRoBpLB8NjGK&=$5lfOIgMMv$HSDAJ1<|b11UX! zymbBO-8We;uszf^l}Sa^W|T^7yhE&H1kxDGDN&k=-~R52yNh$B6UXnJ{~nFk_OyKM z(&%vF?wfO=9tgFkbmE;d0^QZDwvEYHbWK6FJWaW}66HI(H=_@oy)G4l<2Rd%=W9$1 zsy?+Eh`~RY7|hp;!I4{u_1~H`KWB@skllVP1|h_wN*9<{MHeAC

*7eEin any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-01-ips/test.yaml b/tests/bug-2576-01-ips/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-01-ips/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-01/md5list.2576 b/tests/bug-2576-01/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-01/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-01/suricata.yaml b/tests/bug-2576-01/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-01/suricata.yaml
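Review bot: Nothing in this test.yaml distinguishes the -ips variant from tests/bug-2576-01/test.yaml; both new files carry the same blob id 8663071fc and neither passes an IPS-related argument, so unless the runner derives IPS mode from the directory suffix (not shown here) the two directories exercise identical configurations. If IPS mode is meant to be explicit, an `args:` entry such as `- --simulate-ips` in the -ips variants would document it. The `requires: features: - HAVE_NSS` gate also deserves confirmation against the target build, since an unreported feature skips the test rather than failing it, which would hide a regression in the filemd5 path this commit sets out to cover. The same applies to the test.yaml hunks for bug-2576-02-ips and the later -ips directories.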
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-01/temp6.pcap b/tests/bug-2576-01/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zcma)9Yi!%r6=wX%S}huqJ>X*9f?I92m4`%0wi8Dd6}yhxc#RV+R@UqhxDbW4=W=~i@ZEM-#Op8_k5Q(e*N<|TDUf@aDVd!nu7A_% zF~|k^r8zggjci9z!4Iz8ag1Wq7`Vj3Mt_IZ0x|TR{UqX^EtK)sR2>vQ0{Gv6c<5P| z|6cFm|092Y$KP1~uh-+>;|o#G~EGWP%R|!(Pt;3!8zV4Aw{#J)OaXj`kwIs%ZJ?Kt{`N@_L3O z2^;WuGr!sE*{xe}Su7TVDN&L0K}pYfJ;S=DVTmZZ7DZ2CYy^f>rGUL2uZPm8{c#z}zlf0R0>2StqDSjSz0 zWa(Lp*nY+AhF>n+SJWcp4$*Eq?E^r-1PngP96b_-Gd)9h(BrvASN?O5k6piWHRzO2v5;f{$I|}zi zBio~W+iV{RQ_SSV=t{0$&p0*<*aULY7$#dN*dGk{(@_Ep=~D`X_4uxR`@becw)cel z22f6%4u}~n^l$48g$9tU=R`#lDzk3@86wFFJe_T^$9C--PJT5pf@qd;IuHnqCx?;; z#-TicKs?6AQ7nr^IUdVlB7!9`0{C!VDF~9oApy3Kb0e&fHXvn1)51i^lXRfJ{_TT- z14EEP4#H7VYQ@3mh%h2&u=7IMt*92o84GD*4htquW7EWDJO;~d3Yl0HEHa~FD~mBf zG#Wb!$+A!uj0GBVl;^E*FeO_A@Fcnpd6S2A$+IcNr)1rHmbcevPSJw!ZahX5qT=|S zSKlvPJHLE&cKPb}KYZ`l^3vJT<+tv&FjI0FlvQM$)}_29 z5HpXFWl921^R3JT9?T%`302SN;h>>qP*IU#YDBh&P!=nhED^$y9pH|K5aEZ$KoeoV ztPp7=vMyHV*>W;U)1Vd2$U9|$pk%DsRb-4$KpilG#hb@Mcy(K)Y-7)*Reh!%SN*HI zGOfZy%6Kp&wNvEj2OAR2v0;-Z9;h9sSL6v6oWvWd~t^eU~sBvQ&5y0LuO>V zp$k}LO-YFK^&v4&bl}KPF~NeK2F784)ioaDY41)z?`|TxuQDN2-Mza`2>l%&F(G`d zMhMUOJEq4I>&dNekJ>ts1gt9{5%jFp3GTf26jP>8xv}b$X?BjII`OA}RqMp`I8&xa zp1HsCcN|A4Y(Qj+Xl^3eLbvj%oI>cdwDL|J-0QWf5Gl&n8_oHeXM9b%b7;WV-x*)0 z8}N0J@-_Dto391HdJ#00p0#|nf5&^8>1wYVtCp|!Lvw4Gu0C4B*TphlU;Yfo5e;S+ z&sc-i>hua{)jB^;6Ux&?22I@66*XM6Dow$jm}GK-nDl|eUrrMX@!LPTeDCDDF_N8^d!&(*oMbN7Do zVj~Ac!6~t!6ZWLa$(1Xm7ZzXK2?JK0s2m@@{5p$a*T zUFMlqb@mK(MxKDbs(#%WNq6?7D{Zs0M-H!W&Ad4gswvQ{cS}pJ*zxhM0G&u>5QZFV ze}Y9*A=uwto)SJsDXVZ-iQI`gFLZA~Sd(-aAJ{)S46RDnz_Y)oXtG`ms=5Svt7}0z z<+h-@VGE0>Q zO6ef9kJIlACorRoBpLB8NjGK&=$5lfOIgMMv$HSDAJ1<|b11UX! zymbBO-8We;uszf^l}Sa^W|T^7yhE&H1kxDGDN&k=-~R52yNh$B6UXnJ{~nFk_OyKM z(&%vF?wfO=9tgFkbmE;d0^QZDwvEYHbWK6FJWaW}66HI(H=_@oy)G4l<2Rd%=W9$1 zsy?+Eh`~RY7|hp;!I4{u_1~H`KWB@skllVP1|h_wN*9<{MHeAC

*7eEin any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-01/test.yaml b/tests/bug-2576-01/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-01/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-02-ips/md5list.2576 b/tests/bug-2576-02-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-02-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-02-ips/suricata.yaml b/tests/bug-2576-02-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-02-ips/suricata.yaml
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-02-ips/temp1.pcap b/tests/bug-2576-02-ips/temp1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9550b4f2ba02ffa6494cf044032e7e96701eaba9 GIT binary patch literal 6155 zcmeHLZEPGz8D4*d_Q;`x54ma~njYA`eBABb*-o7E?ZvL+Hl}fW#10LG$lcqWyIXs2 zce6WpXBS1-Kq@K{($bdDI89R&$0>{@zI;NPVpg%{zkt=M zwnLuL&*USKru_Xso}_bNPwAzoPwh4GkZo_^q2( z*TOe?xFA12?Z&r}?I@P;gR8b4qS!PBE-|~#-)z-G44o%GiMXfpCH%T&7sZbN{?{NL z+A8wj<=y{38^;>|UtpaP_Yci}axO1)G`e^fQ zhQ(LKdSI;QY7@sj)<1%Hv}0r>!H0ukuV;^i%|LG&Yb1)ENMk~KJCI*hwA@4>t>xBx zJ-w2I4S2nQ-{AG^&@H$v6biwlsK~jXq-VXJK3&tWL=;_%qQ@~d0==q|$6k-uLuu6h zu$oIkR5HsU?n!)@T-&$v@78^#{aKlN|0T6JZ(Y#1A07*8eEJav2KAazbJiWt4J znmY%{(pHYxbi(^Xiums5Y9TgFO#O!<{=R-C#QPD)m1snfPzVh@UZN_nTh!9nilXEs z!4}XXN*Npgl8C9RQDm4(UL<%E()55tU$Hxj=qB75ramzlFmYZ~6}eKz6#uoG)(l8K^7dl!susdr@3z)?i-1mQCzt9m`#!F3cpYATyhID~q0X-Fa5g+g1S z9g!&9JT^Gu_4E@l9Ywy*uCC3Y4p|Cp?T~$5&rZ=Ifk9nXQVN!%Xi(QS0UG+Es8JtV zP`EuB*%IyCZ2L%{8;=o% zs5pM(<@bu0PA^=XTDbV#58pksFn_Xm{>>Y&&fc1SA;#M#F`hAmVo6<|L^LYl^C7q- zDUM>Yl1GXx6im@DAn3&o=M(x`Qbo%WXvgSsGy8=#N++}PrMs)l8c@_Um?_yb$|y2U z=~B)Th?&F4G9`hh`7X@_9?T%`QB_at;h>?VQ9+SmYDBh#PzEdM3=zVSt>BJ_5aEZ$ zKoeoVY#>rdWL2!fv*l!zqCqQ~k#mLxf|9Xjk0N7y6vhD~SiCtbgjcpzN;dXfTG409 zan-f5E7Qu4CXKs8QaeSSxVs_I92+)y;xWsBm2D4_FPTQxsA3QpCtutl0vH@G*c23G z$B-G>Zs-D5Sy2)qot;R`5gj-(R7|j-r+{(jVB;E(@w9d)pmx^~-ItjVs_xodA%y^hJrhU_OOjjQ&UX6T7FHldNb|4Fme!4vNRm7iZq9<{)47^E}i+-RC7StuJq_(lURxxXI z6GIiU8oSLgt!ioSZHYVz|CZJ3mPo3lJ+)LeTiWIDBG=5D6QP;}&3dOe|B@Xa?+Va~ zR0d(l!uBUvFcpIRZKWyUbChx!?h27RQRjrVjR4>w&4*wQ)#_Wn5&4#K6~eTm&1dK9gZar4_Bk2* z)TGaqbKClESPo@_Qm%ek*gx`%{3T6AfxU*~51tU)QV2d-u?$t5g#8z!GT!ZrU!S>9 zJaug0(p>R{X@_82AFD376zS77m>JIcV~+)RHfYIGGZk|t1A4eL1>?noKU=u;J-eb+ zo3e`OGVV?4AheIrbA}U`Q9_c8c&nrvlihU7*{UTiqnp{;x255)I{I>sO!D!C`O7z6 zJYxq^eD-kh^1+*Luv%byC@(5wil|L0OR@0|v62x;VJs&_X*_=Y+edEBO&5ez$dZK$X`qJ6!QZYDu zwWfH!!o*1LvP^pu%uv*K%Pva1Bl*v-EF^&&|=K=tU7u} w#72fVSQT+CAfC4IY{a(!vBrt`BI9<@jab30|KaVF+jYCDaQguh^#?ibzpzCf>;M1& literal 0 HcmV?d00001 
diff --git a/tests/bug-2576-02-ips/test.rules b/tests/bug-2576-02-ips/test.rules
new file mode 100644
index 000000000..8c2aa9218
--- /dev/null
+++ b/tests/bug-2576-02-ips/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-02-ips/test.yaml b/tests/bug-2576-02-ips/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-02-ips/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-02/md5list.2576 b/tests/bug-2576-02/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-02/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-02/suricata.yaml b/tests/bug-2576-02/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-02/suricata.yaml
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-02/temp1.pcap b/tests/bug-2576-02/temp1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9550b4f2ba02ffa6494cf044032e7e96701eaba9 GIT binary patch literal 6155 zcmeHLZEPGz8D4*d_Q;`x54ma~njYA`eBABb*-o7E?ZvL+Hl}fW#10LG$lcqWyIXs2 zce6WpXBS1-Kq@K{($bdDI89R&$0>{@zI;NPVpg%{zkt=M zwnLuL&*USKru_Xso}_bNPwAzoPwh4GkZo_^q2( z*TOe?xFA12?Z&r}?I@P;gR8b4qS!PBE-|~#-)z-G44o%GiMXfpCH%T&7sZbN{?{NL z+A8wj<=y{38^;>|UtpaP_Yci}axO1)G`e^fQ zhQ(LKdSI;QY7@sj)<1%Hv}0r>!H0ukuV;^i%|LG&Yb1)ENMk~KJCI*hwA@4>t>xBx zJ-w2I4S2nQ-{AG^&@H$v6biwlsK~jXq-VXJK3&tWL=;_%qQ@~d0==q|$6k-uLuu6h zu$oIkR5HsU?n!)@T-&$v@78^#{aKlN|0T6JZ(Y#1A07*8eEJav2KAazbJiWt4J znmY%{(pHYxbi(^Xiums5Y9TgFO#O!<{=R-C#QPD)m1snfPzVh@UZN_nTh!9nilXEs z!4}XXN*Npgl8C9RQDm4(UL<%E()55tU$Hxj=qB75ramzlFmYZ~6}eKz6#uoG)(l8K^7dl!susdr@3z)?i-1mQCzt9m`#!F3cpYATyhID~q0X-Fa5g+g1S z9g!&9JT^Gu_4E@l9Ywy*uCC3Y4p|Cp?T~$5&rZ=Ifk9nXQVN!%Xi(QS0UG+Es8JtV zP`EuB*%IyCZ2L%{8;=o% zs5pM(<@bu0PA^=XTDbV#58pksFn_Xm{>>Y&&fc1SA;#M#F`hAmVo6<|L^LYl^C7q- zDUM>Yl1GXx6im@DAn3&o=M(x`Qbo%WXvgSsGy8=#N++}PrMs)l8c@_Um?_yb$|y2U z=~B)Th?&F4G9`hh`7X@_9?T%`QB_at;h>?VQ9+SmYDBh#PzEdM3=zVSt>BJ_5aEZ$ zKoeoVY#>rdWL2!fv*l!zqCqQ~k#mLxf|9Xjk0N7y6vhD~SiCtbgjcpzN;dXfTG409 zan-f5E7Qu4CXKs8QaeSSxVs_I92+)y;xWsBm2D4_FPTQxsA3QpCtutl0vH@G*c23G z$B-G>Zs-D5Sy2)qot;R`5gj-(R7|j-r+{(jVB;E(@w9d)pmx^~-ItjVs_xodA%y^hJrhU_OOjjQ&UX6T7FHldNb|4Fme!4vNRm7iZq9<{)47^E}i+-RC7StuJq_(lURxxXI z6GIiU8oSLgt!ioSZHYVz|CZJ3mPo3lJ+)LeTiWIDBG=5D6QP;}&3dOe|B@Xa?+Va~ zR0d(l!uBUvFcpIRZKWyUbChx!?h27RQRjrVjR4>w&4*wQ)#_Wn5&4#K6~eTm&1dK9gZar4_Bk2* z)TGaqbKClESPo@_Qm%ek*gx`%{3T6AfxU*~51tU)QV2d-u?$t5g#8z!GT!ZrU!S>9 zJaug0(p>R{X@_82AFD376zS77m>JIcV~+)RHfYIGGZk|t1A4eL1>?noKU=u;J-eb+ zo3e`OGVV?4AheIrbA}U`Q9_c8c&nrvlihU7*{UTiqnp{;x255)I{I>sO!D!C`O7z6 zJYxq^eD-kh^1+*Luv%byC@(5wil|L0OR@0|v62x;VJs&_X*_=Y+edEBO&5ez$dZK$X`qJ6!QZYDu zwWfH!!o*1LvP^pu%uv*K%Pva1Bl*v-EF^&&|=K=tU7u} w#72fVSQT+CAfC4IY{a(!vBrt`BI9<@jab30|KaVF+jYCDaQguh^#?ibzpzCf>;M1& literal 0 HcmV?d00001 
diff --git a/tests/bug-2576-02/test.rules b/tests/bug-2576-02/test.rules
new file mode 100644
index 000000000..8c2aa9218
--- /dev/null
+++ b/tests/bug-2576-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-02/test.yaml b/tests/bug-2576-02/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-02/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-03-ips/md5list.2576 b/tests/bug-2576-03-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-03-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-03-ips/suricata.yaml b/tests/bug-2576-03-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-03-ips/suricata.yaml
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-03-ips/temp6.pcap b/tests/bug-2576-03-ips/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zcma)9Yi!%r6=wX%S}huqJ>X*9f?I92m4`%0wi8Dd6}yhxc#RV+R@UqhxDbW4=W=~i@ZEM-#Op8_k5Q(e*N<|TDUf@aDVd!nu7A_% zF~|k^r8zggjci9z!4Iz8ag1Wq7`Vj3Mt_IZ0x|TR{UqX^EtK)sR2>vQ0{Gv6c<5P| z|6cFm|092Y$KP1~uh-+>;|o#G~EGWP%R|!(Pt;3!8zV4Aw{#J)OaXj`kwIs%ZJ?Kt{`N@_L3O z2^;WuGr!sE*{xe}Su7TVDN&L0K}pYfJ;S=DVTmZZ7DZ2CYy^f>rGUL2uZPm8{c#z}zlf0R0>2StqDSjSz0 zWa(Lp*nY+AhF>n+SJWcp4$*Eq?E^r-1PngP96b_-Gd)9h(BrvASN?O5k6piWHRzO2v5;f{$I|}zi zBio~W+iV{RQ_SSV=t{0$&p0*<*aULY7$#dN*dGk{(@_Ep=~D`X_4uxR`@becw)cel z22f6%4u}~n^l$48g$9tU=R`#lDzk3@86wFFJe_T^$9C--PJT5pf@qd;IuHnqCx?;; z#-TicKs?6AQ7nr^IUdVlB7!9`0{C!VDF~9oApy3Kb0e&fHXvn1)51i^lXRfJ{_TT- z14EEP4#H7VYQ@3mh%h2&u=7IMt*92o84GD*4htquW7EWDJO;~d3Yl0HEHa~FD~mBf zG#Wb!$+A!uj0GBVl;^E*FeO_A@Fcnpd6S2A$+IcNr)1rHmbcevPSJw!ZahX5qT=|S zSKlvPJHLE&cKPb}KYZ`l^3vJT<+tv&FjI0FlvQM$)}_29 z5HpXFWl921^R3JT9?T%`302SN;h>>qP*IU#YDBh&P!=nhED^$y9pH|K5aEZ$KoeoV ztPp7=vMyHV*>W;U)1Vd2$U9|$pk%DsRb-4$KpilG#hb@Mcy(K)Y-7)*Reh!%SN*HI zGOfZy%6Kp&wNvEj2OAR2v0;-Z9;h9sSL6v6oWvWd~t^eU~sBvQ&5y0LuO>V zp$k}LO-YFK^&v4&bl}KPF~NeK2F784)ioaDY41)z?`|TxuQDN2-Mza`2>l%&F(G`d zMhMUOJEq4I>&dNekJ>ts1gt9{5%jFp3GTf26jP>8xv}b$X?BjII`OA}RqMp`I8&xa zp1HsCcN|A4Y(Qj+Xl^3eLbvj%oI>cdwDL|J-0QWf5Gl&n8_oHeXM9b%b7;WV-x*)0 z8}N0J@-_Dto391HdJ#00p0#|nf5&^8>1wYVtCp|!Lvw4Gu0C4B*TphlU;Yfo5e;S+ z&sc-i>hua{)jB^;6Ux&?22I@66*XM6Dow$jm}GK-nDl|eUrrMX@!LPTeDCDDF_N8^d!&(*oMbN7Do zVj~Ac!6~t!6ZWLa$(1Xm7ZzXK2?JK0s2m@@{5p$a*T zUFMlqb@mK(MxKDbs(#%WNq6?7D{Zs0M-H!W&Ad4gswvQ{cS}pJ*zxhM0G&u>5QZFV ze}Y9*A=uwto)SJsDXVZ-iQI`gFLZA~Sd(-aAJ{)S46RDnz_Y)oXtG`ms=5Svt7}0z z<+h-@VGE0>Q zO6ef9kJIlACorRoBpLB8NjGK&=$5lfOIgMMv$HSDAJ1<|b11UX! zymbBO-8We;uszf^l}Sa^W|T^7yhE&H1kxDGDN&k=-~R52yNh$B6UXnJ{~nFk_OyKM z(&%vF?wfO=9tgFkbmE;d0^QZDwvEYHbWK6FJWaW}66HI(H=_@oy)G4l<2Rd%=W9$1 zsy?+Eh`~RY7|hp;!I4{u_1~H`KWB@skllVP1|h_wN*9<{MHeAC

*7eEin any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-03-ips/test.yaml b/tests/bug-2576-03-ips/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-03-ips/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-03/md5list.2576 b/tests/bug-2576-03/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-03/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-03/suricata.yaml b/tests/bug-2576-03/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-03/suricata.yaml
@@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". 
In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. 
+ #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata 
diff --git a/tests/bug-2576-03/temp6.pcap b/tests/bug-2576-03/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zcma)9Yi!%r6=wX%S}huqJ>X*9f?I92m4`%0wi8Dd6}yhxc#RV+R@UqhxDbW4=W=~i@ZEM-#Op8_k5Q(e*N<|TDUf@aDVd!nu7A_% zF~|k^r8zggjci9z!4Iz8ag1Wq7`Vj3Mt_IZ0x|TR{UqX^EtK)sR2>vQ0{Gv6c<5P| z|6cFm|092Y$KP1~uh-+>;|o#G~EGWP%R|!(Pt;3!8zV4Aw{#J)OaXj`kwIs%ZJ?Kt{`N@_L3O z2^;WuGr!sE*{xe}Su7TVDN&L0K}pYfJ;S=DVTmZZ7DZ2CYy^f>rGUL2uZPm8{c#z}zlf0R0>2StqDSjSz0 zWa(Lp*nY+AhF>n+SJWcp4$*Eq?E^r-1PngP96b_-Gd)9h(BrvASN?O5k6piWHRzO2v5;f{$I|}zi zBio~W+iV{RQ_SSV=t{0$&p0*<*aULY7$#dN*dGk{(@_Ep=~D`X_4uxR`@becw)cel z22f6%4u}~n^l$48g$9tU=R`#lDzk3@86wFFJe_T^$9C--PJT5pf@qd;IuHnqCx?;; z#-TicKs?6AQ7nr^IUdVlB7!9`0{C!VDF~9oApy3Kb0e&fHXvn1)51i^lXRfJ{_TT- z14EEP4#H7VYQ@3mh%h2&u=7IMt*92o84GD*4htquW7EWDJO;~d3Yl0HEHa~FD~mBf zG#Wb!$+A!uj0GBVl;^E*FeO_A@Fcnpd6S2A$+IcNr)1rHmbcevPSJw!ZahX5qT=|S zSKlvPJHLE&cKPb}KYZ`l^3vJT<+tv&FjI0FlvQM$)}_29 z5HpXFWl921^R3JT9?T%`302SN;h>>qP*IU#YDBh&P!=nhED^$y9pH|K5aEZ$KoeoV ztPp7=vMyHV*>W;U)1Vd2$U9|$pk%DsRb-4$KpilG#hb@Mcy(K)Y-7)*Reh!%SN*HI zGOfZy%6Kp&wNvEj2OAR2v0;-Z9;h9sSL6v6oWvWd~t^eU~sBvQ&5y0LuO>V zp$k}LO-YFK^&v4&bl}KPF~NeK2F784)ioaDY41)z?`|TxuQDN2-Mza`2>l%&F(G`d zMhMUOJEq4I>&dNekJ>ts1gt9{5%jFp3GTf26jP>8xv}b$X?BjII`OA}RqMp`I8&xa zp1HsCcN|A4Y(Qj+Xl^3eLbvj%oI>cdwDL|J-0QWf5Gl&n8_oHeXM9b%b7;WV-x*)0 z8}N0J@-_Dto391HdJ#00p0#|nf5&^8>1wYVtCp|!Lvw4Gu0C4B*TphlU;Yfo5e;S+ z&sc-i>hua{)jB^;6Ux&?22I@66*XM6Dow$jm}GK-nDl|eUrrMX@!LPTeDCDDF_N8^d!&(*oMbN7Do zVj~Ac!6~t!6ZWLa$(1Xm7ZzXK2?JK0s2m@@{5p$a*T zUFMlqb@mK(MxKDbs(#%WNq6?7D{Zs0M-H!W&Ad4gswvQ{cS}pJ*zxhM0G&u>5QZFV ze}Y9*A=uwto)SJsDXVZ-iQI`gFLZA~Sd(-aAJ{)S46RDnz_Y)oXtG`ms=5Svt7}0z z<+h-@VGE0>Q zO6ef9kJIlACorRoBpLB8NjGK&=$5lfOIgMMv$HSDAJ1<|b11UX! zymbBO-8We;uszf^l}Sa^W|T^7yhE&H1kxDGDN&k=-~R52yNh$B6UXnJ{~nFk_OyKM z(&%vF?wfO=9tgFkbmE;d0^QZDwvEYHbWK6FJWaW}66HI(H=_@oy)G4l<2Rd%=W9$1 zsy?+Eh`~RY7|hp;!I4{u_1~H`KWB@skllVP1|h_wN*9<{MHeAC

*7eEin any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;)
diff --git a/tests/bug-2576-03/test.yaml b/tests/bug-2576-03/test.yaml
new file mode 100644
index 000000000..8663071fc
--- /dev/null
+++ b/tests/bug-2576-03/test.yaml
@@ -0,0 +1,17 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-04-ips/md5list.2576 b/tests/bug-2576-04-ips/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-04-ips/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-04-ips/suricata.yaml b/tests/bug-2576-04-ips/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-04-ips/suricata.yaml
@@ -0,0 +1,146 @@
+%YAML 1.1
+---
+
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ pcap-file: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+ # Use version 2 logging with the new format:
+ # DNS answers will be logged in one single event
+ # rather than an event for each of it.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
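Review bot: Nothing in this 146-line config marks which settings the test actually relies on — the eve-log `- alert` type and the `- files` type with `force-hash: [md5]` — so a later tidy-up of the commented defaults could remove `force-hash` and only surface as a failing `fileinfo.md5` check in test.yaml. A one-line comment above it, e.g. `# test.yaml asserts fileinfo.md5; keep md5 in force-hash`, would pin the dependency, or the file could be trimmed to just the `outputs` keys the checks need. The same config is added unchanged for bug-2576-04 in the next suricata.yaml hunk.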
diff --git a/tests/bug-2576-04-ips/temp6.pcap b/tests/bug-2576-04-ips/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zcma)9Yi!%r6=wX%S}huqJ>X*9f?I92m4`%0wi8Dd6}yhxc#RV+R@UqhxDbW4=W=~i@ZEM-#Op8_k5Q(e*N<|TDUf@aDVd!nu7A_% zF~|k^r8zggjci9z!4Iz8ag1Wq7`Vj3Mt_IZ0x|TR{UqX^EtK)sR2>vQ0{Gv6c<5P| z|6cFm|092Y$KP1~uh-+>;|o#G~EGWP%R|!(Pt;3!8zV4Aw{#J)OaXj`kwIs%ZJ?Kt{`N@_L3O z2^;WuGr!sE*{xe}Su7TVDN&L0K}pYfJ;S=DVTmZZ7DZ2CYy^f>rGUL2uZPm8{c#z}zlf0R0>2StqDSjSz0 zWa(Lp*nY+AhF>n+SJWcp4$*Eq?E^r-1PngP96b_-Gd)9h(BrvASN?O5k6piWHRzO2v5;f{$I|}zi zBio~W+iV{RQ_SSV=t{0$&p0*<*aULY7$#dN*dGk{(@_Ep=~D`X_4uxR`@becw)cel z22f6%4u}~n^l$48g$9tU=R`#lDzk3@86wFFJe_T^$9C--PJT5pf@qd;IuHnqCx?;; z#-TicKs?6AQ7nr^IUdVlB7!9`0{C!VDF~9oApy3Kb0e&fHXvn1)51i^lXRfJ{_TT- z14EEP4#H7VYQ@3mh%h2&u=7IMt*92o84GD*4htquW7EWDJO;~d3Yl0HEHa~FD~mBf zG#Wb!$+A!uj0GBVl;^E*FeO_A@Fcnpd6S2A$+IcNr)1rHmbcevPSJw!ZahX5qT=|S zSKlvPJHLE&cKPb}KYZ`l^3vJT<+tv&FjI0FlvQM$)}_29 z5HpXFWl921^R3JT9?T%`302SN;h>>qP*IU#YDBh&P!=nhED^$y9pH|K5aEZ$KoeoV ztPp7=vMyHV*>W;U)1Vd2$U9|$pk%DsRb-4$KpilG#hb@Mcy(K)Y-7)*Reh!%SN*HI zGOfZy%6Kp&wNvEj2OAR2v0;-Z9;h9sSL6v6oWvWd~t^eU~sBvQ&5y0LuO>V zp$k}LO-YFK^&v4&bl}KPF~NeK2F784)ioaDY41)z?`|TxuQDN2-Mza`2>l%&F(G`d zMhMUOJEq4I>&dNekJ>ts1gt9{5%jFp3GTf26jP>8xv}b$X?BjII`OA}RqMp`I8&xa zp1HsCcN|A4Y(Qj+Xl^3eLbvj%oI>cdwDL|J-0QWf5Gl&n8_oHeXM9b%b7;WV-x*)0 z8}N0J@-_Dto391HdJ#00p0#|nf5&^8>1wYVtCp|!Lvw4Gu0C4B*TphlU;Yfo5e;S+ z&sc-i>hua{)jB^;6Ux&?22I@66*XM6Dow$jm}GK-nDl|eUrrMX@!LPTeDCDDF_N8^d!&(*oMbN7Do zVj~Ac!6~t!6ZWLa$(1Xm7ZzXK2?JK0s2m@@{5p$a*T zUFMlqb@mK(MxKDbs(#%WNq6?7D{Zs0M-H!W&Ad4gswvQ{cS}pJ*zxhM0G&u>5QZFV ze}Y9*A=uwto)SJsDXVZ-iQI`gFLZA~Sd(-aAJ{)S46RDnz_Y)oXtG`ms=5Svt7}0z z<+h-@VGE0>Q zO6ef9kJIlACorRoBpLB8NjGK&=$5lfOIgMMv$HSDAJ1<|b11UX! zymbBO-8We;uszf^l}Sa^W|T^7yhE&H1kxDGDN&k=-~R52yNh$B6UXnJ{~nFk_OyKM z(&%vF?wfO=9tgFkbmE;d0^QZDwvEYHbWK6FJWaW}66HI(H=_@oy)G4l<2Rd%=W9$1 zsy?+Eh`~RY7|hp;!I4{u_1~H`KWB@skllVP1|h_wN*9<{MHeAC

*7eEin any any (msg:"file_data"; file_data; content:"content=IE=Edge"; sid: 3; rev: 1;)
+alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;)
diff --git a/tests/bug-2576-04-ips/test.yaml b/tests/bug-2576-04-ips/test.yaml
new file mode 100644
index 000000000..2e65954ff
--- /dev/null
+++ b/tests/bug-2576-04-ips/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+
diff --git a/tests/bug-2576-04/md5list.2576 b/tests/bug-2576-04/md5list.2576
new file mode 100644
index 000000000..f754e17b2
--- /dev/null
+++ b/tests/bug-2576-04/md5list.2576
@@ -0,0 +1 @@
+090fe607a5be1228362614ccaa088577
diff --git a/tests/bug-2576-04/suricata.yaml b/tests/bug-2576-04/suricata.yaml
new file mode 100644
index 000000000..1e40c3aaa
--- /dev/null
+++ b/tests/bug-2576-04/suricata.yaml
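Review bot: The test.yaml added for bug-2576-04-ips is byte-identical to the one added for bug-2576-04 (both hunks carry blob id `2e65954ff`, and the two suricata.yaml files both show `1e40c3aaa`), so nothing in the directory itself puts Suricata into IPS mode. If the harness derives `--simulate-ips` from the `-ips` directory suffix that is fine but undocumented; a leading comment such as `# IPS variant: the runner adds --simulate-ips from the directory name` would record it. If it does not, the variant repeats the non-IPS test and needs an explicit `args:` entry passing `--simulate-ips`.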
@@ -0,0 +1,146 @@
+%YAML 1.1
+---
+
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ #prefix: "@cee: " # prefix to prepend to each log entry
+ # the following are valid when type: syslog above
+ #identity: "suricata"
+ #facility: local5
+ #level: Info ## possible levels: Emergency, Alert, Critical,
+ ## Error, Warning, Notice, Info, Debug
+ #redis:
+ # server: 127.0.0.1
+ # port: 6379
+ # async: true ## if redis replies are read asynchronously
+ # mode: list ## possible values: list|lpush (default), rpush, channel|publish
+ # ## lpush and rpush are using a Redis list. "list" is an alias for lpush
+ # ## publish is using a Redis channel. "channel" is an alias for publish
+ # key: suricata ## key or channel to use (default to suricata)
+ # Redis pipelining set up. This will enable to only do a query every
+ # 'batch-size' events. This should lower the latency induced by network
+ # connection at the cost of some memory. There is no flushing implemented
+ # so this setting as to be reserved to high traffic suricata.
+ # pipelining:
+ # enabled: yes ## set enable to yes to enable query pipelining
+ # batch-size: 10 ## number of entry to keep in buffer
+
+ # Include top level metadata. Default yes.
+ #metadata: no
+
+ pcap-file: false
+
+ # HTTP X-Forwarded-For support by adding an extra field or overwriting
+ # the source or destination IP address (depending on flow direction)
+ # with the one reported in the X-Forwarded-For HTTP header. This is
+ # helpful when reviewing alerts for traffic that is being reverse
+ # or forward proxied.
+ xff:
+ enabled: no
+ # Two operation modes are available, "extra-data" and "overwrite".
+ mode: extra-data
+ # Two proxy deployments are supported, "reverse" and "forward". In
+ # a "reverse" deployment the IP address used is the last one, in a
+ # "forward" deployment the first IP address is used.
+ deployment: reverse
+ # Header name where the actual IP address will be reported, if more
+ # than one IP address is present, the last IP address will be the
+ # one taken into consideration.
+ header: X-Forwarded-For
+
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # http-body: yes # enable dumping of http body in Base64
+ # http-body-printable: yes # enable dumping of http body in printable format
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ # custom allows additional http fields to be included in eve-log
+ # the example below adds three additional fields when uncommented
+ #custom: [Accept-Encoding, Accept-Language, Authorization]
+ - dns:
+ # This configuration uses the new DNS logging format,
+ # the old configuration is still available:
+ # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format
+ # Use version 2 logging with the new format:
+ # DNS answers will be logged in one single event
+ # rather than an event for each of it.
+ # Without setting a version the version
+ # will fallback to 1 for backwards compatibility.
+ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: no
+
+ # Control logging of requests and responses:
+ # - requests: enable logging of DNS queries
+ # - responses: enable logging of DNS answers
+ # By default both requests and responses are logged.
+ #requests: no
+ #responses: no
+
+ # Format of answer logging:
+ # - detailed: array item per answer
+ # - grouped: answers aggregated by type
+ # Default: all
+ #formats: [detailed, grouped]
+
+ # Answer types to log.
+ # Default: all
+ #types: [a, aaaa, cname, mx, ns, ptr, txt]
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # custom allows to control which tls fields that are included
+ # in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ - smtp:
+ #extended: yes # enable this for extended logging information
+ # this includes: bcc, message-id, subject, x_mailer, user-agent
+ # custom fields logging from the list:
+ # reply-to, bcc, message-id, subject, x-mailer, user-agent, received,
+ # x-originating-ip, in-reply-to, references, importance, priority,
+ # sensitivity, organization, content-md5, date
+ #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc]
+ # output md5 of fields: body, subject
+ # for the body you need to set app-layer.protocols.smtp.mime.body-md5
+ # to yes
+ #md5: [body, subject]
+
+ - ssh
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # bi-directional flows
+ - flow
+ # uni-directional flows
+ #- netflow
+
+ # Metadata event type. Triggered whenever a pktvar is saved
+ # and will include the pktvars, flowvars, flowbits and
+ # flowints.
+ #- metadata
diff --git a/tests/bug-2576-04/temp6.pcap b/tests/bug-2576-04/temp6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cdaa6625d7e47e4631d0001882f0cbcf1edf75e4 GIT binary patch literal 4594 zcma)9Yi!%r6=wX%S}huqJ>X*9f?I92m4`%0wi8Dd6}yhxc#RV+R@UqhxDbW4=W=~i@ZEM-#Op8_k5Q(e*N<|TDUf@aDVd!nu7A_% zF~|k^r8zggjci9z!4Iz8ag1Wq7`Vj3Mt_IZ0x|TR{UqX^EtK)sR2>vQ0{Gv6c<5P| z|6cFm|092Y$KP1~uh-+>;|o#G~EGWP%R|!(Pt;3!8zV4Aw{#J)OaXj`kwIs%ZJ?Kt{`N@_L3O z2^;WuGr!sE*{xe}Su7TVDN&L0K}pYfJ;S=DVTmZZ7DZ2CYy^f>rGUL2uZPm8{c#z}zlf0R0>2StqDSjSz0 zWa(Lp*nY+AhF>n+SJWcp4$*Eq?E^r-1PngP96b_-Gd)9h(BrvASN?O5k6piWHRzO2v5;f{$I|}zi zBio~W+iV{RQ_SSV=t{0$&p0*<*aULY7$#dN*dGk{(@_Ep=~D`X_4uxR`@becw)cel z22f6%4u}~n^l$48g$9tU=R`#lDzk3@86wFFJe_T^$9C--PJT5pf@qd;IuHnqCx?;; z#-TicKs?6AQ7nr^IUdVlB7!9`0{C!VDF~9oApy3Kb0e&fHXvn1)51i^lXRfJ{_TT- z14EEP4#H7VYQ@3mh%h2&u=7IMt*92o84GD*4htquW7EWDJO;~d3Yl0HEHa~FD~mBf zG#Wb!$+A!uj0GBVl;^E*FeO_A@Fcnpd6S2A$+IcNr)1rHmbcevPSJw!ZahX5qT=|S zSKlvPJHLE&cKPb}KYZ`l^3vJT<+tv&FjI0FlvQM$)}_29 z5HpXFWl921^R3JT9?T%`302SN;h>>qP*IU#YDBh&P!=nhED^$y9pH|K5aEZ$KoeoV ztPp7=vMyHV*>W;U)1Vd2$U9|$pk%DsRb-4$KpilG#hb@Mcy(K)Y-7)*Reh!%SN*HI zGOfZy%6Kp&wNvEj2OAR2v0;-Z9;h9sSL6v6oWvWd~t^eU~sBvQ&5y0LuO>V zp$k}LO-YFK^&v4&bl}KPF~NeK2F784)ioaDY41)z?`|TxuQDN2-Mza`2>l%&F(G`d zMhMUOJEq4I>&dNekJ>ts1gt9{5%jFp3GTf26jP>8xv}b$X?BjII`OA}RqMp`I8&xa zp1HsCcN|A4Y(Qj+Xl^3eLbvj%oI>cdwDL|J-0QWf5Gl&n8_oHeXM9b%b7;WV-x*)0 z8}N0J@-_Dto391HdJ#00p0#|nf5&^8>1wYVtCp|!Lvw4Gu0C4B*TphlU;Yfo5e;S+ z&sc-i>hua{)jB^;6Ux&?22I@66*XM6Dow$jm}GK-nDl|eUrrMX@!LPTeDCDDF_N8^d!&(*oMbN7Do zVj~Ac!6~t!6ZWLa$(1Xm7ZzXK2?JK0s2m@@{5p$a*T zUFMlqb@mK(MxKDbs(#%WNq6?7D{Zs0M-H!W&Ad4gswvQ{cS}pJ*zxhM0G&u>5QZFV ze}Y9*A=uwto)SJsDXVZ-iQI`gFLZA~Sd(-aAJ{)S46RDnz_Y)oXtG`ms=5Svt7}0z z<+h-@VGE0>Q zO6ef9kJIlACorRoBpLB8NjGK&=$5lfOIgMMv$HSDAJ1<|b11UX! zymbBO-8We;uszf^l}Sa^W|T^7yhE&H1kxDGDN&k=-~R52yNh$B6UXnJ{~nFk_OyKM z(&%vF?wfO=9tgFkbmE;d0^QZDwvEYHbWK6FJWaW}66HI(H=_@oy)G4l<2Rd%=W9$1 zsy?+Eh`~RY7|hp;!I4{u_1~H`KWB@skllVP1|h_wN*9<{MHeAC

*7eEin any any (msg:"file_data"; file_data; content:"content=IE=Edge"; sid: 3; rev: 1;)
+alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;)
diff --git a/tests/bug-2576-04/test.yaml b/tests/bug-2576-04/test.yaml
new file mode 100644
index 000000000..2e65954ff
--- /dev/null
+++ b/tests/bug-2576-04/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.md5: 090fe607a5be1228362614ccaa088577
+