From e428dbd6408bbd3bf2fc1eb84410156b0f501327 Mon Sep 17 00:00:00 2001 
From: Giuseppe Longo Date: Sun, 14 Apr 2024 14:07:10 +0200 Subject: [PATCH] sip: add tests for headers sticky buffers Ticket #6374 --- tests/sip-compact-form/Makefile | 2 ++ tests/sip-compact-form/README.md | 7 ++++ tests/sip-compact-form/sip_compact_form.pcap | Bin 0 -> 976 bytes tests/sip-compact-form/sip_compact_form.syn | 33 ++++++++++++++++++ tests/sip-compact-form/test.rules | 6 ++++ tests/sip-compact-form/test.yaml | 34 +++++++++++++++++++ tests/sip-content-length/README.md | 1 + tests/sip-content-length/test.rules | 2 ++ tests/sip-content-length/test.yaml | 19 +++++++++++ tests/sip-content-type/README.md | 1 + tests/sip-content-type/test.rules | 2 ++ tests/sip-content-type/test.yaml | 19 +++++++++++ tests/sip-from/README.md | 1 + tests/sip-from/test.rules | 2 ++ tests/sip-from/test.yaml | 19 +++++++++++ tests/sip-to/README.md | 1 + tests/sip-to/test.rules | 2 ++ tests/sip-to/test.yaml | 19 +++++++++++ tests/sip-user-agent/README.md | 1 + tests/sip-user-agent/test.rules | 1 + tests/sip-user-agent/test.yaml | 14 ++++++++ tests/sip-via/README.md | 1 + tests/sip-via/test.rules | 2 ++ tests/sip-via/test.yaml | 19 +++++++++++ 24 files changed, 208 insertions(+) create mode 100644 tests/sip-compact-form/Makefile create mode 100644 tests/sip-compact-form/README.md create mode 100644 tests/sip-compact-form/sip_compact_form.pcap create mode 100644 tests/sip-compact-form/sip_compact_form.syn create mode 100644 tests/sip-compact-form/test.rules create mode 100644 tests/sip-compact-form/test.yaml create mode 100644 tests/sip-content-length/README.md create mode 100644 tests/sip-content-length/test.rules create mode 100644 tests/sip-content-length/test.yaml create mode 100644 tests/sip-content-type/README.md create mode 100644 tests/sip-content-type/test.rules create mode 100644 tests/sip-content-type/test.yaml create mode 100644 tests/sip-from/README.md create mode 100644 tests/sip-from/test.rules create mode 100644 tests/sip-from/test.yaml create mode 100644 
tests/sip-to/README.md create mode 100644 tests/sip-to/test.rules create mode 100644 tests/sip-to/test.yaml create mode 100644 tests/sip-user-agent/README.md create mode 100644 tests/sip-user-agent/test.rules create mode 100644 tests/sip-user-agent/test.yaml create mode 100644 tests/sip-via/README.md create mode 100644 tests/sip-via/test.rules create mode 100644 tests/sip-via/test.yaml
diff --git a/tests/sip-compact-form/Makefile b/tests/sip-compact-form/Makefile
new file mode 100644
index 000000000..a646f1cde
--- /dev/null
+++ b/tests/sip-compact-form/Makefile
@@ -0,0 +1,2 @@
+sip_compact_form.pcap: sip_compact_form.syn
+ flowsynth.py -f pcap -w $@ $^
diff --git a/tests/sip-compact-form/README.md b/tests/sip-compact-form/README.md
new file mode 100644
index 000000000..1916fc171
--- /dev/null
+++ b/tests/sip-compact-form/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that SIP headers with compact form are matched.
+
+## PCAP
+
+This PCAP was generated with flowsynth.
diff --git a/tests/sip-compact-form/sip_compact_form.pcap b/tests/sip-compact-form/sip_compact_form.pcap new file mode 100644 index 0000000000000000000000000000000000000000..61ed2ff54c37d345ab273ad44ace4fc0aba587de GIT binary patch literal 976 zcmaJfgc5KUWKYp7Z8cFyIwoCi>st*3ZXQ$nzo`+FI#8RxJ}~i+G(o( z01j~D$c-CkIC6v|2M+uNen%Pi0~M)aBwK6Go0<3C&aZEuKhBnJm9FCKtW=u8kDm`7 z_TT@$UHUXvI)C2oEDh{;kG6KdzIc77)GEz=C}8!wM{6?}vl#ck-1|QFhW==Gw%eO6 z$PyL!HD>$Fs}auY$7!OhJv}*?423n8Idt1mm083zj)SXnb!#~S>NAVFo<%JdIK(9j zds>X+L3rv9p7Xucv7&_g9w&}n;XIaHaC)s|L90~frqK^zcV6h^aCaV_6(V*I6{ zuXrpjuL!FpbuUO0>+d3q!XWaV!-U z3#EohEOG=_vz{`I_=bPO09cJ7i*%fe_)6QQ71wy8qBU_+SxNO&=pK%$6_bX;bQ)YT zFGHibT83t$(`>ye!_rQx3>&SL)!yJh8)BCqHf5A<}7{#wq3};ULdd7F4U# z>C{3OELG%8Lxu-dFO_w9B1UQ`tvDUQ 2.2.2.2:5060; +default > (content:"INVITE sip:97239287044@voip.brujula.net SIP/2.0\x0d +v: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bKnp104984053-44ce4a41192.168.1.2;rport\x0d +f: \"arik\" ;tag=6433ef9\x0d +t: \x0d +Call-ID: 105090259-446faf7a@192.168.1.2\x0d +CSeq: 1 INVITE\x0d +User-Agent: Nero SIPPS IP Phone Version 2.0.51.16\x0d +Expires: 120\x0d +Accept: application/sdp\x0d +c: application/sdp\x0d +l: 272\x0d +Contact: \x0d +Max-Forwards: 70\x0d +Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, INFO\x0d +\x0d +v=0\x0d +o=SIPPS 105015165 105015162 IN IP4 192.168.1.2\x0d +s=SIP call\x0d +i=Session Description Protocol\x0d +u=https://www.sdp.proto\x0d +e=j.doe@example.com (Jane Doe)\x0d +p=+1 617 555-6011 (Jane Doe)\x0d +c=IN IP4 192.168.1.2\x0d +b=AS:64\x0d +t=3034423619 3042462419\x0d +r=604800 3600 0 90000\x0d +z=2882844526 -1h 2898848070 0\x0d +k=prompt\x0d +a=sendrecv\x0d +m=audio 30000 RTP/AVP 0 8 97 2 3\x0d +a=rtpmap:0 pcmu/8000\x0d\x0a";); + diff --git a/tests/sip-compact-form/test.rules b/tests/sip-compact-form/test.rules new file mode 100644 index 000000000..2708cc47e --- /dev/null +++ b/tests/sip-compact-form/test.rules 
@@ -0,0 +1,6 @@
+alert sip any any -> any any (sip.from; content:"arik"; sid:1;)
+alert sip any any -> any any (sip.to; content:"sip:"; sid:2;)
+alert sip any any -> any any (sip.via; content:"SIP/2.0/UDP"; sid:3;)
+alert sip any any -> any any (sip.content_type; content:"application/sdp"; sid:4;)
+alert sip any any -> any any (sip.content_length; content:"272"; sid:5;)
+
diff --git a/tests/sip-compact-form/test.yaml b/tests/sip-compact-form/test.yaml
new file mode 100644
index 000000000..0e2dfbca6
--- /dev/null
+++ b/tests/sip-compact-form/test.yaml
@@ -0,0 +1,34 @@
+pcap: sip_compact_form.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/sip-content-length/README.md b/tests/sip-content-length/README.md
new file mode 100644
index 000000000..dee6558b6
--- /dev/null
+++ b/tests/sip-content-length/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Length header field.
diff --git a/tests/sip-content-length/test.rules b/tests/sip-content-length/test.rules
new file mode 100644
index 000000000..f556819fe
--- /dev/null
+++ b/tests/sip-content-length/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_length; content:"270"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_length; content:"199"; sid:2;)
diff --git a/tests/sip-content-length/test.yaml b/tests/sip-content-length/test.yaml
new file mode 100644
index 000000000..9c55227d3
--- /dev/null
+++ b/tests/sip-content-length/test.yaml
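Review bot: sid 1–5 in this hunk omit the `flow:` direction that every sibling test in the series pins (tests/sip-content-length/test.rules through tests/sip-via/test.rules all use `flow:to_server;` or `flow:to_client;`). The compact-form capture is a single request, so the expected counts are unaffected, but `alert sip any any -> any any (flow:to_server; sip.from; content:"arik"; sid:1;)` and the same on sid 2–5 would keep the rule set uniform and state on which side the compact header names are exercised. Separately, as rendered here the `t:` and `Contact:` lines of sip_compact_form.syn show no value after the colon; that is presumably angle-bracket URIs lost in extraction rather than genuinely empty headers, but sid 2 depends on the To value containing `sip:`, so it is worth confirming against the checked-in .syn file.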
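Review bot: sid 1 matches the Content-Length buffer with a bare `content:"270"`, which would also accept values such as `2700` or `1270`; because this buffer holds only the header value, `sip.content_length; content:"270"; bsize:3;` (or `startswith; endswith;`) pins the exact length, and the same applies to `199` in sid 2. The expected counts in tests/sip-content-length/test.yaml (8 and 1) should be unchanged if the capture only carries those exact values, which cannot be confirmed from the patch alone.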
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 8
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-content-type/README.md b/tests/sip-content-type/README.md
new file mode 100644
index 000000000..27726535b
--- /dev/null
+++ b/tests/sip-content-type/README.md
@@ -0,0 +1 @@
+Match on SIP Content-Type header field.
diff --git a/tests/sip-content-type/test.rules b/tests/sip-content-type/test.rules
new file mode 100644
index 000000000..aaeea4076
--- /dev/null
+++ b/tests/sip-content-type/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.content_type; content:"application/sdp"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.content_type; content:"application/sdp"; sid:2;)
diff --git a/tests/sip-content-type/test.yaml b/tests/sip-content-type/test.yaml
new file mode 100644
index 000000000..aed8a9c20
--- /dev/null
+++ b/tests/sip-content-type/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 11
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-from/README.md b/tests/sip-from/README.md
new file mode 100644
index 000000000..5963bd767
--- /dev/null
+++ b/tests/sip-from/README.md
@@ -0,0 +1 @@
+Match on SIP From header field.
diff --git a/tests/sip-from/test.rules b/tests/sip-from/test.rules
new file mode 100644
index 000000000..f93f2597c
--- /dev/null
+++ b/tests/sip-from/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.from; content:"sip:"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.from; content:"sip:"; sid:2;)
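Review bot: sid 1 and sid 2 pin sip.from only to the substring `sip:`, and tests/sip-to/test.rules does the same on sip.to with identical expected counts (47 to_server, 34 to_client; tests/sip-from/test.yaml and tests/sip-to/test.yaml are the same blob, aef99d853), so the two tests cannot tell the buffers apart: a parser that filled sip.to from the From header, or either buffer from the Request-URI, would still pass both. Matching on a value that occurs only in the From header of sip.pcap (a user part or a `tag=` parameter, if the capture has distinct ones per header) would make each test specific to its buffer; the exact value has to come from the capture, which is not part of this patch.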
diff --git a/tests/sip-from/test.yaml b/tests/sip-from/test.yaml
new file mode 100644
index 000000000..aef99d853
--- /dev/null
+++ b/tests/sip-from/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-to/README.md b/tests/sip-to/README.md
new file mode 100644
index 000000000..2936ff154
--- /dev/null
+++ b/tests/sip-to/README.md
@@ -0,0 +1 @@
+Match on SIP To header field.
diff --git a/tests/sip-to/test.rules b/tests/sip-to/test.rules
new file mode 100644
index 000000000..d8c7d86f8
--- /dev/null
+++ b/tests/sip-to/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.to; content:"sip:"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.to; content:"sip:"; sid:2;)
diff --git a/tests/sip-to/test.yaml b/tests/sip-to/test.yaml
new file mode 100644
index 000000000..aef99d853
--- /dev/null
+++ b/tests/sip-to/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2
diff --git a/tests/sip-user-agent/README.md b/tests/sip-user-agent/README.md
new file mode 100644
index 000000000..9e66cd8dd
--- /dev/null
+++ b/tests/sip-user-agent/README.md
@@ -0,0 +1 @@
+Match on SIP User-Agent header field.
diff --git a/tests/sip-user-agent/test.rules b/tests/sip-user-agent/test.rules
new file mode 100644
index 000000000..a38190187
--- /dev/null
+++ b/tests/sip-user-agent/test.rules
@@ -0,0 +1 @@
+alert sip any any -> any any (flow:to_server; sip.user_agent; content:"Nero"; sid:1;)
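Review bot: the sip-user-agent rule set only exercises the request direction, unlike every sibling test which pairs a `flow:to_server` rule with a `flow:to_client` one; SIP responses normally carry Server rather than User-Agent, so the omission is presumably deliberate, but it leaves the response side of sip.user_agent unasserted. Adding `alert sip any any -> any any (flow:to_client; sip.user_agent; content:"Nero"; sid:2;)` with a `count: 0` check in tests/sip-user-agent/test.yaml would document that the buffer is not populated on responses in sip.pcap and catch a regression that mirrors request data into it, provided the capture really has no User-Agent header in responses.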
diff --git a/tests/sip-user-agent/test.yaml b/tests/sip-user-agent/test.yaml
new file mode 100644
index 000000000..125062b7c
--- /dev/null
+++ b/tests/sip-user-agent/test.yaml
@@ -0,0 +1,14 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 40
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/sip-via/README.md b/tests/sip-via/README.md
new file mode 100644
index 000000000..40e60f42e
--- /dev/null
+++ b/tests/sip-via/README.md
@@ -0,0 +1 @@
+Match on SIP Via header field.
diff --git a/tests/sip-via/test.rules b/tests/sip-via/test.rules
new file mode 100644
index 000000000..cde4b4387
--- /dev/null
+++ b/tests/sip-via/test.rules
@@ -0,0 +1,2 @@
+alert sip any any -> any any (flow:to_server; sip.via; content:"SIP/2.0/UDP"; sid:1;)
+alert sip any any -> any any (flow:to_client; sip.via; content:"SIP/2.0/UDP"; sid:2;)
diff --git a/tests/sip-via/test.yaml b/tests/sip-via/test.yaml
new file mode 100644
index 000000000..aef99d853
--- /dev/null
+++ b/tests/sip-via/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../sip-method/sip.pcap
+
+args:
+- -k none
+
+requires:
+ min-version: 8.0.0
+
+checks:
+ - filter:
+ count: 47
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 34
+ match:
+ event_type: alert
+ alert.signature_id: 2