diff --git a/eve-validator/Cargo.lock b/eve-validator/Cargo.lock index 50bfc8d89..32ee8536a 100644 --- a/eve-validator/Cargo.lock +++ b/eve-validator/Cargo.lock @@ -4,25 +4,33 @@ version = 3 [[package]] name = "ahash" -version = "0.7.6" +version = "0.8.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcb51a0695d8f838b1ee009b3fbf66bda078cd64590202a864a8f3e8c4315c47" +checksum = "e89da841a80418a9b391ebaea17f5c112ffaaa96f621d2c285b5174da76b9011" dependencies = [ + "cfg-if", "getrandom", "once_cell", "serde", "version_check", + "zerocopy", ] [[package]] name = "aho-corasick" -version = "0.7.18" +version = "1.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f" +checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916" dependencies = [ "memchr", ] +[[package]] +name = "anyhow" +version = "1.0.82" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f538837af36e6f6a9be0faa67f9a314f8119e4e4b5867c6ab40ed60360142519" + [[package]] name = "autocfg" version = "1.1.0" @@ -31,9 +39,9 @@ checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa" [[package]] name = "base64" -version = "0.13.0" +version = "0.21.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" +checksum = "9d297deb1925b89f2ccc13d7635fa0714f12c87adce1c75356b39ca9b7178567" [[package]] name = "bit-set" @@ -56,6 +64,12 @@ version = "1.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" +[[package]] +name = "bumpalo" +version = "3.16.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c" + [[package]] name = "bytecount" version = "0.6.2" @@ -92,7 +106,7 @@ dependencies = [ "proc-macro-error", "proc-macro2", "quote", - "syn", + "syn 1.0.94", ] [[package]] @@ -115,9 +129,9 @@ dependencies = [ [[package]] name = "fancy-regex" -version = "0.7.1" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d6b8560a05112eb52f04b00e5d3790c0dd75d9d980eb8a122fb23b92a623ccf" +checksum = "b95f7c0680e4142284cf8b22c14a476e87d61b004a3a0861872b32ef7ead40a2" dependencies = [ "bit-set", "regex", @@ -135,9 +149,9 @@ dependencies = [ [[package]] name = "fraction" -version = "0.9.0" +version = "0.13.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aba3510011eee8825018be07f08d9643421de007eaf62a3bde58d89b058abfa7" +checksum = "3027ae1df8d41b4bed2241c8fdad4acc1e7af60c8e17743534b545e77182d678" dependencies = [ "lazy_static", "num", @@ -145,13 +159,15 @@ dependencies = [ [[package]] name = "getrandom" -version = "0.2.6" +version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9be70c98951c83b8d2f8f60d7065fa6d5146873094452a1008da8c2f1e4205ad" +checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c" dependencies = [ "cfg-if", + "js-sys", "libc", "wasi", + "wasm-bindgen", ] [[package]] @@ -189,40 +205,46 @@ dependencies = [ [[package]] name = "iso8601" -version = "0.4.1" +version = "0.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a59a3f2be6271b2a844cd0dd13bf8ccc88a9540482d872c7ce58ab1c4db9fab" +checksum = "924e5d73ea28f59011fec52a0d12185d496a9b075d360657aed2a5707f701153" dependencies = [ "nom", ] [[package]] name = "itoa" -version = "0.4.8" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b71991ff56294aa922b450139ee08b3bfc70982c6b2c7562771375cf73542dd4" +checksum = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d" [[package]] -name = "itoa" -version = "1.0.2" +name = "js-sys" +version = "0.3.69" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d" +checksum = "29c15563dc2726973df627357ce0c9ddddbea194836909d655df6a75d2cf296d" +dependencies = [ + "wasm-bindgen", +] [[package]] name = "jsonschema" -version = "0.13.3" +version = "0.17.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "877e398ffb23c1c311c417ef5e72e8699c3822dbf835468f009c6ce91b6c206b" +checksum = "2a071f4f7efc9a9118dfb627a0a94ef247986e1ab8606a4c806ae2b3aa3b6978" dependencies = [ "ahash", + "anyhow", "base64", "bytecount", "fancy-regex", "fraction", + "getrandom", "iso8601", - "itoa 0.4.8", - "lazy_static", + "itoa", + "memchr", "num-cmp", + "once_cell", "parking_lot", "percent-encoding", "regex", @@ -241,9 +263,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.125" +version = "0.2.153" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5916d2ae698f6de9bfb891ad7a8d65c09d232dc58cc4ac433c7da3b2fd84bc2b" +checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd" [[package]] name = "lock_api" @@ -255,6 +277,12 @@ dependencies = [ "scopeguard", ] +[[package]] +name = "log" +version = "0.4.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c" + [[package]] name = "matches" version = "0.1.9" @@ -285,9 +313,9 @@ dependencies = [ [[package]] name = "num" -version = "0.2.1" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8536030f9fea7127f841b45bb6243b27255787fb4eb83958aa1ef9d2fdc0c36" +checksum = "b05180d69e3da0e530ba2a1dae5110317e49e3b7f3d41be227dc5f92e49ee7af" dependencies = [ "num-bigint", "num-complex", @@ -299,9 +327,9 @@ dependencies = [ [[package]] name = "num-bigint" -version = "0.2.6" +version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304" +checksum = "608e7659b5c3d7cba262d894801b9ec9d00de989e8a82bd4bef91d08da45cdc0" dependencies = [ "autocfg", "num-integer", @@ -316,11 +344,10 @@ checksum = "63335b2e2c34fae2fb0aa2cecfd9f0832a1e24b3b32ecec612c3426d46dc8aaa" [[package]] name = "num-complex" -version = "0.2.4" +version = "0.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6b19411a9719e753aff12e5187b74d60d3dc449ec3f4dc21e3989c3f554bc95" +checksum = "23c6602fda94a57c990fe0df199a035d83576b496aa29f4e634a8ac6004e68a6" dependencies = [ - "autocfg", "num-traits", ] @@ -347,9 +374,9 @@ dependencies = [ [[package]] name = "num-rational" -version = "0.2.4" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c000134b5dbf44adc5cb772486d335293351644b801551abe8f75c84cfa4aef" +checksum = "0638a1c9d0a3c0914158145bc76cff373a75a627e6ecbfb71cbe6f453a5a19b0" dependencies = [ "autocfg", "num-bigint", @@ -359,9 +386,9 @@ dependencies = [ [[package]] name = "num-traits" -version = "0.2.15" +version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd" +checksum = "da0df0e5185db44f69b44f26786fe401b6c293d1907744beaa7fa62b2e5a517a" dependencies = [ "autocfg", ] @@ -377,9 +404,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.10.0" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87f3e037eac156d1775da914196f0f37741a274155e34a0b7e427c35d2a2ecb9" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "os_str_bytes" @@ -425,7 +452,7 @@ dependencies = [ "proc-macro-error-attr", "proc-macro2", "quote", - "syn", + "syn 1.0.94", "version_check", ] @@ -442,18 +469,18 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.38" +version = "1.0.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9027b48e9d4c9175fa2218adf3557f91c1137021739951d4932f5f8268ac48aa" +checksum = "e835ff2298f5721608eb1a980ecaee1aef2c132bf95ecc026a11b7bf3c01c02e" dependencies = [ - "unicode-xid", + "unicode-ident", ] [[package]] name = "quote" -version = "1.0.18" +version = "1.0.36" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a1feb54ed693b93a84e14094943b84b7c4eae204c512b7ccb95ab0c66d278ad1" +checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" dependencies = [ "proc-macro2", ] @@ -469,9 +496,21 @@ dependencies = [ [[package]] name = "regex" -version = "1.5.5" +version = "1.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a11647b6b25ff05a515cb92c365cec08801e83423a235b51e231e1808747286" +checksum = "12de2eff854e5fa4b1295edd650e227e9d8fb0c9e90b12e7f36d6a6811791a29" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata", + "regex-syntax", +] + +[[package]] +name = "regex-automata" +version = "0.3.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49530408a136e16e5b486e883fbb6ba058e8e4e8ae6621a77b048b314336e629" dependencies = [ "aho-corasick", "memchr", @@ -480,9 +519,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.6.25" +version = "0.7.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b" +checksum = "dbb5fb1acd8a1a18b3dd5be62d25485eb770e05afb408a9627d14d451bae12da" [[package]] name = "ryu" @@ -513,7 +552,7 @@ checksum = "1f26faba0c3959972377d3b2d306ee9f71faee9714294e41bb777f83f88578be" dependencies = [ "proc-macro2", "quote", - "syn", + "syn 1.0.94", ] [[package]] @@ -522,7 +561,7 @@ version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b7ce2b32a1aed03c558dc61a5cd328f15aff2dbc17daad8fb8af04d2100e15c" dependencies = [ - "itoa 1.0.2", + "itoa", "ryu", "serde", ] @@ -544,6 +583,17 @@ dependencies = [ "unicode-xid", ] +[[package]] +name = "syn" +version = "2.0.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44cfb93f38070beee36b3fef7d4f5a16f27751d94b187b666a5cc5e9b0d30687" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + [[package]] name = "textwrap" version = "0.15.0" @@ -588,6 +638,12 @@ version = "0.3.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992" +[[package]] +name = "unicode-ident" +version = "1.0.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" + [[package]] name = "unicode-normalization" version = "0.1.19" @@ -617,9 +673,9 @@ dependencies = [ [[package]] name = "uuid" -version = "0.8.2" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7" +checksum = "a183cf7feeba97b4dd1c0d46788634f6221d87fa961b305bed08c851829efcc0" [[package]] name = "version_check" @@ -629,9 +685,63 @@ checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" [[package]] name = "wasi" -version = "0.10.2+wasi-snapshot-preview1" +version = "0.11.0+wasi-snapshot-preview1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" + +[[package]] +name = "wasm-bindgen" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4be2531df63900aeb2bca0daaaddec08491ee64ceecbee5076636a3b026795a8" +dependencies = [ + "cfg-if", + "wasm-bindgen-macro", +] + +[[package]] +name = "wasm-bindgen-backend" +version = "0.2.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6" +checksum = "614d787b966d3989fa7bb98a654e369c762374fd3213d212cfc0251257e747da" +dependencies = [ + "bumpalo", + "log", + "once_cell", + "proc-macro2", + "quote", + "syn 2.0.58", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a1f8823de937b71b9460c0c34e25f3da88250760bec0ebac694b49997550d726" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e94f17b526d0a461a191c78ea52bbce64071ed5c04c9ffe424dcb38f74171bb7" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.58", + "wasm-bindgen-backend", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "af190c94f2773fdb3729c55b007a722abb5384da03bc0986df4c289bf5567e96" [[package]] name = "windows-sys" @@ -675,3 +785,23 @@ name = "windows_x86_64_msvc" version = "0.36.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680" + +[[package]] +name = "zerocopy" +version = "0.7.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "74d4d3961e53fa4c9a25a8637fc2bfaf2595b3d3ae34875568a5cf64787716be" +dependencies = [ + "zerocopy-derive", +] + +[[package]] +name = "zerocopy-derive" +version = "0.7.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ce1b18ccd8e73a9321186f97e46f9f04b778851177567b1975109d26a08d2a6" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.58", +] diff --git a/eve-validator/Cargo.toml b/eve-validator/Cargo.toml index eed0571e0..d35683f1c 100644 --- a/eve-validator/Cargo.toml +++ b/eve-validator/Cargo.toml @@ -4,6 +4,6 @@ version = "0.1.0" edition = "2018" [dependencies] -jsonschema = { version = "0.13", default_features = false } +jsonschema = { version = "0.17", default_features = false } clap = { version = "3.1.6", default_features = false, features = ["std", "derive"] } serde_json = "1" diff --git a/tests/bug-1449-01/README.md b/tests/bug-1449-01/README.md new file mode 100644 index 000000000..d15abc23f --- /dev/null +++ b/tests/bug-1449-01/README.md @@ -0,0 +1,5 @@ +PCAP +==== + +Pcap for issue https://redmine.openinfosecfoundation.org/issues/1449 was +shared at the time by Kostya Kortchinsky from the Google Security Team. diff --git a/tests/bug-1449-01/smtp-events.rules b/tests/bug-1449-01/smtp-events.rules new file mode 100644 index 000000000..89c25acbc --- /dev/null +++ b/tests/bug-1449-01/smtp-events.rules @@ -0,0 +1,32 @@ +# SMTP event rules +# +# SID's fall in the 2220000+ range. See http://doc.emergingthreats.net/bin/view/Main/SidAllocation +# +# These sigs fire at most once per connection. +# +# A flowint smtp.anomaly.count is incremented for each match. By default it will be 0. +# +alert smtp any any -> any any (msg:"SURICATA SMTP invalid reply"; flow:established,to_client; app-layer-event:smtp.invalid_reply; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220000; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP unable to match reply with request"; flow:established,to_client; app-layer-event:smtp.unable_to_match_reply_with_request; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220001; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP max command line len exceeded"; flow:established; app-layer-event:smtp.max_command_line_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220002; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP max reply line len exceeded"; flow:established,to_client; app-layer-event:smtp.max_reply_line_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220003; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP invalid pipelined sequence"; flow:established,to_server; app-layer-event:smtp.invalid_pipelined_sequence; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220004; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP bdat chunk len exceeded"; flow:established; app-layer-event:smtp.bdat_chunk_len_exceeded; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220005; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP no server welcome message"; flow:established,to_client; app-layer-event:smtp.no_server_welcome_message; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220006; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP tls rejected"; flow:established; app-layer-event:smtp.tls_rejected; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220007; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP data command rejected"; flow:established,to_client; app-layer-event:smtp.data_command_rejected; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220008; rev:1;) + +# SMTP MIME events +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime parser failed"; flow:established; app-layer-event:smtp.mime_parse_failed; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220009; rev:1;) +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime malformed message found"; flow:established; app-layer-event:smtp.mime_malformed_msg; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220010; rev:1;) +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime base64-decoding failed"; flow:established; app-layer-event:smtp.mime_invalid_base64; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220011; rev:1;) +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime header name len exceeded"; flow:established; app-layer-event:smtp.mime_long_header_name; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220012; rev:1;) +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime header value len exceeded"; flow:established; app-layer-event:smtp.mime_long_header_value; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220013; rev:1;) +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime quoted-printable-decoding failed"; flow:established; app-layer-event:smtp.mime_invalid_qp; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220014; rev:1;) +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime line len exceeded"; flow:established; app-layer-event:smtp.mime_long_line; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220015; rev:1;) +#alert smtp any any -> any any (msg:"SURICATA SMTP Mime encoded line len exceeded"; flow:established; app-layer-event:smtp.mime_long_enc_line; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220016; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP Mime boundary length exceeded"; flow:established,to_server; app-layer-event:smtp.mime_long_boundary; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220017; rev:1;) + +alert smtp any any -> any any (msg:"SURICATA SMTP duplicate fields"; flow:established,to_server; app-layer-event:smtp.duplicate_fields; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220018; rev:1;) +alert smtp any any -> any any (msg:"SURICATA SMTP unparsable content"; flow:established,to_server; app-layer-event:smtp.unparsable_content; flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; sid:2220019; rev:1;) +# next sid 2220020 diff --git a/tests/bug-1449-01/suricata_stackoverflow.pcap b/tests/bug-1449-01/suricata_stackoverflow.pcap new file mode 100644 index 000000000..57bde6a68 Binary files /dev/null and b/tests/bug-1449-01/suricata_stackoverflow.pcap differ diff --git a/tests/bug-1449-01/test.yaml b/tests/bug-1449-01/test.yaml new file mode 100644 index 000000000..4f0733318 --- /dev/null +++ b/tests/bug-1449-01/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2220017 + - filter: + count: 1 + match: + event_type: smtp + smtp.helo: bug.client + email.status: PARSE_ERROR + diff --git a/tests/bug-2576-01-ips/md5list.2576 b/tests/bug-2576-01-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-01-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-01-ips/suricata.yaml b/tests/bug-2576-01-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-01-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-01-ips/temp6.pcap b/tests/bug-2576-01-ips/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-01-ips/temp6.pcap differ diff --git a/tests/bug-2576-01-ips/test.rules b/tests/bug-2576-01-ips/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-01-ips/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-01-ips/test.yaml b/tests/bug-2576-01-ips/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-01-ips/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-01/md5list.2576 b/tests/bug-2576-01/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-01/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-01/suricata.yaml b/tests/bug-2576-01/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-01/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-01/temp6.pcap b/tests/bug-2576-01/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-01/temp6.pcap differ diff --git a/tests/bug-2576-01/test.rules b/tests/bug-2576-01/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-01/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-01/test.yaml b/tests/bug-2576-01/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-01/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-02-ips/md5list.2576 b/tests/bug-2576-02-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-02-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-02-ips/suricata.yaml b/tests/bug-2576-02-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-02-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-02-ips/temp1.pcap b/tests/bug-2576-02-ips/temp1.pcap new file mode 100644 index 000000000..9550b4f2b Binary files /dev/null and b/tests/bug-2576-02-ips/temp1.pcap differ diff --git a/tests/bug-2576-02-ips/test.rules b/tests/bug-2576-02-ips/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-02-ips/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-02-ips/test.yaml b/tests/bug-2576-02-ips/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-02-ips/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-02/md5list.2576 b/tests/bug-2576-02/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-02/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-02/suricata.yaml b/tests/bug-2576-02/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-02/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-02/temp1.pcap b/tests/bug-2576-02/temp1.pcap new file mode 100644 index 000000000..9550b4f2b Binary files /dev/null and b/tests/bug-2576-02/temp1.pcap differ diff --git a/tests/bug-2576-02/test.rules b/tests/bug-2576-02/test.rules new file mode 100644 index 000000000..8c2aa9218 --- /dev/null +++ b/tests/bug-2576-02/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-02/test.yaml b/tests/bug-2576-02/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-02/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-03-ips/md5list.2576 b/tests/bug-2576-03-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-03-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-03-ips/suricata.yaml b/tests/bug-2576-03-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-03-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-03-ips/temp6.pcap b/tests/bug-2576-03-ips/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-03-ips/temp6.pcap differ diff --git a/tests/bug-2576-03-ips/test.rules b/tests/bug-2576-03-ips/test.rules new file mode 100644 index 000000000..4840cdb97 --- /dev/null +++ b/tests/bug-2576-03-ips/test.rules @@ -0,0 +1 @@ +alert ip any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-03-ips/test.yaml b/tests/bug-2576-03-ips/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-03-ips/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-03/md5list.2576 b/tests/bug-2576-03/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-03/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-03/suricata.yaml b/tests/bug-2576-03/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-03/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-03/temp6.pcap b/tests/bug-2576-03/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-03/temp6.pcap differ diff --git a/tests/bug-2576-03/test.rules b/tests/bug-2576-03/test.rules new file mode 100644 index 000000000..4840cdb97 --- /dev/null +++ b/tests/bug-2576-03/test.rules @@ -0,0 +1 @@ +alert ip any any -> any any (msg:"filemd5"; filemd5:md5list.2576; sid: 3; rev: 1;) diff --git a/tests/bug-2576-03/test.yaml b/tests/bug-2576-03/test.yaml new file mode 100644 index 000000000..8663071fc --- /dev/null +++ b/tests/bug-2576-03/test.yaml @@ -0,0 +1,17 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-04-ips/md5list.2576 b/tests/bug-2576-04-ips/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-04-ips/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-04-ips/suricata.yaml b/tests/bug-2576-04-ips/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-04-ips/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-04-ips/temp6.pcap b/tests/bug-2576-04-ips/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-04-ips/temp6.pcap differ diff --git a/tests/bug-2576-04-ips/test.rules b/tests/bug-2576-04-ips/test.rules new file mode 100644 index 000000000..2a16eefd7 --- /dev/null +++ b/tests/bug-2576-04-ips/test.rules @@ -0,0 +1,2 @@ +alert ip any any -> any any (msg:"file_data"; file_data; content:"content=IE=Edge"; sid: 3; rev: 1;) +alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;) diff --git a/tests/bug-2576-04-ips/test.yaml b/tests/bug-2576-04-ips/test.yaml new file mode 100644 index 000000000..2e65954ff --- /dev/null +++ b/tests/bug-2576-04-ips/test.yaml @@ -0,0 +1,22 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 4 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/bug-2576-04/md5list.2576 b/tests/bug-2576-04/md5list.2576 new file mode 100644 index 000000000..f754e17b2 --- /dev/null +++ b/tests/bug-2576-04/md5list.2576 @@ -0,0 +1 @@ +090fe607a5be1228362614ccaa088577 diff --git a/tests/bug-2576-04/suricata.yaml b/tests/bug-2576-04/suricata.yaml new file mode 100644 index 000000000..1e40c3aaa --- /dev/null +++ b/tests/bug-2576-04/suricata.yaml @@ -0,0 +1,146 @@ +%YAML 1.1 +--- + +outputs: + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + #prefix: "@cee: " # prefix to prepend to each log entry + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + #redis: + # server: 127.0.0.1 + # port: 6379 + # async: true ## if redis replies are read asynchronously + # mode: list ## possible values: list|lpush (default), rpush, channel|publish + # ## lpush and rpush are using a Redis list. "list" is an alias for lpush + # ## publish is using a Redis channel. "channel" is an alias for publish + # key: suricata ## key or channel to use (default to suricata) + # Redis pipelining set up. This will enable to only do a query every + # 'batch-size' events. This should lower the latency induced by network + # connection at the cost of some memory. There is no flushing implemented + # so this setting as to be reserved to high traffic suricata. + # pipelining: + # enabled: yes ## set enable to yes to enable query pipelining + # batch-size: 10 ## number of entry to keep in buffer + + # Include top level metadata. Default yes. + #metadata: no + + pcap-file: false + + # HTTP X-Forwarded-For support by adding an extra field or overwriting + # the source or destination IP address (depending on flow direction) + # with the one reported in the X-Forwarded-For HTTP header. This is + # helpful when reviewing alerts for traffic that is being reverse + # or forward proxied. + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". + mode: extra-data + # Two proxy deployments are supported, "reverse" and "forward". In + # a "reverse" deployment the IP address used is the last one, in a + # "forward" deployment the first IP address is used. + deployment: reverse + # Header name where the actual IP address will be reported, if more + # than one IP address is present, the last IP address will be the + # one taken into consideration. + header: X-Forwarded-For + + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # http-body: yes # enable dumping of http body in Base64 + # http-body-printable: yes # enable dumping of http body in printable format + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns: + # This configuration uses the new DNS logging format, + # the old configuration is still available: + # http://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html#eve-extensible-event-format + # Use version 2 logging with the new format: + # DNS answers will be logged in one single event + # rather than an event for each of it. + # Without setting a version the version + # will fallback to 1 for backwards compatibility. + version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: no + + # Control logging of requests and responses: + # - requests: enable logging of DNS queries + # - responses: enable logging of DNS answers + # By default both requests and responses are logged. + #requests: no + #responses: no + + # Format of answer logging: + # - detailed: array item per answer + # - grouped: answers aggregated by type + # Default: all + #formats: [detailed, grouped] + + # Answer types to log. + # Default: all + #types: [a, aaaa, cname, mx, ns, ptr, txt] + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom allows to control which tls fields that are included + # in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + force-hash: [md5] + #- drop: + # alerts: yes # log alerts that caused drops + # flows: all # start or all: 'start' logs only a single drop + # # per flow direction. All logs each dropped pkt. + - smtp: + #extended: yes # enable this for extended logging information + # this includes: bcc, message-id, subject, x_mailer, user-agent + # custom fields logging from the list: + # reply-to, bcc, message-id, subject, x-mailer, user-agent, received, + # x-originating-ip, in-reply-to, references, importance, priority, + # sensitivity, organization, content-md5, date + #custom: [received, x-mailer, x-originating-ip, relays, reply-to, bcc] + # output md5 of fields: body, subject + # for the body you need to set app-layer.protocols.smtp.mime.body-md5 + # to yes + #md5: [body, subject] + + - ssh + - stats: + totals: yes # stats for all threads merged together + threads: no # per thread stats + deltas: no # include delta values + # bi-directional flows + - flow + # uni-directional flows + #- netflow + + # Metadata event type. Triggered whenever a pktvar is saved + # and will include the pktvars, flowvars, flowbits and + # flowints. + #- metadata diff --git a/tests/bug-2576-04/temp6.pcap b/tests/bug-2576-04/temp6.pcap new file mode 100644 index 000000000..cdaa6625d Binary files /dev/null and b/tests/bug-2576-04/temp6.pcap differ diff --git a/tests/bug-2576-04/test.rules b/tests/bug-2576-04/test.rules new file mode 100644 index 000000000..2a16eefd7 --- /dev/null +++ b/tests/bug-2576-04/test.rules @@ -0,0 +1,2 @@ +alert ip any any -> any any (msg:"file_data"; file_data; content:"content=IE=Edge"; sid: 3; rev: 1;) +alert ip any any -> any any (msg:"mix stream with file_data"; content:"content=IE=Edge"; file_data; content:"content=IE=Edge"; sid: 4; rev: 1;) diff --git a/tests/bug-2576-04/test.yaml b/tests/bug-2576-04/test.yaml new file mode 100644 index 000000000..2e65954ff --- /dev/null +++ b/tests/bug-2576-04/test.yaml @@ -0,0 +1,22 @@ +requires: + features: + - HAVE_LIBJANSSON + - HAVE_NSS + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 4 + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.md5: 090fe607a5be1228362614ccaa088577 + diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml index ca3b5d312..f197013b7 100644 --- a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml +++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 6 checks: - filter: diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml index 04b41cd27..1491c2785 100644 --- a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml +++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 6 checks: - filter: diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml index c25c0aec7..b8d85dc1b 100644 --- a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml +++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 6 checks: - filter: diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml index 460cbbdbe..91d4f4e29 100644 --- a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml +++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml @@ -1,5 +1,5 @@ requires: - min-version: 7 + min-version: 6 checks: - filter: diff --git a/tests/http-encoding-gzip-uncompressed/README.md b/tests/http-encoding-gzip-uncompressed/README.md new file mode 100644 index 000000000..f5db8febe --- /dev/null +++ b/tests/http-encoding-gzip-uncompressed/README.md @@ -0,0 +1,12 @@ +# Test Description + +Test that we do not wrongly decompress if we have encoding gzip but clear text + +## PCAP + +From https://redmine.openinfosecfoundation.org/issues/6959 + + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/6959 diff --git a/tests/http-encoding-gzip-uncompressed/input.pcap b/tests/http-encoding-gzip-uncompressed/input.pcap new file mode 100644 index 000000000..dd66e9b6d Binary files /dev/null and b/tests/http-encoding-gzip-uncompressed/input.pcap differ diff --git a/tests/http-encoding-gzip-uncompressed/test.rules b/tests/http-encoding-gzip-uncompressed/test.rules new file mode 100644 index 000000000..8cda46105 --- /dev/null +++ b/tests/http-encoding-gzip-uncompressed/test.rules @@ -0,0 +1 @@ +alert http $HOME_NET any -> $EXTERNAL_NET 8100 (msg:"ET MOBILE_MALWARE Android Dropper Checkin Activity (POST)"; flow:established,to_server; http.request_body; content:"|22|sdk_version|22 3a|"; content:"|22|app_package|22 3a 22|"; distance:0; content:"|22|app_version|22 3a 22|"; distance:0; content:"|22|device_id|22 3a 22|"; distance:0; classtype:trojan-activity; sid:2038629; rev:1;) diff --git a/tests/http-encoding-gzip-uncompressed/test.yaml b/tests/http-encoding-gzip-uncompressed/test.yaml new file mode 100644 index 000000000..4b5bb4bc8 --- /dev/null +++ b/tests/http-encoding-gzip-uncompressed/test.yaml @@ -0,0 +1,9 @@ +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2038629 diff --git a/tests/http-not09-spaces/README.md b/tests/http-not09-spaces/README.md new file mode 100644 index 000000000..c7f7a8e47 --- /dev/null +++ b/tests/http-not09-spaces/README.md @@ -0,0 +1,11 @@ +# Test Description + +Test that we parse weird HTTP (adding lots of whitespaces) not as HTTP/0.9 + +## PCAP + +Crafted by running server `python3 -m http.server 8000` and a dummy client sending hardcoded data + +## Related issues + +https://redmine.openinfosecfoundation.org/issues/6757 diff --git a/tests/http-not09-spaces/input.pcap b/tests/http-not09-spaces/input.pcap new file mode 100644 index 000000000..908836c94 Binary files /dev/null and b/tests/http-not09-spaces/input.pcap differ diff --git a/tests/http-not09-spaces/test.yaml b/tests/http-not09-spaces/test.yaml new file mode 100644 index 000000000..c3173e5c9 --- /dev/null +++ b/tests/http-not09-spaces/test.yaml @@ -0,0 +1,12 @@ +requires: + min-version: 8 + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: anomaly + anomaly.event: REQUEST_LINE_MISSING_PROTOCOL diff --git a/tests/snmp-community/README.md b/tests/snmp-community/README.md new file mode 100644 index 000000000..764e6b610 --- /dev/null +++ b/tests/snmp-community/README.md @@ -0,0 +1,7 @@ +# Test Purpose + +Match on SNMP community keyword + +## PCAP + +This PCAP from snmp-v2c-get is reused, as was done in DetectSNMPCommunityTest for first packet diff --git a/tests/snmp-community/test.rules b/tests/snmp-community/test.rules new file mode 100644 index 000000000..fe402de4f --- /dev/null +++ b/tests/snmp-community/test.rules @@ -0,0 +1,2 @@ +alert snmp any any -> any any (msg:"SNMP Test Rule"; snmp.community; content:"[R0_C@cti!]"; sid:1; rev:1;) +alert snmp any any -> any any (msg:"SNMP Test Rule"; snmp.community; content:"private"; sid:2; rev:1;) diff --git a/tests/snmp-community/test.yaml b/tests/snmp-community/test.yaml new file mode 100644 index 000000000..c36f37233 --- /dev/null +++ b/tests/snmp-community/test.yaml @@ -0,0 +1,14 @@ +pcap: ../snmp-v2c-get/SNMPv2c_get_requests.pcap + +checks: + - filter: + count: 8 + match: + event_type: alert + alert.signature_id: 1 + + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2