dcerpc: add test for frames

Feature 4904

tests/dcerpc/dcerpc-frames/README.md

@@ -0,0 +1,17 @@
+Description
+===========
+Test for DCERPC frames.
+Three types of frames exist for DCERPC:
+1. Hdr: Header
+2. Pdu: Protocol Data Unit
+3. Data: Data inside the PDU
+
+as per the generic PDU structure defined in https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_01
+
+PCAP
+====
+PCAP comes from an existing test.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/4904

tests/dcerpc/dcerpc-frames/suricata.yaml

@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - dcerpc
+        - frame

tests/dcerpc/dcerpc-frames/test.rules

@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.hdr; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00|"; sid:1;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.pdu; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00 d0 16 d0 16|"; sid:2;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.data; content:"|d0 16 d0 16|"; sid:3;)

tests/dcerpc/dcerpc-frames/test.yaml

@@ -0,0 +1,24 @@
+requires:
+  min-version: 8
+
+pcap: ../dcerpc-dce-iface-02/input.pcap
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3