diff --git a/tests/detect-ftp/ftp-command-01/input.rules b/tests/detect-ftp/ftp-command-01/input.rules
new file mode 100644
index 000000000..120bde19f
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-01/input.rules
@@ -0,0 +1,6 @@
+alert ftp any any -> any any (msg: "Match on FTP command PASS"; flow:to_server; ftp.command; content:"PASS"; sid:1;)
+alert ftp any any -> any any (msg: "Match on FTP command USER"; flow:to_server; ftp.command; content:"USER"; sid:2;)
+alert ftp any any -> any any (msg: "Match on FTP command NLST"; flow:to_server; ftp.command; content:"NLST"; sid:3;)
+alert ftp any any -> any any (msg: "Match on FTP command PORT"; flow:to_server; ftp.command; content:"PORT"; sid:4;)
+alert ftp any any -> any any (msg: "Match on FTP command RETR"; flow:to_server; ftp.command; content:"RETR"; sid:5;)
+alert ftp any any -> any any (msg: "Match on FTP command QUIT"; flow:to_server; ftp.command; content:"QUIT"; sid:6;)
diff --git a/tests/detect-ftp/ftp-command-01/test.yaml b/tests/detect-ftp/ftp-command-01/test.yaml
new file mode 100644
index 000000000..b5fd8058b
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-01/test.yaml
@@ -0,0 +1,49 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ version: 8
+
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: PASS
+ alert.signature_id: 1
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: USER
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: NLST
+ alert.signature_id: 3
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ ftp.command: PORT
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: RETR
+ alert.signature_id: 5
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ ftp.command: QUIT
+ alert.signature_id: 6
diff --git a/tests/detect-ftp/ftp-command-02/input.rules b/tests/detect-ftp/ftp-command-02/input.rules
new file mode 100644
index 000000000..3b0c2c6ee
--- /dev/null
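Review bot: In ftp-command-01/test.yaml each of the six filters pins one sid's count, but nothing pins the total number of alerts, so a rule firing on the wrong command line (say sid 1 also alerting on a USER line) would go unnoticed because every filter narrows on `ftp.command` as well as the sid. One extra filter closes that gap, e.g. `- filter: {count: 7, match: {event_type: alert}}`, assuming the pcap yields exactly the seven matches the existing filters add up to. The input.rules hunk itself looks fine; the six rules are consistent in direction and buffer.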
+++ b/tests/detect-ftp/ftp-command-02/input.rules
@@ -0,0 +1,7 @@
+# Wrong direction -- won't load
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"PASS"; sid:10;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"USER"; sid:20;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"NLST"; sid:30;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"PORT"; sid:40;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"RETR"; sid:50;)
+alert ftp any any -> any any (flow:to_client; ftp.command; content:"QUIT"; sid:60;)
diff --git a/tests/detect-ftp/ftp-command-02/test.yaml b/tests/detect-ftp/ftp-command-02/test.yaml
new file mode 100644
index 000000000..688161dd2
--- /dev/null
+++ b/tests/detect-ftp/ftp-command-02/test.yaml
@@ -0,0 +1,26 @@
+pcap: ../../bug-3519/input.pcap
+
+requires:
+ version: 8
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "rule 10 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 20 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 30 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 40 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 50 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "rule 60 mixes keywords with conflicting directions" suricata.log | wc -l | xargs
+ expect: 1
diff --git a/tests/smtp-keywords/README.md b/tests/smtp-keywords/README.md
new file mode 100644
index 000000000..ce9cf3de0
--- /dev/null
+++ b/tests/smtp-keywords/README.md
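Review bot: Each shell check in ftp-command-02/test.yaml spells `grep "…" suricata.log | wc -l | xargs` only to obtain a trimmed line count, which `grep -c` gives directly, e.g. `args: grep -c "rule 10 mixes keywords with conflicting directions" suricata.log`; the same applies to the other five checks. Separately, both ftp tests in this commit use `requires: version: 8` while the smtp-keywords test.yaml uses `min-version: 8.0.0`; if `version` pins the major version only, these two tests would stop running on later releases, so `min-version: 8.0.0` looks like the safer choice for all three unless the exact pin is intentional.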
@@ -0,0 +1,13 @@
+# Description
+
+Test smtp keywords
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/attachments/7515
+https://redmine.openinfosecfoundation.org/attachments/7516
+https://redmine.openinfosecfoundation.org/attachments/7517
+
+# PCAP
+
+reused from bug-3616-smtp
diff --git a/tests/smtp-keywords/test.rules b/tests/smtp-keywords/test.rules
new file mode 100644
index 000000000..eb3973cae
--- /dev/null
+++ b/tests/smtp-keywords/test.rules
@@ -0,0 +1,8 @@
+alert smtp any any -> any any (msg:"SMTP helo GP"; smtp.helo; content:"GP"; sid:1; rev:1;)
+alert smtp any any -> any any (msg:"SMTP mail_from"; smtp.mail_from; content:""; sid:2; rev:1;)
+alert smtp any any -> any any (msg:"SMTP rcpt_to"; smtp.rcpt_to; content:""; sid:3; rev:1;)
+
+# signatures not matching
+alert smtp any any -> any any (msg:"SMTP helo not triggering"; smtp.helo; content:"not there"; sid:10; rev:1;)
+alert smtp any any -> any any (msg:"SMTP not mail_from"; smtp.mail_from; content:"spammer"; sid:12; rev:1;)
+alert smtp any any -> any any (msg:"SMTP no rcpt_to"; smtp.rcpt_to; content:""; sid:13; rev:1;)
diff --git a/tests/smtp-keywords/test.yaml b/tests/smtp-keywords/test.yaml
new file mode 100644
index 000000000..e4226da4b
--- /dev/null
+++ b/tests/smtp-keywords/test.yaml
@@ -0,0 +1,40 @@
+pcap: ../bug-3616-smtp/input.pcap
+
+requires:
+ min-version: 8.0.0
+
+checks:
+- filter:
+ # 2 transactions, 2 alerts
+ count: 2
+ match:
+ event_type: alert
+ smtp.helo: GP
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ smtp.mail_from: ""
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 12
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ smtp.rcpt_to[0]: ""
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 13
\ No newline at end of file
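Review bot: In smtp-keywords/test.rules, sid 13 (`smtp.rcpt_to; content:""`) carries exactly the same detection logic as sid 3 two rules above, yet it sits under `# signatures not matching` and the test.yaml hunk in this commit expects 1 alert for sid 3 and 0 for sid 13; unless the engine treats empty content specially, both expectations cannot hold on the same pcap. The other two negative rules use a value absent from the traffic, so sid 13 presumably meant to do the same, for example `alert smtp any any -> any any (msg:"SMTP no rcpt_to"; smtp.rcpt_to; content:"nobody"; sid:13; rev:1;)` (value constructed for illustration). If sid 13 is instead meant to probe empty-content handling, a one-line comment above it saying so would spare the next reader the same confusion. The smtp test.yaml also lacks a trailing newline, which is only cosmetic.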