rule-types: add more rules - v2

tests/iprep-12-rule-types/README.md

@@ -0,0 +1,5 @@
+# Test Description
+
+Check rule types with iprep keyword present: set, isset and isnotset options.
+
+Test setup copied and adapted from test `iprep-11-isset`.

tests/iprep-12-rule-types/iprep.rules

@@ -0,0 +1,6 @@
+alert ip any any -> any any (sid:1; iprep:dst,2402000,isset;)
+alert ip any any -> any any (sid:2; iprep:dst,2402000,isnotset;)
+alert ip any any -> any any (sid:3; iprep:dst,2402000,=,0;)
+alert http any any -> any any (sid:4; iprep:dst,2402000,=,0;)
+alert http any any -> any any (sid:5; iprep:dst,2402000,isset;)
+alert http any any -> any any (sid:6; iprep:dst,2402000,isnotset;)

tests/iprep-12-rule-types/scirius-categories.txt

@@ -0,0 +1,10 @@
+1,2520000,ET TOR Known Tor Exit Node Traffic
+2,2522000,ET TOR Known Tor Relay/Router (Not Exit) Node Traffic
+3,2403300,ET CINS Active Threat Intelligence Poor Reputation IP
+4,2525000,ET 3CORESec Poor Reputation IP
+5,2400000,ET DROP Spamhaus DROP Listed Traffic Inbound
+6,2500000,ET COMPROMISED Known Compromised or Hostile Host Traffic
+7,2404033,ET CNC Shadowserver Reported CnC Server
+8,2404000,ET CNC Shadowserver Reported CnC Server IP
+9,2404300,ET CNC Feodo Tracker Reported CnC Server
+10,2402000,ET DROP Dshield Block Listed Source

tests/iprep-12-rule-types/scirius-iprep.list

@@ -0,0 +1,15 @@
+#8.8.8.8,10,100
+4.4.4.4,10,100
+104.244.72.152,1,100
+51.210.242.169,1,100
+193.218.118.100,1,100
+51.210.242.133,1,100
+91.192.103.50,1,100
+198.251.80.157,1,100
+135.148.33.65,1,100
+199.249.230.89,1,100
+46.194.44.245,1,100
+45.153.160.137,1,100
+135.148.33.89,1,100
+185.242.113.224,1,100
+37.139.8.104,1,100

tests/iprep-12-rule-types/suricata.yaml

@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+reputation-categories-file: scirius-categories.txt
+reputation-files:
+  - scirius-iprep.list
+
+engine-analysis:
+  # enables printing reports for each rule
+  rules: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert

tests/iprep-12-rule-types/test.yaml

@@ -0,0 +1,44 @@
+requires:
+  min-version: 7
+  pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 2
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 3
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 4
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 5
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 6
+        type: "pkt"

tests/like-ip-only-01/suricata.yaml

@@ -0,0 +1,8 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert

tests/like-ip-only-01/test.rules

@@ -0,0 +1 @@
+alert tcp 192.168.51.206 any -> !192.168.51.206 any (msg:"simple negated ip test"; flow:established; sid:1001;)

tests/like-ip-only-01/test.yaml

@@ -0,0 +1,11 @@
+requires:
+  min-version: 7
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 17
+      match:
+        event_type: alert

tests/rules/rule-type-app-layer/test.rules

@@ -0,0 +1,5 @@
+# Application Layer Protocol Rules
+alert dns any any -> any any (msg:"app-layer, dns"; sid:404;)
+alert http any any -> any any (msg:"http, no content"; sid:601;)
+pass tls any any -> any any (msg:"tls, pkt or app-layer? pass"; sid:605;)
+alert tls any any -> any any (msg:"tls, pkt or app-layer?"; flowint:tls_error_int,=,0; sid:613;)

tests/rules/rule-type-app-layer/test.yaml

@@ -0,0 +1,25 @@
+requires:
+  min-version: 7
+  pcap: false
+args:
+- --engine-analysis
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 404
+        type: "app_layer"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert http any any -> any any (msg:\"http, no content\"; sid:601;)"
+        id: 601
+        type: "app_layer"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 613
+        type: "app_layer"

tests/rules/rule-type-app-tx/test.rules

@@ -0,0 +1,5 @@
+# Application Layer Protocol Transaction Rules
+alert tcp any any -> any any (msg:"http, pos event"; app-layer-event:http.file_name_too_long; sid:501;)
+alert tcp any any -> any any (msg:"byte_extract with dce"; dcerpc.stub_data; content:"abc"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)
+alert http any any -> any any (msg:"Test"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".exe"; endswith; http.host; content:!".google.com"; endswith; sid:1102;)
+alert udp any any -> any any (msg:"DNS UDP Frame"; flow:to_server; frame:dns.pdu; content:"|01 20 00 01|"; offset:2; content:"suricata"; offset:13; sid:1402; rev:1;)

tests/rules/rule-type-app-tx/test.yaml

@@ -0,0 +1,32 @@
+requires:
+  min-version: 7
+  pcap: false
+args:
+- --engine-analysis
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"http, pos event\"; app-layer-event:http.file_name_too_long; sid:501;)"
+        id: 501
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"byte_extract with dce\"; dcerpc.stub_data; content:\"abc\"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)"
+        id: 902
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1102
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1402
+        type: "app_tx"

tests/rules/rule-type-de-only/test.rules

@@ -0,0 +1,4 @@
+# Decoder Events Only
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop Options extension header"; decode-event:ipv6.exthdr_dupl_hh; classtype:protocol-command-decode; sid:1101;)
+drop pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
+

tests/rules/rule-type-de-only/test.yaml

@@ -0,0 +1,20 @@
+requires:
+    min-version: 7
+    pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 1101
+            type: de_only
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 2200005
+            type: de_only

tests/rules/rule-type-ip-only/test.rules

@@ -0,0 +1,4 @@
+# IP Only Rules
+alert tcp-stream any any -> any any (msg:"tcp-stream, no content"; sid:101;)
+alert tcp-pkt [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] any -> any any (msg:"tcp-pkt, no content"; sid:201;)
+alert ip any any -> any any (hostbits:set,myflow2; sid:1505;)

tests/rules/rule-type-ip-only/test.yaml

@@ -0,0 +1,26 @@
+requires:
+  min-version: 7
+  pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 101
+            type: ip_only
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 201
+            type: ip_only
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 1505
+            type: ip_only

tests/rules/rule-type-like-ip-only/test.rules

@@ -0,0 +1,3 @@
+# Like IP Only Rules (IP Only with negated addresses)
+alert tcp 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 any -> ![192.168.0.0/16,10.0.0.0/8,172.16.0.0/12] any (msg:"tcp, has negated IP address"; sid:304;)
+alert tcp [10.0.0.0/8,!10.10.10.10] any -> [10.0.0.0/8,!10.10.10.10] any (msg:"tcp, has negated IP address"; sid:305;)

tests/rules/rule-type-like-ip-only/test.yaml

@@ -0,0 +1,20 @@
+requires:
+  min-version: 7
+  pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 304
+        type: "like_ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 305
+        type: "like_ip_only"

tests/rules/rule-type-pd-only/test.rules

@@ -0,0 +1,5 @@
+# Protocol Detection Only Rules
+alert tcp any any -> any any (msg:"tcp, pd negated"; app-layer-protocol:!http; sid:401;)
+alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;)
+alert tcp any any -> any any (msg:"tcp, pd positive dns"; app-layer-protocol:dns; sid:403;)
+alert tcp any any -> any any (msg:"tcp, pd positive, dns, flow:to_server"; app-layer-protocol:dns; flow:to_server; sid:405;)

tests/rules/rule-type-pd-only/test.yaml

@@ -0,0 +1,34 @@
+requires:
+  min-version: 7
+  pcap: false
+args:
+- --engine-analysis
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd negated\"; app-layer-protocol:!http; sid:401;)"
+        id: 401
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd positive\"; app-layer-protocol:http; sid:402;)"
+        id: 402
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd positive dns\"; app-layer-protocol:dns; sid:403;)"
+        id: 403
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        raw: "alert tcp any any -> any any (msg:\"tcp, pd positive, dns, flow:to_server\"; app-layer-protocol:dns; flow:to_server; sid:405;)"
+        id: 405
+        type: "pd_only"

tests/rules/rule-type-pkt-stream/test.rules

@@ -0,0 +1,3 @@
+# Packet Stream rules
+alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;)
+alert http any any -> any any (msg:"http, anchored content"; content:"abc"; depth:30; sid:603;)

tests/rules/rule-type-pkt-stream/test.yaml

@@ -0,0 +1,20 @@
+requires:
+    min-version: 7
+    pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 303
+            type: pkt_stream
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 603
+            type: pkt_stream

tests/rules/rule-type-pkt/test.rules

@@ -0,0 +1,6 @@
+# Packet rules
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, anchored content"; content:"abc"; startswith; sid:203;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; sid:701;)
+alert udp any any -> any any (msg:"UDP with flow direction"; flow:to_server; sid:1001;)
+alert tcp any any -> any 443 (flow: to_server; flowbits:set,tls_error; sid:1604; msg:"Allow TLS error handling (outgoing packet) - non-stateful rule";)
+alert tcp-pkt any any -> any any (msg:"Flowbit isset"; flowbits:isset,fb6; flowbits:isset,fb7; sid:1919;)

tests/rules/rule-type-pkt/test.yaml

@@ -0,0 +1,38 @@
+requires:
+    min-version: 7
+    pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 203
+            type: pkt
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 701
+            type: pkt
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 1001
+            type: pkt
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 1604
+            type: pkt
+    - filter:
+        filename: rules.json
+        count: 1
+        match:
+            id: 1919
+            type: pkt

tests/rules/rule-type-stream/test.rules

@@ -0,0 +1,7 @@
+# Stream rules
+alert tcp-stream any any -> any any (msg:"tcp-stream, simple content"; content:"abc"; sid:102;)
+alert http any any -> any any (msg:"http, simple content"; content:"abc"; sid:602;)
+alert tcp any any -> any any (msg:"byte_extract with dce"; byte_extract:4,0,var,dce; byte_test:4,>,var,4,little; sid:901;)
+alert tcp any any -> any 443 (flow: to_server; content:"abc"; flowbits:set,tls_error; sid:1605; msg:"Allow TLS error handling (outgoing packet) with simple content - Stream rule";)
+alert tcp any any -> any 443 (flow: to_server; content:"abc"; sid:160401; msg:"Allow TLS error handling (outgoing packet) - stream rule";)
+alert tcp any any -> any 443 (content:"abc"; sid:160402; msg:"Allow TLS error handling (outgoing packet) - stream rule";)