tests: add various eve payload representation tests

Overlaps and gaps.

tests/eve-overlap-payload-01/suricata.yaml

@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes             # enable dumping payload in Base64
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
+            packet: yes              # enable dumping of packet (without stream segments)

tests/eve-overlap-payload-01/tcp-overlap.py

@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkt1 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 5)])
+pkt2 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 5)],window=4096)
+pkt3 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)
+pkt4 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=4096)
+pkt5 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"GOOD"
+pkt6 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"EVIL"
+pkt7 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',ack=6,seq=1001,window=4096)
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+pkts += pkt4
+pkts += pkt5
+pkts += pkt6
+pkts += pkt7
+
+wrpcap('tcp-overlap.pcap', pkts)
+
+pkts = []
+
+pkt1 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 5)])
+pkt2 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 5)],window=4096)
+pkt3 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)
+pkt4 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',seq=1001,ack=2,window=4096)
+pkt5 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=4096)/"GOOD"
+pkt6 = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=3, ack=1001,window=4096)/"XXX"
+pkt7 = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='A',ack=6,seq=1001,window=4096)
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+pkts += pkt4
+pkts += pkt5
+pkts += pkt6
+pkts += pkt7
+
+wrpcap('tcp-overlap2.pcap', pkts)

tests/eve-overlap-payload-01/tcp-overlap.rules

@@ -0,0 +1,5 @@
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)

tests/eve-overlap-payload-01/test.yaml

@@ -0,0 +1,36 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      payload: "R09PRA=="
+      payload_printable: "GOOD"
+      packet: "RQAAKAAAAABABnTLAQEBAQICAgIwOR+QAAAABgAAA+lQEAoATBcAAA=="
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+      payload: "RVZJTA=="
+      payload_printable: "EVIL"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAt3QAAEVWSUw="
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 4
+      payload: "R09PRA=="
+      payload_printable: "GOOD"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="

tests/eve-overlap-payload-02-policy-oldlinux/suricata.yaml

@@ -0,0 +1,30 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes             # enable dumping payload in Base64
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
+            packet: yes              # enable dumping of packet (without stream segments)
+
+host-os-policy:
+  # Make the default policy windows.
+  windows: [0.0.0.0/0]
+  bsd: []
+  bsd-right: []
+  old-linux: [2.2.2.2]
+  linux: []
+  old-solaris: []
+  solaris: []
+  hpux10: []
+  hpux11: []
+  irix: []
+  macos: []
+  vista: []
+  windows2k3: []

tests/eve-overlap-payload-02-policy-oldlinux/tcp-overlap.rules

@@ -0,0 +1,5 @@
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)

tests/eve-overlap-payload-02-policy-oldlinux/test.yaml

@@ -0,0 +1,36 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      payload: "RVZJTA=="
+      payload_printable: "EVIL"
+      packet: "RQAAKAAAAABABnTLAQEBAQICAgIwOR+QAAAABgAAA+lQEAoATBcAAA=="
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+      payload: "RVZJTA=="
+      payload_printable: "EVIL"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAt3QAAEVWSUw="
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 4
+      payload: "R09PRA=="
+      payload_printable: "GOOD"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="

tests/eve-overlap-payload-03-ips/suricata.yaml

@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes             # enable dumping payload in Base64
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
+            packet: yes              # enable dumping of packet (without stream segments)

tests/eve-overlap-payload-03-ips/tcp-overlap.rules

@@ -0,0 +1,5 @@
+alert tcp-stream any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)

tests/eve-overlap-payload-03-ips/test.yaml

@@ -0,0 +1,35 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 2 # one for original, one for overlap
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      payload: "R09PRA=="
+      payload_printable: "GOOD"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
+      stream: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 4
+      payload: "R09PRA=="
+      payload_printable: "GOOD"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="
+      stream: 0

tests/eve-overlap-payload-04-partial-overlap/suricata.yaml

@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes             # enable dumping payload in Base64
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
+            packet: yes              # enable dumping of packet (without stream segments)

tests/eve-overlap-payload-04-partial-overlap/tcp-overlap.rules

@@ -0,0 +1,5 @@
+alert tcp-stream any any -> any any (content:"XXX"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+
+alert tcp-pkt any any -> any any (content:"XXX"; sid:3;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:4;)

tests/eve-overlap-payload-04-partial-overlap/test.yaml

@@ -0,0 +1,39 @@
+requires:
+  min-version: 8
+
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+      stream: 1
+      payload: "R09PRA=="
+      payload_printable: "GOOD"
+      packet: "RQAAKAAAAABABnTLAQEBAQICAgIwOR+QAAAABgAAA+lQEAoATBcAAA=="
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+      stream: 0
+      payload: "WFhY"
+      payload_printable: "XXX"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAAKwABAABABnTHAQEBAQICAgIwOR+QAAAAAwAAA+lQEBAAlb4AAFhYWA=="
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 4
+      payload: "R09PRA=="
+      payload_printable: "GOOD"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEBAAr4MAAEdPT0Q="

tests/eve-overlap-payload-05-gap/suricata.yaml

@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes             # enable dumping payload in Base64
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
+            packet: yes              # enable dumping of packet (without stream segments)

tests/eve-overlap-payload-05-gap/test.rules

@@ -0,0 +1,9 @@
+alert tcp-stream any any -> any any (content:"VERY"; sid:1;)
+alert tcp-stream any any -> any any (content:"GOOD"; sid:2;)
+alert tcp-stream any any -> any any (content:"DATA"; sid:3;)
+
+alert tcp-pkt any any -> any any (content:"VERY"; sid:4;)
+alert tcp-pkt any any -> any any (content:"GOOD"; sid:5;)
+alert tcp-pkt any any -> any any (content:"DATA"; sid:6;)
+
+alert tcp-stream any any -> any any (content:"VERYGOODDATA"; sid:7;)

tests/eve-overlap-payload-05-gap/test.yaml

@@ -0,0 +1,59 @@
+requires:
+  min-version: 8
+
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      stream: 1
+      payload: "VkVSWVs0IGJ5dGVzIG1pc3NpbmddREFUQQ=="
+      payload_printable: "VERY[4 bytes missing]DATA"
+      packet: "RQAAKAAAAABABnTLAQEBAQICAgIwOR+QAAAADgAAA+lQEAoATA8AAA=="
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+      stream: 1
+      payload: "VkVSWVs0IGJ5dGVzIG1pc3NpbmddREFUQQ=="
+      payload_printable: "VERY[4 bytes missing]DATA"
+      packet: "RQAAKAAAAABABnTLAQEBAQICAgIwOR+QAAAADgAAA+lQEAoATA8AAA=="
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 4
+      payload: "VkVSWQ=="
+      payload_printable: "VERY"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAgAAA+lQEAQAqXgAAFZFUlk="
+      stream: 0
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
+      payload: "REFUQQ=="
+      payload_printable: "DATA"
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAACgAAA+lQEAQAuYwAAERBVEE="
+      stream: 0
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 7

tests/eve-payload-01-tcp-exact-overlap/suricata.yaml

@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes             # enable dumping payload in Base64
+            payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+            payload-printable: yes   # enable dumping payload in printable (lossy) format
+            packet: yes              # enable dumping of packet (without stream segments)