From 4bf5b4a8ec52417cfcd50ad6dbe36cc08f55834f Mon Sep 17 00:00:00 2001
From: Philippe Antoine <pantoine@oisf.net>
Date: Thu, 18 Jan 2024 14:30:27 +0100
Subject: [PATCH] Adds test about bidirectional rules

Ticket: 5665

Both positive and negative tests (impossible to load rules)
Matching and not matching tests
---
 tests/detect-bidir-flowbits/README.md    |  11 +++++
 tests/detect-bidir-flowbits/input.pcap   | Bin 0 -> 1554 bytes
 tests/detect-bidir-flowbits/server.go    |  26 +++++++++++
 tests/detect-bidir-flowbits/test.rules   |   6 +++
 tests/detect-bidir-flowbits/test.yaml    |  17 +++++++
 tests/detect-bidir-impossible/README.md  |   8 ++++
 tests/detect-bidir-impossible/test.rules |   7 +++
 tests/detect-bidir-impossible/test.yaml  |  35 ++++++++++++++
 tests/detect-bidir-ja3/README.md         |   8 ++++
 tests/detect-bidir-ja3/test.rules        |   4 ++
 tests/detect-bidir-ja3/test.yaml         |  18 ++++++++
 tests/detect-bidir/README.md             |   8 ++++
 tests/detect-bidir/test.rules            |  10 ++++
 tests/detect-bidir/test.yaml             |  56 +++++++++++++++++++++++
 14 files changed, 214 insertions(+)
 create mode 100644 tests/detect-bidir-flowbits/README.md
 create mode 100644 tests/detect-bidir-flowbits/input.pcap
 create mode 100644 tests/detect-bidir-flowbits/server.go
 create mode 100644 tests/detect-bidir-flowbits/test.rules
 create mode 100644 tests/detect-bidir-flowbits/test.yaml
 create mode 100644 tests/detect-bidir-impossible/README.md
 create mode 100644 tests/detect-bidir-impossible/test.rules
 create mode 100644 tests/detect-bidir-impossible/test.yaml
 create mode 100644 tests/detect-bidir-ja3/README.md
 create mode 100644 tests/detect-bidir-ja3/test.rules
 create mode 100644 tests/detect-bidir-ja3/test.yaml
 create mode 100644 tests/detect-bidir/README.md
 create mode 100644 tests/detect-bidir/test.rules
 create mode 100644 tests/detect-bidir/test.yaml

diff --git a/tests/detect-bidir-flowbits/README.md b/tests/detect-bidir-flowbits/README.md
new file mode 100644
index 000000000..f8188b9e2
--- /dev/null
+++ b/tests/detect-bidir-flowbits/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test bidirection matching with a real life example
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+Crafted from the rules
+Client is
+`curl -d '"goog:chromeOptions";"binary";"args":["' -X POST 127.0.0.1:8080/wd/hub/session`
+Server is server.go
diff --git a/tests/detect-bidir-flowbits/input.pcap b/tests/detect-bidir-flowbits/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..9888603e7b50954f9838c2b0cc2d8d73ca683c95
GIT binary patch
literal 1554
zcmbW1L1@!Z9LCdbObIJEQK;ClM=#D{lBVlemmzMf!#b1=7Ii}rvh=kLX79z9*R?&V
zhaH6p1J9nl3_)-QFYaVf&z^UX4G*GTc5(Cn%wo4X#O|dJUf)Z8?|a|(Pck1~K95SB
zQnLl)H}}fLSMhEs2MeNyEeeB4Ng5Nsu`Wq^C`l2~cM^Ro%bV|Pao<{WZ*MmvNzu+L
zpCTO{U6II1na<CD7i*mW5bP7@{-52qvXj_ez4aFOg|*Xvv)?~^@mlah_8DMjVK33c
zwyzsh9jUtj{EbJa;$L?A;V}Dp1y^Y8ZG*S3bwg-9$O|<Jo(a52MC=o)1Fv8RzW)5D
zzBuUnc39uc^sI@rYC$Vk7BnCGzC#Jho92wBt9ne%Q=c11PY<gpxO5|%%BEuSO&>F5
zyo3p?*%jt$!|G60g@tk3#vV)#Xag~Mf)Wn5DAzG5@v?yiN1AhH-NOd5JkND(i^HB;
zO{rF^N|CZf1&El~w15jSIVLAdl$H#;%;+MX_Qbt@ax}T%5R27eV6l>)H0~sYG2~cA
zHxw{>D-7<S(Pz(hOHaXM(Zd!P9eL7fbTc^M#p7Fhj{~DaUg#+rN~O>>aE1}fMYEVK
zVTL9dqbw!|{|q#RIj_g$oW;Q;vw|-nT}M+Dg3_sU2I(0iJ#3^#(A67e)6vjnePpmX
z8Q9EmjccB3Ib;;sWsCWkU#{??k`?w+R#K^l$pcIEG5GFO7S-E$A;%mLHdzySg5?IP
zko$yI3Bp3EfhK<Efr^&n;sW9n`P^cVJgzw$CJ5wcxo%x;c`S#QOiEpU+~&Zap^T#<
z5Kw_)pIqSLai3qjOAzWe%NTi#+E9}L9I!<w0yu&w1?1A8azyY71l8Uf+fcSw=MoV7
z=P-Ej1qk2ReBzkAo}+nI8@!;9<`T=B4Yj2(*M&xL-jB!S^&BenKfJGP@PaROLk0hO
LTm1V0{;mH4|0kV`

literal 0
HcmV?d00001

diff --git a/tests/detect-bidir-flowbits/server.go b/tests/detect-bidir-flowbits/server.go
new file mode 100644
index 000000000..9f2429752
--- /dev/null
+++ b/tests/detect-bidir-flowbits/server.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func main() {
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Server", "Jetty")
+		w.WriteHeader(http.StatusInternalServerError)
+		content := "org.openqa.selenium.WebDriverException: unknown error: Chrome failed to start: exited normally."
+		content = content + `unknown error: DevToolsActivePort file doesn't exist)\n  (The process started from chrome location`
+		n, err := w.Write([]byte(content))
+		fmt.Printf("lola %v %v\n", n, err)
+	})
+
+	server := &http.Server{
+		Addr:    "0.0.0.0:8080",
+		Handler: handler,
+	}
+
+	fmt.Printf("Listening [0.0.0.0:8080]...\n")
+	err := server.ListenAndServe()
+	fmt.Printf("lol %s", err)
+}
diff --git a/tests/detect-bidir-flowbits/test.rules b/tests/detect-bidir-flowbits/test.rules
new file mode 100644
index 000000000..f38707d1f
--- /dev/null
+++ b/tests/detect-bidir-flowbits/test.rules
@@ -0,0 +1,6 @@
+#flowbits version
+alert http any any -> any any (msg:"ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution"; flow:established,to_server; flowbits:set,ET.Selenium314159.RCE; urilen:15; http.method; content:"POST"; http.uri; content:"/wd/hub/session"; fast_pattern; http.request_body; content:"|22|goog|3a|chromeOptions|22|"; content:"|22|binary|22|"; content:"|22|args|22|"; content:"|5b 22|"; within:5; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:attempted-admin; sid:2052319; rev:2; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02; target:dest_ip;)
+alert http any any -> any any (msg:"ET EXPLOIT Selenium Server Grid Chrome 3.141.59 Remote Code Execution - Successful"; flow:established,to_client; flowbits:isset,ET.Selenium314159.RCE; http.stat_code; content:"500"; http.server; content:"Jetty"; startswith; file.data; content:"org|2e|openqa|2e|selenium|2e|WebDriverException|3a 20|unknown|20|error|3a 20|Chrome|20|failed|20|to|20|start|3a 20|exited|20|normally|2e|"; content:"unknown|20|error|3a 20|DevToolsActivePort|20|file|20|doesn|27|t|20|exist|29 5c|n|20 20 28|The|20|process|20|started|20|from|20|chrome|20|location"; fast_pattern; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:successful-admin; sid:2052359; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_02, deployment Perimeter, deployment Internal, former_category EXPLOIT, confidence High, signature_severity Critical, updated_at 2024_05_02; target:src_ip;)
+
+# and now the bidir version
+alert http any any => any any (msg:"ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution"; urilen:15; http.method; content:"POST"; http.uri; content:"/wd/hub/session"; fast_pattern; http.request_body; content:"|22|goog|3a|chromeOptions|22|"; content:"|22|binary|22|"; content:"|22|args|22|"; content:"|5b 22|"; within:5; http.stat_code; content:"500"; http.server; content:"Jetty"; startswith; bidir.toclient; file.data; content:"org|2e|openqa|2e|selenium|2e|WebDriverException|3a 20|unknown|20|error|3a 20|Chrome|20|failed|20|to|20|start|3a 20|exited|20|normally|2e|"; content:"unknown|20|error|3a 20|DevToolsActivePort|20|file|20|doesn|27|t|20|exist|29 5c|n|20 20 28|The|20|process|20|started|20|from|20|chrome|20|location"; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:attempted-admin; sid:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02; target:dest_ip;)
diff --git a/tests/detect-bidir-flowbits/test.yaml b/tests/detect-bidir-flowbits/test.yaml
new file mode 100644
index 000000000..cf960eb7f
--- /dev/null
+++ b/tests/detect-bidir-flowbits/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 8
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2052359
diff --git a/tests/detect-bidir-impossible/README.md b/tests/detect-bidir-impossible/README.md
new file mode 100644
index 000000000..aeec7416a
--- /dev/null
+++ b/tests/detect-bidir-impossible/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test invalid rules for bidirection matching
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+Reusing a pcap, but does not matter
diff --git a/tests/detect-bidir-impossible/test.rules b/tests/detect-bidir-impossible/test.rules
new file mode 100644
index 000000000..0dd4c7696
--- /dev/null
+++ b/tests/detect-bidir-impossible/test.rules
@@ -0,0 +1,7 @@
+alert http any any => any any (msg:"matching both uri and status"; sid: 11; http.uri; content: "/download"; http.stat_code; content: "200"; flow: to_server;)
+alert http any any => any any (msg:"matching only uri"; sid: 2; http.uri; content: "/download"; )
+alert http any any => any any (msg:"matching only status"; sid: 3; http.stat_code; content: "200";)
+alert http any any => any any (msg:"matching connection, but from ambiguous direction"; sid: 4; http.uri; content: "/download"; http.stat_code; content: "200"; http.connection; content: "eep";)
+alert http any any => any any (msg:"stream rule"; sid: 5; content: "/download"; content: "200";)
+alert http any any => any any (msg:"stream rule"; sid: 6; bidir.toserver; content: "/download"; bidir.toclient; content: "200";)
+alert enip any any => any any (msg:"frame rule"; sid: 7; bidir.toserver; frame: enip.pdu; content: "/download"; bidir.toclient; frame: enip.pdu; content: "200";)
diff --git a/tests/detect-bidir-impossible/test.yaml b/tests/detect-bidir-impossible/test.yaml
new file mode 100644
index 000000000..6f8e6c877
--- /dev/null
+++ b/tests/detect-bidir-impossible/test.yaml
@@ -0,0 +1,35 @@
+requires:
+  min-version: 8
+
+pcap: ../http-all-headers/input.pcap
+
+args:
+  - --set app-layer.protocols.enip.enabled=yes
+
+exit-code: 1
+
+checks:
+  - shell:
+      args: grep -c 'error parsing signature' suricata.log
+      expect: 7
+  - shell:
+      args: grep -c 'rule 2 should use both directions, but does not' suricata.log
+      expect: 1
+  - shell:
+      args: grep -c 'rule 3 should use both directions, but does not' suricata.log
+      expect: 1
+  - shell:
+      args: grep -c 'rule 4 means to use both directions, cannot have keywords ambiguous about directions' suricata.log
+      expect: 1
+  - shell:
+      args: grep -c 'rule 5 should use both directions, but does not' suricata.log
+      expect: 1
+  - shell:
+      args: grep -c 'rule 6 should use both directions, but does not' suricata.log
+      expect: 1
+  - shell:
+      args: grep -c 'rule 7 should use both directions, but does not' suricata.log
+      expect: 1
+  - shell:
+      args: grep -c 'rule 11 means to use both directions, cannot specify a flow direction' suricata.log
+      expect: 1
diff --git a/tests/detect-bidir-ja3/README.md b/tests/detect-bidir-ja3/README.md
new file mode 100644
index 000000000..3cdcc9e1f
--- /dev/null
+++ b/tests/detect-bidir-ja3/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test bidirection matching with TLS ja3
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+reused
diff --git a/tests/detect-bidir-ja3/test.rules b/tests/detect-bidir-ja3/test.rules
new file mode 100644
index 000000000..3165d8e21
--- /dev/null
+++ b/tests/detect-bidir-ja3/test.rules
@@ -0,0 +1,4 @@
+alert tls any any => any any (msg:"bidir ja3"; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; ja3.string; content:"771,49196-49200"; sid:1;)
+# should not match
+alert tls any any => any any (msg:"bidir ja3"; ja3s.hash; content:"6d79edf64e03689ff559a54e9d9487bc"; ja3.string; content:"771,49196-49200"; sid:2;)
+alert tls any any => any any (msg:"bidir ja3"; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; ja3.string; content:"9999999999"; sid:3;)
diff --git a/tests/detect-bidir-ja3/test.yaml b/tests/detect-bidir-ja3/test.yaml
new file mode 100644
index 000000000..751428fb0
--- /dev/null
+++ b/tests/detect-bidir-ja3/test.yaml
@@ -0,0 +1,18 @@
+requires:
+  min-version: 8
+
+pcap: ../tls/tls-certs-alert/input.pcap
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
diff --git a/tests/detect-bidir/README.md b/tests/detect-bidir/README.md
new file mode 100644
index 000000000..35b0d6504
--- /dev/null
+++ b/tests/detect-bidir/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test bidirection matching
+https://redmine.openinfosecfoundation.org/issues/5665
+
+# PCAP
+
+Reusing pcap from http-all-headers
diff --git a/tests/detect-bidir/test.rules b/tests/detect-bidir/test.rules
new file mode 100644
index 000000000..70054d2d7
--- /dev/null
+++ b/tests/detect-bidir/test.rules
@@ -0,0 +1,10 @@
+alert http any any => any any (msg:"matching both uri and status"; sid: 1; http.uri; content: "/download"; http.stat_code; content: "200";)
+alert http any any => any any (msg:"not matching both uri and status"; sid: 2; http.uri; content: "/download"; http.stat_code; content: "404";)
+alert http any any => any any (msg:"not matching both uri and status"; sid: 3; http.uri; content: "/upload"; http.stat_code; content: "200";)
+alert http any any => any any (msg:"fast_pattern on to_client side"; sid: 7; http.uri; content: "down"; http.server; content: "Apache"; fast_pattern;)
+alert http any any => any any (msg:"fast_pattern on to_client side but not matching"; sid: 8; http.uri; content: "upload"; http.server; content: "Apache"; fast_pattern;)
+alert http any any => any any (msg:"disambiguated toclient"; sid: 11; http.uri; content: "/download"; http.stat_code; content: "200"; bidir.toclient; http.connection; content: "eep";)
+alert http any any => any any (msg:"disambiguated toserver"; sid: 12; http.uri; content: "/download"; bidir.toserver; http.connection; content: "eep"; bidir.toclient; http.stat_code; content: "200";)
+alert http any any => any any (msg:"disambiguated toclient, without other toclient"; sid: 13; http.uri; content: "/download";  bidir.toclient; http.connection; content: "eep";)
+alert http any any => any any (msg:"disambiguated both sides"; sid: 14; bidir.toclient; http.connection; content: "eep"; bidir.toserver; http.connection; content: "eep";)
+alert http any any => any any (msg:"toclient, followed by http.uri implicitly toserver"; sid: 15; bidir.toclient; http.connection; content: "eep"; http.uri; content: "/download"; )
diff --git a/tests/detect-bidir/test.yaml b/tests/detect-bidir/test.yaml
new file mode 100644
index 000000000..5a56f45ec
--- /dev/null
+++ b/tests/detect-bidir/test.yaml
@@ -0,0 +1,56 @@
+requires:
+  min-version: 8
+
+pcap: ../http-all-headers/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 11
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 12
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 13
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 14
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 15