- Generated on Fri Jul 26 2024 23:30:47 for suricata by
1.8.18
|
suricata
|
Test that the http_client_body content matches against a http request against a case insensitive pattern.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
multiple http transactions and body chunks of request handling
multiple http transactions and body chunks of request handling
Test that the http_client_body content matches against a http request which holds the content.
Negative test that the negated http_client_body content matches against a http request which holds hold the content.
Test that the negated http_client_body content matches against a http request which doesn't hold the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_client_body content matches against a http request which holds the content, against a cross boundary present pattern.
Test that the http_client_body content matches against a http request which holds the content.
Test that the http_client_body content matches against a http request which holds the content.
Test that the http_client_body content matches against a http request which holds the content.
Test that an invalid signature containing a rawbytes along with a http_client_body is invalidated.
Test that a signature containing an valid http_client_body entry is parsed.
Test that a signature containing a http_client_body is correctly parsed and the keyword is registered.
Test parser accepting valid rules and rejecting invalid rules
Test that the http_cookie content matches against a http request which holds the content.
Check the signature working to alert when http_cookie is not present
Check the signature working to alert when http_cookie is not present
Check the signature working to alert when http_cookie is not present
Check the signature working to alert when http_cookie is not present
Check the signature working to alert when http_cookie is not present
Check the signature working to alert when http_cookie is not present
Check the signature working to alert when http_cookie is matched .
Checks if a http_cookie is registered in a Signature, if some parameter is specified with http_cookie in the signature
Checks if a http_cookie is registered in a Signature, if content is not specified in the signature
Test that the http_cookie content matches against a http request which holds the content.
Test parser accepting valid rules and rejecting invalid rules
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test that the http_cookie content matches against a http request which holds the content.
Test the pruning of SACK ranges.
Test the pruning of SACK ranges.
Test the pruning of SACK ranges.
Test the pruning of SACK ranges.
Test the insertion of SACK ranges.
Test the insertion of SACK ranges.
Test the insertion of SACK ranges.
Test the insertion of SACK ranges.
Test the insertion of SACK ranges.
Test the insertion of SACK ranges.
Test the pruning of SACK ranges.
3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge). Test if the first segment is removed from the list.
3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge). Test if the first segment is removed from the list.
3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge) with small packet overlap.
3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly with a small window size so that we cutting off at the start (left edge)
3 in order segments, then reassemble, add one more and reassemble again. test the sliding window reassembly.
3 in order segments in inline reassembly
Test the file_data fails with flow:to_server.
endswith (isdataat) recursion logic based on DetectEngineContentInspectionTest06
multiple independent blocks recursion logic
Check the signature working to alert against set-cookie
AppLayerHtpFileParseContentRangeTest04 is a test for setting up a valid range value without the size.
AppLayerHtpFileParseContentRangeTest03 is a regression test for setting up an invalid range value.
AppLayerHtpFileParseContentRangeTest02 is a regression test for setting up an invalid range value.
AppLayerHtpFileParseContentRangeTest01 is a test for setting up a valid range value.
Test the insertion of out of window condition.
Test the insertion on out of window condition.
Test the pruning of SACK ranges.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
invalid sig: uppercase content
Test that a http_host with nocase is parsed.
Test that an invalid signature containing a rawbytes along with a http_host is invalidated.
Test that an invalid signature containing no content but a http_host is invalidated.
Test that a signature containing a http_host is correctly parsed and the keyword is registered.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content, against a cross boundary present pattern.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
Test that the http_host header content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request against a case insensitive pattern.
Test that the http_raw_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request against a case insensitive pattern.
multiple http transactions and body chunks of request handling
Test that the http_raw_host content matches against a http request which holds the content.
Negative test that the negated http_raw_host content matches against a http request which holds hold the content.
Test that the negated http_raw_host content matches against a http request which doesn't hold the content.
Test that the http_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content, against a cross boundary present pattern.
Test that the http_raw_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content.
multiple http transactions and body chunks of request handling
Test that the http_host content matches against a http request which holds the content.
Negative test that the negated http_host content matches against a http request which holds hold the content.
Test that the negated http_host content matches against a http request which doesn't hold the content.
Test that the http_host content matches against a http request against a case insensitive pattern.
Negative test that the negated http_header content matches against a http request which holds hold the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
app-layer-event:http.host_header_ambiguous should be set
app-layer-event:http.host_header_ambiguous should be set
app-layer-event:http.host_header_ambiguous should not be set
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the negated http_header content matches against a http request which doesn't hold the content.
Test that the http_header content matches against a http request against a case insensitive pattern.
Test that the http_header content matches against a http request which holds the content, against a cross boundary present pattern.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test parser accepting valid rules and rejecting invalid rules
Test parser accepting valid rules and rejecting invalid rules
Check the signature working to alert against cookie/set-cookie
Test that the http_header content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
Test that the http_host content matches against a http request which holds the content.
reassembly bug where headers with names of length 6 were skipped
Test to make sure we detect the sequence wrap around and continue stream reassembly properly.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Check if replace is working when depth is used
Check if replace is working when nocase used
Check if replace is not done when second content match and not first
Check if replace is not done when second content don't match
Check if replace is working with second content
Check if replace is working with offset and keyword inversion
Check if replace is working with offset
Check if replace is working when depth block match used
QuicVersionTestParse03 is a test for an invalid value
QuicVersionTestParse01 is a test for a valid value
QuicUaTestParse03 is a test for an invalid value
QuicUaTestParse01 is a test for a valid value
QuicSniTestParse03 is a test for an invalid value
QuicSniTestParse01 is a test for a valid value
DetectQuicCyuStringTest01 is a test for a valid quic packet, matching on the cyu string
DetectQuicCyuHashTest01 is a test for a valid quic packet, matching on the cyu hash
DetectRpcTestParse05 is a test for check invalid values
DetectRpcTestParse04 is a test for check the discarding of empty options
DetectRpcTestParse03 is a test for checking the wildcards and not specified fields
DetectRpcTestParse02 is a test for setting the established rpc opt
DetectRpcTestParse01 is a test to make sure that we return "something" when given valid rpc opt
RfbSecresultTestParse02 is a test for an invalid secresult value
RfbSecresultTestParse01 is a test for a valid secresult value
Parsing test content and replace length differ
Parsing test content and replace length differ
Parsing test content after replace
multiple http transactions and body chunks of request handling
Parsing test: non valid because of http_header on same content as replace keyword
Parsing test: non valid because of http protocol
Check if replace is working with within
Check if replace is working with within
Check if replace is working with within
Check if replace is working with within
Check if replace is working with within
Check if replace is working when depth block match used
DetectPcreParseTest08 make sure we parse pcre with O opts
DetectPcreParseTest07 make sure we parse pcre with /Ui opts
DetectPcreParseTest06 make sure we parse pcre with smi opts
DetectPcreParseTest05 make sure we parse pcre with no opts
DetectPcreParseTest04 make sure we allow escaped "
DetectPcreParseTest03 make sure we don't allow invalid opts UZi.
DetectPcreParseTest02 make sure we don't allow invalid opts Ui$.
DetectPcreParseTest01 make sure we don't allow invalid opts 7.
DetectPcreParseTest09 make sure we parse pcre with a content that has slashes
check that we don't allow invalid negation options
check that we don't allow invalid negation options
check that we don't allow invalid negation options
check that we don't allow invalid negation options
check that we don't allow invalid negation options
check that we don't allow invalid negation options
Check a signature with inconsistent pcre relative
test pcre P modifier with multiple pipelined http transactions
Test tracking of body chunks per transactions (on requests)
Check a signature with inconsistent pcre modifiers
Check a signature with inconsistent pcre modifiers
Check a signature with inconsistent pcre modifiers
DetectRpcTestParse05 is a test to check the match function
Check a signature with pcre relative http_uri
Check a signature with pcre relative uricontent
Check a signature with pcre relative raw uri
Check a signature with pcre relative client-body
Check a signature with pcre relative header
Check a signature with pcre relative raw header
Check a signature with pcre relative cookie
Check a signature with pcre relative method
Test pcre option for dce sig(yeah I'm bored of writing test titles).
DetectThresholdTestSig13 is a test for checking the working by_rule limits by setting up the signature and later testing its working by matching received packets against the sig.
DetectThresholdTestSig14 is a test for checking the working by_both limits by setting up the signature and later testing its working by matching received packets against the sig.
Test drop action being set even if thresholded
Test drop action being set even if thresholded
Test drop action being set even if thresholded
Test drop action being set even if thresholded
Test drop action being set even if thresholded
Test drop action being set even if thresholded
DetectThresholdTestSig5 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.
DetectThresholdTestSig4 is a test for checking the working of both keyword by setting up the signature and later testing its working by matching the received packet against the sig.
DetectThresholdTestSig3 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.
Test flow allocations when it reach memcap
Test the unlimited config value of reassembly depth.
Test to make sure that reassembly_depth is enforced.
Test the memcap incrementing/decrementing and memcap check
Test to make sure that we sent all the segments from the initial segments to app layer until we have detected the app layer proto.
Test to make sure that we don't return the segments until the app layer proto has been detected and after that remove the processed segments.
Test the handling of packets missed by IDS, but the end host has received it and send the acknowledgment of it. The packet is missed in the middle of the stream.
Test the handling of packets missed by IDS, but the end host has received it and send the acknowledgment of it. The packet is missed in the starting of the stream.
Test the handling of packets missed by both IDS and the end host. The packet is missed in the end of the stream.
Test the handling of packets missed by both IDS and the end host. The packet is missed in the middle of the stream.
Test the handling of packets missed by both IDS and the end host. The packet is missed in the starting of the stream.
DetectThresholdTestSig2 is a test for checking the working of threshold keyword by setting up the signature and later testing its working by matching the received packet against the sig.
Test flow allocations when it reach memcap
Test flow allocations when it reach memcap
Test the setting of the per protocol free function to free the protocol specific memory.
Test the setting of the per protocol timeouts.
DetectWithinTestPacket01 is a test to check matches of within, if the previous keyword is pcre (bug 145)
Check a signature with given urilen
DetectUrilenSetpTest01 is a test for setting up an valid urilen values with valid "<>" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context and setting up the signature itself.
FlagsTestParse01 is a test for a valid flags value
FlagsTestParse11 test if ACK or PUSH are set. Ignore SYN and RST. Must fails.
FlagsTestParse10 test if ACK and PUSH are not set. Must return success.
FlagsTestParse09 test if SYN and RST are not set. Must fails.
FlagsTestParse08 test if SYN or RST are set. Must return success.
FlagsTestParse07 test if SYN or RST are set. Must fails.
FlagsTestParse06 test if ACK+PUSH and more flags are set. Ignore URG and RST bits. Must return success.
FlagsTestParse05 test if ACK+PUSH and more flags are set. Ignore SYN and RST bits. Must fails.
FlagsTestParse04 check if ACK bit is set. Must fails.
FlagsTestParse03 test if ACK and PUSH are set. Must return success
FlagsTestParse02 is a test for an invalid flags value
FlagsTestParse12 check if no flags are set. Must fails.
DetectTagTestParse05 is a test for default opts
DetectTagTestParse04 is a test for default opts
DetectTagTestParse03 is a test for setting the stateless tag opt
DetectTagTestParse02 is a test to check that we parse tag correctly
DetectTagTestParse01 is a test to make sure that we return "something" when given valid tag opt
DetectStreamSizeParseTest04 is a test to make sure that we match the stream_size against invalid packet parameters.
DetectStreamSizeParseTest03 is a test to make sure that we match the packet correctly provided valid stream size.
DetectStreamSizeParseTest02 is a test to make sure that we detect the invalid stream_size options.
DetectStreamSizeParseTest01 is a test to make sure that we parse the user options correctly, when given valid stream_size options.
DetectWindowTestPacket01 is a test to check window with constructed packets
DetectThresholdTestSig1 is a test for checking the working of limit keyword by setting up the signature and later testing its working by matching the received packet against the sig.
ThresholdTestParse07 is a test for thresholding by_rule
ThresholdTestParse06 is a test for thresholding by_both
ThresholdTestParse05 is a test for a valid threshold options in any order
ThresholdTestParse04 is a test for an invalid threshold options in any order
ThresholdTestParse03 is a test for a valid threshold options in any order
ThresholdTestParse02 is a test for a invalid threshold options
ThresholdTestParse01 is a test for a valid threshold options
Test that the http_raw_host header content matches against a http request which holds the content.
DetectWindowTestParse03 is a test to check for a big value
DetectWindowTestParse03 is a test to check for an empty value
DetectWindowTestParse02 is a test for setting the window opt negated
DetectWindowTestParse01 is a test to make sure that we set the size correctly when given valid window opt
DetectSeqSigTest02 tests seq keyword
DetectSeqSigTest01 tests parses
Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1"
Test the initialization of tcp streams with congestion flags
Test the initialization of tcp streams with congestion flags
Test the stream mem leaks conditions.
Test the stream mem leaks conditions.
Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'
Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'
Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'
Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'
Test the various OS policies based on different IP addresses from configuration defined in 'dummy_conf_string1'
Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1". To check the setting of Default os policy
Test the initialization of tcp streams with congestion flags
Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string1"
set up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK: however the SYN/ACK and ACK are part of a normal 3WHS
set up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK, but the SYN/ACK does not have the right SEQ
Test the setting up a TCP session using the 4WHS: SYN, SYN, SYN/ACK, ACK
Test the setting up a OS policy. Te OS policy values are defined in the config string "dummy_conf_string"
Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN and SYN/ACK packets in that stream. Later, we start to receive the packet from other end stream too.
Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN and SYN/ACK packets in that stream.
Test the setting up a TCP session when we are seeing asynchronous stream, while we missed the SYN packet of that stream.
Test the setting up a TCP session when we are seeing asynchronous stream, while we see all the packets in that stream from start.
Check that we invalidate with unknown keywords (It should default to pass, drop, reject, alert)
Check that invalid classtypes present in the classification config file aren't loaded.
Check that the classification file is loaded and the detection engine content class_conf_hash_table loaded with the classtype data.
Check that the expected defaults are loaded if the action-order configuration is not present.
Check that we load a valid config
Check that we load a valid config
Check that we invalidate with unknown keywords and/or more than the expected (It should default to pass, drop, reject, alert)
Check that we invalidate if any action is missing (It should default to pass, drop, reject, alert)
Check that we invalidate if any action is missing (It should default to pass, drop, reject, alert)
Test the working of No stream reassembly flag. The stream will not reassemble the segment if the flag is set.
Check that we invalidate duplicated actions (It should default to pass, drop, reject, alert)
multiple different SYN/ACK, over the limit
multiple different SYN/ACK, pick neither
multiple different SYN/ACK, pick second
multiple different SYN/ACK, pick first
Test the validation of the ACK number before setting up the stream.last_ack and update the next_seq after loosing the .
Test the validation of the ACK number before setting up the stream.last_ack.
Test the processing of out of order FIN packets in tcp session.
Test the memcap incrementing/decrementing and memcap check
SigTest37ContentAndIsdataatKeywords02 is a test to check window with constructed packets,
ICMP packet shouldn't be matching port based sig Bug #611
test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode, and it doesn't inspect any other packet of the stream
test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode
test if the engine set flag to drop pkts of a flow that triggered a drop action on IPS mode
sigs with patterns at the limit of the pm's size limit
SigTest42NoPayloadInspection is a test to check that when PKT_NOPAYLOAD_INSPECTION flag is set, we don't need to inspect the packet contents.
SigTest41NoPacketInspection is a test to check that when PKT_NOPACKET_INSPECTION flag is set, we don't need to inspect the packet protocol header or its contents.
SigTest36ContentAndIsdataatKeywords01 is a test to check window with constructed packets,
DetectTtlTestSig01 is a test for checking the working of ttl keyword by setting up the signature and later testing its working by matching the received packet against the sig.
DetectTtlSetupTest01 is a test for setting up an valid ttl values with valid "-" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context setting up the signature itself.
DetectTtlParseTest07 is a test for setting up an valid ttl values with invalid "<>" operator and include spaces arround the given values.
DetectTtlParseTest06 is a test for setting up an valid ttl values with invalid "=" operator and include spaces arround the given values.
DetectTtlParseTest05 is a test for setting up an valid ttl values with "-" operator and include spaces arround the given values.
DetectTtlParseTest04 is a test for setting up an valid ttl value with ">" operator and include spaces arround the given values.
DetectTtlParseTest03 is a test for setting up an valid ttl values with "-" operator.
DetectTtlParseTest02 is a test for setting up an valid ttl value with "<" operator.
Test the working on PAWS. The packet will be accepted by engine as the timestamp is valid and it is in window.
Test the working on PAWS. The packet will be dropped by stream, as its timestamp is old, although the segment is in the window.
Test the setting up a TCP session when we have seen only the FIN, RST packets packet of the session. The session is setup only if midstream sessions are allowed to setup.
Test the setting up a TCP session when we missed the initial 3WHS packet of the session. The session is setup only if midstream sessions are allowed to setup.
Test the setting up a TCP session when we missed the initial SYN/ACK packet of the session. The session is setup only if midstream sessions are allowed to setup.
Test the setting up a TCP session when we missed the initial SYN packet of the session. The session is setup only if midstream sessions are allowed to setup.
Test the deallocation of TCP session for a given packet and return the memory back to ssn_pool and corresponding segments to segment pool.
Test the allocation of TCP session for a given packet from the ssn_pool.
Check that only valid classtypes are loaded into the hash table from the classification.config file.
Check if the threshold file is loaded and well parsed
Check if the threshold file is loaded and well parsed
Check if the threshold file is loaded and well parsed
Check if the threshold file is loaded and well parsed
Check if the threshold file is loaded and well parsed
Check if the threshold file is loaded and well parsed
Check if the rate_filter rules are loaded and well parsed
Check that all the algorithms (no case) work at any offset and any pattern length
Check that all the algorithms work at any offset and any pattern length
issue 130 (@redmine) check to ensure that the problem is not the algorithm implementation
Generic test for boyer moore nocase matching
Generic test for boyer moore matching
Generic test for Bs2Bm no case matching
Generic test for Bs2Bm matching
Generic test for BasicSearch nocase matching
Generic test for BasicSearch matching
Check if the suppress rules work - ip only rule
Global UTHPacketMatchSig (Packet *p, const char *) Test if a packet match a signature given as string Hint: Useful for unittests with only one packet and one signature
Global UTHPacketMatchSigMpm (Packet *, char *, uint16_t) Test if a packet match a signature given as string and a mpm_type Hint: Useful for unittests with only one packet and one signature
Global UTHMatchPackets (DetectEngineCtx *, Packet **, int) UTHMatchPackets Match a packet or a array of packets against sigs of a de_ctx, but note that the return value doesn't mean that we have a match, we have to check it later with PacketAlertCheck()
Global UTHMatchPacketsWithResults (DetectEngineCtx *de_ctx, Packet **p, int num_packets, uint32_t sids[], uint32_t *results, int numsigs) UTHMatchPacketsWithResults Match a packet or a array of packets against sigs of a de_ctx, checking that each signature matches X times for certain packets
" Check if the rate_filter by_both work when similar packets going in opposite direction
Check if the rate_filter rules work with track by_both
Check if the threshold file is loaded and well parsed, and applied correctly to a rule with thresholding
Check if the threshold file is loaded and well parsed
Check if the suppress rule parsing handles errors correctly
Check if the suppress rule parsing handles errors correctly
Check that valid address and port group vars are correctly retrieved from the configuration.
Check if the suppress rules work
Check if the suppress rules work
Check if the suppress rules work
Check if the threshold file is loaded and well parsed
Check if the rate_filter rules work
Check if the rate_filter rules work
Check if the rate_filter rules work with track by_rule
Check if the rate_filter rules work
Check if the rate_filter rules are loaded and well parsed with multilines
Check that valid ipv6 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.
Check that the best match search works for all the possible netblocks of a fixed address
Check that the best match search works for all the possible netblocks of a fixed address
Check the loading of host info from a configuration file.
Check the loading of host info from a configuration file.
Check the loading of host info from a configuration file.
Check the loading of host info from a configuration file.
Check the loading of host info from a configuration file.
Check that valid ipv4 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.
Check that the best match search works for all the possible netblocks of a fixed address
Check that valid ipv6 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.
Check that valid ipv6 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv6 address that has been added to the host os radix tree.
Check that valid ipv4 addresses/netblocks are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.
Check that valid ipv4 addresses are inserted into the host os radix tree, and the host os api retrieves the right value for the host os flavour, on supplying as arg an ipv4 addresses that has been added to the host os radix tree.
Check that invalid ipv4 addresses and ipv4 netblocks are rejected by the host os info API
Check that invalid ipv4 addresses and ipv4 netblocks are rejected by the host os info API
Check if we the IPs with the right OS flavours are added to the host OS radix tree, and the IPS with invalid flavours returns an error(-1)
Check if the classtype info from the invalid classification.config file have not been loaded into the hash table, and cross verify to check that the hash table contains no classtype data.
Check if the classtype info from the classification.config file have been loaded into the hash table.
Check that the reference file is loaded and the detection engine content reference_conf_ht loaded with the reference data.
Check that Signatures with invalid address and port groups, are are invalidated by the Signature parsing API.
Check that Signatures with valid address and port groups are parsed without any errors by the Signature parsing API.
Check that invalid address and port groups are properly handled by the API.
Check that valid address and port group vars are correctly retrieved from the configuration.
Check if the reference info from the reference.config file have been loaded into the hash table.
Check if the reference info from the invalid reference.config file have not been loaded into the hash table, and cross verify to check that the hash table contains no reference data.
Check if the reference info from the reference.config file have been loaded into the hash table.
Check that only valid references are loaded into the hash table from the reference.config file.
Check that invalid references present in the reference.config file aren't loaded.
DetectTtlParseTest01 is a test for setting up an valid ttl value.
SCRadixTestIPV4NetblockInsertion26 insert a node searching on it. Should always return true but the purpose of the test is to monitor the memory usage to detect memleaks (there was one on searching)
SCRadixTestIPV4NetblockInsertion15 insert a node searching on it. Should always return true but the purpose of the test is to monitor the memory usage to detect memleaks (there was one on searching)
Check special combinations of netblocks and addresses on best search checking the returned userdata
Check that the best match search works for all the possible netblocks of a fixed address
Check that the best match search works for all the possible netblocks of a fixed address
Check that the best match search works for all the possible netblocks of a fixed address
Check that the best match search works for all the possible netblocks of a fixed address
Check special combinations of netblocks and addresses on best search checking the returned userdata
Check that the best match search works for all the possible netblocks of a fixed address
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content, against a cross boundary present pattern.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_header content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content. Negated match.
Test that the http_server_body content matches against a http request which holds the content. Case insensitive.
Test that the http_server_body content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content.
multiple http transactions and body chunks of request handling
Test that the http_server_body content matches against a http request which holds the content. Negated match.
Test that the http_server_body content matches against a http request which holds the content. Negated match.
Test that the http_server_body content matches against a http request which holds the content. Case insensitive.
Test that the http_header content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content.
Test that the http_server_body content matches against a http request which holds the content.
Test parser accepting valid rules and rejecting invalid rules
Test parser accepting valid rules and rejecting invalid rules
Test that the http_header content matches against a http request which holds the content.
Negative test that the negated http_header content matches against a http request which holds hold the content.
Test that the negated http_header content matches against a http request which doesn't hold the content.
Test that the http_header content matches against a http request against a case insensitive pattern.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host header content matches against a http request which holds the content.
Test that the http_raw_host content matches against a http request which holds the content.
Check a signature with parameter (fail)
Test that the http_header content matches against a http request which holds the content.
Test parser accepting valid rules and rejecting invalid rules
Test parser accepting valid rules and rejecting invalid rules
Check a signature with an request method and negation of the same
Check a signature against an unparsable request
Check a signature with an unknown request method
Check a signature with an known request method
Check a signature with rawbytes (fail)
Check a signature with fast_pattern (should work)
Test that the http_server_body content matches against a http request which holds the content. Negated match.
Check a signature without content (fail)
Check a signature with content
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
Test that the http_method content matches against a http request which holds the content.
This is a test for a invalid value >1430000000<>1470000000.
This is a test for a valid value 2015-10.
This is a test for a valid value 1490000000.
This is a test for a valid value < 1490000000.
This is a test for a valid value > 1430000000.
This is a test for a valid value 1430000000 <> 1490000000.
This is a test for a invalid value 1490000000<>1430000000.
This is a test for a invalid value " ".
This is a test for a invalid value "".
This is a test for a invalid value <>1430000000.
This is a test for a invalid value 1430000000<>.
This is a test for a valid value >2015-10-22.
This is a test for a invalid value A.
This is a test for a valid value 1430000000<>1470000000.
This is a test for a valid value <1430000000.
This is a test for a valid value >1430000000.
This is a test for a valid value 1430000000.
Test matching for google in the subject of a certificate
Test that a signature containing a tls.cert_subject is correctly parsed and that the keyword is registered.
Test matching for serial in a certificate.
Test that a signature containing tls.cert_serial is correctly parsed and that the keyword is registered.
Test matching on an expired certificate.
signature with a valid xor value.
signature with an invalid xor value.
signature with a pcrexform value without substring capture
signature with a valid pcrexform value.
signature with an invalid pcrexform value.
DetectTlsVersionTestParse02 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL
DetectTlsVersionTestParse01 is a test to make sure that we parse the "id" option correctly when given valid id option
Test matching on bytes in a certificate
Test that a signature containing tls.certs is correctly parsed and that the keyword is registered.
Test matching on a valid TLS certificate.
Test matching for google in the issuer of a certificate
Test matching on validity dates in a certificate.
This is a test for a valid value of 1965-10-22T23:59:59 that is lower than epoch 0, but within the range of acceptable values (1950-2049) as per RFC 5280. (https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1)
This is a test for a valid value of 1970-01-01T00:00:00 that is at epoch 0, within the range of acceptable values (1950-2049) as per RFC 5280. (https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1)
This is a test for a valid value 2015-10-22T23:59:59.
This is a test for a valid value 2015-10-22T23:59.
This is a test for a valid value 2015-10-22T23.
This is a test for a valid value 2015-10-22 23:59:59.
This is a test for a valid value 2015-10-22 23:59.
This is a test for a valid value <2015-10-22 23.
Test that a signature containing an valid http_user_agent entry is parsed.
Negative test that the negated http_user_agent content matches against a http request which holds hold the content.
Test that the negated http_user_agent content matches against a http request which doesn't hold the content.
Test that the http_user_agent content matches against a http request against a case insensitive pattern.
Test that the http_user_agent content matches against a http request which holds the content, against a cross boundary present pattern.
Test that the http_user_agent content matches against a http request which holds the content.
Test that the http_user_agent content matches against a http request which holds the content.
Test that the http_user_agent content matches against a http request which holds the content.
Test that a http_user_agent with nocase is parsed.
Test that an invalid signature containing a rawbytes along with a http_user_agent is invalidated.
Test that an invalid signature containing no content but a http_user_agent is invalidated.
Test that the http_user_agent content matches against a http request which holds the content.
Test that a signature containing a http_user_agent is correctly parsed and the keyword is registered.
Check the signature working to alert when http_stat_msg is used with negated content .
Check the signature working to alert when http_stat_msg is not matched .
Check the signature working to alert when http_stat_msg is matched .
Check the signature working to alert when http_stat_code is matched for for negation or not
Check the signature working to alert when http_stat_code is matched for for nocase or not
Check the signature working to alert when http_stat_code is not matched .
Check the signature working to alert when http_stat_code is matched .
multiple http transactions and body chunks of request handling
DetectParseTestNoOpt is a regression test to make sure that we reject any signature where a NOOPT rule option is given a value. This can hide rule errors which make other options disappear, eg: foo: bar: baz; where "foo" is the NOOPT option, we will end up with a signature which is missing "bar".
Test that a signature containing a tls_cert_issuer is correctly parsed and that the keyword is registered.
Test matching for fingerprint of a certificate.
Test that a signature containing tls_cert_fingerprint is correctly parsed and that the keyword is registered.
DetectSslVersionTestParse03 is a test to make sure that we parse the "ssl_version" options correctly when given valid ssl_version options
DetectSslVersionTestParse02 is a test to make sure that we parse the "ssl_version" option correctly when given an invalid ssl_version option it should return ssl = NULL
DetectSslVersionTestParse01 is a test to make sure that we parse the "ssl_version" option correctly when given valid ssl_version option
Test parsing of negated states.
check that we don't allow invalid negation options
DetectParseTest01 is a regression test against a memory leak in the case of multiple signatures with different revisions Leak happened in function DetectEngineSignatureIsDuplicate
signature with a valid icmpv6.mtu value.
signature with a valid http2.size_update value.
signature with a valid http2.settings value.
signature with a valid http2.window value.
signature with a valid http2.priority value.
signature with a valid http2.errorcode value.
signature with a valid http2.frametype value.
multiple http transactions and body chunks of request handling
DetectBytetestTestParse02 is a test for setting the required opts
DetectBytetestTestParse01 is a test to make sure that we return "something" when given valid bytetest opt
check matches of with from_end
check matches of with from_beginning (bug 626/627)
check matches of with from_beginning (bug 626/627)
check matches of with from_beginning (bug 626/627)
check matches of with from_beginning (bug 626/627)
DetectByteJumpTestPacket02 is a test to check matches of byte_jump and byte_jump relative works if the previous keyword is byte_jump (bug 165)
DetectByteJumpTestPacket01 is a test to check matches of byte_jump and byte_jump relative works if the previous keyword is pcre (bug 142)
DetectBytetestTestParse03 is a test for setting the relative flag
DetectBytejumpTestParse08 is a test for offset too big
DetectBytejumpTestParse07 is a test for too many string bytes to extract
DetectBytejumpTestParse06 is a test for too many bytes to extract
DetectBytejumpTestParse05 is a test for setting base without string
DetectBytejumpTestParse04 is a test for setting the optional flags with parameters
DetectBytejumpTestParse03 is a test for setting the optional flags
DetectBytejumpTestParse02 is a test for setting the required opts
DetectBytetestTestParse13 is a test for too many bytes to extract
DetectBytetestTestParse16 is a test for offset too big
DetectBytetestTestParse15 is a test for too many bytes to extract (string)
DetectBytetestTestParse14 is a test for large string extraction
DetectBytejumpTestParse01 is a test to make sure that we return "something" when given valid bytejump opt
DetectBytetestTestParse12 is a test for hex w/o string
DetectBytetestTestParse11 is a test for whitespace
DetectBytetestTestParse10 is a test for whitespace
DetectBytetestTestParse09 is a test for neg operator only
DetectBytetestTestParse08 is a test for setting the little flag
DetectBytetestTestParse07 is a test for setting the big flag
DetectBytetestTestParse06 is a test for setting the string/hex flags
DetectBytetestTestParse05 is a test for setting the string/dec flags
DetectBytetestTestParse04 is a test for setting the string/oct flags
IPV4 defrag and flow retrieval test.
Don't send IPv4 fragments to the upper layer decoder and and packet recursion level test.
IPV4 defrag and packet recursion level test
IPV4 with RTRALT option (len invalid.
IPV4 with SSRR option (ptr not in 4 byte increment).
IPV4 with SSRR option (ptr too large).
IPV4 with SSRR option (len too large).
IPV4 with SID option (len invalid.
IPV4 with LSRR option (ptr not in 4 byte increment).
IPV4 with LSRR option (ptr too large).
IPV4 with LSRR option (len too large).
IPV4 with ESEC option (invalid length).
IPV4 with SEC option (invalid length).
DecodeVNTagt02 test if vntag header has unknown type.
Test that the list can be changed to post-detection lists after the base64 keyword.
DetectAsn1TestReal04 like the real test 02, but modified the relative offset to check negative offset values, in this case start decoding from -7 bytes respect the content match "John"
DetectAsn1TestReal03 Ensure that all works together
DetectAsn1TestReal02 Ensure that all works together
DetectAsn1TestReal01 Ensure that all works together
Test a report Linux overlap issue that doesn't appear to be covered by the Sturges/Novak tests above.
DecodeVXLANtest02 tests default port disabled by the config.
DecodeVXLANTest01 test a good vxlan header. Contains a DNS request packet.
DecodeVNTagTest03 test a good vntag header.
DecodeVNTagTest01 test if vntag header is too small.
DecodeVLANTest02 test a good vlan header.
DecodeVLANTest02 test if vlan header has unknown type.
DecodeVLANTest01 test if vlan header is too small.
Get the wscale, but it's missing, so see if return 0 properly
Get the wscale of 15, so see if return 0 properly
A negative test that uses a combination of content string with negated content string, with we receiving a failure for 'onee' itself.
A positive test that checks the combined use of 2 contents in the presence of within
A negative test that checks the use of negated content along with the presence of depth
A positive test that checks the combined use of content and negated content, in the presence of within
A negative test that checks the combined use of content and negated content, in the presence of within
A negative test that checks the combined use of content and negated content, with the content not being present
A negative test that checks the combined use of content and negated content with the use of distance
A positive test that checks the combined use of content and negated content with the use of distance
A negative test that checks the combined use of content and negated content with the use of within
A positive test that checks that we don't have a negated content within the specified length from the previous content match.
A negative test that uses a combination of content string with negated content string, with we receiving a failure of first content's offset condition
A negative test that checks the combined use of content and negated content, in the presence of within
A positive test that uses a combination of content string with negated content string
A negative test that checks that the content string doesn't contain the negated content after the specified offset and within the specified depth.
A negative test that checks that the content string doesn't contain the negated content within the specified depth, and also after the specified offset. Since the content is there, the match fails.
A positive test that checks that the content string doesn't contain the negated content within the specified depth
crash condition: as packet has no direction, it defaults to toclient in stream ctx inspection of packet. There a null ptr deref happens We don't care about the match/nomatch here.
A positive test that checks that the content string doesn't contain the negated content
Parsing test to check for unescaped quote within content section
DetectDetectionfilterTestParse03 is a test for a valid detection_filter options in any order
simple google.com query matching (TCP)
multi tx google.(com|net) query matching
simple google.com query matching
DetectDistanceTestPacket01 is a test to check matches of distance works, if the previous keyword is byte_jump and content (bug 163)
DetectDetectionFilterTestSig2 is a test for checking the working of detection_filter keyword by setting up the signature and later testing its working by matching the received packet against the sig.
DetectDetectionFilterTestSig1 is a test for checking the working of detection_filter keyword by setting up the signature and later testing its working by matching the received packet against the sig.
DetectDetectionFilterTestParse06 is a test for an invalid value in detection_filter
DetectDetectionFilterTestParse05 is a test for a valid detection_filter options in any order
DetectDetectionFilterTestParse04 is a test for an invalid detection_filter options in any order
DetectDetectionFilterTestParse02 is a test for a invalid detection_filter options
DetectDetectionFilterTestParse01 is a test for a valid detection_filter options
Test a valid dce_stub_data with just a request frag.
Test a valid dce_stub_data entry with bind, bind_ack, request frags.
Test negation in combination with within and depth
Test negation in combination with within and depth
A negative test that checks the combined use of content and negated content, in the presence of distance
A positive test that checks the combined use of content and negated content, in the presence of distance
DetectContentParseTest06 test a binary content
Check if we match contents that are in the payload but not in the same order as specified in the signature
Check that we match packets with multiple chunks and not chunks Here we should specify contents that fit and contents that must be splitted Each of them with their modifier values
Check that we match packets with multiple chunks and not chunks Here we should specify only contents that fit in 32 bytes Each of them with their modifier values
Check if we match multiple content (not splitted)
Check that we don't match the signature if one of the splitted chunks doesn't match the packet
Check if we match a splitted pattern
Check if we match a normal pattern (not splitted)
DetectContentParseTest08 test an empty content
DetectContentParseTest07 test an empty content
Check if we match contents that are in the payload but not in the same order as specified in the signature
DetectContentParseTest05 test illegal escape
DetectContentParseTest04 this is a test to make sure we can deal with escaped backslashes
DetectContentParseTest03 this is a test to make sure we can deal with escaped double-quotes
DetectContentParseTest02 this is a test to make sure we can deal with escaped semi-colons
DetectContentParseTest01 this is a test to make sure we can deal with escaped colons
test propagation of depth/offset/distance/within
Check that the signatures are assigned priority based on classtype they are given.
Check that both valid and invalid classtypes in a rule are handled properly, with rules containing invalid classtypes being rejected and the ones containing valid classtypes parsed and returned.
IPV4 with TS option (ptr not valid).
Test cases where if within specified is < content length we invalidate the sig.
Check if we match two contents of length 1
Check if we match two consecutive simple contents
Check if we match contents that are in the payload but not in the same order as specified in the signature
Test %2f decoding in profile IDS with double-decode-* options
Test really long request (same as HTPParserTest14), now with config update to allow it
Test really long request, this should result in HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG
BG box crash – chunks are messed up. Observed for real.
Test 'proxy' URI normalization. Ticket 1008
Test 'proxy' URI normalization. Ticket 1008
Test + char in query. Bug 1035
Test + char in query. Bug 1035
Test \ char in query profile IDS. Bug 739
Test http:// in query profile IDS
Test unusual delims in request line HTTP_DECODER_EVENT_REQUEST_FIELD_TOO_LONG
Test %2f decoding in profile IDS
Test %2f decoding in profile Apache_2_2
Test traffic is handled by the correct htp config
Test config builds radix correctly
Host:www.google.com0dName: Value0d0a <- missing space between name:value (rfc violation)
Host:www.google.com <- missing space between name:value (rfc violation)
Send Modbus Force Listen Only Mode request.
Send Modbus Write single register request/response.
Send Modbus Mask Write register request/response.
Send Modbus invalid PDU Length.
Send Modbus exceed Length request.
Modbus fragmentation - 2 ADU in 1 TCP packet.
Modbus fragmentation - 1 ADU over 2 TCP packets.
Send Modbus Read Coils request and error response with Exception code invalid.
Send Modbus invalid Length request.
Send Modbus unsolicited response.
Send Modbus invalid Protocol version in request.
Send Modbus Read/Write Multiple registers request/response with mismatch value.
Send Modbus Write Multiple registers request/response.
Send Modbus Read Coils request/response.
multi transactions and cleanup
Test the link layer length calculation.
Test the parsing of a request PDU.
Test multiple DNP3 frames in one TCP read.
Test parsing of partial frames.
Test an unsolicited response from an outstation.
Test a basic request/response.
Test removal of CRCs from user data.
Test the validation of the link header CRC.
The conversion of length with CRCs to the length without CRCs.
Test the decode of a DNP3 fragment with a single 70:3 object.
Test validation of all CRCs in user data.
Test CRC checking on partial and full blocks.
test if the engine detect the proto and doesn't match because the packet has another proto (ex ftp)
test if the engine detect the proto and doesn't match because the sig expects another proto (ex ftp)
test if the engine detect the proto on a non standar port and match with it
test if the engine detect the proto and match with it
What about if we add some sigs only for udp calling it for UDP? It should detect ALPROTO_HTTP1 (over udp). This is just a check to ensure that TCP/UDP differences work correctly.
What about if we add some sigs only for udp but call for tcp? It should not detect any proto
Test proper chunked encoded response body
Test both sides of a http stream mixed up to see if the HTP parser properly parsed them and also keeps them separated.
Test case where invalid data is sent and check the response of the parser from HTP library.
Test case where method is invalid and data is sent in smaller chunks and check the response of the parser from HTP library.
See how it deals with an incomplete request.
Test case where chunks are sent in smaller chunks and check the response of the parser from HTP library.
Test folding in 1byte per read case
Send invalid Modbus Mask Write register request.
Test case where chunks are sent in smaller chunks and check the response of the parser from HTP library.
invalid header: Somereallylongheaderstr: has no value
first multipart part contains file but doesn't end in first chunk
Supply STOR without a filename
Supply RETR without a filename
Send a get request in one chunk.
DecodeGeneveTest03 tests a good Geneve header with 16-bytes of options. Contains a IPv4 DNS request packet with a VLAN tag after the Ethernet frame. In practice, this probably won't be used but it should be support either way.
icmpv6 message type: echo request, valid packet
icmpv6 message type: destination unreach, valid packet
icmpv6 message type: time exceed, valid packet
icmpv6 message type: packet too big, valid packet
icmpv6 message type: parameter problem, valid packet
DecodeGRETest03 is a test for valid gre packet
DecodeGRETest02 is a test for wrong gre version
DecodeGRETest01 is a test for small gre packet
DecodeGeneveTest05 tests if Geneve header has inconsistent option len values.
DecodeGeneveTest04 tests default port disabled by the config.
icmpv6 message type: echo reply, valid packet
DecodeGeneveTest02 tests a good Geneve header with 16-bytes of options. Contains a IPv4 DNS request packet.
DecodeGeneveTest01 tests a good Geneve header with 16-bytes of options. Contains a Ethernet+IPv6 DHCP request packet.
Failure decoding, not enough data
Successful decoding, with payload data
RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP NOT DONE) -> RUBBISH(TS - PM and PP DONE)
RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP DONE)
RUBBISH(TC - PM and PP NOT DONE) -> RUBBISH(TC - PM and PP DONE) -> RUBBISH(TS - PM and PP DONE)
IPV4 with TS option (ptr too large).
IPV4 with TS option (ptr too small).
IPV4 with QS option (len too small)
IPV4 with RR option (ptr not in 4 byte increment).
IPV4 with RR option (ptr too large).
IPV4 with RR option (len too large).
Test for valid ICMPv6 checksum when the FCS is still attached.
icmpv6 packet decoding and setting up of payload_len and payload buffer
icmpv6 message type: echo reply, invalid packet
icmpv6 message type: echo request, invalid packet
icmpv6 message type: destination unreach, invalid packet
icmpv6 message type: time exceed, invalid packet
icmpv6 message type: packet too big, invalid packet
icmpv6 message type: parameter problem, invalid packet
Test DATA command w/MIME message.
Send a banner and 2 records record in four chunks.
Send a banner and record in three chunks.
Send a version banner in three chunks.
Send a version banner in three chunks.
Send a invalid version string in one chunk (server version str)
Send a version string in one chunk (server version str)
Send a version string in one chunk (server version str).
Send a invalid version string in one chunk but multiple lines and comments. (client version str)
Send a version string in one chunk but multiple lines and comments. (client version str)
Send a version string in one chunk (client version str).
Send a banner and 2 records record in four chunks.
Test multiple DATA commands(full mail transactions).
Testing parsing pipelined commands.
Test multiple DATA commands(full mail transactions).
multi transactions and cleanup
Test the deallocation of app layer parser memory on occurrence of error in the parsing process for UDP.
Test the deallocation of app layer parser memory on occurrence of error in the parsing process.
Checks if stream_depth is correct
Send invalid Modbus Mask Write register request.
Send a version string in one chunk (client version str).
GE -> RUBBISH(TC - PM AND PP NOT DONE) -> RUBBISH(TC - PM AND PP DONE).
GET -> RUBBISH(PM AND PP DONE IN ONE GO)
Send a version string in one chunk (client version str).
simple google.com query matching, pcre
Fragmented banner handling: chunk has final part of bannel plus a record.
Fragmented banner handling: chunk has final part of bannel plus a record.
Really long banner handling: banner exactly 255, followed by malformed record
Really long banner handling: bannel exactly 255
Send toserver a banner and 2 records record in four chunks.
Send toserver a banner and record in three chunks.
Send a banner and 2 records record in four chunks.
Send a banner and 2 records record in four chunks.
DetectICodeParseTest05 is a test for setting a valid icode value with spaces all around
DetectIdTestParse04 is a test to make sure that we parse the "id" option correctly when given valid id option but wrapped with "'s <p> \anchor _test000557 DetectIdTestParse03 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL
DetectIdTestParse02 is a test to make sure that we parse the "id" option correctly when given an invalid id option it should return id_d = NULL
DetectIdTestParse01 is a test to make sure that we parse the "id" option correctly when given valid id option
DetectICodeMatchTest01 is a test for checking the working of icode keyword by creating 5 rules and matching a crafted packet against them. 4 out of 5 rules shall trigger.
DetectICodeParseTest09 is a test for setting an invalid icode value with "<<" operator
DetectICodeParseTest08 is a test for setting an invalid icode value
DetectICodeParseTest07 is a test for setting a valid icode value with "<>" operator and spaces all around
DetectICodeParseTest06 is a test for setting a valid icode value with ">" operator and spaces all around
IKEChosenSaParserTest is a test for valid values
DetectICodeParseTest04 is a test for setting a valid icode value with "<>" operator
DetectICodeParseTest03 is a test for setting a valid icode value with "<" operator
DetectICodeParseTest02 is a test for setting a valid icode value with ">" operator
DetectICodeParseTest01 is a test for setting a valid icode value
DetectIcmpSeqParseTest03 is a test for setting an invalid icmp_seq value
DetectIcmpSeqParseTest02 is a test for setting a valid icmp_seq value with spaces all around
DetectIcmpSeqParseTest01 is a test for setting a valid icmp_seq value
DetectIcmpIdMatchTest02 is a test for checking the working of icmp_id keyword by creating 1 rule and matching a crafted packet against them. The packet is an ICMP packet with no "id" field, therefore the rule should not trigger.
DetectIcmpIdMatchTest01 is a test for checking the working of icmp_id keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.
DetectIPProtoTestSetup03 is a test for a < operator
DetectIPProtoTestSetup05 is a test for a ! operator
DetectIPProtoTestSetup04 is a test for a > operator
DetectIcmpIdParseTest05 is a test for setting an invalid icmp_id value with missing quotation marks
DetectIPProtoTestSetup02 is a test for a protocol name
DetectIPProtoTestSetup01 is a test for a protocol number
DetectIPProtoTestParse02 is a test for an invalid proto name
DetectIPProtoTestParse01 is a test for an invalid proto number
IpOptsTestParse05 tests the NULL and empty string
IpOptsTestParse04 test the match function on a packet that needs to not match
IpOptsTestParse03 test the match function on a packet that needs to match
IpOptsTestParse02 is a test for an invalid ipopts value
IpOptsTestParse01 is a test for a valid ipopts value
DetectFlowintTestParseVal07 is a test to make sure that we set the DetectFlowint correctly for checking if greater or equal than a valid target value
DetectFlowintTestParseInvalidSyntaxis01 is a test to make sure that we dont set the DetectFlowint for a invalid input option
DetectFlowintTestParseVar09 is a test to make sure that handle the isset keyword correctly
DetectFlowintTestParseVar09 is a test to make sure that we set the DetectFlowint correctly for checking if lower than a valid target variable
DetectFlowintTestParseVal09 is a test to make sure that we set the DetectFlowint correctly for checking if lower than a valid target value
DetectFlowintTestParseVar08 is a test to make sure that we set the DetectFlowint correctly for checking if lower or equal than a valid target variable
DetectFlowintTestParseVal08 is a test to make sure that we set the DetectFlowint correctly for checking if lower or equal than a valid target value
DetectFlowintTestParseVar07 is a test to make sure that we set the DetectFlowint correctly for checking if greater or equal than a valid target variable
FragBitsTestParse01 is a test for a valid fragbits value
DetectFlowintTestParseVar06 is a test to make sure that we set the DetectFlowint correctly for checking if greater than a valid target variable
DetectFlowintTestParseVal06 is a test to make sure that we set the DetectFlowint correctly for checking if greater than a valid target value
DetectFlowintTestParseVar05 is a test to make sure that we set the DetectFlowint correctly for checking if not equal to a valid target variable
DetectFlowintTestParseVal05 is a test to make sure that we set the DetectFlowint correctly for checking if not equal to a valid target value
DetectFlowintTestParseVar04 is a test to make sure that we set the DetectFlowint correctly for checking if equal to a valid target variable
DetectFlowintTestParseVal04 is a test to make sure that we set the DetectFlowint correctly for checking if equal to a valid target value
DetectFlowintTestParseVar03 is a test to make sure that we set the DetectFlowint correctly for substract a valid target variable
DetectFlowintTestParseVal03 is a test to make sure that we set the DetectFlowint correctly for substract a valid target value
DetectFlowintTestParseVar02 is a test to make sure that we set the DetectFlowint correctly for adding a valid target variable
Test a gid consisting of a single quote.
DetectIcmpIdParseTest04 is a test for setting a valid icmp_id value with quotation marks and spaces all around
DetectIcmpIdParseTest03 is a test for setting a valid icmp_id value with quotation marks
DetectIcmpIdParseTest02 is a test for setting a valid icmp_id value with spaces all around
DetectIcmpIdParseTest01 is a test for setting a valid icmp_id value
Test that a signature containing a http_response_line is correctly parsed and the keyword is registered.
Test that a signature containing a http_request_line is correctly parsed and the keyword is registered.
HostBitsTestSig03 is a test check idx value
HostBitsTestSig01 is a test for a valid noalert flowbits option
DetectIsdataatTestParse01 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt
GidTestParse02 is a test for an invalid gid value
GidTestParse01 is a test for a valid gid value
DetectFragOffsetMatchTest01 is a test for checking the working of fragoffset keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.
DetectFragOffsetParseTest03 is a test for setting an invalid fragoffset value
DetectFragOffsetParseTest02 is a test for setting a valid fragoffset value with spaces all around
DetectFragOffsetParseTest01 is a test for setting a valid fragoffset value
FragBitsTestParse04 test if DONT FRAG is not set. Must fails.
FragBitsTestParse03 test if DONT FRAG is set. Must return success
FragBitsTestParse02 is a test for an invalid fragbits value
Parsing sig with trailing space(s) as reported by Morgan Cox on oisf-users.
Parsing bug debugging at 2010-03-18
SigParseTest03 test for invalid direction operator in rule
This is a test for a valid value 1490000000.
This is a test for a valid value < 1490000000.
This is a test for a valid value > 1430000000.
This is a test for a valid value 1430000000 <> 1490000000.
This is a test for a invalid value 1490000000<>1430000000.
This is a test for a invalid value " ".
This is a test for a invalid value "".
This is a test for a invalid value <>1430000000.
Direction operator validation (invalid)
Ensure that we set a bidirectional Signature correctly and we install it with the rest of the signatures, checking also that it match with the correct addr directions
Ensure that we set a bidirectional Signature correctly and we install it with the rest of the signatures, checking also that it match with the correct addr directions
Ensure that we set a bidirectional Signature correctly
Ensure that we don't set bidirectional in a normal (one direction) Signature
Direction operator validation (valid)
Direction operator validation (valid)
Direction operator validation (invalid)
Direction operator validation (invalid)
Direction operator validation (invalid)
Direction operator validation (invalid)
This is a test for a invalid value 1430000000<>.
Direction operator validation (invalid)
Direction operator validation (invalid)
rule ending in carriage return
rev value too large. Related to bug #779
gid value too large. Related to bug #779
DetectITypeParseTest04 is a test for setting a valid itype value with "<>" operator
DetectL3protoTestSig03 is a test for checking the working of l3proto keyword in conjunction with ip_proto keyword.
DetectL3protoTestSig02 is a test for checking the working of l3proto keyword by setting up the signature and later testing its working by matching the received IPv6 packet against the sig.
DetectL3protoTestSig01 is a test for checking the working of ttl keyword by setting up the signature and later testing its working by matching the received packet against the sig.
DetectITypeParseTest08 is a test for setting an invalid itype value
DetectITypeParseTest07 is a test for setting a valid itype value with "<>" operator and spaces all around
DetectITypeParseTest06 is a test for setting a valid itype value with ">" operator and spaces all around
DetectITypeParseTest05 is a test for setting a valid itype value with spaces all around
DetectITypeParseTest03 is a test for setting a valid itype value with "<" operator
DetectITypeParseTest02 is a test for setting a valid itype value with ">" operator
DetectITypeParseTest01 is a test for setting a valid itype value
DetectIsdataatTestPacket03 is a test to check matches of isdataat, and isdataat relative works if the previous keyword is byte_jump (bug 146)
DetectIsdataatTestPacket02 is a test to check matches of isdataat, and isdataat relative works if the previous keyword is pcre (bug 144)
DetectIsdataatTestPacket01 is a test to check matches of isdataat, and isdataat relative
Test isdataat option for dce sig.
DetectIsdataatTestParse03 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt
DetectIsdataatTestParse02 is a test to make sure that we return a correct IsdataatData structure when given valid isdataat opt
MarkTestParse01 is a test for a valid mark value
This is a test for a invalid value >1430000000<>1470000000.
This is a test for a invalid value A.
This is a test for a valid value 1430000000<>1470000000.
This is a test for a valid value <1430000000.
This is a test for a valid value >1430000000.
This is a test for a valid value 1430000000.
MarkTestParse04 is a test for a invalid mark value
MarkTestParse03 is a test for a valid mark value
MarkTestParse02 is a test for an invalid mark value
DetectFlowintTestParseVal02 is a test to make sure that we set the DetectFlowint correctly for adding a valid target value
Check if two port ranges are properly allocated in the DetectPort group
Check if two ports are properly allocated in the DetectPort group
Check if a DetectPort is properly allocated
Test pcre recursive matching - bug #529
normal & negated matching, both absolute and relative
Used to check the working of recursion_limit counter.
Check if a negated port range is properly allocated in the DetectPort
Test multiple relative matches with negative matches and show the need for det_ctx->discontinue_matching.
Test multiple relative matches.
Test multiple relative matches.
Test multiple relative matches.
Test multiple relative matches.
Test merging negated port groups
signature parsing with tcp-pkt and tcp-stream
DetectProtoTestSetup02 is a test for a icmpv4 and icmpv6 protocol setting up in signature.
DetectIPProtoTestSetup01 is a test for a protocol setting up in signature.
make sure that we properly parse tcp-stream
make sure that we properly parse tcp-pkt
ProtoTestParse05 is a test to make sure that we do not parse the protocol, when given an invalid proto option.
ProtoTestParse04 is a test to make sure that we do not parse the protocol, when given an invalid proto option.
ProtoTestParse03 is a test to make sure that we parse the protocol correctly, when given "ip" as proto option.
ProtoTestParse02 is a test to make sure that we parse the protocol correctly, when given "tcp" as proto option.
ProtoTestParse01 is a test to make sure that we parse the protocol correctly, when given valid proto option.
Not the first but the second occurrence of "abc" should be used for the 2nd match
Test first port of range being too big
Test second port of range being just right
Test second port of range being too big
Test we don't allow a port that is too big
Check if we autocomplete correctly an open range
Check if we dont allow invalid port range specification
Check if a negated port range is properly fragmented in the allowed real groups
Check if a negated port range is properly fragmented in the allowed real groups, ex !80:81 should allow 0:79 and 82:65535
this is a test for a valid dsize value !1
Test the working of byte_test endianness.
Test the working of byte_test endianness.
Test the working of byte_test endianness.
that address range sets proper start address
DetectDsizeIcmpv6Test01 is a test for checking the working of dsize keyword by creating 2 rules and matching a crafted packet against them. Only the first one shall trigger.
this is a test for negative ! dsize matching
this is a test for positive ! dsize matching
this is a test for invalid dsize values A, >10<>10, <>10, 1<>, "", " ", 2<>1, 1!
this is a test for a valid dsize value ! 1
Test the working of byte_jump endianness.
test for a valid dsize value 12
test for a valid dsize value < 12
this is test for a valid dsize value > 2
this is a test for a valid dsize value 1 <> 3
this is a test for a valid dsize value 1<>3
this is a test for a valid dsize value <100
this is a test for a valid dsize value >10
this is a test for a valid dsize value 1
multi tx google.(com|net) query matching + app layer event
check that we don't set a Signature as IPOnly because it has no rule option appending a SigMatch but a port is fixed
Test a set of ip only signatures making use a lot of addresses for src and dst (none should match) with ipv4 and ipv6 mixed
Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)
Test a set of ip only signatures making use a lot of addresses for src and dst (all should match)
Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)
Test a set of ip only signatures making use a lot of addresses for src and dst (none should match)
Test a set of ip only signatures making use a lot of addresses for src and dst (all should match)
check that we set don't set a Signature as IPOnly because it has rule options appending a SigMatch like content, and pcre
Check if a SigGroupHead hash table is properly allocated and deallocated when calling SigGroupHeadHashInit() and SigGroupHeadHashFree() respectively.
check that we set a Signature as IPOnly because it has no rule option appending a SigMatch and no port is fixed
EngineEventTestParse06 is a test for match function with valid decode-event value
EngineEventTestParse05 is a test for an invalid char into the decode-event value
EngineEventTestParse04 is a test for an invalid upper case decode-event value
EngineEventTestParse03 is a test for a valid upper case decode-event value
EngineEventTestParse02 is a test for a valid upper + lower case decode-event value
EngineEventTestParse01 is a test for a valid decode-event value
Test the working of byte_jump endianness.
Test the working of byte_jump endianness.
DetectFlowTestParseNocase10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
DetectFlowTestParse19 is a test for one to many options passed to DetectFlowParse
DetectFlowTestParseNocase18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
DetectFlowTestParse18 is a test for setting the from_server,stateless,only_stream flow opts (order of state,dir reversed)
DetectFlowTestParse16 is a test for an invalid combo of options to_client,from_server flowbit flags are the same
DetectFlowTestParse16 is a test for an invalid combo of options to_client,to_server
DetectFlowTestParse15 is a test for an invalid combo of options established,stateless
DetectFlowTestParse14 is a test for a empty option
DetectFlowTestParse13 is a test for an invalid option
DetectFlowTestParse12 is a test for setting an invalid separator :
DetectFlowTestParseNocase11 is a test for setting the from_server,stateless flow opts with spaces all around
DetectFlowTestParse20 is a test for setting from_server, established, no_stream
DetectFlowTestParseNocase09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
DetectFlowTestParseNocase08 is a test for setting the established,to_client flow opts
DetectFlowTestParseNocase07 is a test for setting the from_client flow opt
DetectFlowTestParseNocase06 is a test for setting the from_server flow opt
DetectFlowTestParseNocase05 is a test for setting the to_server flow opt
DetectFlowTestParseNocase04 is a test for setting the to_client flow opt
DetectFlowTestParseNocase03 is a test for setting the stateless flow opt
DetectFlowTestParseNocase02 is a test for setting the established flow opt
DetectFlowTestParseNocase01 is a test to make sure that we return "something" when given valid flow opt
FlowBitsTestSig01 is a test for a valid noalert flowbits option
DetectFlowintTestParseVar01 is a test to make sure that we set the DetectFlowint correctly for setting a valid target variable
DetectFlowintTestParseVal01 is a test to make sure that we set the DetectFlowint correctly for setting a valid target value
FlowBitsTestSig08 is a test toggle flowbits option
FlowBitsTestSig07 is a test unset flowbits option
FlowBitsTestSig06 is a test set flowbits option
FlowBitsTestSig05 is a test check noalert flag
FlowBitsTestSig04 is a test check idx value
FlowBitsTestSig03 is a test for a invalid flowbits option
FlowBitsTestSig02 is a test for a valid isset,set,isnotset,unset,toggle flowbits options
DetectFlowTestParse11 is a test for setting the from_server,stateless flow opts with spaces all around
Test that parsing of only_frag and no_frag together fails.
Test parsing of the "only_frag" flow argument.
Test parsing of the "no_frag" flow argument.
Test parsing of the not_established keyword.
DetectFlowTestParse22 is a test for setting the established,not_established flow opts both
DetectFlowTestParse21 is a test for an invalid opt between to valid opts
DetectFlowTestParse20 is a test for setting from_server, established, no_stream
multiple pipelined http transactions
session tagging: bytes, where a 2nd match makes us tag more
multiple files in a tx. Both files should match. No other matches.
multiple files in a tx. Both files should match
Order with a different Action priority (as specified from config)
Order with a different Action priority (as specified from config)
Order with a different Action priority (as specified from config)
Check if SigGroupHeadBuildMatchArray(), correctly updates the match array with the sids.
Check if SigGroupHeadCopySigs(), correctly copies the sig_array from the source to the destination SigGroupHead.
Check if a SigGroupHeadAppendSig(), correctly appends a sid to a SigGroupHead() and SigGroupHeadContainsSigId(), correctly indicates the presence of a sid and SigGroupHeadClearSigs(), correctly clears the SigGroupHead->sig_array and SigGroupHead->sig_cnt.
Check if a SigGroupHeadAppendSig() correctly appends a sid to a SigGroupHead() and SigGroupHeadContainsSigId() correctly indicates the presence of a sid.
DetectFlowTestParse01 is a test to make sure that we return "something" when given valid flow opt
DetectFlowTestParse10 is a test for setting the from_server,stateless flow opts (order of state,dir reversed)
DetectFlowTestParse09 is a test for setting the to_client,stateless flow opts (order of state,dir reversed)
DetectFlowTestParse08 is a test for setting the established,to_client flow opts
DetectFlowTestParse07 is a test for setting the from_client flow opt
DetectFlowTestParse06 is a test for setting the from_server flow opt
DetectFlowTestParse05 is a test for setting the to_server flow opt
DetectFlowTestParse04 is a test for setting the to_client flow opt
DetectFlowTestParse03 is a test for setting the stateless flow opt
DetectFlowTestParse02 is a test for setting the established flow opt
Why we still get http for connect... obviously because we also match on the reply, duh
DetectFilesizeSetpTest01 is a test for setting up an valid filesize values with valid "<>" operator and include spaces arround the given values. In the test the values are setup with initializing the detection engine context and setting up the signature itself.
Test the Filesize keyword setup
Test the Filesize keyword setup
Test the Filesize keyword setup
Test the Filesize keyword setup
Test the Filesize keyword setup
Test parser accepting valid rules and rejecting invalid rules
Checks to make sure that other sigs work that should when fast_pattern is inspecting on the same payload
1.8.18