From 14fd3242cfcbf150c645b719ce9bf2fd82c999b1 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 11 May 2023 11:21:11 +0200
Subject: [PATCH 1/4] ftp: improves check for alert app-layer data
---
 tests/ftp/ftp-too-long-command/test.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/ftp/ftp-too-long-command/test.yaml b/tests/ftp/ftp-too-long-command/test.yaml
index 3336d8883..f1df7213d 100644
--- a/tests/ftp/ftp-too-long-command/test.yaml
+++ b/tests/ftp/ftp-too-long-command/test.yaml
@@ -34,3 +34,4 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 2232000
+ ftp.command: "RETR"
From 3e962c5a457e0da3c13a7da109d2d92f10c27601 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 11 May 2023 11:21:32 +0200
Subject: [PATCH 2/4] tftp: improves check for alert app-layer data
---
 tests/output-eve-tftp-01/test.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/tests/output-eve-tftp-01/test.yaml b/tests/output-eve-tftp-01/test.yaml
index b83cefc3e..802379136 100644
--- a/tests/output-eve-tftp-01/test.yaml
+++ b/tests/output-eve-tftp-01/test.yaml
@@ -15,3 +15,9 @@ checks:
 count: 1
 match:
 event_type: alert
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: alert
+ tftp.packet: "read"
From b8db46785ca015e4f583c9b87237e8423c158023 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 12 May 2023 12:28:05 +0200
Subject: [PATCH 3/4] krb5: improves check for alert app-layer data
---
 tests/krb5-kerberoasting/test.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/krb5-kerberoasting/test.yaml b/tests/krb5-kerberoasting/test.yaml
index bd5ba8a3f..783640d4e 100644
--- a/tests/krb5-kerberoasting/test.yaml
+++ b/tests/krb5-kerberoasting/test.yaml
@@ -21,6 +21,7 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
+ krb5.msg_type: KRB_TGS_REP
 - filter:
 count: 1
 match:
From f589e8105d9b5b96f3190fbfcc39325da14f813a Mon Sep 17 00:00:00 2001
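Review bot: The new `ftp.command: "RETR"` match is added to the existing alert filter without a version gate, whereas the tftp patch in this same series places its equivalent app-layer check in a separate filter with `min-version: 7`; if ftp fields in alert records are only emitted from 7.x, this filter will fail on older versions. The krb5 hunk (`krb5.msg_type: KRB_TGS_REP`) has the same shape and the same concern. Unless the ftp and krb5 tests already set a minimum version outside these hunks, the added line should move into its own `min-version: 7` filter as the tftp test does, so all three patches gate the app-layer checks consistently. The enclosing `checks:` list starts and continues outside the hunk.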
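Review bot: The new gated filter gives no reason for repeating the preceding `event_type: alert` check with `tftp.packet: "read"` behind `min-version: 7`, so a reader cannot tell whether the gate marks the version in which alert records began carrying tftp app-layer fields or something else. A one-line comment above the added `- filter:` such as `# alert records carry tftp app-layer fields only from Suricata 7` (adjusted if that is not the reason) would keep the two filters from reading as an accidental duplicate. The `checks:` list begins outside the hunk.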
From: Philippe Antoine
Date: Thu, 18 May 2023 14:57:35 +0200
Subject: [PATCH 4/4] ssh: do not test direction as we log packet direction instead of flow direction
---
 tests/bug-4903/bug-4903-01/test.yaml | 4 ----
 tests/bug-4903/bug-4903-02/test.yaml | 4 ----
 tests/bug-4903/bug-4903-04/test.yaml | 4 ----
 3 files changed, 12 deletions(-)
diff --git a/tests/bug-4903/bug-4903-01/test.yaml b/tests/bug-4903/bug-4903-01/test.yaml
index 61ef84932..0c0b4e3f2 100644
--- a/tests/bug-4903/bug-4903-01/test.yaml
+++ b/tests/bug-4903/bug-4903-01/test.yaml
@@ -54,12 +54,8 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10000
 ssh.server.proto_version: '1.99'
 ssh.server.software_version: Cisco_server-1.24
 - filter:
diff --git a/tests/bug-4903/bug-4903-02/test.yaml b/tests/bug-4903/bug-4903-02/test.yaml
index 562558f25..56e891d7f 100644
--- a/tests/bug-4903/bug-4903-02/test.yaml
+++ b/tests/bug-4903/bug-4903-02/test.yaml
@@ -54,12 +54,8 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10001
 ssh.server.proto_version: '1.99'
 ssh.server.software_version: Cisco_server-1.24
 - filter:
diff --git a/tests/bug-4903/bug-4903-04/test.yaml b/tests/bug-4903/bug-4903-04/test.yaml
index 4ef142345..6d3b4cc35 100644
--- a/tests/bug-4903/bug-4903-04/test.yaml
+++ b/tests/bug-4903/bug-4903-04/test.yaml
@@ -60,13 +60,9 @@ checks:
 - filter:
 count: 1
 match:
- dest_ip: 192.168.200.1
- dest_port: 22
 event_type: ssh
 pcap_cnt: 6
 proto: TCP
- src_ip: 192.168.100.1
- src_port: 10003
 ssh.client.proto_version: '2.0'
 ssh.client.software_version: Cisco_client-1.25
 ssh.server.proto_version: '1.99'