3.10 add ini tests #474

Closed
wants to merge 2 commits into from
Closed
51 changes: 48 additions & 3 deletions tools/rules-testing/tests/cisco_ios.ini
Expand Up @@ -3,7 +3,6 @@ log 1 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:
log 2 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
log 3 pass = Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80]


rule = 20100
alert = 8
decoder = cisco-ios
Expand All @@ -12,10 +11,56 @@ decoder = cisco-ios
[cisco ios: acl ]
log 1 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
log 2 pass = Sep 1 10:25:29 10.10.10.1 %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet


rule = 4100
alert = 0
decoder = cisco-ios


[Cisco IOS error message - UPDOWN]
log 1 pass = 00:00:46: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
rule = 4713
alert = 4
decoder = cisco-ios


[Cisco IOS: Router configuration changed I]
log 1 pass = 000019: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 2 pass = *Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 3 pass = Mar 1 18:46:11: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 4 pass = Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 5 pass = *Mar 1 18:48:50 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 6 pass = Mar 1 18:48:50 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 7 pass = *Mar 1 18:48:50.483 UTC: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 8 pass = *Mar 1 18:46:11.444: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
log 9 pass = Mar 1 18:46:11.444: %SYS-5-CONFIG_I: Configured from console by vty2 (10.34.195.36)
rule = 4721
alert = 3
decoder = cisco-ios


[Cisco IOS: Router configuration changed II]
log 1 pass = 1348: HOSTNAME: .Jun 12 18:22:22: %SYS-5-CONFIG_I:
log 2 pass = 1348: HOSTNAME: Jun 12 18:22:22: %SYS-5-CONFIG_I:
log 3 pass = 1348: HOSTNAME: .Jun 12 18:22:22.555: %SYS-5-CONFIG_I:
log 4 pass = 1348: HOSTNAME: Jun 12 18:22:22.555: %SYS-5-CONFIG_I:
log 5 pass = 1348: HOSTNAME: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
log 6 pass = 1348: HOSTNAME: Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
log 7 pass = 1348: HOSTNAME: .Jun 12 18:22:22.555 UTC: %SYS-5-CONFIG_I:
log 8 pass = 1348: HOSTNAME: Jun 12 18:22:22.555 UTC: %SYS-5-CONFIG_I:
rule = 4721
alert = 3
decoder = cisco-ios


[Cisco IOS: Router configuration changed III]
log 1 pass = 1348: .Jun 12 18:22:22: %SYS-5-CONFIG_I:
log 2 pass = 1348: Jun 12 18:22:22: %SYS-5-CONFIG_I:
log 3 pass = 1348: .Jun 12 18:22:22.555: %SYS-5-CONFIG_I:
log 4 pass = 1348: Jun 12 18:22:22.555: %SYS-5-CONFIG_I:
log 5 pass = 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
log 6 pass = 1348: Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
log 7 pass = 1348: .Jun 12 18:22:22.555 UTC: %SYS-5-CONFIG_I:
log 8 pass = 1348: Jun 12 18:22:22.555 UTC: %SYS-5-CONFIG_I:
rule = 4721
alert = 3
decoder = cisco-ios
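Review bot: The three `[Cisco IOS: Router configuration changed …]` groups (rule 4721) enumerate sequence-number and timestamp prefix variants (`000019:`, `1348: HOSTNAME:`, a leading `*` or `.`, `.483` milliseconds, a `UTC` suffix) without saying what each group is meant to exercise, so a future failure on `log 7` of group II gives no hint which prefix shape broke. A one-line `;` comment above each group would record the intent, e.g. `; %SYS-5-CONFIG_I with sequence number and timestamp variants (*/. marker, msec, UTC)` above group I and `; same variants behind a "1348: HOSTNAME:" syslog prefix` above group II, with group III noted as the hostname-less form. All new groups assert only `pass` lines; if the harness has a negative keyword alongside `pass` (not visible on this page), one non-matching `%SYS-5-CONFIG_I` variant per group would guard against the decoder matching more broadly than intended.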
17 changes: 6 additions & 11 deletions tools/rules-testing/tests/nginx.ini
@@ -1,79 +1,74 @@
; YYYY/MM/DD HH:MM:SS [LEVEL] PID:TID yadda yadda
[Nginx messages grouped.]
log 1 pass = 2014/12/30 06:07:37 [yadda] 80:2 yadda yadda

rule = 31300
alert = 0
decoder = nginx-errorlog

[Nginx error message.]
log 1 pass = 2014/12/30 06:07:37 [error] 80:2 yadda yadda

rule = 31301
alert = 3
decoder = nginx-errorlog

[Nginx warning message.]
log 1 pass = 2014/12/30 06:07:37 [warn] 80:2 yadda yadda

rule = 31302
alert = 3
decoder = nginx-errorlog

[Nginx critical message.]
log 1 pass = 2014/12/30 06:07:37 [crit] 80:2

rule = 31303
alert = 5
decoder = nginx-errorlog

[Server returned 404 (reported in the access.log).]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah failed (2: No such file or directory)
log 2 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah is not found (2: No such file or directory)

rule = 31310
alert = 0
decoder = nginx-errorlog

[Incomplete client request.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 blah blah accept() failed (53: Software caused connection abort)

rule = 31311
alert = 0
decoder = nginx-errorlog

[Initial 401 authentication request.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 no user/password was provided for basic authentication

rule = 31312
alert = 0
decoder = nginx-errorlog

[Web authentication failed.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda password mismatch, client yadda
log 2 pass = 2015/01/08 11:31:23 [error] 80:2 yadda was not found in yadda

rule = 31315
alert = 5
decoder = nginx-errorlog

# Can't yet test frequency <rule id="31316" level="10" frequency="6" timeframe="240">
;[Multiple web authentication failures.]
;
;rule = 31316
;alert = 10
;decoder = nginx-errorlog

[Common cache error when files were removed.]
log 1 pass = 2015/01/08 11:31:23 [crit] 80:2 yadda yadda failed (2: No such file or directory

rule = 31317
alert = 0
decoder = nginx-errorlog

[Invalid URI, file name too long.]
log 1 pass = 2015/01/08 11:31:23 [error] 80:2 yadda yadda failed (36: File name too long)

rule = 31320
alert = 10
decoder = nginx-errorlog

[NAXSI warning]
log 1 pass = 2013/11/10 07:36:19 [error] 8278#0: *5932 NAXSI_FMT: ip=X.X.X.X&server=Y.Y.Y.Y&uri=/phpMyAdmin-2.8.2/scripts/setup.php&learning=0&vers=0.52&total_processed=472&total_blocked=204&block=0&cscore0=$UWA&score0=8&zone0=HEADERS&id0=42000227&var_name0=user-agent, client: X.X.X.X, server: blog.memze.ro, request: "GET /phpMyAdmin-2.8.2/scripts/setup.php HTTP/1.1", host: "X.X.X.X"
rule = 31334
alert = 3
decoder = nginx-errorlog
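Review bot: The disabled frequency group opens with a `#` comment (`# Can't yet test frequency …`) while the five lines under it are commented with `;`; whether `#` is skipped depends on the harness's INI reader, which is not visible here, so writing it as `; Can't yet test frequency <rule id="31316" level="10" frequency="6" timeframe="240">` keeps the file to one comment prefix and avoids a stray key if `#` is not honoured. The `[Common cache error when files were removed.]` fixture is also missing the closing parenthesis after `No such file or directory`, which hides whether rule 31317 requires it; if that line is on the new side it should read `log 1 pass = 2015/01/08 11:31:23 [crit] 80:2 yadda yadda failed (2: No such file or directory)`. Because the file is a single hunk with the gutter stripped, which of these lines are new cannot be recovered from this page.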
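--- /dev/null
+++ b/tools/rules-testing/tests/perdition.ini
@@ -0,0 +1,21 @@
+[Perdition custom app group]
+log 1 pass = Jun 10 08:40:26 agent perdition.pop3s[21154]: Fatal error establishing SSL context for listening
+log 2 pass = Jun 10 08:40:26 agent perdition.pop3[21150]: Starting perdition version=2.2 protocol=POP3
+rule = 100100
+alert = 0
+decoder = perdition
+
+[perdition; New connection]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+rule = 100101
+alert = 3
+decoder = perdition
+
+[perdition: Multiple connection attempts from same source.]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+log 1 pass = Jun 10 08:40:26 agent perdition.imaps[21162]: Connect: 10.10.10.10 [inetd_pid=1234]
+rule = 100102
+alert = 10
+decoder = perdition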
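Review bot: `[perdition: Multiple connection attempts from same source.]` repeats the key `log 1 pass` four times; most INI readers either reject duplicate keys or keep only one of them, so rule 100102 (alert 10, a repeated-connection rule judging by its heading) would be fed a single event. Number the lines `log 2 pass = …`, `log 3 pass = …`, `log 4 pass = …` so the harness sees four events. The `nginx.ini` change in this same PR records `Can't yet test frequency` for its own level-10 repeat rule; if that limitation applies to the harness generally, this group should be disabled the same way rather than asserting level 10 against a single line. Minor: `[perdition; New connection]` uses `;` where the sibling headers use `:`.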