From df3ed7fee7d38e4165ed3019b98b45760021035c Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Mon, 29 Apr 2024 15:00:04 -0400 Subject: [PATCH] tests/reference; Tests for reference inclusion Issue: 4974 Positive and negative tests for reference inclusion in alerts. Additionally, reference-04 tests that a scheme provided with a reference is used in place of the key. --- tests/reference-01/suricata.yaml | 13 +++++++++++++ tests/reference-01/test.rules | 2 ++ tests/reference-01/test.yaml | 21 +++++++++++++++++++++ tests/reference-02/suricata.yaml | 11 +++++++++++ tests/reference-02/test.rules | 2 ++ tests/reference-02/test.yaml | 21 +++++++++++++++++++++ tests/reference-03/suricata.yaml | 13 +++++++++++++ tests/reference-03/test.rules | 2 ++ tests/reference-03/test.yaml | 21 +++++++++++++++++++++ tests/reference-04/suricata.yaml | 13 +++++++++++++ tests/reference-04/test.rules | 2 ++ tests/reference-04/test.yaml | 21 +++++++++++++++++++++ 12 files changed, 142 insertions(+) create mode 100644 tests/reference-01/suricata.yaml create mode 100644 tests/reference-01/test.rules create mode 100644 tests/reference-01/test.yaml create mode 100644 tests/reference-02/suricata.yaml create mode 100644 tests/reference-02/test.rules create mode 100644 tests/reference-02/test.yaml create mode 100644 tests/reference-03/suricata.yaml create mode 100644 tests/reference-03/test.rules create mode 100644 tests/reference-03/test.yaml create mode 100644 tests/reference-04/suricata.yaml create mode 100644 tests/reference-04/test.rules create mode 100644 tests/reference-04/test.yaml diff --git a/tests/reference-01/suricata.yaml b/tests/reference-01/suricata.yaml new file mode 100644 index 000000000..d965bfe59 --- /dev/null +++ b/tests/reference-01/suricata.yaml @@ -0,0 +1,13 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + metadata: + rule: + reference: yes 
diff --git a/tests/reference-01/test.rules b/tests/reference-01/test.rules
new file mode 100644
index 000000000..65f476fc5
--- /dev/null
+++ b/tests/reference-01/test.rules
@@ -0,0 +1,2 @@ +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;) +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;) diff --git a/tests/reference-01/test.yaml b/tests/reference-01/test.yaml new file mode 100644 index 000000000..8745bcec9 --- /dev/null +++ b/tests/reference-01/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ../dcerpc/zerologon/input.pcap + +checks: + - filter: + count: 21 + match: + event_type: alert + alert.signature_id: 20166330 + alert.references: ["https://github.com/corelight/zerologon"] + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 20166331 + alert.references: ["https://github.com/corelight/zerologon"] diff --git a/tests/reference-02/suricata.yaml b/tests/reference-02/suricata.yaml new file mode 100644 index 000000000..5aaf02a02 --- /dev/null +++ b/tests/reference-02/suricata.yaml @@ -0,0 +1,11 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + reference: no diff --git a/tests/reference-02/test.rules b/tests/reference-02/test.rules new file mode 100644 index 000000000..65f476fc5 --- /dev/null +++ b/tests/reference-02/test.rules 
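Review bot: The expected `alert.references` value hard-codes `https://github.com/corelight/zerologon`, yet the `https://` prefix is not in the rule (`reference:url,github.com/corelight/zerologon`) and presumably comes from the `url` entry of whichever reference.config the harness loads; the test ships no reference.config and pins none in its suricata.yaml, so a harness or packaging change to that prefix (for example `http://`) would fail both filters for a reason unrelated to the feature under test. Consider adding a test-local reference.config and pointing at it from suricata.yaml (e.g. `reference-config-file: reference.config`), or at minimum a comment above `checks:` such as `# the scheme/prefix is supplied by reference.config's url entry, not by the rule`.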
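Review bot: The negative case writes the toggle as `- alert:` followed by `reference: no` directly under `alert`, whereas the positive tests (reference-01, -03, -04) nest it as `alert: metadata: rule: reference: yes`. If the setting is only read from `metadata.rule`, this file never exercises `reference: no` at all, and reference-02's `not-has-key: alert.references` would pass merely because nothing under `metadata` is enabled — the negative test would keep passing even if the `no` value were ignored. Suggest mirroring the positive layout, `metadata:` / `  rule:` / `    reference: no`, with a comment `# negative case: same metadata.rule nesting as reference-01, references explicitly disabled`.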
@@ -0,0 +1,2 @@ +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;) +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00|"; endswith; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;) diff --git a/tests/reference-02/test.yaml b/tests/reference-02/test.yaml new file mode 100644 index 000000000..8d90376f8 --- /dev/null +++ b/tests/reference-02/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 8 + +pcap: ../dcerpc/zerologon/input.pcap + +args: + - -k none + +checks: + - filter: + count: 21 + match: + event_type: alert + alert.signature_id: 20166330 + not-has-key: alert.references + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 20166331 + not-has-key: alert.references diff --git a/tests/reference-03/suricata.yaml b/tests/reference-03/suricata.yaml new file mode 100644 index 000000000..d965bfe59 --- /dev/null +++ b/tests/reference-03/suricata.yaml @@ -0,0 +1,13 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + metadata: + rule: + reference: yes diff --git a/tests/reference-03/test.rules b/tests/reference-03/test.rules new file mode 100644 index 000000000..addef56f9 --- /dev/null +++ b/tests/reference-03/test.rules 
@@ -0,0 +1,2 @@ +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:cve,2014-0160; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;) +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00|"; endswith;reference:cve,2014-0160; reference:url,github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;) diff --git a/tests/reference-03/test.yaml b/tests/reference-03/test.yaml new file mode 100644 index 000000000..0789700ed --- /dev/null +++ b/tests/reference-03/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ../dcerpc/zerologon/input.pcap + +checks: + - filter: + count: 21 + match: + event_type: alert + alert.signature_id: 20166330 + alert.references: ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0160","https://github.com/corelight/zerologon"] + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 20166331 + alert.references: ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0160","https://github.com/corelight/zerologon"] diff --git a/tests/reference-04/suricata.yaml b/tests/reference-04/suricata.yaml new file mode 100644 index 000000000..d965bfe59 --- /dev/null +++ b/tests/reference-04/suricata.yaml @@ -0,0 +1,13 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + metadata: + rule: + reference: yes diff --git a/tests/reference-04/test.rules b/tests/reference-04/test.rules new file mode 100644 index 000000000..f0a9b1c78 --- /dev/null +++ b/tests/reference-04/test.rules 
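Review bot: The second rule has `endswith;reference:cve,2014-0160;` with no space after `endswith;`, unlike the first rule and every other fixture in this patch; it still parses, but `endswith; reference:cve,2014-0160;` keeps the two rules aligned and makes future diffs cleaner. Separately, the CVE id chosen for the fixture is unrelated to Zerologon (which is CVE-2020-1472); since these rules are copied from the dcerpc/zerologon test, using the matching CVE (and updating the expected URL in test.yaml) would keep the fixture self-explanatory. This hunk starts on the previous line.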
@@ -0,0 +1,2 @@ +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dcerpc.opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,foobar://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;) +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dcerpc.opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00|"; endswith; reference:url,foobar://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;) diff --git a/tests/reference-04/test.yaml b/tests/reference-04/test.yaml new file mode 100644 index 000000000..60fbfc4fe --- /dev/null +++ b/tests/reference-04/test.yaml @@ -0,0 +1,21 @@ +requires: + min-version: 8 + +args: + - -k none + +pcap: ../dcerpc/zerologon/input.pcap + +checks: + - filter: + count: 21 + match: + event_type: alert + alert.signature_id: 20166330 + alert.references: ["foobar://github.com/corelight/zerologon"] + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 20166331 + alert.references: ["foobar://github.com/corelight/zerologon"]
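Review bot: This check pins that a scheme in the reference body (`foobar://...`) is emitted verbatim instead of receiving the reference.config prefix, but it only exercises the `url` key, while the commit description states the rule generally ("a scheme provided with a reference is used in place of the key"); a second `reference:` using a non-url key with a scheme, e.g. `reference:cve,https://example.invalid/x;`, with a matching entry in the expected list would pin that path as well. Because rulesets are often sourced from third parties, the behaviour being locked in also means any scheme present in rule text reaches EVE consumers unchanged; a comment above `checks:` such as `# a scheme in the rule overrides reference.config; consumers must treat alert.references as untrusted strings, not clickable links` would document that contract next to the assertion.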