From 3afe7553ad15ccec98b9b7f4778be6f583a89a1e Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 27 Nov 2023 17:28:47 +0100
Subject: [PATCH 1/2] Adds test about ssh new keys

Ticket: 6578
---
 tests/ssh-newkeys/README.md | 8 ++++++++
 tests/ssh-newkeys/input.pcap | Bin 0 -> 4730 bytes
 tests/ssh-newkeys/test.rules | 1 +
 tests/ssh-newkeys/test.yaml | 9 +++++++++
 4 files changed, 18 insertions(+)
 create mode 100644 tests/ssh-newkeys/README.md
 create mode 100644 tests/ssh-newkeys/input.pcap
 create mode 100644 tests/ssh-newkeys/test.rules
 create mode 100644 tests/ssh-newkeys/test.yaml

diff --git a/tests/ssh-newkeys/README.md b/tests/ssh-newkeys/README.md
new file mode 100644
index 000000000..39fb109c2
--- /dev/null
+++ b/tests/ssh-newkeys/README.md
@@ -0,0 +1,8 @@
+# Description
+
+Test rule on ssh for new keys packet.
+https://redmine.openinfosecfoundation.org/issues/6578
+
+# PCAP
+
+The pcap comes from https://forum.suricata.io/t/can-not-get-ssh-alert/4223/9
diff --git a/tests/ssh-newkeys/input.pcap b/tests/ssh-newkeys/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..275d7283c4d57f3fc0cbaf52682cbcb030b248ee GIT binary patch literal 4730 zcmds5c~nzZ9=jC0w)k4Ctb%Q1tg~*4&akYklSJMoL$C$_7ZuMNq|pHQ zs&c)#k+I&7J*8ltQ@Jr(4ALlrPwCA7P^kLVgr1%uK~O0OF(_{maSUq=cMK5#Z{SH= zY>UtkDwx+(+Fs1ff~b_V*@I6V9*iSGG>B@75YIzIS9nKcS{xl!d{T}Sh`KM(oJyfz z9P?DwK!CqO1Y}ygys8EfuQ)3WUi%QQzy-jtv>kw;pf{NuXBIOcRvZJ{VQ$VYrbdY1 z@vkSLwFr8tf@dUH9=HG!Y@LLbMTRRBQYOpU&6$ItY2OgQ6Ea4o#oDoI2(xBsur7zJ z=LebtLtzqJh7UyZRSS%xK8zzYO)P!Ks$qmBTTY4vBOtCoK-6KQIqNK6o;?0IDp)xh zBx=6)r4s;zw{UCxHZh0CW4kjIQUQnO%FycZ9&^rF9xq{tg(4}Q$c%|pB*dcm8eLqz zi)I&(!)AygBO)TjOsQBVix$K%CGqmDu}txMLa87|B39p;Y!cfQjq=zWQV2F**XXnx zkaJ+W=)5@|ona+f$cCZyL79(N2pG^X7!$FbxEPO-dTb(YXq8xmLk~gDz(~M94vQHp zmnE^eES|Ry7eZ&GgC8Z8hqU0s;sgz0g@{m4hn0V!I5o(v`m z&CH`PmUBkH$N%X%tUK>^q_Ul|mZDp?200=<#fzCqL|RKq#1 z>HU_{cWz#N$;Sb)&+UXP*d6hoDle&A{u#vzo}xWSthKaBvu|9~r_DpEu2w#D7AX|a ziD0NyQ#EN)sjz~K>6cn%kgA~x<1&NLxoSC66R>`zam zqPm3()Mwb#I8aS)iJ6Ol{CEAv8`6iLiD)uxTB=p>Y;BSjg8LlVVT@I0Xamn& zXvR~j9A4VSlvVe3jCOySd$^+dK_WL!8r#yR>NtPDcIRi#cjkPai{{)b4;Yd!(YIW) z4a^G>W&CnZk$v#~KN6RyG7f}T^@MrBIYHXc-p$Iu63L-~%E-P3i-C+I1<&j{OS|p! 
zd}0f^b#-2w3uoKhBL11g47tX?xL#(x*5U6t&(gcA>7TY)8rTo4Og4s)>chlnJi4d@ z<+Z1d3f96lGOfJwRUeY(HK4uNJsxjTZy_9@g_`n6SKgF(w;#7`daT{!VdaIPyoCrb zD*QnVZ$PYVu#HTMp;WbplwsHe!%+Yv4o$f$Mz5WH5&g!g+@aMO#B+YjLXT7Cf3xzm zy&KRRd2I0C>8Cv$>hC}OW!F$1?NZH|tZQ?w3@}QrJ}fZI6x~BC9`@?=h`^P&l*FS_ z?9rmB9w98XM_QFARZ?&zJ|@M2mH69g_(En-N*n#kjt*KErz=`7AC0`Stmsg4R=S;o zs{UX~K!k-XG|PSUgWkEB8yi_U$u_BXR8D0Thm1FF@44!)B+`&aZhcgc327nIitBr- zy`*u4UuEt}lzFRJ02F8JT6Nc_rF!FMalUPSWl6QZ-!Hu&%uK9(q-={i>7Q+J z%K{vUl$P&a^xnMp^2FJ5w}!XxjB{;DX+3{+iyddBQ`eU7d1*XPdBN4h&4^Wpfj-EG zjF4%?X17ug$EHamHcD7I{pfp4k`BOu?EWsRs8&~#SnneH1%eXJ6LVR_tIMid{wL8V zh6_yHKCskJztg$+u$4q;W*pwP!gF-^lLFevPeD|k6u<4UX3wVroDD|Wk8Ii#`cZ!h+k4P!@GK@GVP8k(8((e}!Y zj30k`dznLC&FH{xX?E!Qfvc!;`{q3BrXT#wxt#0`ivn8eulMJ+T|V$piJyL5t9zs9 zt^K?5-e~ClwrI0nS%`CuNs(3X-aCq#G#fM8r%@u`OBLU3wIdMA8GEGTLJXumcg@ literal 0 HcmV?d00001 diff --git a/tests/ssh-newkeys/test.rules b/tests/ssh-newkeys/test.rules new file mode 100644 index 000000000..3837fe45c --- /dev/null +++ b/tests/ssh-newkeys/test.rules @@ -0,0 +1 @@ +alert ssh any any -> any 22 (msg:"This is a test"; content:"|15 00 00 00 00 00 00 00 00 00 00|"; classtype:protocol-command-decode; sid:1300013; rev:1; metadata:created_at 2023_05_23, updated_at 2023_05_24;) diff --git a/tests/ssh-newkeys/test.yaml b/tests/ssh-newkeys/test.yaml new file mode 100644 index 000000000..7ab083c36 --- /dev/null +++ b/tests/ssh-newkeys/test.yaml @@ -0,0 +1,9 @@ +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1300013 From e5567918fc474b3bff167fc5ecbf8df03678d4ea Mon Sep 17 00:00:00 2001 From: Philippe Antoine Date: Mon, 27 Nov 2023 20:02:11 +0100 Subject: [PATCH 2/2] tls: do not check pcap_cnt as a tls event can come from a flush after setting no_inspection --- tests/community-id-ipv4/test.yaml | 1 - tests/community-id-ipv6/test.yaml | 2 -- 2 files changed, 3 deletions(-) 
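Review bot: The new rule in tests/ssh-newkeys/test.rules documents nothing about what its content pattern is meant to hit: `msg:"This is a test"` and the 2023_05 metadata dates say nothing about NEWKEYS, so a reader has to open the README to learn the intent, and the leading `|15|` byte (which appears to be the SSH_MSG_NEWKEYS message type) is left unexplained. I would give the rule a descriptive message, `msg:"SSH NEWKEYS test (ticket 6578)"`, and put a comment line above it such as `# Raw-payload content match on the NEWKEYS message type byte; see README.md and ticket 6578`. The rule also has no `flow` keyword, so direction is fixed only by `-> any 22`; if the ticket is specifically about matching raw payload at this point of the session, saying so in the comment keeps a later maintainer from "fixing" the rule by moving the content onto an app-layer buffer and silently changing what the test covers.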
diff --git a/tests/community-id-ipv4/test.yaml b/tests/community-id-ipv4/test.yaml index 436478fd6..647d58375 100644 --- a/tests/community-id-ipv4/test.yaml +++ b/tests/community-id-ipv4/test.yaml @@ -9,7 +9,6 @@ checks: dest_ip: 172.217.14.206 dest_port: 443 event_type: tls - pcap_cnt: 7 proto: TCP src_ip: 172.26.0.39 src_port: 35958 diff --git a/tests/community-id-ipv6/test.yaml b/tests/community-id-ipv6/test.yaml index daf362242..96a056c62 100644 --- a/tests/community-id-ipv6/test.yaml +++ b/tests/community-id-ipv6/test.yaml @@ -9,7 +9,6 @@ checks: dest_ip: 2607:f8b0:400a:0800:0000:0000:0000:200e dest_port: 443 event_type: tls - pcap_cnt: 41 proto: TCP src_ip: 2600:1f13:00f8:d400:03a6:303c:e011:18eb src_port: 60202 @@ -22,7 +21,6 @@ checks: dest_ip: 2001:4860:4860:0000:0000:0000:0000:8888 dest_port: 443 event_type: tls - pcap_cnt: 7 proto: TCP src_ip: 2600:1f13:00f8:d400:03a6:303c:e011:18eb src_port: 33892