From 012e85293fd17782f00854e72d7828c9da9f6e6a Mon Sep 17 00:00:00 2001 From: Sebitosh Date: Sun, 1 Jun 2025 21:55:21 +0200 Subject: [PATCH] Test target REQUEST_FILENAME Signed-off-by: Sebitosh --- .../CONF_061_TARGET_REQUEST_FILENAME.yaml | 46 ++++++++++ .../rules/MRTS_061_REQUEST_FILENAME.conf | 36 ++++++++ generated/rules/MRTS_110_XML.conf | 6 +- .../100148_MRTS_061_REQUEST_FILENAME.yaml | 91 +++++++++++++++++++ .../100149_MRTS_061_REQUEST_FILENAME.yaml | 91 +++++++++++++++++++ .../100150_MRTS_061_REQUEST_FILENAME.yaml | 91 +++++++++++++++++++ .../100151_MRTS_061_REQUEST_FILENAME.yaml | 91 +++++++++++++++++++ ..._110_XML.yaml => 100152_MRTS_110_XML.yaml} | 8 +- ..._110_XML.yaml => 100153_MRTS_110_XML.yaml} | 8 +- ..._110_XML.yaml => 100154_MRTS_110_XML.yaml} | 8 +- mrts/generate-rules.py | 4 +- 11 files changed, 464 insertions(+), 16 deletions(-) create mode 100644 config_tests/CONF_061_TARGET_REQUEST_FILENAME.yaml create mode 100644 generated/rules/MRTS_061_REQUEST_FILENAME.conf create mode 100644 generated/tests/regression/tests/100148_MRTS_061_REQUEST_FILENAME.yaml create mode 100644 generated/tests/regression/tests/100149_MRTS_061_REQUEST_FILENAME.yaml create mode 100644 generated/tests/regression/tests/100150_MRTS_061_REQUEST_FILENAME.yaml create mode 100644 generated/tests/regression/tests/100151_MRTS_061_REQUEST_FILENAME.yaml rename generated/tests/regression/tests/{100148_MRTS_110_XML.yaml => 100152_MRTS_110_XML.yaml} (86%) rename generated/tests/regression/tests/{100149_MRTS_110_XML.yaml => 100153_MRTS_110_XML.yaml} (86%) rename generated/tests/regression/tests/{100150_MRTS_110_XML.yaml => 100154_MRTS_110_XML.yaml} (86%) diff --git a/config_tests/CONF_061_TARGET_REQUEST_FILENAME.yaml b/config_tests/CONF_061_TARGET_REQUEST_FILENAME.yaml new file mode 100644 index 0000000..65a39bc --- /dev/null +++ b/config_tests/CONF_061_TARGET_REQUEST_FILENAME.yaml 
@@ -0,0 +1,46 @@ +target: REQUEST_FILENAME +rulefile: MRTS_061_REQUEST_FILENAME.conf +testfile: MRTS_061_REQUEST_FILENAME.yaml +templates: + - SecRule for TARGETS +colkey: + - - '' +operator: + - '@contains' +oparg: + - attack +phase: + - 1 + - 2 + - 3 + - 4 +testdata: + phase_methods: + 1: get + 2: post + 3: post + 4: post + targets: + - target: '' + test: + data: null + input: + uri: '/in/uri/attack?arg=value' + - target: '' + test: + data: null + input: + uri: '/attack/in/uri?arg=value' + - target: '' + test: + data: null + input: + uri: '/in/uri/is%3Fattack?arg=value' + - target: '' + test: + data: null + input: + uri: '/in/uri/is?attack' + output: + log: + no_expect_ids: [] diff --git a/generated/rules/MRTS_061_REQUEST_FILENAME.conf b/generated/rules/MRTS_061_REQUEST_FILENAME.conf new file mode 100644 index 0000000..a6d938c --- /dev/null +++ b/generated/rules/MRTS_061_REQUEST_FILENAME.conf @@ -0,0 +1,36 @@ +SecRule REQUEST_FILENAME "@contains attack" \ + "id:100148,\ + phase:1,\ + deny,\ + t:none,\ + log,\ + msg:'%{MATCHED_VAR_NAME} was caught in phase:1',\ + ver:'MRTS/0.1'" + +SecRule REQUEST_FILENAME "@contains attack" \ + "id:100149,\ + phase:2,\ + deny,\ + t:none,\ + log,\ + msg:'%{MATCHED_VAR_NAME} was caught in phase:2',\ + ver:'MRTS/0.1'" + +SecRule REQUEST_FILENAME "@contains attack" \ + "id:100150,\ + phase:3,\ + deny,\ + t:none,\ + log,\ + msg:'%{MATCHED_VAR_NAME} was caught in phase:3',\ + ver:'MRTS/0.1'" + +SecRule REQUEST_FILENAME "@contains attack" \ + "id:100151,\ + phase:4,\ + deny,\ + t:none,\ + log,\ + msg:'%{MATCHED_VAR_NAME} was caught in phase:4',\ + ver:'MRTS/0.1'" + diff --git a/generated/rules/MRTS_110_XML.conf b/generated/rules/MRTS_110_XML.conf index f511a8b..e06683d 100644 --- a/generated/rules/MRTS_110_XML.conf +++ b/generated/rules/MRTS_110_XML.conf @@ -1,5 +1,5 @@ SecRule XML:/* "@beginsWith foo" \ - "id:100148,\ + "id:100152,\ phase:2,\ deny,\ t:none,\ 
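Review bot: The third target, uri `/in/uri/is%3Fattack?arg=value`, is expected to match while the fourth, `/in/uri/is?attack`, is not, so this file is pinning that only a literal `?` ends REQUEST_FILENAME and a percent-encoded one stays part of it; nothing in the file says so, and the two cases read as near-duplicates. A one-line comment on each would keep the intent next to the data, e.g. `# encoded '?' (%3F) stays in the filename: rule must fire` and `# 'attack' only in the query string: rule must not fire`. Whether an engine percent-decodes before it splits off the query string is engine-specific, so if a build fails case 3 the comment tells the reader which side this test takes. The trailing `no_expect_ids: []` is a placeholder the generator fills with the current rule id (the generated 100148 test shows `no_expect_ids: - 100148`); since the generator fills `expect_ids` the same way, the two keys should be documented as mutually exclusive within one `log` block.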
@@ -8,7 +8,7 @@ SecRule XML:/* "@beginsWith foo" \ ver:'MRTS/0.1'" SecRule XML:/* "@beginsWith foo" \ - "id:100149,\ + "id:100153,\ phase:3,\ deny,\ t:none,\ @@ -17,7 +17,7 @@ SecRule XML:/* "@beginsWith foo" \ ver:'MRTS/0.1'" SecRule XML:/* "@beginsWith foo" \ - "id:100150,\ + "id:100154,\ phase:4,\ deny,\ t:none,\ diff --git a/generated/tests/regression/tests/100148_MRTS_061_REQUEST_FILENAME.yaml b/generated/tests/regression/tests/100148_MRTS_061_REQUEST_FILENAME.yaml new file mode 100644 index 0000000..7008f38 --- /dev/null +++ b/generated/tests/regression/tests/100148_MRTS_061_REQUEST_FILENAME.yaml 
@@ -0,0 +1,91 @@ +--- +meta: + author: MRTS generate-rules.py + enabled: true + name: MRTS_061_REQUEST_FILENAME.yaml + description: Desc +tests: +- test_title: 100148-1 + ruleid: 100148 + test_id: 1 + desc: 'Test case for rule 100148, #1' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: GET + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/attack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100148 +- test_title: 100148-2 + ruleid: 100148 + test_id: 2 + desc: 'Test case for rule 100148, #2' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: GET + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /attack/in/uri?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100148 +- test_title: 100148-3 + ruleid: 100148 + test_id: 3 + desc: 'Test case for rule 100148, #3' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: GET + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is%3Fattack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100148 +- test_title: 100148-4 + ruleid: 100148 + test_id: 4 + desc: 'Test case for rule 100148, #4' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: GET + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is?attack + version: 
HTTP/1.1 + output: + log: + no_expect_ids: + - 100148 diff --git a/generated/tests/regression/tests/100149_MRTS_061_REQUEST_FILENAME.yaml b/generated/tests/regression/tests/100149_MRTS_061_REQUEST_FILENAME.yaml new file mode 100644 index 0000000..d7631c6 --- /dev/null +++ b/generated/tests/regression/tests/100149_MRTS_061_REQUEST_FILENAME.yaml 
@@ -0,0 +1,91 @@ +--- +meta: + author: MRTS generate-rules.py + enabled: true + name: MRTS_061_REQUEST_FILENAME.yaml + description: Desc +tests: +- test_title: 100149-1 + ruleid: 100149 + test_id: 1 + desc: 'Test case for rule 100149, #1' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/attack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100149 +- test_title: 100149-2 + ruleid: 100149 + test_id: 2 + desc: 'Test case for rule 100149, #2' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /attack/in/uri?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100149 +- test_title: 100149-3 + ruleid: 100149 + test_id: 3 + desc: 'Test case for rule 100149, #3' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is%3Fattack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100149 +- test_title: 100149-4 + ruleid: 100149 + test_id: 4 + desc: 'Test case for rule 100149, #4' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is?attack + 
version: HTTP/1.1 + output: + log: + no_expect_ids: + - 100149 diff --git a/generated/tests/regression/tests/100150_MRTS_061_REQUEST_FILENAME.yaml b/generated/tests/regression/tests/100150_MRTS_061_REQUEST_FILENAME.yaml new file mode 100644 index 0000000..95c5835 --- /dev/null +++ b/generated/tests/regression/tests/100150_MRTS_061_REQUEST_FILENAME.yaml 
@@ -0,0 +1,91 @@ +--- +meta: + author: MRTS generate-rules.py + enabled: true + name: MRTS_061_REQUEST_FILENAME.yaml + description: Desc +tests: +- test_title: 100150-1 + ruleid: 100150 + test_id: 1 + desc: 'Test case for rule 100150, #1' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/attack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100150 +- test_title: 100150-2 + ruleid: 100150 + test_id: 2 + desc: 'Test case for rule 100150, #2' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /attack/in/uri?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100150 +- test_title: 100150-3 + ruleid: 100150 + test_id: 3 + desc: 'Test case for rule 100150, #3' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is%3Fattack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100150 +- test_title: 100150-4 + ruleid: 100150 + test_id: 4 + desc: 'Test case for rule 100150, #4' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is?attack + 
version: HTTP/1.1 + output: + log: + no_expect_ids: + - 100150 diff --git a/generated/tests/regression/tests/100151_MRTS_061_REQUEST_FILENAME.yaml b/generated/tests/regression/tests/100151_MRTS_061_REQUEST_FILENAME.yaml new file mode 100644 index 0000000..cd4e84c --- /dev/null +++ b/generated/tests/regression/tests/100151_MRTS_061_REQUEST_FILENAME.yaml 
@@ -0,0 +1,91 @@ +--- +meta: + author: MRTS generate-rules.py + enabled: true + name: MRTS_061_REQUEST_FILENAME.yaml + description: Desc +tests: +- test_title: 100151-1 + ruleid: 100151 + test_id: 1 + desc: 'Test case for rule 100151, #1' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/attack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100151 +- test_title: 100151-2 + ruleid: 100151 + test_id: 2 + desc: 'Test case for rule 100151, #2' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /attack/in/uri?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100151 +- test_title: 100151-3 + ruleid: 100151 + test_id: 3 + desc: 'Test case for rule 100151, #3' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is%3Fattack?arg=value + version: HTTP/1.1 + output: + log: + expect_ids: + - 100151 +- test_title: 100151-4 + ruleid: 100151 + test_id: 4 + desc: 'Test case for rule 100151, #4' + stages: + - description: Send request + input: + dest_addr: 127.0.0.1 + port: 80 + protocol: http + method: POST + headers: + User-Agent: OWASP MRTS test agent + Host: localhost + Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 + uri: /in/uri/is?attack + 
version: HTTP/1.1 + output: + log: + no_expect_ids: + - 100151 diff --git a/generated/tests/regression/tests/100148_MRTS_110_XML.yaml b/generated/tests/regression/tests/100152_MRTS_110_XML.yaml similarity index 86% rename from generated/tests/regression/tests/100148_MRTS_110_XML.yaml rename to generated/tests/regression/tests/100152_MRTS_110_XML.yaml index cf33a8a..65234bc 100644 --- a/generated/tests/regression/tests/100148_MRTS_110_XML.yaml +++ b/generated/tests/regression/tests/100152_MRTS_110_XML.yaml @@ -5,10 +5,10 @@ meta: name: MRTS_110_XML.yaml description: Desc tests: -- test_title: 100148-1 - ruleid: 100148 +- test_title: 100152-1 + ruleid: 100152 test_id: 1 - desc: 'Test case for rule 100148, #1' + desc: 'Test case for rule 100152, #1' stages: - description: Send request input: @@ -27,4 +27,4 @@ tests: output: log: expect_ids: - - 100148 + - 100152 diff --git a/generated/tests/regression/tests/100149_MRTS_110_XML.yaml b/generated/tests/regression/tests/100153_MRTS_110_XML.yaml similarity index 86% rename from generated/tests/regression/tests/100149_MRTS_110_XML.yaml rename to generated/tests/regression/tests/100153_MRTS_110_XML.yaml index f9a9bd9..f2255be 100644 --- a/generated/tests/regression/tests/100149_MRTS_110_XML.yaml +++ b/generated/tests/regression/tests/100153_MRTS_110_XML.yaml @@ -5,10 +5,10 @@ meta: name: MRTS_110_XML.yaml description: Desc tests: -- test_title: 100149-1 - ruleid: 100149 +- test_title: 100153-1 + ruleid: 100153 test_id: 1 - desc: 'Test case for rule 100149, #1' + desc: 'Test case for rule 100153, #1' stages: - description: Send request input: @@ -27,4 +27,4 @@ tests: output: log: expect_ids: - - 100149 + - 100153 
diff --git a/generated/tests/regression/tests/100150_MRTS_110_XML.yaml b/generated/tests/regression/tests/100154_MRTS_110_XML.yaml similarity index 86% rename from generated/tests/regression/tests/100150_MRTS_110_XML.yaml rename to generated/tests/regression/tests/100154_MRTS_110_XML.yaml index fb4bd20..a390d0c 100644 --- a/generated/tests/regression/tests/100150_MRTS_110_XML.yaml +++ b/generated/tests/regression/tests/100154_MRTS_110_XML.yaml @@ -5,10 +5,10 @@ meta: name: MRTS_110_XML.yaml description: Desc tests: -- test_title: 100150-1 - ruleid: 100150 +- test_title: 100154-1 + ruleid: 100154 test_id: 1 - desc: 'Test case for rule 100150, #1' + desc: 'Test case for rule 100154, #1' stages: - description: Send request input: @@ -27,4 +27,4 @@ tests: output: log: expect_ids: - - 100150 + - 100154 diff --git a/mrts/generate-rules.py b/mrts/generate-rules.py index e3e367e..b772578 100755 --- a/mrts/generate-rules.py +++ b/mrts/generate-rules.py @@ -357,7 +357,9 @@ def genrulefromtemplate(self, tpl, current_confdata): # if expect_ids is in rewrite, append the current rule id if 'log' in item['stages'][0]['output']: if 'expect_ids' in item['stages'][0]['output']['log']: - item['stages'][0]['output']['log']['expect_ids'].append(self.currid) + item['stages'][0]['output']['log']['expect_ids'] = [self.currid] + if 'no_expect_ids' in item['stages'][0]['output']['log']: + item['stages'][0]['output']['log']['no_expect_ids'] = [self.currid] else: item['stages'][0]['output']['log']['expect_ids'].append(self.currid)