From e4f9762d5dbe2a0af6160a917b201b3a233f5761 Mon Sep 17 00:00:00 2001
From: Giuseppe Longo
Date: Thu, 18 Jul 2024 17:14:55 +0200
Subject: [PATCH] ldap: add tests for udp and frames

---
tests/ldap-frames/README.md | 7 +++++++
tests/ldap-frames/suricata.yaml | 8 ++++++++
tests/ldap-frames/test.yaml | 34 ++++++++++++++++++++++++++++++++
tests/ldap-udp/README.md | 7 +++++++
tests/ldap-udp/cldap.pcap | Bin 0 -> 428 bytes
tests/ldap-udp/test.yaml | 29 +++++++++++++++++++++++++++
6 files changed, 85 insertions(+)
create mode 100644 tests/ldap-frames/README.md
create mode 100644 tests/ldap-frames/suricata.yaml
create mode 100644 tests/ldap-frames/test.yaml
create mode 100644 tests/ldap-udp/README.md
create mode 100644 tests/ldap-udp/cldap.pcap
create mode 100644 tests/ldap-udp/test.yaml
diff --git a/tests/ldap-frames/README.md b/tests/ldap-frames/README.md
new file mode 100644
index 000000000..479850a6b
--- /dev/null
+++ b/tests/ldap-frames/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP over UDP is parsed correctly.
+
+## PCAP
+
+PCAP downloaded from cloudshark.
diff --git a/tests/ldap-frames/suricata.yaml b/tests/ldap-frames/suricata.yaml
new file mode 100644
index 000000000..554239918
--- /dev/null
+++ b/tests/ldap-frames/suricata.yaml
@@ -0,0 +1,8 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - frame
diff --git a/tests/ldap-frames/test.yaml b/tests/ldap-frames/test.yaml
new file mode 100644
index 000000000..53350958b
--- /dev/null
+++ b/tests/ldap-frames/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: ../ldap-udp/cldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 1
+ event_type: frame
+ frame.direction: toserver
+ frame.length: 137
+ frame.complete: true
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 2
+ event_type: frame
+ frame.direction: toclient
+ frame.length: 137
+ frame.complete: true
+ - filter:
+ count: 1
+ match:
+ pcap_cnt: 2
+ event_type: frame
+ frame.direction: toclient
+ frame.length: 14
+ frame.complete: true
+ frame.tx_id: 1
diff --git a/tests/ldap-udp/README.md b/tests/ldap-udp/README.md
new file mode 100644
index 000000000..479850a6b
--- /dev/null
+++ b/tests/ldap-udp/README.md
@@ -0,0 +1,7 @@
+# Test Purpose
+
+Test that LDAP over UDP is parsed correctly.
+
+## PCAP
+
+PCAP downloaded from cloudshark.
diff --git a/tests/ldap-udp/cldap.pcap b/tests/ldap-udp/cldap.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..3aeb6bb54fbff2012503d8c60e9021f27efc532b
GIT binary patch literal 428 zcmca|c+)~A1{MYw`2U}Qff2~zP7MfHdzY1AGms6!K_Lu#9@qlO%8hOu46Y0eOBtmY z7#ai*dmLC%H4%uJKPob|GEB@@GiU)SZ)Rd-Oa?KkSQxk%L5K;A7#SHBfP{k=gGeP7 zPM5r5m;Bts%sdv+ViUcL{PL1~y~L!%qLQ4{61}|C60kZU78Z~E;u03Fa8ExM|L|aQ zU1P8~FAJ+*NmyzT3yT=gG_b{7EF6BRB{})&`FS8On2NJ890baNFvRf?kAS@Z^p^vJ zgW!=6kn=&_U~K)U$S}Wbnn7b5(ETZm4J-@>H3n5I96*PFjWo<-$q@${wO5dVp=5f6 zJgfC}r|wNXpKn&xXE7Cqgx_*hdsSF1^S%G%^2Lb~gpgU68fx*WDga96Rbp8MU literal 0 HcmV?d00001
diff --git a/tests/ldap-udp/test.yaml b/tests/ldap-udp/test.yaml
new file mode 100644
index 000000000..3dfa28996
--- /dev/null
+++ b/tests/ldap-udp/test.yaml
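Review bot: None of the three frame checks in tests/ldap-frames/test.yaml pins `frame.name`, so each filter is satisfied by any complete frame of that length in that direction on that packet rather than specifically by the LDAP PDU frame this test exists to cover; add `frame.name: pdu` (or whatever name the LDAP parser registers for its PDU frame) to every `match:` block. The first two checks also carry no `frame.tx_id` while the third pins `frame.tx_id: 1`; if the request frame and the 137-byte response frame are expected to belong to transaction 0, pin `frame.tx_id: 0` on them so a regression in frame-to-transaction attribution is actually caught. Separately, the README added next to this test is byte-identical to tests/ldap-udp/README.md (same blob 479850a6b) and says it tests "LDAP over UDP", which is the other test's purpose; it should state that this test checks frame emission for LDAP PDUs and that it reuses ../ldap-udp/cldap.pcap, since that cross-directory dependency is otherwise invisible.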
@@ -0,0 +1,29 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+pcap: cldap.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: ldap
+ ldap.request.message_id: 1
+ ldap.request.operation: search_request
+ ldap.request.search_request.base_object: ""
+ ldap.request.search_request.scope: 0
+ ldap.request.search_request.deref_alias: 0
+ ldap.request.search_request.size_limit: 0
+ ldap.request.search_request.time_limit: 0
+ ldap.request.search_request.types_only: false
+ ldap.request.search_request.attributes[0]: Netlogon
+ ldap.responses[0].operation: search_result_entry
+ ldap.responses[0].search_result_entry.base_object: ""
+ ldap.responses[0].search_result_entry.attributes[0].type: netlogon
+ ldap.responses[1].operation: search_result_done
+ ldap.responses[1].search_result_done.result_code: success
+ ldap.responses[1].search_result_done.matched_dn: ""
+ ldap.responses[1].search_result_done.message: ""
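Review bot: The single check in tests/ldap-udp/test.yaml never pins the transport, so a test named ldap-udp whose README promises that "LDAP over UDP is parsed correctly" would pass just the same if the event had come out of the TCP path; add `proto: UDP` to the `match:` block so the UDP code path is what is being asserted. `count: 1` on the ldap event is good, but nothing asserts the absence of parser errors, and a PDU that is only partially decoded can still produce the logged request; a second check along the lines of `- filter:` / `count: 0` / `match: { event_type: anomaly, anomaly.type: applayer }` would catch that, assuming anomaly logging is enabled in the configuration the suite runs this test with (there is no suricata.yaml in this directory, so that depends on the default). The value of the `netlogon` attribute in `ldap.responses[0]` goes unchecked; if the parser logs attribute values, pinning the first one would make the search_result_entry assertion considerably stronger.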