Adds regression test to cover the @fuzzeHash operator

Felipe Zimmerle · Felipe Zimmerle · commit e5aea895fcff · 2014-10-28T09:34:33.000-07:00
Added 30-fuzzyHash.t and the ssdeep hash files. Hash files was generated using
files from ModSecurity repository.
diff --git a/tests/regression/misc/30-fuzzyHash.t b/tests/regression/misc/30-fuzzyHash.t
@@ -0,0 +1,122 @@
+### libinjection.
+
+{
+	type => "misc",
+	comment => "fuzzyHash test",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+                SecRequestBodyAccess On
+
+		SecRule REQUEST_BODY "\@fuzzyHash $ENV{CONF_DIR}/ssdeep.txt 1" "id:192372,log,deny"
+	),
+	match_log => {
+		error => [ qr/ModSecurity: Access denied with code 403 \(phase 2\)\. Fuzzy hash of REQUEST_BODY matched with 96:MbQ1L0LDX8GPI8ov3D2D9zd6.*"modsecurity.conf-recommended"/, 1],
+		debug => [ qr/Access denied with code 403 \(phase 2\)\. Fuzzy hash of REQUEST_BODY matched with 96:MbQ1L0LDX8GPI8ov3D2D9zd6.*"modsecurity.conf-recommended"/, 1],
+	},
+	match_response => {
+		status => qr/^403$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		#  Args
+		"
+# -- Rule engine initialization ----------------------------------------------
+
+# Enable ModSecurity, attaching it to every transaction. Use detection
+# only to start with, because that minimises the chances of post-installation
+# disruption.
+#
+SecRuleEngine DetectionOnly
+
+
+# -- Request body handling ---------------------------------------------------
+
+# Allow ModSecurity to access request bodies. If you don't, ModSecurity
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
+
+
+# Enable XML request body parser.
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type \"text/xml\" \
+     \"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"
+
+# Enable JSON request body parser.
+# Initiate JSON Processor in case of JSON content-type; change accordingly
+# if your application does not use 'application/json'
+#
+SecRule REQUEST_HEADERS:Content-Type \"application/json\" \
+     \"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"
+
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+
+# Store up to 128 KB of request body data in memory. When the multipart
+# parser reachers this limit, it will start using your hard disk for
+# storage. That is slow, but unavoidable.
+#
+SecRequestBodyInMemoryLimit 131072
+
+# What do do if the request body size is above our configured limit.
+# Keep in mind that this setting will automatically be set to ProcessPartial
+# when SecRuleEngine is set to DetectionOnly mode in order to minimize
+# disruptions when initially deploying ModSecurity.
+#
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_ERROR \"!\@eq 0\" \
+\"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\"
+		"
+	),
+},
+
+{
+	type => "misc",
+	comment => "fuzzyHash test",
+	conf => qq(
+		SecRuleEngine On
+		SecDebugLog $ENV{DEBUG_LOG}
+		SecDebugLogLevel 9
+                SecRequestBodyAccess On
+
+		SecRule REQUEST_BODY "\@fuzzyHash $ENV{CONF_DIR}/ssdeep.txt 1" "id:192372,log,deny"
+	),
+	match_log => {
+		-error => [ qr/Fuzzy hash of REQUEST_BODY matched/, 1],
+		-debug => [ qr/Fuzzy hash of REQUEST_BODY matched/, 1],
+	},
+	match_response => {
+		status => qr/^200$/,
+	},
+	request => new HTTP::Request(
+		POST => "http://$ENV{SERVER_NAME}:$ENV{SERVER_PORT}/index.html",
+		[
+			"Content-Type" => "application/x-www-form-urlencoded",
+		],
+		#  Args
+		"
+		wheee
+		"
+	),
+},
+
+
diff --git a/tests/regression/nginx/conf/ssdeep.txt b/tests/regression/nginx/conf/ssdeep.txt
@@ -0,0 +1,4 @@
+ssdeep,1.1--blocksize:hash:hash,filename
+96:MbQ1L0LDX8GPI8ov3D2D9zd6/gz2wZhFvV0O598La8Kqvfi0znNa8Xi5SM7XRWCK:KvL8Gg8rWIz2ZKqvfjzQ55RpRHjftQ++,"modsecurity.conf-recommended"
+192:b8B5UQvywcMIJuavpde/Yyz/U/vF+vGCoCvrQr/dw:afcnrvp8zqUvGrzr6,"README_WINDOWS.TXT"
+96:+qK8Z4gA165/hquKNMi68zuEyMM9qNB26x:+RG4z6c1LyZOB26x,"README.TXT"
diff --git a/tests/regression/server_root/conf/ssdeep.txt b/tests/regression/server_root/conf/ssdeep.txt
@@ -0,0 +1,4 @@
+ssdeep,1.1--blocksize:hash:hash,filename
+96:MbQ1L0LDX8GPI8ov3D2D9zd6/gz2wZhFvV0O598La8Kqvfi0znNa8Xi5SM7XRWCK:KvL8Gg8rWIz2ZKqvfjzQ55RpRHjftQ++,"modsecurity.conf-recommended"
+192:b8B5UQvywcMIJuavpde/Yyz/U/vF+vGCoCvrQr/dw:afcnrvp8zqUvGrzr6,"README_WINDOWS.TXT"
+96:+qK8Z4gA165/hquKNMi68zuEyMM9qNB26x:+RG4z6c1LyZOB26x,"README.TXT"
