]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 2301045)
pppoe: Add test for pppoe decoder protocol alerts
authorThomas Winter <Thomas.Winter@alliedtelesis.co.nz>
Mon, 21 Jul 2025 22:52:37 +0000 (10:52 +1200)
committerVictor Julien <victor@inliniac.net>
Mon, 8 Sep 2025 16:47:11 +0000 (18:47 +0200)
Suricata commit b23fa51e ("detect: fix decoder only events") fixed
decoder events to go off properly. However it was found that the pppoe
decoder was going off on valid ppp packets.
With drop rules isntead of alert rules, a ppp connection could not
be established.

The following pcap is a valid ppp connection but valid pppoe packets
are being detected as wrong_type or unsup_proto.

tests/pppoe/input.pcap [new file with mode: 0644] patch | blob
tests/pppoe/test.rules [new file with mode: 0644] patch | blob
tests/pppoe/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/pppoe/input.pcap b/tests/pppoe/input.pcap
new file mode 100644 (file)
index 0000000..6de528e
Binary files /dev/null and b/tests/pppoe/input.pcap differ
diff --git a/tests/pppoe/test.rules b/tests/pppoe/test.rules
new file mode 100644 (file)
index 0000000..29452b5
--- /dev/null
+++ b/tests/pppoe/test.rules
@@ -0,0 +1,9 @@
+alert pkthdr any any -> any any (msg:"SURICATA PPP packet too small"; decode-event:ppp.pkt_too_small; classtype:protocol-command-decode; sid:2200043; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPP VJU packet too small"; decode-event:ppp.vju_pkt_too_small; classtype:protocol-command-decode; sid:2200044; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPP IPv4 packet too small"; decode-event:ppp.ip4_pkt_too_small; classtype:protocol-command-decode; sid:2200045; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPP IPv6 too small"; decode-event:ppp.ip6_pkt_too_small; classtype:protocol-command-decode; sid:2200046; rev:2;)
+drop pkthdr any any -> any any (msg:"SURICATA PPP wrong type"; decode-event:ppp.wrong_type; classtype:protocol-command-decode; sid:2200047; rev:2;)
+drop pkthdr any any -> any any (msg:"SURICATA PPP unsupported protocol"; decode-event:ppp.unsup_proto; classtype:protocol-command-decode; sid:2200048; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPPOE packet too small"; decode-event:pppoe.pkt_too_small; classtype:protocol-command-decode; sid:2200049; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPPOE wrong code"; decode-event:pppoe.wrong_code; classtype:protocol-command-decode; sid:2200050; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA PPPOE malformed tags"; decode-event:pppoe.malformed_tags; classtype:protocol-command-decode; sid:2200051; rev:2;)
diff --git a/tests/pppoe/test.yaml b/tests/pppoe/test.yaml
new file mode 100644 (file)
index 0000000..b25475c
--- /dev/null
+++ b/tests/pppoe/test.yaml
@@ -0,0 +1,8 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
Mirror of https://github.com/OISF/suricata-verify.git