From: Philippe Antoine
Date: Thu, 30 Jul 2020 15:20:48 +0000 (+0200)
Subject: dns: adds test against incomplete TCP payload
X-Git-Tag: suricata-6.0.4~243
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F315%2Fhead;p=thirdparty%2Fsuricata-verify.git
dns: adds test against incomplete TCP payload
---
diff --git a/tests/dns-incomplete/README.md b/tests/dns-incomplete/README.md
new file mode 100644
index 000000000..babffdac5
--- /dev/null
+++ b/tests/dns-incomplete/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test DNS incomplete parsing
+
+# PCAP
+
+The pcap comes from running script txt2pcap.py input.txt
diff --git a/tests/dns-incomplete/input.pcap b/tests/dns-incomplete/input.pcap
new file mode 100644
index 000000000..c9a12acd6
Binary files /dev/null and b/tests/dns-incomplete/input.pcap differ
diff --git a/tests/dns-incomplete/input.txt b/tests/dns-incomplete/input.txt
new file mode 100644
index 000000000..3739f2884
--- /dev/null
+++ b/tests/dns-incomplete/input.txt
@@ -0,0 +1,8 @@
+# First a complete request to get protocol detection
+c2s 001c11330100000100000000000006676F6F676C65036E65740000100001
+s2c 002c10328180000100010000000006676F6F676C6503636F6D0000010001c00c00010001000140ef000401020304
+# Then an incomplete request split in 2 packets, to be tested
+c2s 001c103201000001000000000000
+c2s 06676F6F676C6503636F6D0000100001
+# And its answer
+s2c 002c10328180000100010000000006676F6F676C6503636F6D0000010001c00c00010001000140ef000401020304
\ No newline at end of file
diff --git a/tests/dns-incomplete/test.rules b/tests/dns-incomplete/test.rules
new file mode 100644
index 000000000..1473e8048
--- /dev/null
+++ b/tests/dns-incomplete/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;)
diff --git a/tests/dns-incomplete/test.yaml b/tests/dns-incomplete/test.yaml
new file mode 100644
index 000000000..85a743807
--- /dev/null
+++ b/tests/dns-incomplete/test.yaml
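Review bot: Both s2c lines in input.txt carry transaction id 0x1032, so the first response does not pair with the first c2s query, whose id is 0x1133; both queries also ask for type 0x0010 (TXT) while the responses carry an A record. For the incomplete-parsing case this is probably harmless, since test.yaml only counts the google.com query event and the alert, but an unpaired response may be logged separately and makes the fixture harder to reason about. Changing the first response's id to match the first query (`s2c 002c1133...`) would keep the request/response pairing consistent, which then requires regenerating input.pcap.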
@@ -0,0 +1,19 @@
+requires:
+ min-version: 6.0
+
+# disables checksum verification
+args:
+- -k none --set app-layer.protocols.dns.detection-ports.dp=5353
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: dns
+ dns.rrname: google.com
+ dns.type: query
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/dns-incomplete/txt2pcap.py b/tests/dns-incomplete/txt2pcap.py
new file mode 100644
index 000000000..40d7e56b5
--- /dev/null
+++ b/tests/dns-incomplete/txt2pcap.py
@@ -0,0 +1,88 @@
+import sys
+import binascii
+from threading import Thread
+import time
+import socket
+
+# Create a pcap from a htp test file
+# Launches a server on port 8080
+# Launches a client in another thread that connects to it
+# Both client and server read the htp test file
+# And they send and receive data as described (without analysing it)
+# So, you need to capture traffic on port 8080 while running the script
+
+def removeOneEOL(s):
+ r = s
+ if r[-1] == '\n':
+ r = r[:-1]
+ if r[-1] == '\r':
+ r = r[:-1]
+ return r
+
+PCAP_TCP_PORT = 5353
+
+class ServerThread(Thread):
+
+ def __init__(self, filename):
+ Thread.__init__(self)
+ self.filename = filename
+
+ def run(self):
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("127.0.0.1", PCAP_TCP_PORT))
+ s.listen(1)
+ conn, addr = s.accept()
+ f = open(self.filename)
+ sending = ""
+ receiving = ""
+
+ for l in f.readlines():
+ data = binascii.unhexlify(l.split()[1])
+ if l.split()[0] == "s2c":
+ conn.send(data)
+ print "server sent", len(data)
+ else:
+ data = conn.recv(len(data))
+ print "server recvd", len(data)
+
+ conn.close()
+ s.close()
+ f.close()
+
+
+class ClientThread(Thread):
+
+ def __init__(self, filename):
+ Thread.__init__(self)
+ self.filename = filename
+
+ def run(self):
+ time.sleep(1)
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect(("127.0.0.1", PCAP_TCP_PORT))
+ f = open(self.filename)
+ sending = ""
+ receiving = ""
+
+ for l in f.readlines():
+ data = binascii.unhexlify(l.split()[1])
+ if l.split()[0] != "s2c":
+ s.send(data)
+ print "client sent", len(data)
+ else:
+ data = s.recv(len(data))
+ print "client recvd", len(data)
+
+ s.close()
+ f.close()
+
+t1 = ServerThread(sys.argv[1])
+t2 = ClientThread(sys.argv[1])
+
+# Launch threads
+t1.start()
+t2.start()
+
+# Wait for threads to finish
+t1.join()
+t2.join()
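Review bot: `conn.send(data)` in ServerThread.run and `s.send(data)` in ClientThread.run may write fewer bytes than len(data) on a stream socket, which would silently change the segment layout this fixture exists to produce; use `conn.sendall(data)` and `s.sendall(data)`. Nothing forces the two consecutive c2s lines into separate TCP segments either — on loopback they are usually emitted separately, but that is not guaranteed, so a short `time.sleep` between sends would make the split deterministic and worth a comment saying the split is intentional. The header comment is stale: it describes an "htp test file" and port 8080, while the script binds `PCAP_TCP_PORT = 5353` and reads c2s/s2c hex lines, so it should say `# Reads c2s/s2c hex lines and replays them over TCP port PCAP_TCP_PORT (5353); capture that port while running`. The `print "server sent", len(data)` statements are Python 2 syntax and fail to parse under Python 3 (`print("server sent", len(data))`), and `removeOneEOL`, `sending` and `receiving` are never used.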