From 435a812dfca7f11e4e7d3205cce50fae499217ea Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 14 Apr 2020 14:05:16 +0200
Subject: [PATCH] Adds test for smb padding evasion
---
tests/smb-eicar-padding/README.md | 14 ++++++++++++++
.../smb1_eicar_andx_write_padding2.pcap | Bin 0 -> 3783 bytes
tests/smb-eicar-padding/test.rules | 1 +
tests/smb-eicar-padding/test.yaml | 14 ++++++++++++++
4 files changed, 29 insertions(+)
create mode 100644 tests/smb-eicar-padding/README.md
create mode 100644 tests/smb-eicar-padding/smb1_eicar_andx_write_padding2.pcap
create mode 100644 tests/smb-eicar-padding/test.rules
create mode 100644 tests/smb-eicar-padding/test.yaml
diff --git a/tests/smb-eicar-padding/README.md b/tests/smb-eicar-padding/README.md
new file mode 100644
index 0000000..32b445e
--- /dev/null
+++ b/tests/smb-eicar-padding/README.md
@@ -0,0 +1,14 @@
+# Description
+
+Test SMB EICAR file rule with padding evasion.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared forlder public wihtout needed authentication)
+Command is
+`smbclient //192.168.1.3/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
+
+The proxy changes the Write request with adding a dummy padding (by increasing unnecessarly the data_offset) 
diff --git a/tests/smb-eicar-padding/smb1_eicar_andx_write_padding2.pcap b/tests/smb-eicar-padding/smb1_eicar_andx_write_padding2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..78500803aa81a36b55741e5825a6b770f41e9034 GIT binary patch literal 3783 zc-qZYYitx%6h1S%-ImJqLD6iCmPMd!X}X==KDH1nyM5V(ePwrnDp=amN|cAtLPZ)v z*{%Vhh(yxe@{nyyA`vkJh!O@U&;}8FBu0}OA2l%$!lTA0P>Shz?%fC7W!nAWA7?Ui z@7%fPJLmh(xp(IK-V>cH$l>uJhjn;AxpGm}y=D%~*f$4;8BhS9^c*%MOnRD&^5AKoaezqZ{^#%Ydk2@u26B3)=Y2HT08JR4eV9(vgK`B0$ z2Aopt-96RvAa(`zZwHNcOH{n~5x3c%0@qu=3-C_f&cQH33`^tO^6n!z>1QQzlyKd%mvTBUIxWQw zq^B&o0ujfENSpn@+DlZ{GS_08V}Z)M@O{87d9FuhfX7%5iE|oq2kEj%RxUv^h@Jh@gAVX@v|h367G7a4sd`- z(kNLR->xMROeDgHA{$g=KE1mxKuZl&SA>Zd@pJu2{KU~@yJpGNR+ri0blR!y)9!>? zVyh0qlU5M`O@@WA2407a*mpt=tcF^=2Y9}^kAo4MHo{1yo*5K)lKL}Kqf$T8-v6)? zQ=gW0keXehJf8u$;CqrMtHP9va0y)`GhU|C%{;}snRve}kzqO`Np1a8zI8A}i$&{n zJPRqk9kuh+S=`a&q1F(x56?x|Cc^SELUS>gzzW%5!O=n}hJ0*Iz(YA0adTr4Y5W;X z%o*~SGh{Jm#G|sIf+s8%V`kPs9lQx|K_jRzL-o)AP4un;9olJOHXUD&StB!R@J$_# zXhDx>0p$KClmgID1X2x~_j9ypXyH6r_4mC8Y1JQ#tonzQy#q7)u;=a1)9b-S;aSB=!@Q4 zw#Hmu0X7uD1?T_xdqPL0?n=TQH~6|bE{?NCZgg=lg#97u?eV6drQ2ghk^msp{duw`Rbqr_p z4rF++Iz~L2K*op;8zibj6p0Qpq65H0#Los;il-JM)MFfc@Y3R#9rIO;tH}fQ3Lkp&comjN%9euasu^;i+hX_g@v@8M54=*E7xv~nK^xm3Bgqm;XhG2bG}sh+2H zE5h;mq~m=-gcTUCfyDChUw7#~I998IF%J@Q{V@*uu-_*w@hPvLZdZ4rB)-)#tAaIg$tE|cbK6Y?ovA&PGuI_@TXU;d2RO$$5q zNjnX46i2&zlB3PrMLF7{ICi7Uos{Fl$L`jR$uU0UPSF#CT>)ixCW_roba|DqyS*aH zoo`%sLQjmp-)_ooLlnEK=< any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;) diff --git a/tests/smb-eicar-padding/test.yaml b/tests/smb-eicar-padding/test.yaml new file mode 100644 index 0000000..c1282b1 --- /dev/null +++ b/tests/smb-eicar-padding/test.yaml 
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.3
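Review bot: The `match` block at the end of the hunk pins only `event_type: alert` and `alert.signature_id: 1`, so the check passes whenever sid 1 fires exactly once, without tying the alert to the SMB transaction the test is about. Since the purpose is to catch a padding evasion in the SMB1 WriteAndX data_offset handling, adding `app_proto: smb` under `match` would make the assertion fail if the EICAR bytes were ever detected on some other layer instead of the padded SMB write. The test.rules content is not readable in this rendering of the patch, so I cannot confirm whether the rule itself is already restricted to smb; if it is, this is a belt-and-braces check only. The single-alert `count: 1` expectation is otherwise appropriate for a pcap carrying one file transfer.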