From 1259e30a507b694db8d9a4663ef03af4261a377c Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 30 Sep 2025 18:21:59 -0300
Subject: [PATCH] tests: add tests for bug 7964 Related to Bug #7964
---
tests/bug-7964-01/README.md | 12 +++++++++
tests/bug-7964-01/editable-ipv4-in-ipv6.txt | 7 ++++++
tests/bug-7964-01/test.rules | 1 +
tests/bug-7964-01/test.yaml | 23 ++++++++++++++++++
.../bug-7964-01/wrong-version-ipv4-ipv6.pcap | Bin 0 -> 146 bytes
tests/bug-7964-02/README.md | 12 +++++++++
tests/bug-7964-02/editable-ip6-in-ip6.txt | 8 ++++++
tests/bug-7964-02/test.rules | 1 +
tests/bug-7964-02/test.yaml | 23 ++++++++++++++++++
.../bug-7964-02/wrong-version-ipv6-ipv6.pcap | Bin 0 -> 166 bytes
10 files changed, 87 insertions(+)
create mode 100644 tests/bug-7964-01/README.md
create mode 100644 tests/bug-7964-01/editable-ipv4-in-ipv6.txt
create mode 100644 tests/bug-7964-01/test.rules
create mode 100644 tests/bug-7964-01/test.yaml
create mode 100644 tests/bug-7964-01/wrong-version-ipv4-ipv6.pcap
create mode 100644 tests/bug-7964-02/README.md
create mode 100644 tests/bug-7964-02/editable-ip6-in-ip6.txt
create mode 100644 tests/bug-7964-02/test.rules
create mode 100644 tests/bug-7964-02/test.yaml
create mode 100644 tests/bug-7964-02/wrong-version-ipv6-ipv6.pcap
diff --git a/tests/bug-7964-01/README.md b/tests/bug-7964-01/README.md
new file mode 100644
index 000000000..5aa3adfd9
--- /dev/null
+++ b/tests/bug-7964-01/README.md
@@ -0,0 +1,12 @@
+Test that the engine correctly issues a wrong ip version event and flags packet
+as invalid when decoding an IPv4-in-IPv6 packet with wrong/ invalid IP version.
+
+PCAP
+----
+
+Created by using bug-4571-06 pcap and replacing IPv4 version with invalid value.
+
+Ticket
+------
+
+https://redmine.openinfosecfoundation.org/issues/7964
diff --git a/tests/bug-7964-01/editable-ipv4-in-ipv6.txt b/tests/bug-7964-01/editable-ipv4-in-ipv6.txt
new file mode 100644
index 000000000..62d4876fa
--- /dev/null
+++ b/tests/bug-7964-01/editable-ipv4-in-ipv6.txt
@@ -0,0 +1,7 @@
+0000 0a 00 27 00 00 01 0a 00 27 00 00 00 86 dd 60 00 ..'.....'.....`.
+0010 00 00 00 34 04 7f 20 01 0d b8 85 a3 00 00 00 00 ...4.. .........
+0020 8a 2e 03 70 73 34 20 01 0d b8 85 a3 00 00 00 00 ...ps4 .........
+0030 8a 2e 03 70 73 35 56 80 00 34 04 d2 00 00 7f 06 ...ps5E..4......
+0040 22 6e 0a 01 00 01 0a 01 00 02 00 50 00 50 00 01 "n.........P.P..
+0050 f7 fa 00 00 00 00 50 00 04 00 5e ec 00 00 68 65 ......P...^...he
+0060 6c 6c 6f 2c 20 77 6f 72 6c 64 llo, world
diff --git a/tests/bug-7964-01/test.rules b/tests/bug-7964-01/test.rules
new file mode 100644
index 000000000..3e2bdbcc9
--- /dev/null
+++ b/tests/bug-7964-01/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv4-in-IPv6 invalid protocol"; decode-event:ipv6.ipv4_in_ipv6_wrong_version; classtype:protocol-command-decode; sid:2200083; rev:2;)
diff --git a/tests/bug-7964-01/test.yaml b/tests/bug-7964-01/test.yaml
new file mode 100644
index 000000000..378eef4d0
--- /dev/null
+++ b/tests/bug-7964-01/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 9
+
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200083
+ proto: IP-in-IP
+ ip_v: 6
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.pkts: 1
+ stats.decoder.invalid: 1
+ stats.decoder.ipv6: 1
+ stats.decoder.event.ipv6.ipv4_in_ipv6_wrong_version: 1
diff --git a/tests/bug-7964-01/wrong-version-ipv4-ipv6.pcap b/tests/bug-7964-01/wrong-version-ipv4-ipv6.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..03cc7555e0807f6b35b603cb0eae3440b17b5bd6
GIT binary patch literal 146 zc-p&ic+)~A1{MYcU}0bcl8$C~GC*_|6mv1CGcYiMNrtw&2_S_gEcFVEygOPKgE(D! z%mu|JXnfPK2B4}-3=H*bN_kw2K>dsiObh`)$oTyiNL2vPwzxM83>m38Ir%yY<@rT9 FDFFPG8|nZ6 literal 0 Hc-jL100001
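Review bot: In the `0030` row of `editable-ipv4-in-ipv6.txt` the hex column has `56 80` at offset 0x36 (the first bytes of the inner header) while the ASCII gutter still prints `E.`, so the dump was edited by hand without regenerating the gutter; `tests/bug-7964-02/editable-ip6-in-ip6.txt` has the same mismatch, with `45` at 0x36 still shown as the 0x60 character. The stale `E` suggests the original byte was 0x45, which would mean the edit also moved the header-length nibble from 5 to 6, whereas the README describes only a version change. If the aim is to isolate the version check, keeping the low nibble (`55`) and regenerating the capture would do that; otherwise the README should state the exact byte values written. Nothing on the page shows how the .pcap is produced from this dump, so a line such as `PCAP regenerated from editable-ipv4-in-ipv6.txt with <tool and options>` would let a reviewer confirm the two agree.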
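Review bot: The second filter in `tests/bug-7964-01/test.yaml` pins the decode event and `stats.decoder.invalid: 1` but never asserts that the inner header was left undecoded, so a build that flags the packet invalid yet still passes the mismatched header to the IPv4/TCP decoders would pass this test. Adding `stats.decoder.ipv4: 0` and `stats.decoder.tcp: 0` to that `match` would cover it, assuming zero-valued counters are present in the stats record for the versions targeted by `min-version: 9`. `tests/bug-7964-02/test.yaml` already bounds the IPv6 count with `stats.decoder.ipv6: 1` and would only need `stats.decoder.tcp: 0`. Separately, `--set stream.midstream=true` looks inherited from the source test; if the packet is expected never to reach the stream engine, a short comment saying why the option is kept would help.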
diff --git a/tests/bug-7964-02/README.md b/tests/bug-7964-02/README.md
new file mode 100644
index 000000000..70e6b37e9
--- /dev/null
+++ b/tests/bug-7964-02/README.md
@@ -0,0 +1,12 @@
+Test that the engine correctly issues a wrong ip version event and flags packet
+as invalid when decoding an IPv6-in-IPv6 packet with wrong/ invalid IP version.
+
+PCAP
+----
+
+Created by using bug-4571-03 pcap and replacing IPv6 version with invalid value.
+
+Ticket
+------
+
+https://redmine.openinfosecfoundation.org/issues/7964
diff --git a/tests/bug-7964-02/editable-ip6-in-ip6.txt b/tests/bug-7964-02/editable-ip6-in-ip6.txt
new file mode 100644
index 000000000..6eecb2d1d
--- /dev/null
+++ b/tests/bug-7964-02/editable-ip6-in-ip6.txt
@@ -0,0 +1,8 @@
+0000 0a 00 27 00 00 01 0a 00 27 00 00 00 86 dd 60 00 ..'.....'.....`.
+0010 00 00 00 48 29 7f 20 01 0d b8 85 a3 00 00 00 00 ...H). .........
+0020 8a 2e 03 70 73 34 20 01 0d b8 85 a3 00 00 00 00 ...ps4 .........
+0030 8a 2e 03 70 73 35 45 00 00 00 00 20 06 7f 20 01 ...ps5`.... .. .
+0040 0d b8 85 a3 00 00 00 00 8a 2e 03 70 83 34 20 01 ...........p.4 .
+0050 0d b8 85 a3 00 00 00 00 8a 2e 03 70 83 35 00 50 ...........p.5.P
+0060 00 50 00 01 f7 fa 00 00 00 00 50 00 04 00 ea 90 .P........P.....
+0070 00 00 68 65 6c 6c 6f 2c 20 77 6f 72 6c 64 ..hello, world
diff --git a/tests/bug-7964-02/test.rules b/tests/bug-7964-02/test.rules
new file mode 100644
index 000000000..592e8d00b
--- /dev/null
+++ b/tests/bug-7964-02/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6-in-IPv6 invalid protocol"; decode-event:ipv6.ipv6_in_ipv6_wrong_version; classtype:protocol-command-decode; sid:2200085; rev:2;)
diff --git a/tests/bug-7964-02/test.yaml b/tests/bug-7964-02/test.yaml
new file mode 100644
index 000000000..4fe2c4c83
--- /dev/null
+++ b/tests/bug-7964-02/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 9
+
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200085
+ proto: IPv6
+ ip_v: 6
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.pkts: 1
+ stats.decoder.invalid: 1
+ stats.decoder.ipv6: 1
+ stats.decoder.event.ipv6.ipv6_in_ipv6_wrong_version: 1
diff --git a/tests/bug-7964-02/wrong-version-ipv6-ipv6.pcap b/tests/bug-7964-02/wrong-version-ipv6-ipv6.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..17953c17717bb5de0de1c76a12f5347257d360eb
GIT binary patch literal 166 zc-p&ic+)~A1{MYcU}0bck~h=uW`O8ADCS~NXJB9ilMHQl6F>?*H0u=@d3Urf264Ld zm0YJ$3{TE0i0O*2O6BrmWQgd?hbrj0;i*ix`3J@a# literal 0 Hc-jL100001 -- 2.47.3