From 3ef200ae95f998e38fa39e6e9fc62583b4bd43a3 Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Tue, 12 Nov 2024 13:48:17 +0530
Subject: [PATCH] applayer: add test for dcerpc req http resp as done in the unittest AppLayerTest08 as of Suricata 278dc24c.
---
 tests/dcerpc-request-http-response/README.md | 12 ++++++++++++
 tests/dcerpc-request-http-response/input.pcap | Bin 0 -> 501 bytes
 tests/dcerpc-request-http-response/test.yaml | 12 ++++++++++++
 tests/dcerpc-request-http-response/writepcap.py | 15 +++++++++++++++
 4 files changed, 39 insertions(+)
 create mode 100644 tests/dcerpc-request-http-response/README.md
 create mode 100644 tests/dcerpc-request-http-response/input.pcap
 create mode 100644 tests/dcerpc-request-http-response/test.yaml
 create mode 100644 tests/dcerpc-request-http-response/writepcap.py

diff --git a/tests/dcerpc-request-http-response/README.md b/tests/dcerpc-request-http-response/README.md
new file mode 100644
index 000000000..23d917ed1
--- /dev/null
+++ b/tests/dcerpc-request-http-response/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test is a conversion of an applayer unittest that comprised of a dcerpc
+request followed by an HTTP response.
+
+## PCAP
+
+PCAP was created with the Scapy script checked in.
+
+## Related issues
+
+None
diff --git a/tests/dcerpc-request-http-response/input.pcap b/tests/dcerpc-request-http-response/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e7d410b1b2b445722b8da931e096a3cc001116fb
GIT binary patch
literal 501
zc-p&ic+)~A1{MYw`2U}Qfe}b^=?A1+g>f_30ofqT%EHV96lY{&W?^k)U|{25aAjc7
z0V#E0D>=pp1WZ6+U@1R=0b&3{0+RxRBo6}vGczC9wA@&PX%KTDW@4HKG6`g&`~(9_
zp#B#?^-Kvu|Nol`BTQpY=4J>2N(A9@n*-FeO=xao0-EtMK;r-ZbKikFfgAy#pajg(
z4BQNyK;0l4KIU>Wv;sw1ak;k`YC}DmdtU<8OMz_QSjoWP5fT!hZ>VReU}RvR;P1`L
z<(!{alA2ed>yw(7UXo#@V8F}el30>zr4XK)qN8A7qTrI63{-4nqF`uXWn^h(Y@p!o
r8^X)Q%LQ`O!wPN&E1>ySxV)_ab<`;|Z%Z*Su$Tl0{Qn=igMk46@{~w#

literal 0
Hc-jL100001

diff --git a/tests/dcerpc-request-http-response/test.yaml b/tests/dcerpc-request-http-response/test.yaml
new file mode 100644
index 000000000..508adaaf3
--- /dev/null
+++ b/tests/dcerpc-request-http-response/test.yaml
@@ -0,0 +1,12 @@
+args:
+- -k none
+
+checks:
+  - filter:
+    count: 1
+    match:
+      event_type: flow
+      app_proto: dcerpc
+      app_proto_tc: http
+      tcp.psh: true
+      tcp.ack: true
diff --git a/tests/dcerpc-request-http-response/writepcap.py b/tests/dcerpc-request-http-response/writepcap.py
new file mode 100644
index 000000000..ccbe818a7
--- /dev/null
+++ b/tests/dcerpc-request-http-response/writepcap.py
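Review bot: As rendered in the hunk, `count:` and `match:` sit at the same column as the `filter` key inside the list item (`+  - filter:` followed by `+    count: 1`), which would parse `filter` as an empty value with count/match as its siblings rather than its children; if that is the real indentation, nest them two columns deeper under `filter:` as the other suricata-verify tests do. The flow check pins `app_proto: dcerpc` and `app_proto_tc: http`, which captures the direction mismatch the unittest was about, but nothing asserts that the engine flagged it; a second check for `event_type: anomaly` with `anomaly.event: applayer.mismatch_protocol_both_directions` would make the expectation explicit, provided the runner's default eve config logs anomaly records. `-k none` turns off checksum verification without a stated reason; a one-line note in the README saying why the generated pcap needs it (or dropping the argument if Scapy's checksums are correct) would keep the args self-explanatory.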
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+load_layer("dcerpc")
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='AP',seq=2,ack=1001,window=65535)/DceRpc(ptype=0, call_id=1)/"\x00\x00\x0b\x00\x09\x00\x45\x00"
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=26,window=65535)/HTTP()/HTTPResponse()
+#pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/HTTP()/HTTPResponse() ## This works. Why?
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=26,ack=1076,window=65535)
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2
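Review bot: The commented-out alternative response ending in `## This works. Why?` checks an open question into the generator; either delete the line or replace the question with the answer, e.g. `# ack=2 would acknowledge none of the DCERPC request; ack=26 (seq 2 + 24-byte request) keeps the stream consistent`, where 24 bytes appears to be the DceRpc header plus the 8-byte body and matches the final client packet's `seq=26`. The script has no header comment; a short module docstring listing the five frames it writes (SYN, SYN/ACK, DCERPC request, HTTP response, final ACK) and noting that input.pcap is consumed by test.yaml would let a maintainer regenerate the capture without decoding each Scapy call. `pkts += Ether(...)` works only because a Scapy Packet is iterable and extends the list with itself; `pkts.append(Ether(...))` states the intent and does not depend on that behaviour.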