From 330982b9e2796ad6629598765af9994da9a228f4 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Thu, 30 Jul 2020 17:20:48 +0200
Subject: [PATCH] dns: adds test against incomplete TCP payload
---
 tests/dns-incomplete/README.md | 7 +++
 tests/dns-incomplete/input.pcap | Bin 0 -> 1496 bytes
 tests/dns-incomplete/input.txt | 8 +++
 tests/dns-incomplete/test.rules | 1 +
 tests/dns-incomplete/test.yaml | 19 +++++++
 tests/dns-incomplete/txt2pcap.py | 88 +++++++++++++++++++++++++++++++
 6 files changed, 123 insertions(+)
 create mode 100644 tests/dns-incomplete/README.md
 create mode 100644 tests/dns-incomplete/input.pcap
 create mode 100644 tests/dns-incomplete/input.txt
 create mode 100644 tests/dns-incomplete/test.rules
 create mode 100644 tests/dns-incomplete/test.yaml
 create mode 100644 tests/dns-incomplete/txt2pcap.py
diff --git a/tests/dns-incomplete/README.md b/tests/dns-incomplete/README.md
new file mode 100644
index 000000000..babffdac5
--- /dev/null
+++ b/tests/dns-incomplete/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test DNS incomplete parsing
+
+# PCAP
+
+The pcap comes from running script txt2pcap.py input.txt
diff --git a/tests/dns-incomplete/input.pcap b/tests/dns-incomplete/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c9a12acd6c73b2e62222b224191ab20fe01c85d7
GIT binary patch
literal 1496
zc-p&ic+)~A1{MYcfUxi0Q;L`R%*NmXWP>mh5W6xkIDn7?8v{c<0|O%nKerNj`D3Sr
z3P{fervLx{nE=(Y*xz7eW@cq%!%0%(pIn(Ji*j1XZBGS%b{
z(P4WFXmTK~u&n@^;{nv~fiTAfhwB32uCqWj2PHJ2aX*7J_a)*AJH$34Uxkozc(
z`=-A{$9-bd`NteU*I&Wr`u%^24TZ-XVAl&`4}}M$xrY;%d)WVzXpSI?Ie9R1{QeW|
PFHWFYNocVPGA9oJPo`*r
literal 0
Hc-jL100001
diff --git a/tests/dns-incomplete/input.txt b/tests/dns-incomplete/input.txt
new file mode 100644
index 000000000..3739f2884
--- /dev/null
+++ b/tests/dns-incomplete/input.txt
@@ -0,0 +1,8 @@
+# First a complete request to get protocol detection
+c2s 001c11330100000100000000000006676F6F676C65036E65740000100001
+s2c 002c10328180000100010000000006676F6F676C6503636F6D0000010001c00c00010001000140ef000401020304
+# Then an incomplete request split in 2 packets, to be tested
+c2s 001c103201000001000000000000
+c2s 06676F6F676C6503636F6D0000100001
+# And its answer
+s2c 002c10328180000100010000000006676F6F676C6503636F6D0000010001c00c00010001000140ef000401020304
\ No newline at end of file
diff --git a/tests/dns-incomplete/test.rules b/tests/dns-incomplete/test.rules
new file mode 100644
index 000000000..1473e8048
--- /dev/null
+++ b/tests/dns-incomplete/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (msg:"Test dns_query option"; dns_query; content:"google.com"; nocase; sid:1;)
diff --git a/tests/dns-incomplete/test.yaml b/tests/dns-incomplete/test.yaml
new file mode 100644
index 000000000..85a743807
--- /dev/null
+++ b/tests/dns-incomplete/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  min-version: 6.0
+
+# disables checksum verification
+args:
+- -k none --set app-layer.protocols.dns.detection-ports.dp=5353
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: dns
+        dns.rrname: google.com
+        dns.type: query
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/dns-incomplete/txt2pcap.py b/tests/dns-incomplete/txt2pcap.py
new file mode 100644
index 000000000..40d7e56b5
--- /dev/null
+++ b/tests/dns-incomplete/txt2pcap.py
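Review bot: The first s2c reply carries transaction id 0x1032 and a question for google.com type A (0x0001), while the c2s request just before it uses id 0x1133 and asks for google.net type TXT (0x0010), so the first exchange is not a matching request/response pair; the later reply likewise answers type A to a TXT question. This is presumably fine for a fixture whose first exchange only exists to trigger protocol detection, but it is easy to mistake for an error when reading the file, so spell it out in the comment, e.g. `# First a complete request to get protocol detection (the reply below is a canned answer and does not match this query)`. If the DNS logger pairs responses with queries by transaction id, the same id 0x1032 appearing in both replies could also affect which query the second reply is attached to; worth confirming against the expected eve output.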
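Review bot: The comment above `args` only explains `-k none`, yet the same argument line also sets `app-layer.protocols.dns.detection-ports.dp=5353`, which is what makes Suricata treat the non-standard port used by txt2pcap.py (`PCAP_TCP_PORT = 5353`) as DNS; extend it to `# disables checksum verification and declares TCP/5353 (the port txt2pcap.py uses) as a DNS detection port`. Since the pcap's whole purpose is a request split across two TCP segments, a one-line comment on the first check saying that `count: 1` asserts the reassembled google.com query is logged exactly once would make the intent of the test visible without having to open input.txt.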
@@ -0,0 +1,88 @@
+import sys
+import binascii
+from threading import Thread
+import time
+import socket
+
+# Create a pcap from a htp test file
+# Launches a server on port 8080
+# Launches a client in another thread that connects to it
+# Both client and server read the htp test file
+# And they send and receive data as described (without analysing it)
+# So, you need to capture traffic on port 8080 while running the script
+
+def removeOneEOL(s):
+    r = s
+    if r[-1] == '\n':
+        r = r[:-1]
+    if r[-1] == '\r':
+        r = r[:-1]
+    return r
+
+PCAP_TCP_PORT = 5353
+
+class ServerThread(Thread):
+
+    def __init__(self, filename):
+        Thread.__init__(self)
+        self.filename = filename
+
+    def run(self):
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.bind(("127.0.0.1", PCAP_TCP_PORT))
+        s.listen(1)
+        conn, addr = s.accept()
+        f = open(self.filename)
+        sending = ""
+        receiving = ""
+
+        for l in f.readlines():
+            data = binascii.unhexlify(l.split()[1])
+            if l.split()[0] == "s2c":
+                conn.send(data)
+                print "server sent", len(data)
+            else:
+                data = conn.recv(len(data))
+                print "server recvd", len(data)
+
+        conn.close()
+        s.close()
+        f.close()
+
+
+class ClientThread(Thread):
+
+    def __init__(self, filename):
+        Thread.__init__(self)
+        self.filename = filename
+
+    def run(self):
+        time.sleep(1)
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect(("127.0.0.1", PCAP_TCP_PORT))
+        f = open(self.filename)
+        sending = ""
+        receiving = ""
+
+        for l in f.readlines():
+            data = binascii.unhexlify(l.split()[1])
+            if l.split()[0] != "s2c":
+                s.send(data)
+                print "client sent", len(data)
+            else:
+                data = s.recv(len(data))
+                print "client recvd", len(data)
+
+        s.close()
+        f.close()
+
+t1 = ServerThread(sys.argv[1])
+t2 = ClientThread(sys.argv[1])
+
+# Launch threads
+t1.start()
+t2.start()
+
+# Wait for threads to finish
+t1.join()
+t2.join()
-- 
2.47.2
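Review bot: Both `ServerThread.run` and `ClientThread.run` call `binascii.unhexlify(l.split()[1])` on every line, but the input.txt added in this same commit contains `#` comment lines, so `l.split()[1]` yields `First` on the first line and unhexlify raises before any traffic is exchanged; add `if not l.strip() or l.startswith("#"): continue` at the top of both loops so the script can actually regenerate the pcap the README attributes to it. `conn.recv(len(data))` and `s.recv(len(data))` may also return fewer bytes than requested on a TCP stream, which would desynchronise the lock-step exchange on the following line; receiving in a loop until `len(data)` bytes have arrived (and using `sendall` on the sending side) keeps the segmentation the test relies on deterministic. The header comment still describes an htp test file on port 8080, whereas the script reads DNS hex lines and binds `PCAP_TCP_PORT = 5353`; update it to match, and note that `removeOneEOL`, `sending` and `receiving` are unused. The `print` statements are Python 2 syntax; `print("server sent", len(data))` runs under both interpreters.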