Adds tests about IPv6 fragmentation

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap
new file mode 100644 (file)
index 0000000..ec117bc
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap
new file mode 100644 (file)
index 0000000..606f894
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.rules
new file mode 100644 (file)
index 0000000..1279331
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml
new file mode 100644 (file)
index 0000000..edb9434
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200015

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap
new file mode 100644 (file)
index 0000000..54147ac
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules
new file mode 100644 (file)
index 0000000..1279331
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml
new file mode 100644 (file)
index 0000000..edb9434
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200015

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap
new file mode 100644 (file)
index 0000000..37d5542
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules
new file mode 100644 (file)
index 0000000..1279331
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml
new file mode 100644 (file)
index 0000000..edb9434
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200015

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap
new file mode 100644 (file)
index 0000000..0d35932
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.rules
new file mode 100644 (file)
index 0000000..91bfd63
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml
new file mode 100644 (file)
index 0000000..7c59366
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200071

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap
new file mode 100644 (file)
index 0000000..3223b1c
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules
new file mode 100644 (file)
index 0000000..91bfd63
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml
new file mode 100644 (file)
index 0000000..7c59366
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200071

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap
new file mode 100644 (file)
index 0000000..b9eb525
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap
new file mode 100644 (file)
index 0000000..87d4201
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap
new file mode 100644 (file)
index 0000000..47a60a1
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap
new file mode 100644 (file)
index 0000000..c14c02b
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules
new file mode 100644 (file)
index 0000000..9d9eae9
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml
new file mode 100644 (file)
index 0000000..d206c0a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200119

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap
new file mode 100644 (file)
index 0000000..e794dc1
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules
new file mode 100644 (file)
index 0000000..9d9eae9
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml
new file mode 100644 (file)
index 0000000..d206c0a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200119

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap
new file mode 100644 (file)
index 0000000..2893a07
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules
new file mode 100644 (file)
index 0000000..9d9eae9
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml
new file mode 100644 (file)
index 0000000..d206c0a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200119

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap
new file mode 100644 (file)
index 0000000..a75e926
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules
new file mode 100644 (file)
index 0000000..3efc741
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml
new file mode 100644 (file)
index 0000000..33ffa00
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200014

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap
new file mode 100644 (file)
index 0000000..1c75156
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.rules
new file mode 100644 (file)
index 0000000..3efc741
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml
new file mode 100644 (file)
index 0000000..33ffa00
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200014

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap
new file mode 100644 (file)
index 0000000..a6b259d
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules
new file mode 100644 (file)
index 0000000..3efc741
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml
new file mode 100644 (file)
index 0000000..33ffa00
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200014

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap
new file mode 100644 (file)
index 0000000..4327675
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.rules
new file mode 100644 (file)
index 0000000..3efc741
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml
new file mode 100644 (file)
index 0000000..33ffa00
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200014

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap
new file mode 100644 (file)
index 0000000..cde4e10
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap
new file mode 100644 (file)
index 0000000..fe850aa
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap
new file mode 100644 (file)
index 0000000..b954610
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.rules
new file mode 100644 (file)
index 0000000..b9140d1
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.rules
@@ -0,0 +1 @@
+alert icmpv6 any any -> any any (itype:3; icode:1; sid:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml
new file mode 100644 (file)
index 0000000..d4e086a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 1

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap
new file mode 100644 (file)
index 0000000..73c4af6
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules
new file mode 100644 (file)
index 0000000..91bfd63
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml
new file mode 100644 (file)
index 0000000..7c59366
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200071

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap
new file mode 100644 (file)
index 0000000..0284512
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules
new file mode 100644 (file)
index 0000000..1048fff
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml
new file mode 100644 (file)
index 0000000..5d66d80
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200071
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200119

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap
new file mode 100644 (file)
index 0000000..b8e34de
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules
new file mode 100644 (file)
index 0000000..1048fff
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml
new file mode 100644 (file)
index 0000000..5d66d80
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200071
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200119

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap
new file mode 100644 (file)
index 0000000..0d0309f
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules
new file mode 100644 (file)
index 0000000..84ffabc
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules
@@ -0,0 +1 @@
+alert icmpv6 any any -> any any (itype:4; icode:0; sid:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml
new file mode 100644 (file)
index 0000000..d4e086a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 1

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap
new file mode 100644 (file)
index 0000000..e501bae
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.rules
new file mode 100644 (file)
index 0000000..84ffabc
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.rules
@@ -0,0 +1 @@
+alert icmpv6 any any -> any any (itype:4; icode:0; sid:1;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml
new file mode 100644 (file)
index 0000000..d4e086a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 1

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap
new file mode 100644 (file)
index 0000000..044f159
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap
new file mode 100644 (file)
index 0000000..17e174b
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md
new file mode 100644 (file)
index 0000000..380aaaf
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+Triggers IPv6 checksum rule but a more precise rule would make more sense

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap
new file mode 100644 (file)
index 0000000..e18b86f
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md
new file mode 100644 (file)
index 0000000..380aaaf
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+Triggers IPv6 checksum rule but a more precise rule would make more sense

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap
new file mode 100644 (file)
index 0000000..08d3ff6
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.rules
new file mode 100644 (file)
index 0000000..e1b4585
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml
new file mode 100644 (file)
index 0000000..c336f6b
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200072

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md
new file mode 100644 (file)
index 0000000..1ec302a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap
new file mode 100644 (file)
index 0000000..afee3c4
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules
new file mode 100644 (file)
index 0000000..ef7df75
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml
new file mode 100644 (file)
index 0000000..f691751
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1
+        match:
+            event_type: alert
+            alert.signature_id: 2200080