Ads various tests about IPv6 denial of service

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/README.md
new file mode 100644 (file)
index 0000000..6d97a81
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Hop-by-Hop Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/denial6-1.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/denial6-1.pcap
new file mode 100644 (file)
index 0000000..7fa02b7
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/denial6-1.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.rules
new file mode 100644 (file)
index 0000000..bbddd32
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS unknown option"; decode-event:ipv6.hopopts_unknown_opt; classtype:protocol-command-decode; sid:2200086; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.yaml
new file mode 100644 (file)
index 0000000..4bd4a44
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 34114
+        match:
+            event_type: alert
+            alert.signature_id: 2200086

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/README.md
new file mode 100644 (file)
index 0000000..031e13d
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Destination Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/denial6-2.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/denial6-2.pcap
new file mode 100644 (file)
index 0000000..e54a02e
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/denial6-2.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.rules
new file mode 100644 (file)
index 0000000..b371664
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.rules
@@ -0,0 +1,2 @@
+# DST option that we don't understand
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS unknown option"; decode-event:ipv6.dstopts_unknown_opt; classtype:protocol-command-decode; sid:2200088; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.yaml
new file mode 100644 (file)
index 0000000..d48a7eb
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 16188
+        match:
+            event_type: alert
+            alert.signature_id: 2200088

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/README.md
new file mode 100644 (file)
index 0000000..031e13d
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Destination Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/denial6-3.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/denial6-3.pcap
new file mode 100644 (file)
index 0000000..98e3b69
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/denial6-3.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.rules
new file mode 100644 (file)
index 0000000..cbb712e
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; classtype:protocol-command-decode; sid:2200018; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; classtype:protocol-command-decode; sid:2200089; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.yaml
new file mode 100644 (file)
index 0000000..ac6086a
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 17674
+        match:
+            event_type: alert
+            alert.signature_id: 2200018
+    - filter:
+        count: 17674
+        match:
+            event_type: alert
+            alert.signature_id: 2200089

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/README.md
new file mode 100644 (file)
index 0000000..031e13d
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Destination Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/denial6-4.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/denial6-4.pcap
new file mode 100644 (file)
index 0000000..4fa2cf8
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/denial6-4.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.rules
new file mode 100644 (file)
index 0000000..cbb712e
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; classtype:protocol-command-decode; sid:2200018; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; classtype:protocol-command-decode; sid:2200089; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.yaml
new file mode 100644 (file)
index 0000000..bc9f8f8
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.yaml
@@ -0,0 +1,15 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 17424
+        match:
+            event_type: alert
+            alert.signature_id: 2200018
+    - filter:
+        count: 17424
+        match:
+            event_type: alert
+            alert.signature_id: 2200089

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/README.md
new file mode 100644 (file)
index 0000000..6d97a81
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Hop-by-Hop Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/denial6-7.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/denial6-7.pcap
new file mode 100644 (file)
index 0000000..33aac0c
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/denial6-7.pcap differ

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.rules
new file mode 100644 (file)
index 0000000..bbddd32
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS unknown option"; decode-event:ipv6.hopopts_unknown_opt; classtype:protocol-command-decode; sid:2200086; rev:2;)

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.yaml
new file mode 100644 (file)
index 0000000..12f73ef
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.yaml
@@ -0,0 +1,10 @@
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 37341
+        match:
+            event_type: alert
+            alert.signature_id: 2200086