tests: tcp urgent tests
authorVictor Julien <victor@inliniac.net>
Mon, 9 Dec 2024 16:13:07 +0000 (17:13 +0100)
committerVictor Julien <victor@inliniac.net>
Wed, 11 Dec 2024 22:10:20 +0000 (23:10 +0100)
25 files changed:
tests/tcp-urgp-01-oob/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-01-oob/tcp-urgent1.pcap [new file with mode: 0644]
tests/tcp-urgp-01-oob/test.yaml [new file with mode: 0644]
tests/tcp-urgp-02-drop-ips/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-02-drop-ips/tcp-urgent1.pcap [new file with mode: 0644]
tests/tcp-urgp-02-drop-ips/test.yaml [new file with mode: 0644]
tests/tcp-urgp-03-inline/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-03-inline/tcp-urgent1.pcap [new file with mode: 0644]
tests/tcp-urgp-03-inline/test.yaml [new file with mode: 0644]
tests/tcp-urgp-04-2byte-XY/README.md [new file with mode: 0644]
tests/tcp-urgp-04-2byte-XY/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-04-2byte-XY/tcp-urgent-2byte-XY.pcap [new file with mode: 0644]
tests/tcp-urgp-04-2byte-XY/test.yaml [new file with mode: 0644]
tests/tcp-urgp-06-oob-within-limit/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-06-oob-within-limit/tcp-urgent-1byte-64k.pcap [new file with mode: 0644]
tests/tcp-urgp-06-oob-within-limit/test.yaml [new file with mode: 0644]
tests/tcp-urgp-07-oob-exceed-limit/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-07-oob-exceed-limit/tcp-urgent-1byte-66k.pcap [new file with mode: 0644]
tests/tcp-urgp-07-oob-exceed-limit/test.yaml [new file with mode: 0644]
tests/tcp-urgp-08-oob-exceed-limit-gap/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-08-oob-exceed-limit-gap/tcp-urgent-1byte-66k.pcap [new file with mode: 0644]
tests/tcp-urgp-08-oob-exceed-limit-gap/test.yaml [new file with mode: 0644]
tests/tcp-urgp-09-oob-exceed-limit-inline/suricata.rules [new file with mode: 0644]
tests/tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap [new file with mode: 0644]
tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml [new file with mode: 0644]

diff --git a/tests/tcp-urgp-01-oob/suricata.rules b/tests/tcp-urgp-01-oob/suricata.rules
new file mode 100644 (file)
index 0000000..ae3a59c
--- /dev/null
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-01-oob/tcp-urgent1.pcap b/tests/tcp-urgp-01-oob/tcp-urgent1.pcap
new file mode 100644 (file)
index 0000000..4715352
Binary files /dev/null and b/tests/tcp-urgp-01-oob/tcp-urgent1.pcap differ
diff --git a/tests/tcp-urgp-01-oob/test.yaml b/tests/tcp-urgp-01-oob/test.yaml
new file mode 100644 (file)
index 0000000..3324924
--- /dev/null
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
diff --git a/tests/tcp-urgp-02-drop-ips/suricata.rules b/tests/tcp-urgp-02-drop-ips/suricata.rules
new file mode 100644 (file)
index 0000000..ae3a59c
--- /dev/null
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-02-drop-ips/tcp-urgent1.pcap b/tests/tcp-urgp-02-drop-ips/tcp-urgent1.pcap
new file mode 100644 (file)
index 0000000..4715352
Binary files /dev/null and b/tests/tcp-urgp-02-drop-ips/tcp-urgent1.pcap differ
diff --git a/tests/tcp-urgp-02-drop-ips/test.yaml b/tests/tcp-urgp-02-drop-ips/test.yaml
new file mode 100644 (file)
index 0000000..342190e
--- /dev/null
@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=drop
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.ips.accepted: 6
+        stats.ips.blocked: 10
+        stats.ips.drop_reason.flow_drop: 8
+        stats.ips.drop_reason.rules: 1
+        stats.ips.drop_reason.stream_urgent: 1
+        stats.tcp.urg: 1
+        stats.tcp.reassembly_gap: 1
+        stats.detect.alert: 1
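Review bot: The `stats.ips.*` expectations at the end of this hunk assume IPS verdict counters are present, but unlike tests 07–09 in this commit the `args:` list has no `- --simulate-ips`, even though the directory is named `drop-ips`. If those counters are only registered when the engine runs in IPS mode, the `event_type: stats` filter would not match and the test would fail; if they are produced in plain pcap mode as well, that is worth stating so the next reader does not ask the same question. Either add `- --simulate-ips` under `args:` for consistency with 07–09, or put a one-line comment above the stats filter explaining why IPS mode is not needed here.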
diff --git a/tests/tcp-urgp-03-inline/suricata.rules b/tests/tcp-urgp-03-inline/suricata.rules
new file mode 100644 (file)
index 0000000..ae3a59c
--- /dev/null
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-03-inline/tcp-urgent1.pcap b/tests/tcp-urgp-03-inline/tcp-urgent1.pcap
new file mode 100644 (file)
index 0000000..4715352
Binary files /dev/null and b/tests/tcp-urgp-03-inline/tcp-urgent1.pcap differ
diff --git a/tests/tcp-urgp-03-inline/test.yaml b/tests/tcp-urgp-03-inline/test.yaml
new file mode 100644 (file)
index 0000000..3324924
--- /dev/null
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
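Review bot: This test.yaml is the same blob as tests/tcp-urgp-01-oob/test.yaml (index 3324924 in both file headers), so the test named `03-inline` runs with `--set stream.reassembly.urgent.policy=oob` and asserts exactly what test 01 already asserts. The rules file and pcap are also identical blobs (ae3a59c and 4715352), so the directory name is the only thing that differs. If the intent is to cover the inline urgent policy, the arg should presumably be `- --set stream.reassembly.urgent.policy=inline`, with the three alert counts re-derived for that mode; otherwise the duplicate test can be dropped.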
diff --git a/tests/tcp-urgp-04-2byte-XY/README.md b/tests/tcp-urgp-04-2byte-XY/README.md
new file mode 100644 (file)
index 0000000..ddd5b1c
--- /dev/null
@@ -0,0 +1,15 @@
+Test
+====
+
+Test to show last urg byte is treated as OOB.
+```
+$ python3 proof_of_concept_2bytes_unique_XY.py 
+HTTP/1.1 200 OK
+Server: Werkzeug/3.0.1 Python/3.12.3
+Date: Sun, 08 Dec 2024 08:57:56 GMT
+Content-Type: text/html; charset=utf-8
+Content-Length: 37
+Connection: close
+
+You've accessed the path: /malicXious
+```
diff --git a/tests/tcp-urgp-04-2byte-XY/suricata.rules b/tests/tcp-urgp-04-2byte-XY/suricata.rules
new file mode 100644 (file)
index 0000000..38b71b1
--- /dev/null
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicXious'"; content:"malicXious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicXious'"; http.uri; content:"malicXious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicXious'"; frame:http1.request; content:"malicXious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-04-2byte-XY/tcp-urgent-2byte-XY.pcap b/tests/tcp-urgp-04-2byte-XY/tcp-urgent-2byte-XY.pcap
new file mode 100644 (file)
index 0000000..223c507
Binary files /dev/null and b/tests/tcp-urgp-04-2byte-XY/tcp-urgent-2byte-XY.pcap differ
diff --git a/tests/tcp-urgp-04-2byte-XY/test.yaml b/tests/tcp-urgp-04-2byte-XY/test.yaml
new file mode 100644 (file)
index 0000000..3324924
--- /dev/null
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
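Review bot: The three alert counts are the only evidence that the second urgent byte was treated as OOB; a check on the logged URL would pin the reassembled request data directly, as tests 07–09 in this commit already do with `event_type: http`. The README added for this test shows the server received `/malicXious`, and sid 1000002 (`http.uri; content:"malicXious"`) alerting implies Suricata reassembled the same string, so the expected value should be `"/malicXious"` — confirm against the eve output before adding it. The added filter would sit after the existing three alert filters.
```yaml
checks:
  # … unchanged: the three alert.signature_id filters …
  - filter:
      count: 1
      match:
        event_type: http
        http.url: "/malicXious"
```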
diff --git a/tests/tcp-urgp-06-oob-within-limit/suricata.rules b/tests/tcp-urgp-06-oob-within-limit/suricata.rules
new file mode 100644 (file)
index 0000000..ae3a59c
--- /dev/null
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-06-oob-within-limit/tcp-urgent-1byte-64k.pcap b/tests/tcp-urgp-06-oob-within-limit/tcp-urgent-1byte-64k.pcap
new file mode 100644 (file)
index 0000000..8a57ab4
Binary files /dev/null and b/tests/tcp-urgp-06-oob-within-limit/tcp-urgent-1byte-64k.pcap differ
diff --git a/tests/tcp-urgp-06-oob-within-limit/test.yaml b/tests/tcp-urgp-06-oob-within-limit/test.yaml
new file mode 100644 (file)
index 0000000..d3ddeb4
--- /dev/null
@@ -0,0 +1,28 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+  - filter:
+      count: 0 # TODO find out why
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.tcp.urg: 64000
+        stats.tcp.reassembly_gap: 0
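Review bot: `count: 0 # TODO find out why` on the sid 1000001 filter turns an unexplained result into a passing expectation, so a later change that makes the raw-content rule alert again would fail this test without telling anyone whether that is a regression or the original problem being fixed. The same pcap makes the `http.uri` and `frame:http1.request` rules (1000002, 1000003) match, so only the raw stream match path behaves differently here; recording that observation next to the count, plus a tracking reference, would make the expectation reviewable, e.g. `count: 0 # raw content match does not fire with 64000 OOB bytes while the http.uri/frame rules do; tracked in <ISSUE-PLACEHOLDER>`.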
diff --git a/tests/tcp-urgp-07-oob-exceed-limit/suricata.rules b/tests/tcp-urgp-07-oob-exceed-limit/suricata.rules
new file mode 100644 (file)
index 0000000..f6efe93
--- /dev/null
@@ -0,0 +1,4 @@
+alert tcp any any -> any 9090 (content:"malicious"; nocase; sid:1000001; rev:1;)
+alert tcp any any -> any 9090 (http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+alert tcp any any -> any 9090 (frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM urgent OOB limit reached";  stream-event:reassembly_urgent_oob_limit_reached; classtype:protocol-command-decode; sid:2210066; rev:1;)
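Review bot: The three test rules (sids 1000001–1000003) carry no `msg:` option, whereas the rule files for tests 01–06 in this commit do; the same applies to tests/tcp-urgp-08-oob-exceed-limit-gap/suricata.rules and tests/tcp-urgp-09-oob-exceed-limit-inline/suricata.rules. Suricata loads such rules, but the resulting eve alerts then have no useful `alert.signature` text, which makes the output harder to read when a count check fails. A minimal message per rule, e.g. `msg:"urgent test raw content match";`, would be enough; the stream-event rule on the last line also has a doubled space before `stream-event:`.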
diff --git a/tests/tcp-urgp-07-oob-exceed-limit/tcp-urgent-1byte-66k.pcap b/tests/tcp-urgp-07-oob-exceed-limit/tcp-urgent-1byte-66k.pcap
new file mode 100644 (file)
index 0000000..25a25c2
Binary files /dev/null and b/tests/tcp-urgp-07-oob-exceed-limit/tcp-urgent-1byte-66k.pcap differ
diff --git a/tests/tcp-urgp-07-oob-exceed-limit/test.yaml b/tests/tcp-urgp-07-oob-exceed-limit/test.yaml
new file mode 100644 (file)
index 0000000..6cff4b0
--- /dev/null
@@ -0,0 +1,43 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+- --set stream.reassembly.urgent.oob-limit-policy=drop
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2210066
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/malicious"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.ips.accepted: 131549
+        stats.ips.blocked: 465
+        stats.ips.drop_reason.stream_urgent: 465
+        stats.tcp.urg: 66000
+        stats.tcp.reassembly_gap: 1
diff --git a/tests/tcp-urgp-08-oob-exceed-limit-gap/suricata.rules b/tests/tcp-urgp-08-oob-exceed-limit-gap/suricata.rules
new file mode 100644 (file)
index 0000000..6688916
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any 9090 (content:"malicious"; nocase; sid:1000001; rev:1;)
+alert tcp any any -> any 9090 (http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+alert tcp any any -> any 9090 (frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-08-oob-exceed-limit-gap/tcp-urgent-1byte-66k.pcap b/tests/tcp-urgp-08-oob-exceed-limit-gap/tcp-urgent-1byte-66k.pcap
new file mode 100644 (file)
index 0000000..25a25c2
Binary files /dev/null and b/tests/tcp-urgp-08-oob-exceed-limit-gap/tcp-urgent-1byte-66k.pcap differ
diff --git a/tests/tcp-urgp-08-oob-exceed-limit-gap/test.yaml b/tests/tcp-urgp-08-oob-exceed-limit-gap/test.yaml
new file mode 100644 (file)
index 0000000..c09d195
--- /dev/null
@@ -0,0 +1,38 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+- --set stream.reassembly.urgent.oob-limit-policy=gap
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/malicious"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.ips.accepted: 132014
+        stats.ips.blocked: 0
+        stats.ips.drop_reason.stream_reassembly: 0
+        stats.tcp.urg: 66000
+        stats.tcp.reassembly_gap: 1
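Review bot: The zero-valued drop counter checked here is `stats.ips.drop_reason.stream_reassembly`, while the counter that the `drop` limit policy in test 07 actually increments is `stats.ips.drop_reason.stream_urgent` (465 there). For the `gap` policy the more direct negative assertion is that no urgent-related drop occurred, so consider adding `stats.ips.drop_reason.stream_urgent: 0` (or using it in place of the `stream_reassembly` line) here and in tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml, which has the same stats block. `stats.ips.blocked: 0` already rules out drops overall, so this is about making the contrast with test 07 explicit rather than about coverage.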
diff --git a/tests/tcp-urgp-09-oob-exceed-limit-inline/suricata.rules b/tests/tcp-urgp-09-oob-exceed-limit-inline/suricata.rules
new file mode 100644 (file)
index 0000000..6688916
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any 9090 (content:"malicious"; nocase; sid:1000001; rev:1;)
+alert tcp any any -> any 9090 (http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+alert tcp any any -> any 9090 (frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap b/tests/tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap
new file mode 100644 (file)
index 0000000..25a25c2
Binary files /dev/null and b/tests/tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap differ
diff --git a/tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml b/tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml
new file mode 100644 (file)
index 0000000..9559a70
--- /dev/null
@@ -0,0 +1,38 @@
+requires:
+  min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+- --set stream.reassembly.urgent.oob-limit-policy=inline
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000002
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000003
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        http.url: "/malicXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXious"
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.ips.accepted: 132014
+        stats.ips.blocked: 0
+        stats.ips.drop_reason.stream_reassembly: 0
+        stats.tcp.urg: 66000
+        stats.tcp.reassembly_gap: 0