]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7881fb9)
Adds smb overlap evasion test
authorPhilippe Antoine <contact@catenacyber.fr>
Tue, 14 Apr 2020 11:46:02 +0000 (13:46 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 23 Feb 2021 10:05:40 +0000 (11:05 +0100)
tests/smb-eicar-overlap/README.md [new file with mode: 0644] patch | blob
tests/smb-eicar-overlap/input.pcap [new file with mode: 0644] patch | blob
tests/smb-eicar-overlap/test.rules [new file with mode: 0644] patch | blob
tests/smb-eicar-overlap/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/smb-eicar-overlap/README.md b/tests/smb-eicar-overlap/README.md
new file mode 100644 (file)
index 0000000..92f5dec
--- /dev/null
+++ b/tests/smb-eicar-overlap/README.md
@@ -0,0 +1,18 @@
+# Description
+
+Test SMB EICAR file rule with file overlap evasion.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared forlder public wihtout needed authentication)
+Command is
+`smbclient //192.168.1.3/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
+
+The proxy changes the Write request with :
+- a first dummy write of one byte at offset 0 is done
+- the second full write of EICAR at offset 0 is then done and does not trigger detection
+
+Now, an event is set for file overlaps.
diff --git a/tests/smb-eicar-overlap/input.pcap b/tests/smb-eicar-overlap/input.pcap
new file mode 100644 (file)
index 0000000..4df168e
Binary files /dev/null and b/tests/smb-eicar-overlap/input.pcap differ
diff --git a/tests/smb-eicar-overlap/test.rules b/tests/smb-eicar-overlap/test.rules
new file mode 100644 (file)
index 0000000..62b2f06
--- /dev/null
+++ b/tests/smb-eicar-overlap/test.rules
@@ -0,0 +1,3 @@
+alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
+
+alert smb any any -> any any (msg:"SURICATA SMB file overlap"; app-layer-event:smb.file_overlap; classtype:protocol-command-decode; sid:2225006; rev:1;)
diff --git a/tests/smb-eicar-overlap/test.yaml b/tests/smb-eicar-overlap/test.yaml
new file mode 100644 (file)
index 0000000..79eddfb
--- /dev/null
+++ b/tests/smb-eicar-overlap/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 2225006
Mirror of https://github.com/OISF/suricata-verify.git