tests: add test for bug 6008 SMB_COM_WRITE_ANDX data offset issue
authorLancer Cheng <b1tg@protonmail.ch>
Mon, 8 May 2023 10:00:44 +0000 (10:00 +0000)
committerVictor Julien <victor@inliniac.net>
Fri, 4 Aug 2023 08:57:59 +0000 (10:57 +0200)
Bug #6008

Updated by Victor Julien to:
- Trim pcap to only relevant flow
- Add readme and improve tests

tests/filestore-filecontainer-smb1-data-offset/input.pcap [new file with mode: 0644]
tests/filestore-filecontainer-smb1-data-offset/suricata.yaml [new file with mode: 0644]
tests/filestore-filecontainer-smb1-data-offset/test.rules [new file with mode: 0644]
tests/filestore-filecontainer-smb1-data-offset/test.yaml [new file with mode: 0644]

diff --git a/tests/filestore-filecontainer-smb1-data-offset/input.pcap b/tests/filestore-filecontainer-smb1-data-offset/input.pcap
new file mode 100644 (file)
index 0000000..36a7e34
Binary files /dev/null and b/tests/filestore-filecontainer-smb1-data-offset/input.pcap differ
diff --git a/tests/filestore-filecontainer-smb1-data-offset/suricata.yaml b/tests/filestore-filecontainer-smb1-data-offset/suricata.yaml
new file mode 100644 (file)
index 0000000..0864792
--- /dev/null
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - files
+        - stats
+  - file-store:
+      version: 2
+      enabled: yes
+      stream-depth: 0
+      write-fileinfo: true
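Review bot: `stream-depth: 0` and `write-fileinfo: true` are the two settings this test actually depends on, and neither carries a comment saying so, which makes them easy casualties of a later config cleanup. Suggested lines: `stream-depth: 0  # no limit, so the whole SMB transfer is stored` and `write-fileinfo: true  # test.yaml checks the per-file .json metadata records`. The second dependency is visible in test.yaml, whose `filename:` filters reference `filestore/<prefix>/<sha256>.<ts>.<id>.json` entries that only exist when fileinfo writing is on.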
diff --git a/tests/filestore-filecontainer-smb1-data-offset/test.rules b/tests/filestore-filecontainer-smb1-data-offset/test.rules
new file mode 100644 (file)
index 0000000..8e78350
--- /dev/null
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"filestore executables"; filemagic:"for MS Windows"; filestore; sid:13371337; rev:1;)
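Review bot: The rule keys on `filemagic:"for MS Windows"`, so the test depends on the exact wording of the installed libmagic database rather than on the SMB data-offset handling it is meant to cover; if that wording differs on a host, the failure shows up as the `count: 1` checks in test.yaml missing rather than as a filestore error. Matching the PE header directly (e.g. `file.data; content:"MZ"; startswith;`) would make the test independent of libmagic and let the `MAGIC` requirement be dropped, if filemagic itself is not part of what is being tested. Until then a comment such as `# wording comes from the libmagic database; a miss here means magic, not SMB` on the rule would tell the next maintainer where a failure originates.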
diff --git a/tests/filestore-filecontainer-smb1-data-offset/test.yaml b/tests/filestore-filecontainer-smb1-data-offset/test.yaml
new file mode 100644 (file)
index 0000000..c67a69a
--- /dev/null
@@ -0,0 +1,29 @@
+requires:
+  features:
+    - HAVE_NSS
+    - MAGIC
+    - RUST
+  files:
+    - src/output-filestore.c
+
+checks:
+  - filter:
+      count: 1
+      match:
+        fileinfo.sha256: 367964b64b83363362805824fae6732858f74f0e9fe527d6e9e05fe2f9e46645
+  - filter:
+      filename: "filestore/36/367964b64b83363362805824fae6732858f74f0e9fe527d6e9e05fe2f9e46645.1525123869.1.json"
+      count: 1
+      match:
+        fileinfo.sha256: 367964b64b83363362805824fae6732858f74f0e9fe527d6e9e05fe2f9e46645
+  - filter:
+      count: 1
+      match:
+        fileinfo.sha256: cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560
+  - filter:
+      filename: "filestore/cf/cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560.1525123869.2.json"
+      count: 1
+      match:
+        fileinfo.sha256: cf99990bee6c378cbf56239b3cc88276eec348d82740f84e9d5c343751f82560
+  - stats:
+      file_store.fs_errors: 0
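Review bot: The commit description says a readme was added, but the diffstat lists only input.pcap, suricata.yaml, test.rules and test.yaml, so the bug context (SMB_COM_WRITE_ANDX data offset, bug 6008) is not recorded anywhere in the test directory; either add the README.md the description promises or put a short header at the top of test.yaml. Something like `# Bug #6008: SMB1 WRITE_ANDX data offset handling; two files are extracted and their sha256 pinned below` would do. Separately, the `HAVE_NSS` requirement is worth confirming against the Suricata branches this is meant to run on — if a branch no longer reports that feature the test is skipped silently rather than failing. The two bare `filter` checks with no `filename:` presumably run against eve.json; naming it explicitly would make that obvious next to the filestore-json filters.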