dcerpc: add test for frames

author Shivani Bhardwaj <shivanib134@gmail.com>

Thu, 29 Aug 2024 10:59:11 +0000 (16:29 +0530)

committer Victor Julien <victor@inliniac.net>

Thu, 30 Jan 2025 09:52:05 +0000 (10:52 +0100)
author Shivani Bhardwaj <shivanib134@gmail.com>
Thu, 29 Aug 2024 10:59:11 +0000 (16:29 +0530)
committer Victor Julien <victor@inliniac.net>
Thu, 30 Jan 2025 09:52:05 +0000 (10:52 +0100)
diff --git a/tests/dcerpc/dcerpc-frames/README.md b/tests/dcerpc/dcerpc-frames/README.md

new file mode 100644 (file)

index 0000000..bf15e8c
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/README.md
@@ -0,0 +1,17 @@
+Description
+===========
+Test for DCERPC frames.
+Three types of frames exist for DCERPC:
+1. Hdr: Header
+2. Pdu: Protocol Data Unit
+3. Data: Data inside the PDU
+
+as per the generic PDU structure defined in https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_01
+
+PCAP
+====
+PCAP comes from an existing test.
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/4904
diff --git a/tests/dcerpc/dcerpc-frames/suricata.yaml b/tests/dcerpc/dcerpc-frames/suricata.yaml

new file mode 100644 (file)

index 0000000..ba97838
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - dcerpc
+        - frame
diff --git a/tests/dcerpc/dcerpc-frames/test.rules b/tests/dcerpc/dcerpc-frames/test.rules

new file mode 100644 (file)

index 0000000..db4b11f
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/test.rules
@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.hdr; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00|"; sid:1;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.pdu; content:"|05 00 0b 03 10 00 00 00 74 00 00 00 1b 00 00 00 d0 16 d0 16|"; sid:2;)
+alert dcerpc any any -> any any (flow:established,to_server; frame:dcerpc.data; content:"|d0 16 d0 16|"; sid:3;)
diff --git a/tests/dcerpc/dcerpc-frames/test.yaml b/tests/dcerpc/dcerpc-frames/test.yaml

new file mode 100644 (file)

index 0000000..d9f22a3
--- /dev/null
+++ b/tests/dcerpc/dcerpc-frames/test.yaml
@@ -0,0 +1,24 @@
+requires:
+  min-version: 8
+
+pcap: ../dcerpc-dce-iface-02/input.pcap
+
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
author	Shivani Bhardwaj <shivanib134@gmail.com>
	Thu, 29 Aug 2024 10:59:11 +0000 (16:29 +0530)
committer	Victor Julien <victor@inliniac.net>
	Thu, 30 Jan 2025 09:52:05 +0000 (10:52 +0100)
tests/dcerpc/dcerpc-frames/README.md	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-frames/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-frames/test.rules	[new file with mode: 0644]	patch \| blob
tests/dcerpc/dcerpc-frames/test.yaml	[new file with mode: 0644]	patch \| blob