tests: add tcp split handshake tests
authorVictor Julien <victor@inliniac.net>
Mon, 27 May 2024 14:43:37 +0000 (16:43 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 4 Jul 2024 14:23:01 +0000 (16:23 +0200)
tests/tcp-split-handshake-01-4whs/README.md [new file with mode: 0644]
tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap [new file with mode: 0644]
tests/tcp-split-handshake-01-4whs/split-handshake.py [new file with mode: 0755]
tests/tcp-split-handshake-01-4whs/test.rules [new file with mode: 0644]
tests/tcp-split-handshake-01-4whs/test.yaml [new file with mode: 0644]
tests/tcp-split-handshake-02-5whs/README.md [new file with mode: 0644]
tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap [new file with mode: 0644]
tests/tcp-split-handshake-02-5whs/test.rules [new file with mode: 0644]
tests/tcp-split-handshake-02-5whs/test.yaml [new file with mode: 0644]

diff --git a/tests/tcp-split-handshake-01-4whs/README.md b/tests/tcp-split-handshake-01-4whs/README.md
new file mode 100644 (file)
index 0000000..9694431
--- /dev/null
@@ -0,0 +1,3 @@
+Based on split handshake research by Tod Beardsley
+
+https://www.macrothink.org/journal/index.php/npa/article/view/285/807
diff --git a/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap b/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap
new file mode 100644 (file)
index 0000000..ddee6c3
Binary files /dev/null and b/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap differ
diff --git a/tests/tcp-split-handshake-01-4whs/split-handshake.py b/tests/tcp-split-handshake-01-4whs/split-handshake.py
new file mode 100755 (executable)
index 0000000..45c0094
--- /dev/null
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+src='1.1.1.1'
+dst='2.2.2.2'
+dport=80
+sport=12345
+smac='11:11:11:11:11:11'
+dmac='22:22:22:22:22:22'
+
+pkts = []
+
+# CLIENT: SYN
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="S",seq=1000)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=2000,ack=1001)
+# SERVER: SYN
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="S",seq=3000)
+# CLIENT: SYN/ACK
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="SA",seq=1000,ack=3001)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1001)
+
+# CLIENT: EVIL DATA
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="A",seq=1001,ack=3001)/"EVIL"
+# SERVER: ACK EVIL DATA
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1005)
+
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="R",seq=1005)
+
+wrpcap('split-handshake-5whs.pcap', pkts)
+
+
+pkts = []
+
+# CLIENT: SYN
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="S",seq=1000)
+# SERVER: SYN
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="S",seq=3000)
+# CLIENT: SYN/ACK
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="SA",seq=1000,ack=3001)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1001)
+
+# CLIENT: EVIL DATA
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="A",seq=1001,ack=3001)/"EVIL"
+# SERVER: ACK EVIL DATA
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1005)
+
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="R",seq=1005)
+
+wrpcap('split-handshake-4whs.pcap', pkts)
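Review bot: The script writes both `split-handshake-5whs.pcap` (line 72) and `split-handshake-4whs.pcap` (line 100) but is committed only under `tests/tcp-split-handshake-01-4whs/`, so nothing records that the pcap in `tcp-split-handshake-02-5whs` is regenerated from here; a module docstring after the shebang such as `"""Generate the 4whs and 5whs split-handshake pcaps for the tcp-split-handshake-01/02 tests; copy the 5whs output to ../tcp-split-handshake-02-5whs/."""` would make that explicit. Each `pkts += Ether(...)/...` appears to depend on scapy's Packet being iterable so that list `+=` extends by a single element; `pkts.append(Ether(...)/...)` states the intent directly and does not rely on that behaviour. The two sessions differ only in the extra `SERVER: ACK` at lines 50-51, so a small helper that builds one session from a `server_acks_first` flag would remove the duplicated client/server packet lines. `#!/usr/bin/env python` may resolve to Python 2 on some hosts; `#!/usr/bin/env python3` is the safer choice for a regeneration script.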
diff --git a/tests/tcp-split-handshake-01-4whs/test.rules b/tests/tcp-split-handshake-01-4whs/test.rules
new file mode 100644 (file)
index 0000000..50c4995
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"EVIL"; sid:2;)
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
diff --git a/tests/tcp-split-handshake-01-4whs/test.yaml b/tests/tcp-split-handshake-01-4whs/test.yaml
new file mode 100644 (file)
index 0000000..4bb2f0a
--- /dev/null
@@ -0,0 +1,16 @@
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
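Review bot: The checks pin exactly one alert per signature, but the file has no `requires` block, so if the split-handshake handling is new in the Suricata release this test targets, an older build would fail on a count mismatch instead of being skipped. Adding `requires:` with `min-version: <MIN-VERSION placeholder>` above `checks:` would make the dependency explicit. The same applies to `tests/tcp-split-handshake-02-5whs/test.yaml`, which is byte-identical to this file.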
diff --git a/tests/tcp-split-handshake-02-5whs/README.md b/tests/tcp-split-handshake-02-5whs/README.md
new file mode 100644 (file)
index 0000000..9694431
--- /dev/null
@@ -0,0 +1,3 @@
+Based on split handshake research by Tod Beardsley
+
+https://www.macrothink.org/journal/index.php/npa/article/view/285/807
diff --git a/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap b/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap
new file mode 100644 (file)
index 0000000..b37bb57
Binary files /dev/null and b/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap differ
diff --git a/tests/tcp-split-handshake-02-5whs/test.rules b/tests/tcp-split-handshake-02-5whs/test.rules
new file mode 100644 (file)
index 0000000..50c4995
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"EVIL"; sid:2;)
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
diff --git a/tests/tcp-split-handshake-02-5whs/test.yaml b/tests/tcp-split-handshake-02-5whs/test.yaml
new file mode 100644 (file)
index 0000000..4bb2f0a
--- /dev/null
@@ -0,0 +1,16 @@
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3