--- /dev/null
+#!/usr/bin/env python
+
+from uuid import uuid4
+from scapy.all import wrpcap, Ether, IP, UDP
+from scapy.contrib.dce_rpc import DceRpc
+
+
+def create_pkt(rtype, seqnum, obj, iface, act):
+ """
+ Create a DCE/RPC over UDP packet as per the given arguments.
+ This function is responsible for creating request as well as
+ response packets.
+
+ Scapy layering has been done (default) as per the TCP/IP model.
+
+ Data Link Layer (Ether)
+ |
+ Internet Layer (IP)
+ |
+ Transport Layer (UDP)
+ |
+ Application Layer (DceRpc)
+
+ """
+ # sport and dport at default make the packet be detected as
+ # a DNS packet by Wireshark so change it
+ return Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05') / \
+ IP(dst='255.255.255.255', src='192.168.0.1') / \
+ UDP(sport=80, dport=8000) / \
+ DceRpc(
+ type=rtype,
+ flags1=0x01,
+ sequence_num=seqnum,
+ object_uuid=obj,
+ interface_uuid=iface,
+ activity=act,
+ )
+
+
+def create_pcap():
+ """
+ Method to create a few request response cycles
+ """
+ pkts = list()
+ for i in range(0, 10):
+ if i % 2 == 0:
+ activity_uuid = uuid4()
+ pkts.append(create_pkt(rtype=0,
+ seqnum=i,
+ obj=uuid4(),
+ iface=uuid4(),
+ act=activity_uuid,))
+ else:
+ pkts.append(create_pkt(rtype=2,
+ seqnum=i-1,
+ obj=uuid4(),
+ iface=uuid4(),
+ act=activity_uuid,))
+ return pkts
+
+
+wrpcap('input.pcap', create_pcap())
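Review bot: The pcap this script writes is not reproducible, because every object, interface and activity UUID in `create_pcap` comes from `uuid4()`, so a re-run yields different `dcerpc.activityuuid` values than whatever the checked-in fixture and its expectations were generated from. Seeding the identifiers makes regeneration safe: e.g. `rng = random.Random(0)` at module level and `UUID(int=rng.getrandbits(128), version=4)` in place of each `uuid4()` call (with `import random` and `from uuid import UUID`). A smaller point is that `activity_uuid` is only bound in the even branch of the loop; that works because the loop starts at 0, but a `# request (even i) and the following response (odd i) share one activity UUID` comment would make the pairing intent explicit. Finally the `wrpcap('input.pcap', ...)` call runs at import time; guarding it with `if __name__ == '__main__':` lets `create_pkt`/`create_pcap` be imported without writing a file.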
--- /dev/null
+requires:
+ min-version: 6.0
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ dcerpc.activityuuid: dddc324e-03d8-af4e-86ee-7650df599e40
+ dcerpc.req.frag_cnt: 1
+ dcerpc.req.opnum: 0
+ dcerpc.req.stub_data_size: 0
+ dcerpc.request: REQUEST
+ dcerpc.res.frag_cnt: 1
+ dcerpc.res.stub_data_size: 0
+ dcerpc.response: RESPONSE
+ dcerpc.rpc_version: '4.0'
+ dcerpc.seqnum: 0
+ dest_ip: 255.255.255.255
+ dest_port: 8000
+ event_type: dcerpc
+ pcap_cnt: 2
+ proto: UDP
+ src_ip: 192.168.0.1
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ dcerpc.activityuuid: 83d81b49-4532-1e4b-9e9d-b3264564992e
+ dcerpc.req.frag_cnt: 1
+ dcerpc.req.opnum: 0
+ dcerpc.req.stub_data_size: 0
+ dcerpc.request: REQUEST
+ dcerpc.res.frag_cnt: 1
+ dcerpc.res.stub_data_size: 0
+ dcerpc.response: RESPONSE
+ dcerpc.rpc_version: '4.0'
+ dcerpc.seqnum: 2
+ dest_ip: 255.255.255.255
+ dest_port: 8000
+ event_type: dcerpc
+ pcap_cnt: 4
+ proto: UDP
+ src_ip: 192.168.0.1
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ dcerpc.activityuuid: 34c2dfa9-aaa5-3b4a-a899-1ff934073dcb
+ dcerpc.req.frag_cnt: 1
+ dcerpc.req.opnum: 0
+ dcerpc.req.stub_data_size: 0
+ dcerpc.request: REQUEST
+ dcerpc.res.frag_cnt: 1
+ dcerpc.res.stub_data_size: 0
+ dcerpc.response: RESPONSE
+ dcerpc.rpc_version: '4.0'
+ dcerpc.seqnum: 4
+ dest_ip: 255.255.255.255
+ dest_port: 8000
+ event_type: dcerpc
+ pcap_cnt: 6
+ proto: UDP
+ src_ip: 192.168.0.1
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ dcerpc.activityuuid: 45c10d80-5695-384c-b710-0d51f16d9406
+ dcerpc.req.frag_cnt: 1
+ dcerpc.req.opnum: 0
+ dcerpc.req.stub_data_size: 0
+ dcerpc.request: REQUEST
+ dcerpc.res.frag_cnt: 1
+ dcerpc.res.stub_data_size: 0
+ dcerpc.response: RESPONSE
+ dcerpc.rpc_version: '4.0'
+ dcerpc.seqnum: 6
+ dest_ip: 255.255.255.255
+ dest_port: 8000
+ event_type: dcerpc
+ pcap_cnt: 8
+ proto: UDP
+ src_ip: 192.168.0.1
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ dcerpc.activityuuid: de28b15f-be84-f74c-8d6d-47b041bfba76
+ dcerpc.req.frag_cnt: 1
+ dcerpc.req.opnum: 0
+ dcerpc.req.stub_data_size: 0
+ dcerpc.request: REQUEST
+ dcerpc.res.frag_cnt: 1
+ dcerpc.res.stub_data_size: 0
+ dcerpc.response: RESPONSE
+ dcerpc.rpc_version: '4.0'
+ dcerpc.seqnum: 8
+ dest_ip: 255.255.255.255
+ dest_port: 8000
+ event_type: dcerpc
+ pcap_cnt: 10
+ proto: UDP
+ src_ip: 192.168.0.1
+ src_port: 80
+- filter:
+ count: 1
+ match:
+ app_proto: dcerpc
+ dest_ip: 255.255.255.255
+ dest_port: 8000
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 1220
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 10
+ flow.reason: shutdown
+ flow.state: new
+ proto: UDP
+ src_ip: 192.168.0.1
+ src_port: 80
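Review bot: The closing `flow` check pins `flow.pkts_toclient: 0` and `flow.pkts_toserver: 10`, which means the response packets in the fixture travel in the same direction as the requests (the generator hard-codes the same src/dst addresses and ports for type 2 packets as for type 0), so this test never exercises a response arriving from the server side. If that is deliberate, a short comment above the check such as `# all 10 packets are client->server; responses are not reflected back` would stop a reader from mistaking the zero for a parser gap; otherwise swapping src/dst for responses in the generator and updating these counts would cover the real request/response path. The five `dcerpc` checks are also specific to one particular pcap, since their activity UUIDs cannot be reproduced from the generator as written, so fixture and expectations must always be regenerated together.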