]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7064e6b)
Adds test for SMB EICAR file by segmentation between NetBIOS and SMB
authorDEL VALLE Bastien <bastien.del-valle@telecomnancy.eu>
Tue, 3 Mar 2020 17:45:20 +0000 (18:45 +0100)
committerVictor Julien <victor@inliniac.net>
Sun, 26 Apr 2020 12:00:32 +0000 (14:00 +0200)
tests/smb-eicar-file-segmentation-postheader/README.md [new file with mode: 0644] patch | blob
tests/smb-eicar-file-segmentation-postheader/input.pcap [new file with mode: 0644] patch | blob
tests/smb-eicar-file-segmentation-postheader/test.rules [new file with mode: 0644] patch | blob
tests/smb-eicar-file-segmentation-postheader/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/smb-eicar-file-segmentation-postheader/README.md b/tests/smb-eicar-file-segmentation-postheader/README.md
new file mode 100644 (file)
index 0000000..b967630
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-postheader/README.md
@@ -0,0 +1,15 @@
+# Description
+
+Test SMB EICAR file rule.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared folder public without needed authentication)
+
+Needs a Proxy that can cut and send the request into 2 pieces at the end of the smb header
+
+Command is
+`smbclient //localhost/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
diff --git a/tests/smb-eicar-file-segmentation-postheader/input.pcap b/tests/smb-eicar-file-segmentation-postheader/input.pcap
new file mode 100644 (file)
index 0000000..229c102
Binary files /dev/null and b/tests/smb-eicar-file-segmentation-postheader/input.pcap differ
diff --git a/tests/smb-eicar-file-segmentation-postheader/test.rules b/tests/smb-eicar-file-segmentation-postheader/test.rules
new file mode 100644 (file)
index 0000000..fcb9e44
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-postheader/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
diff --git a/tests/smb-eicar-file-segmentation-postheader/test.yaml b/tests/smb-eicar-file-segmentation-postheader/test.yaml
new file mode 100644 (file)
index 0000000..c1282b1
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-postheader/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
Mirror of https://github.com/OISF/suricata-verify.git