Adds test about IPv6 smurf detection
authorPhilippe Antoine <contact@catenacyber.fr>
Fri, 23 Jul 2021 15:44:06 +0000 (17:44 +0200)
committerJason Ish <jason.ish@oisf.net>
Tue, 28 Sep 2021 16:21:35 +0000 (10:21 -0600)
i.e. a (spoofed) ping sent to a multicast address.

tests/ipv6-evasion/ipv6-rsmurf/README.md [new file with mode: 0644]
tests/ipv6-evasion/ipv6-rsmurf/rsmurf6.pcap [new file with mode: 0644]
tests/ipv6-evasion/ipv6-rsmurf/test.rules [new file with mode: 0644]
tests/ipv6-evasion/ipv6-rsmurf/test.yaml [new file with mode: 0644]
tests/ipv6-evasion/ipv6-smurf/README.md [new file with mode: 0644]
tests/ipv6-evasion/ipv6-smurf/smurf6.pcap [new file with mode: 0644]
tests/ipv6-evasion/ipv6-smurf/test.rules [new file with mode: 0644]
tests/ipv6-evasion/ipv6-smurf/test.yaml [new file with mode: 0644]

diff --git a/tests/ipv6-evasion/ipv6-rsmurf/README.md b/tests/ipv6-evasion/ipv6-rsmurf/README.md
new file mode 100644 (file)
index 0000000..f56d54d
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Detect an attack that sends a ping from a multicast address to the victim.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-rsmurf/rsmurf6.pcap b/tests/ipv6-evasion/ipv6-rsmurf/rsmurf6.pcap
new file mode 100644 (file)
index 0000000..39fb189
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-rsmurf/rsmurf6.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-rsmurf/test.rules b/tests/ipv6-evasion/ipv6-rsmurf/test.rules
new file mode 100644 (file)
index 0000000..ab12d88
--- /dev/null
@@ -0,0 +1,2 @@
+# It detects pings to multicast addresses
+alert icmpv6 any any -> ff00::/8 any (itype:128; sid:1;)
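Review bot: The rule on the second line only matches echo requests whose destination is ff00::/8, but the README for this test describes rsmurf as a ping sent from a multicast source to the victim, so the signature and the description disagree. If the pcap really carries requests with a multicast source address, a rule keyed on the source, `alert icmpv6 ff00::/8 any -> any any (itype:128; sid:1;)`, would detect that variant rather than duplicating the plain smurf rule; if instead the packets are destined to multicast, the README should say so. Either way the comment `# It detects pings to multicast addresses` should describe what the test actually claims to detect.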
diff --git a/tests/ipv6-evasion/ipv6-rsmurf/test.yaml b/tests/ipv6-evasion/ipv6-rsmurf/test.yaml
new file mode 100644 (file)
index 0000000..5855ad2
--- /dev/null
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 1000
+        match:
+            event_type: alert
+            alert.signature_id: 1
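Review bot: The filter only asserts that 1000 alerts carry signature_id 1, which would also pass if the alerts were raised by traffic with a different protocol or target than the one this test is about. Adding `proto: IPV6-ICMP` to the match block, and a `dest_ip` value taken from the pcap if all 1000 requests share one target, would pin the check to the behaviour the README describes. The HAVE_LIBJANSSON requirement appears to matter only for Suricata builds old enough to make JSON output optional, so it may be dead weight here; worth confirming against the minimum version suricata-verify still targets.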
diff --git a/tests/ipv6-evasion/ipv6-smurf/README.md b/tests/ipv6-evasion/ipv6-smurf/README.md
new file mode 100644 (file)
index 0000000..ecdee52
--- /dev/null
@@ -0,0 +1,7 @@
+# Description
+
+Detect an attack that sends a ping with the IP of the victim to a multicast address.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-smurf/smurf6.pcap b/tests/ipv6-evasion/ipv6-smurf/smurf6.pcap
new file mode 100644 (file)
index 0000000..6a7e3e8
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-smurf/smurf6.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-smurf/test.rules b/tests/ipv6-evasion/ipv6-smurf/test.rules
new file mode 100644 (file)
index 0000000..ab12d88
--- /dev/null
@@ -0,0 +1,2 @@
+# It detects pings to multicast addresses
+alert icmpv6 any any -> ff00::/8 any (itype:128; sid:1;)
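Review bot: The signature alerts on every ICMPv6 echo request addressed to any multicast group, including ordinary `ping ff02::1` all-nodes probes used for host discovery, so outside this test it would fire on benign traffic as readily as on a smurf flood. Because smurf is a volume attack, a deployable version would rate-limit with `threshold: type both, track by_src, count 100, seconds 10` and carry a `msg`, `classtype` and `rev`; a threshold would change the per-packet alert count the accompanying test.yaml expects, so it belongs in a separate rule/test pair rather than this one. The rule also ignores the source address entirely, although the spoofed source is what distinguishes a smurf from a plain multicast ping; a sensor that knows its own prefixes may be able to narrow it by matching `$HOME_NET` as the source on external-facing links.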
diff --git a/tests/ipv6-evasion/ipv6-smurf/test.yaml b/tests/ipv6-evasion/ipv6-smurf/test.yaml
new file mode 100644 (file)
index 0000000..a22a0af
--- /dev/null
@@ -0,0 +1,11 @@
+
+requires:
+    features:
+        - HAVE_LIBJANSSON
+
+checks:
+    - filter:
+        count: 282345
+        match:
+            event_type: alert
+            alert.signature_id: 1
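Review bot: The expected count of 282345 is a magic number with no indication of where it comes from, so a maintainer cannot tell whether a change in the count means a regression or a new pcap. A one-line comment above the check, `# one alert per ICMPv6 echo request to ff00::/8 in smurf6.pcap`, would let the value be re-derived with tshark when the rule or capture changes. Since suricata-verify filters are exact, the count also implicitly guards against the rule firing on packets it should not, which is worth stating in the same comment.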