tests: add bug 6244 RST with data tests 1344/head 1345/head
authorVictor Julien <victor@inliniac.net>
Fri, 4 Aug 2023 06:59:16 +0000 (08:59 +0200)
committerVictor Julien <victor@inliniac.net>
Fri, 4 Aug 2023 08:58:40 +0000 (10:58 +0200)
tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap [new file with mode: 0644]
tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py [new file with mode: 0755]
tests/bug-6244-tcp-rst-with-data-02/test.rules [new file with mode: 0644]
tests/bug-6244-tcp-rst-with-data-02/test.yaml [new file with mode: 0644]
tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap [new file with mode: 0644]
tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py [new file with mode: 0755]
tests/bug-6244-tcp-rst-with-data/test.rules [new file with mode: 0644]
tests/bug-6244-tcp-rst-with-data/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap
new file mode 100644 (file)
index 0000000..fbd0f67
Binary files /dev/null and b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap differ
diff --git a/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py
new file mode 100755 (executable)
index 0000000..33fa262
--- /dev/null
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='R',seq=1018,window=65535)/"Access Denied"
+
+wrpcap('tcp-rst-with-data.pcap', pkts)
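Review bot: The generator carries no header comment saying which flow it models, yet that is exactly what a reader needs to see why test.yaml expects sid 5 (`"Please Let Me In!Access Denied"`) to fire zero times; a short module docstring would help, e.g. stating that the client 1.1.1.1:12345 → server 2.2.2.2:8080 handshake on VLAN 6 is followed by four PSH/ACK segments from the server spelling "Please Let Me In!" and then a server RST (no ACK bit, seq=1018, the next in-sequence number) carrying the payload "Access Denied", which must not be appended to the reassembled stream. On the import and shebang lines, `from scapy.all import *` pulls the whole scapy namespace into the module and `#!/usr/bin/env python` resolves to no interpreter on hosts without a `python` alias; `from scapy.all import Ether, Dot1Q, IP, TCP, wrpcap` and `#!/usr/bin/env python3` would be more explicit. The same applies to the generator in the later hunk at tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py, whose only difference is the final packet: there the RST/ACK is sent by the client (seq=2, ack=1018), and the docstring should say so since that is the whole distinction between the two tests.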
diff --git a/tests/bug-6244-tcp-rst-with-data-02/test.rules b/tests/bug-6244-tcp-rst-with-data-02/test.rules
new file mode 100644 (file)
index 0000000..f5cc648
--- /dev/null
@@ -0,0 +1,7 @@
+alert tcp-pkt any any -> any any (tcp.flags:R,A; content:"Access Denied"; startswith; endswith; sid:1;)
+# FP as RST data is not part of the stream
+alert tcp any any -> any any (flow:only_stream; content:"Access Denied"; sid:2;)
+# TODO why is this not the same as sid 2?
+#alert tcp-stream any any -> any any (content:"Access Denied"; sid:3;)
+alert tcp any any -> any any (content:"Please Let Me In!"; sid:4;)
+alert tcp any any -> any any (content:"Please Let Me In!Access Denied"; sid:5;)
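Review bot: The comment `# FP as RST data is not part of the stream` above sid 2 reads as though sid 2 is a known false positive, whereas test.yaml expects it to fire zero times; `# must not match: the RST payload is not part of the reassembled stream, so a hit here would be a false positive` states the intent unambiguously. The `# TODO why is this not the same as sid 2?` above the commented-out sid 3 leaves an open question inside a regression test, where it is likely to be forgotten; either resolve it before merge or name the issue that tracks it in the comment. The rules file in the later hunk at tests/bug-6244-tcp-rst-with-data/test.rules carries the same TODO and the same sid 2 rule, there without any comment at all.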
diff --git a/tests/bug-6244-tcp-rst-with-data-02/test.yaml b/tests/bug-6244-tcp-rst-with-data-02/test.yaml
new file mode 100644 (file)
index 0000000..74185ef
--- /dev/null
@@ -0,0 +1,25 @@
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 5
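Review bot: The checks pin the fixed behaviour (sid 2 and sid 5 must not fire) but there is no `requires:` block, so on a Suricata build that predates the fix for bug 6244 this test fails instead of being skipped. If the suite's convention is to gate such tests, add `requires:` with `min-version: <first fixed release>` (placeholder; use the release the fix actually ships in). The same applies to tests/bug-6244-tcp-rst-with-data/test.yaml in the later hunk.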
diff --git a/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap
new file mode 100644 (file)
index 0000000..ba08ec4
Binary files /dev/null and b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap differ
diff --git a/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py
new file mode 100755 (executable)
index 0000000..1bb8420
--- /dev/null
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1018,window=65535)/"Access Denied"
+
+wrpcap('tcp-rst-with-data.pcap', pkts)
diff --git a/tests/bug-6244-tcp-rst-with-data/test.rules b/tests/bug-6244-tcp-rst-with-data/test.rules
new file mode 100644 (file)
index 0000000..06c283f
--- /dev/null
@@ -0,0 +1,5 @@
+alert tcp-pkt any any -> any any (tcp.flags:R,A; content:"Access Denied"; startswith; endswith; sid:1;)
+alert tcp any any -> any any (flow:only_stream; content:"Access Denied"; sid:2;)
+# TODO why is this not the same as sid 2?
+#alert tcp-stream any any -> any any (content:"Access Denied"; sid:3;)
+alert tcp any any -> any any (content:"Please Let Me In!"; sid:4;)
diff --git a/tests/bug-6244-tcp-rst-with-data/test.yaml b/tests/bug-6244-tcp-rst-with-data/test.yaml
new file mode 100644 (file)
index 0000000..dc6cd45
--- /dev/null
@@ -0,0 +1,20 @@
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4