decode-event: Add test for too small UDP and TCP packets 1263/head
authorCole Dishington <Cole.Dishington@alliedtelesis.co.nz>
Wed, 24 May 2023 23:25:08 +0000 (11:25 +1200)
committerJason Ish <jason.ish@oisf.net>
Tue, 20 Jun 2023 16:30:42 +0000 (10:30 -0600)
Add test for IPv4 and IPv6 packets that set proto/next-header to UDP and
TCP but have no payload.

Bug: #6086.

tests/decode-too-small/README.md [new file with mode: 0644]
tests/decode-too-small/test.pcap [new file with mode: 0644]
tests/decode-too-small/test.py [new file with mode: 0644]
tests/decode-too-small/test.rules [new file with mode: 0644]
tests/decode-too-small/test.yaml [new file with mode: 0644]

diff --git a/tests/decode-too-small/README.md b/tests/decode-too-small/README.md
new file mode 100644 (file)
index 0000000..9bcf613
--- /dev/null
@@ -0,0 +1,8 @@
+# Test Purpose
+
+Test that an empty TCP and UDP packets ontop of IPv4 and IPv6 are
+detected as decode-event failures.
+
+## PCAP
+
+This PCAP was generated with scapy.
\ No newline at end of file
diff --git a/tests/decode-too-small/test.pcap b/tests/decode-too-small/test.pcap
new file mode 100644 (file)
index 0000000..4ca0440
Binary files /dev/null and b/tests/decode-too-small/test.pcap differ
diff --git a/tests/decode-too-small/test.py b/tests/decode-too-small/test.py
new file mode 100644 (file)
index 0000000..b94dee3
--- /dev/null
@@ -0,0 +1,16 @@
+from scapy.all import Ether, IP, IPv6, PcapWriter, Raw
+
+with PcapWriter('test.pcap') as pcap:
+    # TCP and UDP too small packets
+    udp_payload = Raw(b'\x81\x58\x00\x35')  # Half a UDP header
+    s_mac = 'cb:cf:2b:50:a7:61'
+    d_mac = '49:a2:25:1a:07:4a'
+    proto_udp = 17
+    proto_tcp = 6
+
+    pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_tcp))
+    pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp))
+    pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp) / udp_payload)
+    pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_tcp))
+    pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp))
+    pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp) / udp_payload)
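Review bot: test.py carries no header saying what it is, so a reader cannot tell from the file whether the harness runs it or whether it is the one-off generator that produced test.pcap; the README says the PCAP was generated with scapy, so a module docstring such as `"""Generator for test.pcap (run manually; requires scapy). Writes empty TCP/UDP packets over IPv4/IPv6 plus a 4-byte truncated UDP header."""` at the top would make that explicit. The Ethernet header is rebuilt six times with the same `Ether(src=s_mac, dst=d_mac)`; binding it once, `eth = Ether(src=s_mac, dst=d_mac)`, and writing `eth / IP(...)` keeps the six packet lines short enough to read. `proto_udp = 17` and `proto_tcp = 6` are the IANA protocol numbers used for the IPv4 proto and IPv6 next-header fields; a short comment saying so would save the next reader a lookup.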
diff --git a/tests/decode-too-small/test.rules b/tests/decode-too-small/test.rules
new file mode 100644 (file)
index 0000000..0266a9c
--- /dev/null
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
+alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
diff --git a/tests/decode-too-small/test.yaml b/tests/decode-too-small/test.yaml
new file mode 100644 (file)
index 0000000..63cf6bb
--- /dev/null
@@ -0,0 +1,32 @@
+checks:
+  # Look for IPv4 TCP too small
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        src_ip: 1.1.1.1
+        alert.signature_id: 1
+
+  # Look for IPv6 TCP too small
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+        alert.signature_id: 1
+
+  # Look for IPv4 UDP too small
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        src_ip: 1.1.1.1
+        alert.signature_id: 2
+
+  # Look for IPv6 UDP too small
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+        alert.signature_id: 2
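Review bot: The checks assume the decoder already raises tcp.pkt_too_small and udp.hlen_too_small for these packets, which is the fix tracked as #6086 in the description; if that fix is not present on every branch this suite runs against, the test will fail there rather than be skipped. A `requires:` block with `min-version: <first version containing the #6086 fix>` at the top of test.yaml would gate it (placeholder to be filled in from the fix's release). The IPv6 src_ip values are written in the fully expanded form `fd01:0000:0000:0000:0000:0000:0101:0101`; a one-line comment noting that this matches how the EVE output renders IPv6 addresses would explain why the compact `fd01::101:101` form is not used.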