decode-event: Add test case for GRE packet too small 1321/head
authorCole Dishington <Cole.Dishington@alliedtelesis.co.nz>
Mon, 10 Jul 2023 02:09:16 +0000 (14:09 +1200)
committerVictor Julien <victor@inliniac.net>
Fri, 21 Jul 2023 07:42:27 +0000 (09:42 +0200)
Add test for IPv4 and IPv6 packets that set proto/next-header to GRE but
have an invalid payload.

Bug: #6222

tests/decode-too-small/test.pcap
tests/decode-too-small/test.py
tests/decode-too-small/test.rules
tests/decode-too-small/test.yaml

index 4ca04409ac407725dcdf723487b0cb23772d8783..efd0dcf4e0a806f9c49a61f765924f8431df3308 100644 (file)
Binary files a/tests/decode-too-small/test.pcap and b/tests/decode-too-small/test.pcap differ
index b94dee34ce0b5886226b019f378382cf37bcc429..7195c070957a76942971a4a79c32c6ba6e82202a 100644 (file)
@@ -1,16 +1,31 @@
 from scapy.all import Ether, IP, IPv6, PcapWriter, Raw
 
 with PcapWriter('test.pcap') as pcap:
-    # TCP and UDP too small packets
+    # Too small packets
     udp_payload = Raw(b'\x81\x58\x00\x35')  # Half a UDP header
-    s_mac = 'cb:cf:2b:50:a7:61'
-    d_mac = '49:a2:25:1a:07:4a'
+    gre_payload = Raw(b'\x00\x00') # Half of non-optional GRE hdr
+
+    proto_gre = 47
     proto_udp = 17
     proto_tcp = 6
 
-    pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_tcp))
-    pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp))
-    pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp) / udp_payload)
-    pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_tcp))
-    pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp))
-    pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp) / udp_payload)
+    def mk_pkt(proto, ver=4):
+        s_mac, d_mac = 'cb:cf:2b:50:a7:61', '49:a2:25:1a:07:4a'
+        pkt = Ether(src=s_mac, dst=d_mac)
+        if ver == 4:
+            s_ip, d_ip = '1.1.1.1', '2.2.2.2'
+            pkt /= IP(src=s_ip, dst=d_ip, proto=proto)
+        else:
+            s_ipv6 = f'fd01::1.1.1.1'
+            d_ipv6 = f'fd02::2.2.2.2'
+            pkt /= IPv6(src=s_ipv6, dst=d_ipv6, nh=proto)
+        return pkt
+
+    pcap.write(mk_pkt(proto_tcp))
+    pcap.write(mk_pkt(proto_udp))
+    pcap.write(mk_pkt(proto_udp) / udp_payload)
+    pcap.write(mk_pkt(proto_gre) / gre_payload)
+    pcap.write(mk_pkt(proto_tcp, ver=6))
+    pcap.write(mk_pkt(proto_udp, ver=6))
+    pcap.write(mk_pkt(proto_udp, ver=6) / udp_payload)
+    pcap.write(mk_pkt(proto_gre, ver=6) / gre_payload)
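Review bot: `mk_pkt` treats every `ver` other than 4 as IPv6, so a mistyped version silently produces an IPv6 frame and the generated pcap no longer matches what test.yaml expects. I would make the second branch `elif ver == 6:` and finish with `else: raise ValueError(f'unsupported IP version: {ver}')`. The `f` prefix on `f'fd01::1.1.1.1'` and `f'fd02::2.2.2.2'` has no placeholders and can be dropped. A one-line docstring on `mk_pkt` stating that it returns an Ether/IP or Ether/IPv6 frame with the given protocol number and no transport payload would also help, because the test depends on that payload being absent or truncated.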
index 0266a9ce8a0f01eb713b1d2c939f3eb667ca3a01..399d4cd4dc241097371cf2562fc6c414ba3fdce3 100644 (file)
@@ -1,2 +1,3 @@
 alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
 alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
+alert ip any any -> any any (msg:"GRE packet too small"; decode-event:gre.pkt_too_small; sid:3;)
index 63cf6bba1953d26e5f3af7d680f9821f1de1b7b5..ffbcfd8806a46420b0e729c8d7946a20c1ebf72a 100644 (file)
@@ -30,3 +30,19 @@ checks:
         event_type: alert
         src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
         alert.signature_id: 2
+
+  # Look for IPv4 GRE too small
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        src_ip: 1.1.1.1
+        alert.signature_id: 3
+
+  # Look for IPv6 GRE too small
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+        alert.signature_id: 3
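Review bot: The two new filters identify the GRE alerts only by `src_ip` and `alert.signature_id`, and test.py sends four packets from each source address, so the checks do not show which packet raised sid 3. Going by the write order in test.py, the truncated GRE frames are packets 4 and 8. Adding `pcap_cnt: 4` to the IPv4 match and `pcap_cnt: 8` to the IPv6 match would tie each alert to the intended packet, assuming the committed test.pcap was regenerated from that script. The `checks:` list begins above this hunk, so I cannot see whether the existing TCP/UDP filters already do the same.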