Add tests for bad handling of unacked data following a RST.
The additional data should not lead to new transactions (tx) or files.
--- /dev/null
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
--- /dev/null
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
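Review bot: The zero-valued limits at `request-body-limit: 0`, `response-body-limit: 0` and `file-store.stream-depth: 0` carry no comment saying what a 0 means here, and since the test's point is that post-RST data must not produce extra files, a reader needs to know that extraction is deliberately unbounded rather than switched off. Suggest a comment above the `file-store:` block such as `# 0 = no depth limit, so a limit can never be what truncates the post-RST data — confirm against the default suricata.yaml`. The commented-out `#- drop:` / `# verdict: yes` stanza and `# error-policy: ignore` are dead boilerplate copied from the default config and could be dropped to keep the test config minimal. This config is repeated verbatim for the three sibling tests; if the harness allows a shared file, one copy would avoid the four drifting apart.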
--- /dev/null
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: b95aa84c9ac4948c8565202e016933644c592c366525b2790857615ca7e6f665
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 1
+ stats.app_layer.flow.http: 1
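Review bot: This check set has no `event_type: http` filter, while the sibling tests on the same pcap assert `count: 1` on it; without it, a spurious transaction is caught only through `stats.app_layer.tx.http`, and a logged http record that is not reflected in that counter would pass. Suggest adding `- filter:` / `count: 1` / `match:` / `event_type: http` between the fileinfo and stats filters, matching the other tests. The `event_type: stats` check with `count: 1` is also coupled to `stats.interval: 8` in suricata.yaml; if the pcap spans longer than that a second stats record would break the count, so a short comment stating that the pcap is shorter than the interval would help. The README for this test speaks of "post-GAP data" while the commit title says "unacked data following a RST"; one term in both places would make the intent easier to find later.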
--- /dev/null
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
--- /dev/null
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
--- /dev/null
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: 8ff57c7fc0d4babd27e2e914ad9b556b1b980a69710d3917266ec1cb4edbb782
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 1
+ stats.app_layer.flow.http: 1
--- /dev/null
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
--- /dev/null
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: b6e5d8314e3c65a277af9db044b0cd6df1b641c0378703a5ab5de6d54cb9033f
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: 33d346033ff4559e8f74a90112232610f4ea63db60a3f7434745a1aae5ea9169
+ - filter:
+ count: 2
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 2
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 2
+ stats.app_layer.flow.http: 1
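Review bot: `-k none` in `args:` disables checksum validation for this test, but nothing says why this variant needs it when the first two tests on the same base pcap run without it; if the packets were edited to construct the post-RST data, stale checksums would explain it. Suggest `# -k none: disable checksum validation, the crafted post-RST packets carry bad checksums — confirm` above the argument. The expected `stats.app_layer.tx.http: 2` and two `fileinfo` records also read as a contradiction of the commit message's "should not lead to new tx's or files" unless this variant legitimately carries two transactions; a one-line comment on the checks saying that the second tx/file is a genuine one and not the post-RST data would stop a future reader from "fixing" the counts back to 1.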
--- /dev/null
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
--- /dev/null
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: 2a6d1d2d85129cf9e84290a94e7b4d7cfe09d80c47a899dbc04cc61cc737c5a4
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 1
+ # Should be 1, but gives 23. See https://redmine.openinfosecfoundation.org/issues/7238
+ #stats.app_layer.flow.http: 1
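Review bot: The commented-out `stats.app_layer.flow.http: 1` leaves the flow counter entirely unasserted, so a change that moves the value from 23 to anything else — including the fix for the linked issue — passes silently and the test never records when the issue is resolved. Prefer pinning the observed value, `stats.app_layer.flow.http: 23  # wrong, should be 1 — see https://redmine.openinfosecfoundation.org/issues/7238`, so that the fix fails this test and forces the expectation back to 1; if the harness supports marking a single check as pending or expected-failure, that is the better option. A flow counter of 23 against `tx.http: 1` on what the sibling tests treat as a single HTTP flow presumably means the counter is bumped per app-layer invocation rather than per flow, which is what the issue appears to track — worth stating in the comment so the next reader does not have to rediscover it.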