Adds test for SMB AndX evasion

diff --git a/tests/smb-eicar-andx/README.md b/tests/smb-eicar-andx/README.md
new file mode 100644 (file)
index 0000000..a3b606b
--- /dev/null
+++ b/tests/smb-eicar-andx/README.md
@@ -0,0 +1,21 @@
+# Description
+
+Test SMB EICAR file rule with AndX evasion.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a server which is a Windows10 with public shared folder named catena without password
+Command is
+`smbclient -p 4445 //192.168.1.12/catena/ -U" "%" " -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
+
+cf https://redmine.openinfosecfoundation.org/issues/3475
+
+The proxy changes the Write request with chained AndX commands :
+- Locking
+- Write
+- Close
+
+and putting the data written to the file after the Close Request

diff --git a/tests/smb-eicar-andx/smbandx.pcap b/tests/smb-eicar-andx/smbandx.pcap
new file mode 100644 (file)
index 0000000..1542954
Binary files /dev/null and b/tests/smb-eicar-andx/smbandx.pcap differ

diff --git a/tests/smb-eicar-andx/test.rules b/tests/smb-eicar-andx/test.rules
new file mode 100644 (file)
index 0000000..fcb9e44
--- /dev/null
+++ b/tests/smb-eicar-andx/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)

diff --git a/tests/smb-eicar-andx/test.yaml b/tests/smb-eicar-andx/test.yaml
new file mode 100644 (file)
index 0000000..c1282b1
--- /dev/null
+++ b/tests/smb-eicar-andx/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1