From: Philippe Antoine
Date: Fri, 10 Sep 2021 11:38:05 +0000 (+0200)
Subject: Adds tests about IPv6 fragmentation
X-Git-Tag: suricata-6.0.4~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0aa30e6ac6f05963b9aa1c76633e128989b84a07;p=thirdparty%2Fsuricata-verify.git
Adds tests about IPv6 fragmentation
---
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap
new file mode 100644
index 000000000..ec117bc4f
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap
new file mode 100644
index 000000000..606f8941c
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.rules
new file mode 100644
index 000000000..1279331ec
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml
new file mode 100644
index 000000000..edb943475
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200015
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap
new file mode 100644
index 000000000..54147acea
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules
new file mode 100644
index 000000000..1279331ec
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml
new file mode 100644
index 000000000..edb943475
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200015
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap
new file mode 100644
index 000000000..37d554249
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules
new file mode 100644
index 000000000..1279331ec
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml
new file mode 100644
index 000000000..edb943475
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200015
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap
new file mode 100644
index 000000000..0d3593291
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.rules
new file mode 100644
index 000000000..91bfd63a7
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml
new file mode 100644
index 000000000..7c5936607
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200071
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap
new file mode 100644
index 000000000..3223b1c8d
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules
new file mode 100644
index 000000000..91bfd63a7
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml
new file mode 100644
index 000000000..7c5936607
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200071
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap
new file mode 100644
index 000000000..b9eb5253b
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap
new file mode 100644
index 000000000..87d42018b
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap
new file mode 100644
index 000000000..47a60a1d9
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap
new file mode 100644
index 000000000..c14c02b83
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules
new file mode 100644
index 000000000..9d9eae989
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml
new file mode 100644
index 000000000..d206c0a47
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200119
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap
new file mode 100644
index 000000000..e794dc173
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules
new file mode 100644
index 000000000..9d9eae989
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
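Review bot: The test.yaml added here opens with an empty line (the hunk is `@@ -0,0 +1,11 @@` where the otherwise identical single-sid files for tests 1, 2, 3, 15 and so on are 10 lines), so the file diverges from the rest of the series for no reason. The YAML loader will not mind, but the same leading blank line is repeated in the test.yaml of tests 23, 24 and 30, and dropping it in all four keeps the single-sid test.yaml files byte-identical and easier to diff against each other. Note also that the collapsed rendering of this page has lost the indentation under `requires:` and `checks:`, so the nesting should be verified against the committed file rather than this view.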
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml
new file mode 100644
index 000000000..d206c0a47
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200119
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap
new file mode 100644
index 000000000..2893a077f
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules
new file mode 100644
index 000000000..9d9eae989
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml
new file mode 100644
index 000000000..d206c0a47
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200119
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap
new file mode 100644
index 000000000..a75e92616
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules
new file mode 100644
index 000000000..3efc741af
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml
new file mode 100644
index 000000000..33ffa0069
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200014
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
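Review bot: The first rule in this test.rules has a stray space before the option separator in `sid:2200014 ; rev:2;`, which no other rule in the series has; Suricata's option parser appears to tolerate it since the test expects the alert, but it is a typo that will propagate wherever this file is copied next. The same two-line test.rules (blob 3efc741af) is reused for tests 26, 27 and 28, so the fix applies to all four copies: `sid:2200014; rev:2;`. These rules look like they were lifted from Suricata's decoder-events.rules, and keeping them byte-identical to that source makes later rev bumps easier to track.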
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap
new file mode 100644
index 000000000..1c7515699
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.rules
new file mode 100644
index 000000000..3efc741af
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml
new file mode 100644
index 000000000..33ffa0069
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200014
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap
new file mode 100644
index 000000000..a6b259de4
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules
new file mode 100644
index 000000000..3efc741af
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml
new file mode 100644
index 000000000..33ffa0069
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200014
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap
new file mode 100644
index 000000000..4327675dc
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.rules
new file mode 100644
index 000000000..3efc741af
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml
new file mode 100644
index 000000000..33ffa0069
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200014
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap
new file mode 100644
index 000000000..cde4e100b
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap
new file mode 100644
index 000000000..fe850aae4
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap
new file mode 100644
index 000000000..b95461076
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.rules
new file mode 100644
index 000000000..b9140d176
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.rules
@@ -0,0 +1 @@
+alert icmpv6 any any -> any any (itype:3; icode:1; sid:1;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml
new file mode 100644
index 000000000..d4e086aeb
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml
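Review bot: The test-30 rule `alert icmpv6 any any -> any any (itype:3; icode:1; sid:1;)` is the only rule in the series without a `msg` or `rev`, so the eve alert it produces has no human-readable signature name and `sid:1` gives the reader no hint of what is being asserted. ICMPv6 type 3 code 1 is Time Exceeded / fragment reassembly time exceeded (RFC 4443), so this test appears to check that the capture contains a reassembly-timeout response rather than a Suricata decode event like its siblings; suggest `alert icmpv6 any any -> any any (msg:"ICMPv6 Time Exceeded - fragment reassembly time exceeded"; itype:3; icode:1; sid:1; rev:1;)`. The accompanying README.md is the same generic text as the other tests and would benefit from one sentence saying this case differs in that way.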
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap
new file mode 100644
index 000000000..73c4af638
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules
new file mode 100644
index 000000000..91bfd63a7
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml
new file mode 100644
index 000000000..7c5936607
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200071
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap
new file mode 100644
index 000000000..028451278
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules
new file mode 100644
index 000000000..1048fffe0
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml
new file mode 100644
index 000000000..5d66d8050
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200071
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200119
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap
new file mode 100644
index 000000000..b8e34de41
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules
new file mode 100644
index 000000000..1048fffe0
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;)
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml
new file mode 100644
index 000000000..5d66d8050
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200071
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200119
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap
new file mode 100644
index 000000000..0d0309fe9
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules
new file mode 100644
index 000000000..84ffabca1
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules
@@ -0,0 +1 @@
+alert icmpv6 any any -> any any (itype:4; icode:0; sid:1;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml
new file mode 100644
index 000000000..d4e086aeb
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap
new file mode 100644
index 000000000..e501baef0
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.rules
new file mode 100644
index 000000000..84ffabca1
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.rules
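Review bot: ipv6-malformed-fragments-35/test.yaml verifies the pcap only through sid 1, a bare ICMPv6 type 4 / code 0 match (Parameter Problem, "erroneous header field encountered" per RFC 4443), and test 36 reuses the byte-identical rules and yaml (same blob ids 84ffabca1 and d4e086aeb), so neither test distinguishes what Suricata did with the two different malformed-fragment pcaps; both pass as long as the capture contains the host's error reply. Since these live under ipv6-evasion, the check that matters is whether Suricata's decoder flagged the same condition the host rejected; please add a filter on the applicable `ipv6.exthdr_*` or `ipv6.frag_*` decode-event sid for each pcap (with `count: 0` where no event is expected, so the expectation is explicit), and give sid 1 a `msg:` such as `msg:"TEST ICMPv6 parameter problem - erroneous header field";`. A one-line Notes section in each README naming the specific malformation would also help the next person reading a failure.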
@@ -0,0 +1 @@
+alert icmpv6 any any -> any any (itype:4; icode:0; sid:1;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml
new file mode 100644
index 000000000..d4e086aeb
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap
new file mode 100644
index 000000000..044f15945
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap
new file mode 100644
index 000000000..17e174bd3
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md
new file mode 100644
index 000000000..380aaaf8c
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+Triggers IPv6 checksum rule but a more precise rule would make more sense
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap
new file mode 100644
index 000000000..e18b86f48
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md
new file mode 100644
index 000000000..380aaaf8c
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+Triggers IPv6 checksum rule but a more precise rule would make more sense
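Review bot: ipv6-malformed-fragments-7/test.yaml asserts exactly one alert for sid 2200072 (`ipv6.frag_overlap`) and that is the only rule loaded from test.rules, yet the README for the same test says it "Triggers IPv6 checksum rule but a more precise rule would make more sense"; the description and the check disagree, and test 8 carries the same README text (blob 380aaaf8c) with the same frag_overlap-only rules. If the overlap event is what these pcaps actually trigger, the Notes section should be rewritten to say so (for instance, `Only the frag_overlap decode event is asserted; a more specific event for this malformation would be preferable`); if a checksum decode event also fires and is the intended signal, that rule belongs in test.rules with its own `count: 1` filter so the stated expectation is actually tested. Either way, pinning `count: 1` on frag_overlap alone means an extra overlap alert from a changed reassembly policy would fail the test without explaining why, so a short note on why exactly one is expected would help.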
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap
new file mode 100644
index 000000000..08d3ff662
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.rules
new file mode 100644
index 000000000..e1b4585ca
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml
new file mode 100644
index 000000000..c336f6b33
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200072
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap
new file mode 100644
index 000000000..afee3c42c
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules
new file mode 100644
index 000000000..ef7df75a5
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml
new file mode 100644
index 000000000..f69175151
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080