From: Victor Julien Date: Mon, 18 Jan 2021 14:42:46 +0000 (+0100) Subject: tests: add smb tests X-Git-Tag: suricata-6.0.4~177 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1b4cb7ff2fbc4fa83395a7c6841c94fb34cf7432;p=thirdparty%2Fsuricata-verify.git tests: add smb tests --- diff --git a/tests/smb1-01/README.md b/tests/smb1-01/README.md new file mode 100644 index 000000000..a96a2785c --- /dev/null +++ b/tests/smb1-01/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap found in Zeek/Bro git repo. diff --git a/tests/smb1-01/smb1.pcap b/tests/smb1-01/smb1.pcap new file mode 100644 index 000000000..bbcf5a12b Binary files /dev/null and b/tests/smb1-01/smb1.pcap differ diff --git a/tests/smb1-01/test.yaml b/tests/smb1-01/test.yaml new file mode 100644 index 000000000..7e1bfe21a --- /dev/null +++ b/tests/smb1-01/test.yaml 
@@ -0,0 +1,95 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.midstream=true + +checks: + - filter: + count: 17 + match: + event_type: smb + - filter: + count: 7 + match: + event_type: smb + smb.dialect: "unknown" + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + - filter: + count: 7 + match: + event_type: smb + smb.dialect: "unknown" + smb.command: SMB2_COMMAND_CLOSE + smb.status: STATUS_SUCCESS + - filter: + count: 0 + match: + event_type: smb + smb.dialect: "unknown" + smb.command: SMB2_COMMAND_GET_INFO + smb.status: STATUS_SUCCESS + - filter: + count: 2 + match: + event_type: smb + smb.dialect: "unknown" + smb.command: SMB2_COMMAND_FIND + smb.status: STATUS_SUCCESS + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "unknown" + smb.command: SMB2_COMMAND_READ + smb.status: STATUS_SUCCESS + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "unknown" + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.session_id: 4398046511153 + smb.tree_id: 1 + smb.disposition: "FILE_OPEN" + smb.filename: "Test\\2009-12 Payroll.xlsx" + smb.fuid: "00000065-0030-0000-0025-0020ffffffff" + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "unknown" + smb.command: SMB2_COMMAND_READ + smb.status: STATUS_SUCCESS + smb.session_id: 4398046511153 + smb.tree_id: 1 + smb.filename: "Test\\2009-12 Payroll.xlsx" + smb.fuid: "00000065-0030-0000-0025-0020ffffffff" + - filter: + count: 1 + match: + event_type: fileinfo + app_proto: smb + fileinfo.filename: "Test\\2009-12 Payroll.xlsx" + fileinfo.state: CLOSED + fileinfo.gaps: false + fileinfo.size: 25940 + - filter: + count: 1 + match: + event_type: stats + stats.app_layer.tx.smb: 17 + stats.app_layer.flow.smb: 1 + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: established + flow.state: established + 
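Review bot: The directory and pcap are named smb1 but every assertion in this hunk is on SMB2_COMMAND_* events with `smb.dialect: "unknown"`, which is presumably what the midstream pickup (`--set stream.midstream=true`) yields when the NEGOTIATE exchange is absent from the capture; a reader cannot tell from the test whether the "unknown" dialect is the expected outcome or a parser gap. Add a comment above the first check such as `# capture starts mid-session: no NEGOTIATE seen, so dialect is reported as "unknown" while commands decode as SMB2` and consider renaming the directory to match what is asserted. The `count: 0` GET_INFO check is a negative assertion and deserves the same kind of one-line comment saying why no successful GET_INFO is expected.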
diff --git a/tests/smb1-02/README.md b/tests/smb1-02/README.md new file mode 100644 index 000000000..18897f962 --- /dev/null +++ b/tests/smb1-02/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap by Victor Julien. diff --git a/tests/smb1-02/smb1_osx.pcap b/tests/smb1-02/smb1_osx.pcap new file mode 100644 index 000000000..144242b50 Binary files /dev/null and b/tests/smb1-02/smb1_osx.pcap differ diff --git a/tests/smb1-02/test.yaml b/tests/smb1-02/test.yaml new file mode 100644 index 000000000..561a98080 --- /dev/null +++ b/tests/smb1-02/test.yaml @@ -0,0 +1,57 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 + +checks: + - filter: + count: 3 + match: + event_type: smb + smb.id: 1 + smb.dialect: "NT LM 0.12" + smb.command: "SMB1_COMMAND_NEGOTIATE_PROTOCOL" + smb.status: "STATUS_SUCCESS" + smb.status_code: "0x0" +# smb.session_id: 0 +# smb.tree_id: 0, + smb.client_dialects[0]: "NT LM 0.12" + smb.server_guid: "31347374-0032-0000-0000-000000000000" + - filter: + count: 3 + match: + event_type: smb + smb.id: 2 + smb.dialect: "NT LM 0.12" + smb.command: "SMB1_COMMAND_SESSION_SETUP_ANDX" + smb.status: "STATUS_MORE_PROCESSING_REQUIRED" + smb.status_code: "0xc0000016" +# smb.session_id: 35909 + smb.tree_id: 65535 + smb.request.native_os: "Mac OS X 10.10" + smb.request.native_lm: "SMBFS 3.0.0" + smb.response.native_os: "QTS" + smb.response.native_lm: "Samba 4.4.16" + - filter: + count: 3 + match: + event_type: smb + smb.id: 3 + smb.dialect: "NT LM 0.12" + smb.command: "SMB1_COMMAND_LOGOFF_ANDX" + smb.status: "SRV_BADUID" + smb.status_code: "0x005b" +# smb.session_id: 35909 + smb.tree_id: 65535 + - filter: + count: 3 + match: + event_type: flow + app_proto: smb + tcp.state: closed + flow.state: closed + diff --git a/tests/smb1-03-midstream/README.md b/tests/smb1-03-midstream/README.md new file mode 100644 index 000000000..18897f962 --- /dev/null +++ b/tests/smb1-03-midstream/README.md 
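Review bot: Three assertions are commented out (`# smb.session_id: 0`, `# smb.tree_id: 0,`, `# smb.session_id: 35909`) with no explanation, so it is unclear whether the parser logs a different value, the field is absent, or the expected values are wrong. Either delete them or keep them with a reason, e.g. `# session_id/tree_id not pinned: TODO confirm value logged for this dialect`. Note also the trailing comma in `# smb.tree_id: 0,`, which would be read as the string "0," if the line were ever uncommented.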
@@ -0,0 +1,4 @@ +PCAP +==== + +Pcap by Victor Julien. diff --git a/tests/smb1-03-midstream/smb1_osx-s1-midstream-modified.pcap b/tests/smb1-03-midstream/smb1_osx-s1-midstream-modified.pcap new file mode 100644 index 000000000..9519f6cd5 Binary files /dev/null and b/tests/smb1-03-midstream/smb1_osx-s1-midstream-modified.pcap differ diff --git a/tests/smb1-03-midstream/test.rules b/tests/smb1-03-midstream/test.rules new file mode 100644 index 000000000..0cbec5c86 --- /dev/null +++ b/tests/smb1-03-midstream/test.rules @@ -0,0 +1 @@ +alert tcp-pkt any any -> any 445 (content:"|00 00 00 bc|"; depth:4; flow:to_server; sid:1;) diff --git a/tests/smb1-03-midstream/test.yaml b/tests/smb1-03-midstream/test.yaml new file mode 100644 index 000000000..68a1bd2fc --- /dev/null +++ b/tests/smb1-03-midstream/test.yaml @@ -0,0 +1,50 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs + min-version: 5.0.0 + +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true + +checks: + - filter: + count: 1 + match: + event_type: alert + pcap_cnt: 3 + - filter: + count: 1 + match: + event_type: smb + smb.id: 1 + smb.dialect: "unknown" + smb.command: "SMB1_COMMAND_SESSION_SETUP_ANDX" + smb.status: "STATUS_MORE_PROCESSING_REQUIRED" + smb.status_code: "0xc0000016" + smb.tree_id: 65535 + smb.request.native_os: "Mac OS X 10.10" + smb.request.native_lm: "SMBFS 3.0.0" + smb.response.native_os: "QTS" + smb.response.native_lm: "Samba 4.4.16" + - filter: + count: 1 + match: + event_type: smb + smb.id: 2 + smb.dialect: "unknown" + smb.command: "SMB1_COMMAND_LOGOFF_ANDX" + smb.status: "SRV_BADUID" + smb.status_code: "0x005b" + smb.tree_id: 65535 + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: closed + flow.state: closed + diff --git a/tests/smb2-01/README.md b/tests/smb2-01/README.md new file mode 100644 index 000000000..21635f46a --- /dev/null +++ b/tests/smb2-01/README.md 
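Review bot: The alert check pins only `pcap_cnt: 3`, so any alert on packet 3 satisfies it; the test.rules hunk in this same commit defines exactly one signature, so add `alert.signature_id: 1` to the match (as smb2-03-rule does) to make the check specific. The rule itself, `content:"|00 00 00 bc|"; depth:4; flow:to_server;` on `tcp-pkt`, appears to match the 4-byte transport length header of one packet rather than anything SMB-specific, so a comment in test.rules saying it exists only to prove packet 3 is inspected after the midstream pickup would stop someone reading it as a detection example.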
@@ -0,0 +1,4 @@ +PCAP +==== + +PCAP found on Wireshark Wiki. diff --git a/tests/smb2-01/smb2-peter.pcap b/tests/smb2-01/smb2-peter.pcap new file mode 100644 index 000000000..86e08b61b Binary files /dev/null and b/tests/smb2-01/smb2-peter.pcap differ diff --git a/tests/smb2-01/test.yaml b/tests/smb2-01/test.yaml new file mode 100644 index 000000000..01be9ef8e --- /dev/null +++ b/tests/smb2-01/test.yaml @@ -0,0 +1,55 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- -k none + +checks: + - filter: + count: 51 + match: + event_type: fileinfo + fileinfo.state: CLOSED + app_proto: smb + - filter: + count: 17 + match: + event_type: smb + smb.command: SMB2_COMMAND_WRITE + - filter: + count: 153 + match: + event_type: smb + smb.status: STATUS_SUCCESS + - filter: + count: 17 + match: + event_type: smb + smb.status: STATUS_ACCESS_DENIED + - filter: + count: 0 + match: + event_type: smb + smb.status: STATUS_END_OF_FILE + - filter: + count: 2 + match: + event_type: smb + smb.status: STATUS_NO_MORE_FILES + - filter: + count: 1 + match: + event_type: smb + smb.status: STATUS_MORE_PROCESSING_REQUIRED + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: established + flow.state: established + diff --git a/tests/smb2-02/README.md b/tests/smb2-02/README.md new file mode 100644 index 000000000..a96a2785c --- /dev/null +++ b/tests/smb2-02/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap found in Zeek/Bro git repo. diff --git a/tests/smb2-02/smb2.pcap b/tests/smb2-02/smb2.pcap new file mode 100644 index 000000000..49c711601 Binary files /dev/null and b/tests/smb2-02/smb2.pcap differ diff --git a/tests/smb2-02/test.yaml b/tests/smb2-02/test.yaml new file mode 100644 index 000000000..5070f36ec --- /dev/null +++ b/tests/smb2-02/test.yaml 
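Review bot: `-k none` is passed without saying why, and the other tests in this commit that use it (smb2-07, smb3-*) leave it unexplained too; once confirmed against the pcap, add `# -k none: capture has invalid checksums, do not drop on checksum failure` above args. The status checks are bare counts (`153` STATUS_SUCCESS, `17` STATUS_ACCESS_DENIED, `0` STATUS_END_OF_FILE) with no `smb.command` qualifier, so a regression that shifts which commands fail while keeping the totals the same would pass; consider pairing at least the ACCESS_DENIED count with the command it is expected on.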
@@ -0,0 +1,96 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 + +checks: + - filter: + count: 20 + match: + event_type: smb + - filter: + count: 2 + match: + event_type: smb + smb.command: SMB2_COMMAND_WRITE + - filter: + count: 1 + match: + event_type: smb + smb.id: 3 + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_SESSION_SETUP + smb.status: STATUS_SUCCESS + smb.ntlmssp.domain: "CONTOSO" + smb.ntlmssp.user: "Administrator" + smb.ntlmssp.host: "SERVER01" + smb.session_id: 4398046511109 + - filter: + count: 1 + match: + event_type: smb + smb.id: 4 + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.session_id: 4398046511109 + smb.share: "\\\\10.0.0.12\\smb2" + - filter: + count: 1 + match: + event_type: smb + smb.id: 6 + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.tree_id: 5 + smb.session_id: 4398046511109 + smb.named_pipe: "\\\\10.0.0.12\\IPC$" + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.session_id: 4398046511109 + smb.filename: "WP_SMBPlugin.pdf" + smb.disposition: "FILE_CREATE" + smb.fuid: "0000004d-0000-0000-0009-0000ffffffff" + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_WRITE + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.session_id: 4398046511109 + smb.filename: "WP_SMBPlugin.pdf" + smb.fuid: "0000004d-0000-0000-0009-0000ffffffff" + - filter: + count: 1 + match: + event_type: fileinfo + app_proto: smb + fileinfo.filename: "WP_SMBPlugin.pdf" + fileinfo.state: CLOSED + fileinfo.gaps: false + fileinfo.size: 1508939 + smb.session_id: 4398046511109 + smb.filename: "WP_SMBPlugin.pdf" + smb.fuid: "0000004d-0000-0000-0009-0000ffffffff" + - filter: + count: 1 + match: + event_type: flow + app_proto: 
smb + tcp.state: established + flow.state: established + diff --git a/tests/smb2-03-rule/README.md b/tests/smb2-03-rule/README.md new file mode 100644 index 000000000..a96a2785c --- /dev/null +++ b/tests/smb2-03-rule/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap found in Zeek/Bro git repo. diff --git a/tests/smb2-03-rule/filedata.rules b/tests/smb2-03-rule/filedata.rules new file mode 100644 index 000000000..e90903c35 --- /dev/null +++ b/tests/smb2-03-rule/filedata.rules @@ -0,0 +1 @@ +alert smb any any -> any any (file_data; content:"%PDF-1.5"; startswith; sid:1;) diff --git a/tests/smb2-03-rule/smb2.pcap b/tests/smb2-03-rule/smb2.pcap new file mode 100644 index 000000000..49c711601 Binary files /dev/null and b/tests/smb2-03-rule/smb2.pcap differ diff --git a/tests/smb2-03-rule/test.yaml b/tests/smb2-03-rule/test.yaml new file mode 100644 index 000000000..0910c932c --- /dev/null +++ b/tests/smb2-03-rule/test.yaml 
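Review bot: The CREATE check pins `smb.disposition: "FILE_CREATE"` and the fuid but not `smb.access`, while the CREATE checks in smb2-04/05/06 pin `smb.access: "normal"`; adding it here keeps the create-path assertions consistent across the suite. The fileinfo check is the strongest assertion in the file (`fileinfo.gaps: false`, `fileinfo.size: 1508939`) and is presumably why `--set stream.reassembly.depth=0` is required; a comment tying the two together, e.g. `# depth=0: file is larger than the default reassembly depth, must close without gaps`, would make that dependency explicit.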
@@ -0,0 +1,101 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + - filter: + count: 20 + match: + event_type: smb + - filter: + count: 2 + match: + event_type: smb + smb.command: SMB2_COMMAND_WRITE + - filter: + count: 1 + match: + event_type: smb + smb.id: 3 + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_SESSION_SETUP + smb.status: STATUS_SUCCESS + smb.ntlmssp.domain: "CONTOSO" + smb.ntlmssp.user: "Administrator" + smb.ntlmssp.host: "SERVER01" + smb.session_id: 4398046511109 + - filter: + count: 1 + match: + event_type: smb + smb.id: 4 + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.session_id: 4398046511109 + smb.share: "\\\\10.0.0.12\\smb2" + - filter: + count: 1 + match: + event_type: smb + smb.id: 6 + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.tree_id: 5 + smb.session_id: 4398046511109 + smb.named_pipe: "\\\\10.0.0.12\\IPC$" + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.session_id: 4398046511109 + smb.filename: "WP_SMBPlugin.pdf" + smb.disposition: "FILE_CREATE" + smb.fuid: "0000004d-0000-0000-0009-0000ffffffff" + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "2.02" + smb.command: SMB2_COMMAND_WRITE + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.session_id: 4398046511109 + smb.filename: "WP_SMBPlugin.pdf" + smb.fuid: "0000004d-0000-0000-0009-0000ffffffff" + - filter: + count: 1 + match: + event_type: fileinfo + app_proto: smb + fileinfo.filename: "WP_SMBPlugin.pdf" + fileinfo.state: CLOSED + fileinfo.gaps: false + fileinfo.size: 1508939 + smb.session_id: 4398046511109 + smb.filename: "WP_SMBPlugin.pdf" + smb.fuid: 
"0000004d-0000-0000-0009-0000ffffffff" + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: established + flow.state: established + diff --git a/tests/smb2-04/20171220_smb_at_schedule.pcap b/tests/smb2-04/20171220_smb_at_schedule.pcap new file mode 100644 index 000000000..34c685f28 Binary files /dev/null and b/tests/smb2-04/20171220_smb_at_schedule.pcap differ diff --git a/tests/smb2-04/README.md b/tests/smb2-04/README.md new file mode 100644 index 000000000..f5704256d --- /dev/null +++ b/tests/smb2-04/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap from the ProtectWise blog. diff --git a/tests/smb2-04/test.yaml b/tests/smb2-04/test.yaml new file mode 100644 index 000000000..2880db99a --- /dev/null +++ b/tests/smb2-04/test.yaml 
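Review bot: This test.yaml repeats every check from smb2-02 verbatim and adds only the alert check, so any future change to the smb2-02 expectations has to be made twice; trim this file to the alert check plus the `SMB2_COMMAND_WRITE` and fileinfo checks the rule actually depends on. The rule in filedata.rules uses `startswith` on `file_data` over `alert smb`; smb1-03-midstream and smb3-03-midstream carry `min-version: 5.0.0` but this `requires:` block does not, so if the oldest version in the verify matrix lacks that keyword or SMB file_data support, add `min-version` here as well. The alert check could also pin `app_proto: smb` to confirm the match came from the SMB file buffer.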
@@ -0,0 +1,58 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true + +checks: + - filter: + count: 6 + match: + event_type: smb + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.filename: "atsvc" + smb.disposition: "FILE_OPEN" + smb.access: "normal" + smb.created: 0 + smb.accessed: 0 + smb.modified: 0 + smb.changed: 0 + smb.size: 0 + smb.fuid: "0000004d-0000-0000-0005-0000ffffffff" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_WRITE + smb.status: STATUS_SUCCESS + smb.dcerpc.request: "BIND" + smb.dcerpc.response: "BINDACK" + smb.dcerpc.interfaces[0].uuid: "1ff70682-0a51-30e8-076d-740be8cee98b" + smb.dcerpc.interfaces[0].version: "1.0" + smb.dcerpc.interfaces[0].ack_result: 2 + smb.dcerpc.interfaces[0].ack_reason: 0 + smb.dcerpc.interfaces[1].uuid: "1ff70682-0a51-30e8-076d-740be8cee98b" + smb.dcerpc.interfaces[1].version: "1.0" + smb.dcerpc.interfaces[1].ack_result: 0 + smb.dcerpc.interfaces[1].ack_reason: 0 + smb.dcerpc.interfaces[2].uuid: "1ff70682-0a51-30e8-076d-740be8cee98b" + smb.dcerpc.interfaces[2].version: "1.0" + smb.dcerpc.interfaces[2].ack_result: 3 + smb.dcerpc.interfaces[2].ack_reason: 0 + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: closed + flow.state: closed + diff --git a/tests/smb2-04/test.yaml.old b/tests/smb2-04/test.yaml.old new file mode 100644 index 000000000..42420306c --- /dev/null +++ b/tests/smb2-04/test.yaml.old 
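Review bot: The BIND check lists three `smb.dcerpc.interfaces[]` entries with the same UUID `1ff70682-0a51-30e8-076d-740be8cee98b` and `ack_result` 2, 0 and 3, and nothing in the file says what that pattern means; a comment such as `# three bind contexts for the same interface (presumably different transfer syntaxes); only index 1 is accepted (ack_result 0)` would make the expectation reviewable. The CREATE check pins `smb.created/accessed/modified/changed/size` all to 0 for the `atsvc` pipe, which looks right for a named pipe but is worth a one-line note so it is not "fixed" to real timestamps later.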
@@ -0,0 +1,38 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true + +checks: + - filter: + count: 7 + match: + event_type: smb + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.filename: "atsvc" + smb.disposition: "FILE_OPEN" + smb.access: "normal" + smb.created: 0 + smb.accessed: 0 + smb.modified: 0 + smb.changed: 0 + smb.size: 0 + smb.fuid: "0000004d-0000-0000-0005-0000ffffffff" + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: closed + flow.state: closed + diff --git a/tests/smb2-05/20171220_smb_mimikatz_copy_to_host.pcap b/tests/smb2-05/20171220_smb_mimikatz_copy_to_host.pcap new file mode 100644 index 000000000..b1c066340 Binary files /dev/null and b/tests/smb2-05/20171220_smb_mimikatz_copy_to_host.pcap differ diff --git a/tests/smb2-05/README.md b/tests/smb2-05/README.md new file mode 100644 index 000000000..f5704256d --- /dev/null +++ b/tests/smb2-05/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap from the ProtectWise blog. diff --git a/tests/smb2-05/test.yaml b/tests/smb2-05/test.yaml new file mode 100644 index 000000000..fd7d899c3 --- /dev/null +++ b/tests/smb2-05/test.yaml 
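Review bot: `test.yaml.old` is a stale copy of the live test.yaml that differs only in `count: 7` versus `count: 6` for total smb events and lacks the BIND check; the runner presumably ignores it, so it only preserves an outdated expectation. Drop it from the commit, or if the 7-to-6 change is meaningful (e.g. a parser fix stopped logging a spurious transaction), record that as a comment on the `count: 6` check in test.yaml instead.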
@@ -0,0 +1,96 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true + +checks: + - filter: + count: 15 + match: + event_type: smb + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.share: "\\\\admin-pc\\c$" + smb.tree_id: 1 + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_FIND + smb.status: STATUS_NO_MORE_FILES + smb.tree_id: 1 + - filter: + count: 3 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.filename: "temp\\mimikatz.exe" + smb.disposition: FILE_OPEN + smb.access: "normal" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.filename: "temp\\mimikatz.exe" + smb.disposition: FILE_OPEN + smb.access: "normal" + smb.created: 1512585399 + smb.accessed: 1512585399 + smb.modified: 1512171135 + smb.changed: 1512585399 + smb.size: 804352 + smb.fuid: "00000049-0000-0000-0001-0000ffffffff" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.status: STATUS_SUCCESS + smb.tree_id: 1 + smb.filename: "temp\\mimikatz.exe" + smb.disposition: FILE_OPEN + smb.access: "normal" + smb.created: 1512585399 + smb.accessed: 1512585399 + smb.modified: 1512171135 + smb.changed: 1512585399 + smb.size: 804352 + smb.fuid: "00000055-0000-0000-000d-0000ffffffff" + - filter: + count: 1 + match: + event_type: fileinfo + fileinfo.filename: "temp\\mimikatz.exe" + fileinfo.state: CLOSED + fileinfo.size: 804352 + smb.dialect: "2.10" + smb.command: "SMB2_COMMAND_READ" + smb.status: "STATUS_SUCCESS" + smb.status_code: "0x0" + smb.session_id: 4398046511121 + smb.tree_id: 1 + smb.filename: "temp\\mimikatz.exe" + smb.share: "\\\\admin-pc\\c$" + smb.fuid: "00000055-0000-0000-000d-0000ffffffff" + - filter: + 
count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: established + flow.state: established + diff --git a/tests/smb2-06/20171220_smb_net_user.pcap b/tests/smb2-06/20171220_smb_net_user.pcap new file mode 100644 index 000000000..7f53dc9bd Binary files /dev/null and b/tests/smb2-06/20171220_smb_net_user.pcap differ diff --git a/tests/smb2-06/README.md b/tests/smb2-06/README.md new file mode 100644 index 000000000..f5704256d --- /dev/null +++ b/tests/smb2-06/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap from the ProtectWise blog. diff --git a/tests/smb2-06/test.yaml b/tests/smb2-06/test.yaml new file mode 100644 index 000000000..00b737351 --- /dev/null +++ b/tests/smb2-06/test.yaml @@ -0,0 +1,52 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true + +checks: + - filter: + count: 65 + match: + event_type: smb + - filter: + count: 5 + match: + event_type: smb + smb.dcerpc.request: BIND + - filter: + count: 46 + match: + event_type: smb + smb.dcerpc.request: REQUEST + - filter: + count: 1 + match: + event_type: smb + smb.dialect: "2.10" + smb.command: "SMB2_COMMAND_CREATE" + smb.status: "STATUS_SUCCESS" + smb.status_code: "0x0" + smb.session_id: 35184439197745 + smb.tree_id: 1 + smb.filename: "lsarpc" + smb.disposition: "FILE_OPEN" + smb.access: "normal" + smb.created: 0 + smb.accessed: 0 + smb.modified: 0 + smb.changed: 0 + smb.size: 0 + smb.fuid: "0000002a-0008-0000-0009-000000000008" + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + tcp.state: established + flow.state: established + diff --git a/tests/smb2-07/20171220_smb_psexec_add_user.pcap b/tests/smb2-07/20171220_smb_psexec_add_user.pcap new file mode 100644 index 000000000..d0f5196fd Binary files /dev/null and b/tests/smb2-07/20171220_smb_psexec_add_user.pcap differ 
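Review bot: The fileinfo check for `temp\\mimikatz.exe` pins `fileinfo.state: CLOSED` and `fileinfo.size: 804352` but not `fileinfo.gaps: false`, which the fileinfo checks in smb1-01 and smb2-02 do pin; with `stream.midstream=true` and `stream.reassembly.depth=0` a gappy extraction could still report CLOSED with the declared size, so add `fileinfo.gaps: false`. The three-way CREATE assertion (`count: 3` generic, then two `count: 1` with fuids) would read more easily with a comment saying why only two of the three CREATEs get a fuid-specific check.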
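Review bot: The DCERPC coverage is request-only: `smb.dcerpc.request: BIND` (5) and `REQUEST` (46) are counted but no check looks at `smb.dcerpc.response` or at which interface was bound, so a regression in response parsing for the `lsarpc` pipe this capture exercises would go unnoticed. Add a matching `smb.dcerpc.response: RESPONSE` count and, on one of the BIND events, pin the `smb.dcerpc.interfaces[0].uuid` value observed for lsarpc.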
diff --git a/tests/smb2-07/README.md b/tests/smb2-07/README.md new file mode 100644 index 000000000..f5704256d --- /dev/null +++ b/tests/smb2-07/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +Pcap from the ProtectWise blog. diff --git a/tests/smb2-07/test.yaml b/tests/smb2-07/test.yaml new file mode 100644 index 000000000..5e5597150 --- /dev/null +++ b/tests/smb2-07/test.yaml @@ -0,0 +1,64 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true +- -k none + +checks: + - filter: + count: 58 + match: + event_type: smb + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.filename: "PSEXESVC.exe" + smb.disposition: "FILE_OVERWRITE_IF" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.filename: "PSEXESVC-VICTIM-PC-2412-stderr" + smb.disposition: "FILE_OPEN" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.filename: "PSEXESVC-VICTIM-PC-2412-stdout" + smb.disposition: "FILE_OPEN" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_CREATE + smb.filename: "PSEXESVC-VICTIM-PC-2412-stdin" + smb.disposition: "FILE_OPEN" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.named_pipe: "\\\\dc1\\IPC$" + - filter: + count: 2 + match: + event_type: smb + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.share: "\\\\dc1\\ADMIN$" + - filter: + count: 4 + match: + event_type: flow + app_proto: smb + tcp.state: closed + flow.state: closed + diff --git a/tests/smb3-01/README.md b/tests/smb3-01/README.md new file mode 100644 index 000000000..21635f46a --- /dev/null +++ b/tests/smb3-01/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP found on Wireshark Wiki. 
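Review bot: The psexec-relevant event, `PSEXESVC.exe` created with `FILE_OVERWRITE_IF`, is asserted only at the CREATE level; unlike smb2-05 there is no fileinfo check, so the test does not confirm the service binary pushed over `\\\\dc1\\ADMIN$` was tracked and extracted. If file tracking yields one, add `event_type: fileinfo`, `fileinfo.filename: "PSEXESVC.exe"`, `fileinfo.state: CLOSED` with the observed size and `fileinfo.gaps: false`. The stdin/stdout/stderr pipe CREATEs pin only filename and disposition; pinning `smb.tree_id` on them would tie them to the `\\\\dc1\\IPC$` tree connect asserted just below.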
diff --git a/tests/smb3-01/input.pcap b/tests/smb3-01/input.pcap new file mode 100644 index 000000000..0adc7740e Binary files /dev/null and b/tests/smb3-01/input.pcap differ diff --git a/tests/smb3-01/test.yaml b/tests/smb3-01/test.yaml new file mode 100644 index 000000000..7f98ec051 --- /dev/null +++ b/tests/smb3-01/test.yaml @@ -0,0 +1,36 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true +- -k none + +checks: + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_NEGOTIATE_PROTOCOL + smb.status: STATUS_SUCCESS + smb.dialect: "3.00" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.dialect: "3.00" + smb.share: "\\\\WS2016\\encrypted" + - filter: + count: 1 + match: + event_type: smb + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.dialect: "3.00" + smb.named_pipe: "\\\\10.160.65.202\\IPC$" + diff --git a/tests/smb3-02-midstream/README.md b/tests/smb3-02-midstream/README.md new file mode 100644 index 000000000..21635f46a --- /dev/null +++ b/tests/smb3-02-midstream/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP found on Wireshark Wiki. diff --git a/tests/smb3-02-midstream/input.pcap b/tests/smb3-02-midstream/input.pcap new file mode 100644 index 000000000..b010ed5bd Binary files /dev/null and b/tests/smb3-02-midstream/input.pcap differ diff --git a/tests/smb3-02-midstream/test.yaml b/tests/smb3-02-midstream/test.yaml new file mode 100644 index 000000000..8d8fd7808 --- /dev/null +++ b/tests/smb3-02-midstream/test.yaml 
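Review bot: This is the only test.yaml in the commit without an `event_type: flow` check, and after the TREE_CONNECT to `\\\\WS2016\\encrypted` it asserts nothing further, so the test does not pin what the parser does once the SMB3 traffic is (judging by the share name, presumably) encrypted. Add the flow check used elsewhere (`event_type: flow`, `app_proto: smb`, `tcp.state`/`flow.state`) and a total `event_type: smb` count so that spurious decoding of encrypted payload as commands would fail the test. A comment such as `# after the tree connect the session is SMB3-encrypted; only the plaintext negotiate/tree-connect exchanges are expected` documents the intent.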
@@ -0,0 +1,26 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true +- -k none + +checks: + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + dest_port: 445 + - filter: + count: 1 + match: + event_type: smb + dest_port: 445 + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.named_pipe: "\\\\10.160.65.202\\IPC$" diff --git a/tests/smb3-03-midstream/README.md b/tests/smb3-03-midstream/README.md new file mode 100644 index 000000000..21635f46a --- /dev/null +++ b/tests/smb3-03-midstream/README.md @@ -0,0 +1,4 @@ +PCAP +==== + +PCAP found on Wireshark Wiki. diff --git a/tests/smb3-03-midstream/input.pcap b/tests/smb3-03-midstream/input.pcap new file mode 100644 index 000000000..0ab986f79 Binary files /dev/null and b/tests/smb3-03-midstream/input.pcap differ diff --git a/tests/smb3-03-midstream/test.yaml b/tests/smb3-03-midstream/test.yaml new file mode 100644 index 000000000..60650ee2a --- /dev/null +++ b/tests/smb3-03-midstream/test.yaml @@ -0,0 +1,27 @@ +requires: + features: + - HAVE_LIBJANSSON + - RUST + files: + - rust/src/smb/smb.rs + min-version: 5.0.0 +args: +- --set stream.reassembly.depth=0 +- --set stream.midstream=true +- -k none + +checks: + - filter: + count: 1 + match: + event_type: flow + app_proto: smb + dest_port: 445 + - filter: + count: 1 + match: + event_type: smb + dest_port: 445 + smb.command: SMB2_COMMAND_TREE_CONNECT + smb.status: STATUS_SUCCESS + smb.named_pipe: "\\\\10.160.65.202\\IPC$"
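Review bot: smb3-03-midstream is the smb3-02-midstream test.yaml plus `min-version: 5.0.0`, and both READMEs say only "PCAP found on Wireshark Wiki", so nothing records how the two input.pcap files differ or which 5.0 behaviour the second one relies on. Put the distinction in each README (e.g. where the capture was cut for the midstream pickup) and a comment next to `min-version` naming the dependency. Both tests assert a single IPC$ TREE_CONNECT and a flow on `dest_port: 445`; pinning `smb.dialect` on the TREE_CONNECT (`"3.00"` as smb3-01 does, or `"unknown"` if the negotiate is missing midstream) would make the expected midstream outcome explicit.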