From: Philippe Antoine
Date: Fri, 23 Jul 2021 15:56:35 +0000 (+0200)
Subject: Ads various tests about IPv6 denial of service
X-Git-Tag: suricata-6.0.4~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1cf73ab08953e1f48a26b0106fb3c0be149f36d8;p=thirdparty%2Fsuricata-verify.git

Ads various tests about IPv6 denial of service
---

diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/README.md
new file mode 100644
index 000000000..6d97a8107
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Hop-by-Hop Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/denial6-1.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/denial6-1.pcap
new file mode 100644
index 000000000..7fa02b75d
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/denial6-1.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.rules
new file mode 100644
index 000000000..bbddd3215
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS unknown option"; decode-event:ipv6.hopopts_unknown_opt; classtype:protocol-command-decode; sid:2200086; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.yaml
new file mode 100644
index 000000000..4bd4a441d
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-1/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 34114
+ match:
+ event_type: alert
+ alert.signature_id: 2200086
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/README.md
new file mode 100644
index 000000000..031e13d36
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Destination Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/denial6-2.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/denial6-2.pcap
new file mode 100644
index 000000000..e54a02eac
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/denial6-2.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.rules
new file mode 100644
index 000000000..b371664f7
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.rules
@@ -0,0 +1,2 @@
+# DST option that we don't understand
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS unknown option"; decode-event:ipv6.dstopts_unknown_opt; classtype:protocol-command-decode; sid:2200088; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.yaml
new file mode 100644
index 000000000..d48a7eb13
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-2/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 16188
+ match:
+ event_type: alert
+ alert.signature_id: 2200088
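Review bot: The single filter at `count: 34114` pins the number of sid 2200086 alerts but never ties that figure to the number of packets Suricata actually decoded from denial6-1.pcap, so the test documents neither that the event fires once per packet (which is what the DoS detection rests on) nor that the whole capture was read. A second check against the eve `stats` record would make both explicit and would let a future count mismatch be diagnosed as "packets not decoded" versus "event not raised". The exact packet count has to be taken from the pcap, which is not visible here, and the check presumes the test's eve output has stats enabled, as other suricata-verify tests do; the same addition applies to the other five test.yaml files in this commit.
```yaml
# … unchanged: requires / existing alert filter …
  - filter:
      count: 1
      match:
        event_type: stats
        stats.decoder.ipv6: <packet count of denial6-1.pcap>
```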
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/README.md
new file mode 100644
index 000000000..031e13d36
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Destination Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/denial6-3.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/denial6-3.pcap
new file mode 100644
index 000000000..98e3b699a
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/denial6-3.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.rules
new file mode 100644
index 000000000..cbb712e61
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; classtype:protocol-command-decode; sid:2200018; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; classtype:protocol-command-decode; sid:2200089; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.yaml
new file mode 100644
index 000000000..ac6086ac9
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-3/test.yaml
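Review bot: The two rules loaded for test 3 are `decode-event:ipv6.exthdr_dupl_dh` (sid 2200018) and `decode-event:ipv6.dstopts_only_padding` (sid 2200089), and test.yaml expects exactly those two to fire, yet the README added for this test is the same blob as test 2's (index 031e13d36) and describes "a huge amount of unknown options for Destination Options Header", which is what test 2 checks and what neither of these rules detects. Whoever picks this test up later will look for the wrong decoder path. The Description line should say what these signatures actually cover, e.g. `Test detection of DoS attack that tries to increase decoding effort by chaining duplicated Destination Options extension headers that carry only padding.`; I cannot read the pcap, so the exact packet layout should be confirmed before the wording is finalised.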
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 17674
+ match:
+ event_type: alert
+ alert.signature_id: 2200018
+ - filter:
+ count: 17674
+ match:
+ event_type: alert
+ alert.signature_id: 2200089
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/README.md
new file mode 100644
index 000000000..031e13d36
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Destination Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/denial6-4.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/denial6-4.pcap
new file mode 100644
index 000000000..4fa2cf8b4
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/denial6-4.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.rules
new file mode 100644
index 000000000..cbb712e61
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.rules
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Destination Options extension header"; decode-event:ipv6.exthdr_dupl_dh; classtype:protocol-command-decode; sid:2200018; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 DSTOPTS only padding"; decode-event:ipv6.dstopts_only_padding; classtype:protocol-command-decode; sid:2200089; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.yaml
new file mode 100644
index 000000000..bc9f8f875
--- /dev/null
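Review bot: Test 4 loads the same rule file as test 3 (index cbb712e61: `ipv6.exthdr_dupl_dh` sid 2200018 and `ipv6.dstopts_only_padding` sid 2200089) and its test.yaml expects both to fire 17424 times, but its README is again the test-2 blob (index 031e13d36) about unknown Destination Options, which these rules do not detect. With tests 3 and 4 sharing rules, expectations and a wrong README, nothing on disk records how denial6-4.pcap differs from denial6-3.pcap. The README Description should name the duplicated-header / padding-only case the rules cover, and a sentence under Notes stating what distinguishes this capture from test 3 (presumably a different header chain or count, to be confirmed from the pcap) would make the second test worth keeping.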
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-4/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 17424
+ match:
+ event_type: alert
+ alert.signature_id: 2200018
+ - filter:
+ count: 17424
+ match:
+ event_type: alert
+ alert.signature_id: 2200089
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/README.md
new file mode 100644
index 000000000..6d97a8107
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort by including a huge amount of unknown options for Hop-by-Hop Options Header.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect in combination with the decoder-event
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/denial6-7.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/denial6-7.pcap
new file mode 100644
index 000000000..33aac0ccf
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/denial6-7.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.rules
new file mode 100644
index 000000000..bbddd3215
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 HOPOPTS unknown option"; decode-event:ipv6.hopopts_unknown_opt; classtype:protocol-command-decode; sid:2200086; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.yaml
new file mode 100644
index 000000000..12f73ef13
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-7/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 37341
+ match:
+ event_type: alert
+ alert.signature_id: 2200086