From: Victor Julien Date: Mon, 9 Dec 2024 16:13:07 +0000 (+0100) Subject: tests: tcp urgent tests X-Git-Tag: suricata-7.0.8~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=24a9a26686e8f1f2af9fefca61924acbda1acfe5;p=thirdparty%2Fsuricata-verify.git tests: tcp urgent tests ---
diff --git a/tests/tcp-urgp-01-oob/suricata.rules b/tests/tcp-urgp-01-oob/suricata.rules
new file mode 100644
index 000000000..ae3a59c3c
--- /dev/null
+++ b/tests/tcp-urgp-01-oob/suricata.rules
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-01-oob/tcp-urgent1.pcap b/tests/tcp-urgp-01-oob/tcp-urgent1.pcap
new file mode 100644
index 000000000..471535219
Binary files /dev/null and b/tests/tcp-urgp-01-oob/tcp-urgent1.pcap differ
diff --git a/tests/tcp-urgp-01-oob/test.yaml b/tests/tcp-urgp-01-oob/test.yaml
new file mode 100644
index 000000000..332492409
--- /dev/null
+++ b/tests/tcp-urgp-01-oob/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
diff --git a/tests/tcp-urgp-02-drop-ips/suricata.rules b/tests/tcp-urgp-02-drop-ips/suricata.rules
new file mode 100644
index 000000000..ae3a59c3c
--- /dev/null
+++ b/tests/tcp-urgp-02-drop-ips/suricata.rules
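Review bot: The checks in tests/tcp-urgp-01-oob/test.yaml only count alerts, so the test would also pass if the capture carried no urgent data and the three rules simply matched a plain request. The same capture (blob 471535219) is asserted as `stats.tcp.urg: 1` in tcp-urgp-02-drop-ips, so a fourth filter with `event_type: stats`, `stats.tcp.urg: 1` and `stats.tcp.reassembly_gap: 0` would pin that the URG byte was actually seen and stripped under the oob policy rather than merely that the rules fire. Separately, `min-version: 8` skips every one of these tests on a 7.x build; since this commit is recorded as immediately preceding the suricata-7.0.8 tag, it is worth confirming whether a 7.0.x-gated variant is wanted so the backported urgent handling is covered too.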
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-02-drop-ips/tcp-urgent1.pcap b/tests/tcp-urgp-02-drop-ips/tcp-urgent1.pcap
new file mode 100644
index 000000000..471535219
Binary files /dev/null and b/tests/tcp-urgp-02-drop-ips/tcp-urgent1.pcap differ
diff --git a/tests/tcp-urgp-02-drop-ips/test.yaml b/tests/tcp-urgp-02-drop-ips/test.yaml
new file mode 100644
index 000000000..342190e55
--- /dev/null
+++ b/tests/tcp-urgp-02-drop-ips/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=drop
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 6
+ stats.ips.blocked: 10
+ stats.ips.drop_reason.flow_drop: 8
+ stats.ips.drop_reason.rules: 1
+ stats.ips.drop_reason.stream_urgent: 1
+ stats.tcp.urg: 1
+ stats.tcp.reassembly_gap: 1
+ stats.detect.alert: 1
diff --git a/tests/tcp-urgp-03-inline/suricata.rules b/tests/tcp-urgp-03-inline/suricata.rules
new file mode 100644
index 000000000..ae3a59c3c
--- /dev/null
+++ b/tests/tcp-urgp-03-inline/suricata.rules
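Review bot: tests/tcp-urgp-02-drop-ips/test.yaml asserts `stats.ips.*` counters but, unlike tests 07–09 in this commit, does not pass `--simulate-ips`; if those counters are only registered when the engine runs in IPS mode the stats filter can never match, so either add `- --simulate-ips` to `args` or confirm the counters are emitted in plain pcap mode and say so in a comment. The expected values are also bare numbers: `stats.ips.blocked: 10` is `flow_drop: 8` + `rules: 1` + `stream_urgent: 1`, and that breakdown (exactly one packet dropped for the urgent byte, one by the drop rule, the remainder by flow drop) is the property under test, so a one-line comment on the stats filter such as `# 10 blocked = 1 urgent segment + 1 rule drop + 8 flow-drop` would keep a future capture change from turning into an unexplained failure.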
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-03-inline/tcp-urgent1.pcap b/tests/tcp-urgp-03-inline/tcp-urgent1.pcap
new file mode 100644
index 000000000..471535219
Binary files /dev/null and b/tests/tcp-urgp-03-inline/tcp-urgent1.pcap differ
diff --git a/tests/tcp-urgp-03-inline/test.yaml b/tests/tcp-urgp-03-inline/test.yaml
new file mode 100644
index 000000000..332492409
--- /dev/null
+++ b/tests/tcp-urgp-03-inline/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
diff --git a/tests/tcp-urgp-04-2byte-XY/README.md b/tests/tcp-urgp-04-2byte-XY/README.md
new file mode 100644
index 000000000..ddd5b1cc6
--- /dev/null
+++ b/tests/tcp-urgp-04-2byte-XY/README.md
@@ -0,0 +1,15 @@
+Test
+====
+
+Test to show last urg byte is treated as OOB.
+```
+$ python3 proof_of_concept_2bytes_unique_XY.py
+HTTP/1.1 200 OK
+Server: Werkzeug/3.0.1 Python/3.12.3
+Date: Sun, 08 Dec 2024 08:57:56 GMT
+Content-Type: text/html; charset=utf-8
+Content-Length: 37
+Connection: close
+
+You've accessed the path: /malicXious
+```
diff --git a/tests/tcp-urgp-04-2byte-XY/suricata.rules b/tests/tcp-urgp-04-2byte-XY/suricata.rules
new file mode 100644
index 000000000..38b71b122
--- /dev/null
+++ b/tests/tcp-urgp-04-2byte-XY/suricata.rules
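Review bot: tests/tcp-urgp-03-inline/test.yaml is byte-identical to the 01-oob test (same blob 332492409) and sets `--set stream.reassembly.urgent.policy=oob`, so despite its directory name it never exercises the inline policy. Presumably the intended line is `- --set stream.reassembly.urgent.policy=inline`; with that, the expected counts have to be re-derived rather than copied, because inline keeps the urgent byte in the reassembled stream and the 04 README shows a receiver seeing `/malicXious`, so the three `malicious` rules may legitimately stop firing. If the duplicate is deliberate, rename the directory instead; a test named inline that asserts oob behaviour will hide a regression in the inline path, which is the permissive policy and therefore the one most worth pinning.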
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicXious'"; content:"malicXious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicXious'"; http.uri; content:"malicXious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicXious'"; frame:http1.request; content:"malicXious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-04-2byte-XY/tcp-urgent-2byte-XY.pcap b/tests/tcp-urgp-04-2byte-XY/tcp-urgent-2byte-XY.pcap
new file mode 100644
index 000000000..223c50703
Binary files /dev/null and b/tests/tcp-urgp-04-2byte-XY/tcp-urgent-2byte-XY.pcap differ
diff --git a/tests/tcp-urgp-04-2byte-XY/test.yaml b/tests/tcp-urgp-04-2byte-XY/test.yaml
new file mode 100644
index 000000000..332492409
--- /dev/null
+++ b/tests/tcp-urgp-04-2byte-XY/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
diff --git a/tests/tcp-urgp-06-oob-within-limit/suricata.rules b/tests/tcp-urgp-06-oob-within-limit/suricata.rules
new file mode 100644
index 000000000..ae3a59c3c
--- /dev/null
+++ b/tests/tcp-urgp-06-oob-within-limit/suricata.rules
@@ -0,0 +1,3 @@
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; content:"malicious"; nocase; sid:1000001; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+drop tcp any any -> any 9090 (msg:"Block traffic containing the word 'malicious'"; frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
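Review bot: tests/tcp-urgp-04-2byte-XY/test.yaml proves the "only the last urgent byte is OOB" property only indirectly, through three `malicXious` rule hits, and its checks are otherwise a copy of the 01-oob file (same blob 332492409). A direct `event_type: http` filter with `http.url: "/malicXious"`, as tests 07–09 do, would pin the reconstructed URI itself and keep the test meaningful if the rules are later edited, and it would tie the test to the receiver-side output quoted in the README. A stats filter with `stats.tcp.urg` set to the number of URG segments in the capture (presumably 1 here; confirm against the pcap) would likewise catch a regenerated capture that lost the URG flag.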
diff --git a/tests/tcp-urgp-06-oob-within-limit/tcp-urgent-1byte-64k.pcap b/tests/tcp-urgp-06-oob-within-limit/tcp-urgent-1byte-64k.pcap
new file mode 100644
index 000000000..8a57ab468
Binary files /dev/null and b/tests/tcp-urgp-06-oob-within-limit/tcp-urgent-1byte-64k.pcap differ
diff --git a/tests/tcp-urgp-06-oob-within-limit/test.yaml b/tests/tcp-urgp-06-oob-within-limit/test.yaml
new file mode 100644
index 000000000..d3ddeb474
--- /dev/null
+++ b/tests/tcp-urgp-06-oob-within-limit/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+
+checks:
+ - filter:
+ count: 0 # TODO find out why
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.urg: 64000
+ stats.tcp.reassembly_gap: 0
diff --git a/tests/tcp-urgp-07-oob-exceed-limit/suricata.rules b/tests/tcp-urgp-07-oob-exceed-limit/suricata.rules
new file mode 100644
index 000000000..f6efe9371
--- /dev/null
+++ b/tests/tcp-urgp-07-oob-exceed-limit/suricata.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any 9090 (content:"malicious"; nocase; sid:1000001; rev:1;)
+alert tcp any any -> any 9090 (http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+alert tcp any any -> any 9090 (frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
+alert tcp any any -> any any (msg:"SURICATA STREAM urgent OOB limit reached"; stream-event:reassembly_urgent_oob_limit_reached; classtype:protocol-command-decode; sid:2210066; rev:1;)
diff --git a/tests/tcp-urgp-07-oob-exceed-limit/tcp-urgent-1byte-66k.pcap b/tests/tcp-urgp-07-oob-exceed-limit/tcp-urgent-1byte-66k.pcap
new file mode 100644
index 000000000..25a25c280
Binary files /dev/null and b/tests/tcp-urgp-07-oob-exceed-limit/tcp-urgent-1byte-66k.pcap differ
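Review bot: `count: 0 # TODO find out why` on sid 1000001 in tests/tcp-urgp-06-oob-within-limit/test.yaml commits an unexplained miss as the expected result: the raw `content:"malicious"` rule does not fire while the `http.uri` and `frame:http1.request` rules over the same request do. From an evasion standpoint that is precisely the case to understand, since it means a payload/raw-stream signature can be blinded by 64000 OOB bytes that the application-layer buffers have already had removed, so the TODO should be resolved before the expectation lands, or at least the comment should carry the working hypothesis and a tracking reference, e.g. `count: 0 # raw content misses once many OOB bytes precede the request; buffer rules below still match -- see <ticket>`. The same `count: 0` for sid 1000001 recurs in tests 07 and 08 with no comment at all, so whatever the explanation turns out to be should be recorded in one place and referenced from the others.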
diff --git a/tests/tcp-urgp-07-oob-exceed-limit/test.yaml b/tests/tcp-urgp-07-oob-exceed-limit/test.yaml
new file mode 100644
index 000000000..6cff4b0a1
--- /dev/null
+++ b/tests/tcp-urgp-07-oob-exceed-limit/test.yaml
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+- --set stream.reassembly.urgent.oob-limit-policy=drop
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2210066
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/malicious"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 131549
+ stats.ips.blocked: 465
+ stats.ips.drop_reason.stream_urgent: 465
+ stats.tcp.urg: 66000
+ stats.tcp.reassembly_gap: 1
diff --git a/tests/tcp-urgp-08-oob-exceed-limit-gap/suricata.rules b/tests/tcp-urgp-08-oob-exceed-limit-gap/suricata.rules
new file mode 100644
index 000000000..668891637
--- /dev/null
+++ b/tests/tcp-urgp-08-oob-exceed-limit-gap/suricata.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any 9090 (content:"malicious"; nocase; sid:1000001; rev:1;)
+alert tcp any any -> any 9090 (http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+alert tcp any any -> any 9090 (frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-08-oob-exceed-limit-gap/tcp-urgent-1byte-66k.pcap b/tests/tcp-urgp-08-oob-exceed-limit-gap/tcp-urgent-1byte-66k.pcap
new file mode 100644
index 000000000..25a25c280
Binary files /dev/null and b/tests/tcp-urgp-08-oob-exceed-limit-gap/tcp-urgent-1byte-66k.pcap differ
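Review bot: The stats filter in tests/tcp-urgp-07-oob-exceed-limit/test.yaml encodes the OOB limit only implicitly: `stats.tcp.urg: 66000` alongside `stats.ips.blocked: 465` and `stats.ips.drop_reason.stream_urgent: 465` means 65535 urgent bytes were absorbed before the drop policy engaged, which suggests the default limit is 65535 (the width of the urgent pointer), but nothing in the test states that. A comment on the filter such as `# 66000 URG segments - 65535 (default oob limit) = 465 dropped` would make the derivation explicit, and if the limit is configurable, pinning it with an explicit `--set` in `args` would stop the test from breaking silently when the default changes. Note also that sid 2210066 is a hand-copied stream-event rule; if its keyword or sid diverges from the distributed stream-events.rules the test still passes, which is fine for a fixture but worth a comment so nobody treats it as proof that the shipped rule works.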
diff --git a/tests/tcp-urgp-08-oob-exceed-limit-gap/test.yaml b/tests/tcp-urgp-08-oob-exceed-limit-gap/test.yaml
new file mode 100644
index 000000000..c09d19537
--- /dev/null
+++ b/tests/tcp-urgp-08-oob-exceed-limit-gap/test.yaml
@@ -0,0 +1,38 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+- --set stream.reassembly.urgent.oob-limit-policy=gap
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/malicious"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 132014
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.stream_reassembly: 0
+ stats.tcp.urg: 66000
+ stats.tcp.reassembly_gap: 1
diff --git a/tests/tcp-urgp-09-oob-exceed-limit-inline/suricata.rules b/tests/tcp-urgp-09-oob-exceed-limit-inline/suricata.rules
new file mode 100644
index 000000000..668891637
--- /dev/null
+++ b/tests/tcp-urgp-09-oob-exceed-limit-inline/suricata.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any 9090 (content:"malicious"; nocase; sid:1000001; rev:1;)
+alert tcp any any -> any 9090 (http.uri; content:"malicious"; nocase; sid:1000002; rev:1;)
+alert tcp any any -> any 9090 (frame:http1.request; content:"malicious"; nocase; sid:1000003; rev:1;)
diff --git a/tests/tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap b/tests/tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap
new file mode 100644
index 000000000..25a25c280
Binary files /dev/null and b/tests/tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap differ
diff --git a/tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml b/tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml
new file mode 100644
index 000000000..9559a702d
--- /dev/null
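Review bot: tests/tcp-urgp-08-oob-exceed-limit-gap/test.yaml asserts `stats.ips.drop_reason.stream_reassembly: 0`, but the counter that would move if the gap policy wrongly dropped packets is the one test 07 checks, `stats.ips.drop_reason.stream_urgent`; asserting that one at 0 next to `stats.ips.blocked: 0` makes the negative check actually guard the urgent path. The rules file for this test also omits the `stream-event:reassembly_urgent_oob_limit_reached` rule (sid 2210066 in test 07), so nothing ties `stats.tcp.reassembly_gap: 1` to the limit being reached rather than to some other reassembly condition; adding that rule with a `count: 1` filter would close that gap. The `count: 0` for sid 1000001 is again uncommented here, so whatever explanation test 06's TODO ends up with should be referenced from this file too.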
+++ b/tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml
@@ -0,0 +1,38 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.reassembly.urgent.policy=oob
+- --set stream.reassembly.urgent.oob-limit-policy=inline
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000002
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000003
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ http.url: "/malicXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXious"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 132014
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.stream_reassembly: 0
+ stats.tcp.urg: 66000
+ stats.tcp.reassembly_gap: 0
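Review bot: tests/tcp-urgp-09-oob-exceed-limit-inline/test.yaml is asserting a detection mismatch and should say so explicitly: once the OOB limit is exceeded the remaining urgent bytes are kept in-band, the logged `http.url` becomes `/malicXXX…ious`, and all three `malicious` rules report `count: 0`, while the README in tcp-urgp-04-2byte-XY indicates a receiver treats the last urgent byte of each segment as OOB and would therefore see `/malicious` for these single-byte segments. That is the evasion window the inline limit-policy deliberately accepts, so a short README next to this file, or a comment above `checks:` such as `# inline is the permissive fallback: after the limit, rules see the in-band view and miss what the receiver processes`, would stop the zero counts from being read as a bug. As in test 08, there is no filter on `stream-event:reassembly_urgent_oob_limit_reached` to prove the limit was actually reached, and `stats.ips.drop_reason.stream_reassembly: 0` is not the counter the urgent path increments (test 07 uses `stream_urgent`), so the negative stats check does not guard the behaviour it appears to.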