From: Pierre Chifflier
Date: Mon, 4 Mar 2019 20:34:35 +0000 (+0100)
Subject: Add test for IKEv2 Weak DH parameters detection
X-Git-Tag: suricata-6.0.4~474
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48b0b8f0b7745c8bb89226a6a9cd9ce226dd1fb2;p=thirdparty%2Fsuricata-verify.git
Add test for IKEv2 Weak DH parameters detection
---
diff --git a/tests/ikev2-weak-dh/IKEv2_SA_INIT_2-8-weak.pcap b/tests/ikev2-weak-dh/IKEv2_SA_INIT_2-8-weak.pcap
new file mode 100644
index 000000000..77c314d27
Binary files /dev/null and b/tests/ikev2-weak-dh/IKEv2_SA_INIT_2-8-weak.pcap differ
diff --git a/tests/ikev2-weak-dh/README.md b/tests/ikev2-weak-dh/README.md
new file mode 100644
index 000000000..4e23237ec
--- /dev/null
+++ b/tests/ikev2-weak-dh/README.md
@@ -0,0 +1,4 @@
+Simple test that tests a IKEv2 SA_INIT initiator request with weak Diffie-Hellman parameters.
+
+PCAP URL:
+ https://redmine.openinfosecfoundation.org/attachments/1630
diff --git a/tests/ikev2-weak-dh/test.rules b/tests/ikev2-weak-dh/test.rules
new file mode 100644
index 000000000..f6080bd7b
--- /dev/null
+++ b/tests/ikev2-weak-dh/test.rules
@@ -0,0 +1 @@
+alert ikev2 any any -> any any (msg:"SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"; flow:to_server; app-layer-event:ikev2.weak_crypto_dh; classtype:protocol-command-decode; sid:1; rev:1;)
diff --git a/tests/ikev2-weak-dh/test.yaml b/tests/ikev2-weak-dh/test.yaml
new file mode 100644
index 000000000..5f0044a97
--- /dev/null
+++ b/tests/ikev2-weak-dh/test.yaml
@@ -0,0 +1,26 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ min-version: 4.1.0
+
+args:
+ - -k none
+
+checks:
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.signature: "SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"
+
+ - filter:
+ count: 1
+ match:
+ event_type: ikev2
+ ikev2.version_major: 2
+ ikev2.exchange_type: 34
+ ikev2.init_spi: "61d3693ce12af528"
+ ikev2.resp_spi: "0000000000000000"
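Review bot: The second check in test.yaml pins only the IKE_SA_INIT header of the ikev2 record (major version 2, exchange type 34, the initiator SPI and the all-zero responder SPI expected in an initiator request) and nothing about the weak Diffie-Hellman group the test is named for, so a regression in the DH-group classification is caught only indirectly through the alert count in the first check. If the ikev2 eve record emitted by the required Suricata version logs the proposed DH transform, adding that field to the second `match:` would make the expectation explicit and would also distinguish a parser that decodes the packet from one that classifies it correctly. If it does not, a one-line comment above that check, `# header-only decode check; weak-DH detection itself is asserted by the sid 1 alert above`, would document why the two checks are split. The alert check could likewise carry `app_proto: ikev2` so that it fails if the signature ever matches on a flow the IKEv2 parser did not claim, though that is a minor tightening.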