From: Philippe Antoine Date: Thu, 2 Feb 2023 15:07:24 +0000 (+0100) Subject: Adds test about smb2 for bug 5786 X-Git-Tag: suricata-6.0.12~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=643ed437bdbe45879727e63e987069716366eb00;p=thirdparty%2Fsuricata-verify.git Adds test about smb2 for bug 5786
---
diff --git a/tests/smb-length-5786/README.md b/tests/smb-length-5786/README.md
new file mode 100644
index 000000000..f61cf0b37
--- /dev/null
+++ b/tests/smb-length-5786/README.md
@@ -0,0 +1,9 @@
+# Description
+
+Test SMB evasion with write data length lesser than NBSS record length (there is padding)
+
+# PCAP
+
+The pcap comes from running MacOS with a shared SMB directory named public (with user toto and password toto).
+There is a proxy on port 4445 that rewrites the smb2 write command if the file data begins by 'E' to have a lesser field length.
+Then fuzzpcap was used to split the write command in 2 tcp packets with an ACK in between, so that Suricata processes partial data.
diff --git a/tests/smb-length-5786/input.pcap b/tests/smb-length-5786/input.pcap
new file mode 100644
index 000000000..a1bbfe469
Binary files /dev/null and b/tests/smb-length-5786/input.pcap differ
diff --git a/tests/smb-length-5786/proxy_smb2.py b/tests/smb-length-5786/proxy_smb2.py
new file mode 100644
index 000000000..d4fef60bb
--- /dev/null
+++ b/tests/smb-length-5786/proxy_smb2.py
@@ -0,0 +1,40 @@
+import sys
+import binascii
+from threading import Thread
+import time
+import socket
+
+
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind(("127.0.0.1", 4445))
+s.listen(1)
+conn, addr = s.accept()
+s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+print("accpeted, now connecting")
+s2.connect(("127.0.0.1", 445))
+print("connected")
+ok = True
+while ok:
+ data = conn.recv(32768)
+ print("received", len(data), data[16])
+ if len(data) == 0:
+ break
+ data = bytearray(data)
+ changed = 0
+ if data[16] == 9:
+ # write request
+ print("write", data[116])
+ if data[116] == 69:
+ # if the first letter of payload is E
+ # let's remove 512 to the length
+ data[73] = data[73] - 2
+ print("modified", binascii.hexlify(data))
+ s2.send(data)
+ resp = s2.recv(32768)
+ print("response", len(resp))
+ resp = bytearray(resp)
+ conn.send(resp)
+
+conn.close()
+s.close()
diff --git a/tests/smb-length-5786/test.yaml b/tests/smb-length-5786/test.yaml
new file mode 100644
index 000000000..98489e63c
--- /dev/null
+++ b/tests/smb-length-5786/test.yaml
@@ -0,0 +1,11 @@
+# disables checksum verification
+args:
+- -k none --set app-layer.protocols.smb.max-write-size=200
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.filename: "toto.txt"
+ dest_port: 445
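Review bot: The empty-read check in the relay loop comes one line too late: `print("received", len(data), data[16])` indexes `data` before `if len(data) == 0: break` runs, so a client closing the connection ends the proxy with an IndexError instead of a clean exit, and any segment shorter than 117 bytes hits the same problem at `data[16]`, `data[73]` or `data[116]` (indentation is lost in the collapsed hunk, so which statements sit inside the `if data[16] == 9` branch is inferred). A safer loop tests `if not data: break` first, rewrites only a segment long enough to hold the SMB2 WRITE header plus one byte of file data and relays anything shorter unchanged, guards `data[73] -= 2` against underflow (a negative value raises ValueError on a bytearray), and uses `sendall` so a partial `send` cannot silently truncate the relayed request. `sys`, `Thread`, `time` and the local `changed` are never used, `ok` is never set to False, and the log string `"accpeted, now connecting"` has a typo. The comment `# let's remove 512 to the length` only matches `data[73] - 2` because byte 73 is the second byte of a little-endian field; saying so keeps the offset readable.
```python
while True:
    data = conn.recv(32768)
    if not data:
        break
    data = bytearray(data)
    # Only rewrite a segment long enough to hold NBSS + SMB2 header + WRITE
    # request header + one byte of file data (offset 116); relay anything shorter as-is.
    if len(data) > 116 and data[16] == 9:
        print("write", data[116])
        if data[116] == 69 and data[73] >= 2:
            # file data starts with 'E': subtract 512 from the little-endian
            # Length field by decrementing its second byte (offset 73)
            data[73] -= 2
    print("modified", binascii.hexlify(data))
    s2.sendall(data)
    # … unchanged: response relay back to the client …
```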
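Review bot: The single check only asserts that one `fileinfo` event for `toto.txt` reaches port 445, which does not by itself show that the shortened Length field was handled correctly, since a fileinfo event would also be emitted if the parser used the NBSS length and swallowed the padding. Pinning the extracted size, e.g. `fileinfo.size: <expected write length, not on this page>`, or checking for the anomaly event the fix emits if there is one, would tie the test to the bug being fixed. The `# disables checksum verification` comment covers only `-k none`; the `max-write-size=200` setting on the same line presumably bounds the write the parser tracks and deserves its own comment.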