From: Victor Julien
Date: Mon, 27 May 2024 14:43:37 +0000 (+0200)
Subject: tests: add tcp split handshake tests
X-Git-Tag: suricata-7.0.7~79
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d633f24e484ced29adf8e702721e222fe490758;p=thirdparty%2Fsuricata-verify.git

tests: add tcp split handshake tests
---

diff --git a/tests/tcp-split-handshake-01-4whs/README.md b/tests/tcp-split-handshake-01-4whs/README.md
new file mode 100644
index 000000000..9694431b1
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/README.md
@@ -0,0 +1,3 @@
+Based on split handshake research by Tod Beardsley
+
+https://www.macrothink.org/journal/index.php/npa/article/view/285/807
diff --git a/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap b/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap
new file mode 100644
index 000000000..ddee6c38f
Binary files /dev/null and b/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap differ
diff --git a/tests/tcp-split-handshake-01-4whs/split-handshake.py b/tests/tcp-split-handshake-01-4whs/split-handshake.py
new file mode 100755
index 000000000..45c00941b
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/split-handshake.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+src='1.1.1.1'
+dst='2.2.2.2'
+dport=80
+sport=12345
+smac='11:11:11:11:11:11'
+dmac='22:22:22:22:22:22'
+
+pkts = []
+
+# CLIENT: SYN
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="S",seq=1000)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=2000,ack=1001)
+# SERVER: SYN
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="S",seq=3000)
+# CLIENT: SYN/ACK
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="SA",seq=1000,ack=3001)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1001)
+
+# CLIENT: EVIL DATA
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="A",seq=1001,ack=3001)/"EVIL"
+# SERVER: ACK EVIL DATA
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1005)
+
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="R",seq=1005)
+
+wrpcap('split-handshake-5whs.pcap', pkts)
+
+
+pkts = []
+
+# CLIENT: SYN
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="S",seq=1000)
+# SERVER: SYN
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="S",seq=3000)
+# CLIENT: SYN/ACK
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="SA",seq=1000,ack=3001)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1001)
+
+# CLIENT: EVIL DATA
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="A",seq=1001,ack=3001)/"EVIL"
+# SERVER: ACK EVIL DATA
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1005)
+
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="R",seq=1005)
+
+wrpcap('split-handshake-4whs.pcap', pkts)
diff --git a/tests/tcp-split-handshake-01-4whs/test.rules b/tests/tcp-split-handshake-01-4whs/test.rules
new file mode 100644
index 000000000..50c499513
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"EVIL"; sid:2;)
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
diff --git a/tests/tcp-split-handshake-01-4whs/test.yaml b/tests/tcp-split-handshake-01-4whs/test.yaml
new file mode 100644
index 000000000..4bb2f0a5a
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/test.yaml
@@ -0,0 +1,16 @@
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
diff --git a/tests/tcp-split-handshake-02-5whs/README.md b/tests/tcp-split-handshake-02-5whs/README.md
new file mode 100644
index 000000000..9694431b1
--- /dev/null
+++ b/tests/tcp-split-handshake-02-5whs/README.md
@@ -0,0 +1,3 @@
+Based on split handshake research by Tod Beardsley
+
+https://www.macrothink.org/journal/index.php/npa/article/view/285/807
diff --git a/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap b/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap
new file mode 100644
index 000000000..b37bb5704
Binary files /dev/null and b/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap differ
diff --git a/tests/tcp-split-handshake-02-5whs/test.rules b/tests/tcp-split-handshake-02-5whs/test.rules
new file mode 100644
index 000000000..50c499513
--- /dev/null
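Review bot: split-handshake.py has no module docstring, and it writes both captures (`split-handshake-5whs.pcap`, `split-handshake-4whs.pcap`) to the current directory, although the 5whs capture is committed under tests/tcp-split-handshake-02-5whs/, which holds no copy of the generator. A header docstring such as `"""Generate the pcaps for the tcp-split-handshake-01-4whs and -02-5whs tests: a 5-way (SYN, ACK, SYN, SYN/ACK, ACK) and a 4-way (SYN, SYN, SYN/ACK, ACK) split handshake, each followed by client data, the server's ACK and a client RST; the 5whs output presumably has to be moved to the sibling 02-5whs test directory by hand."""` would tell the next person regenerating the captures where each output belongs. On style, `pkts += Ether(...)/...` relies on list `+=` iterating the scapy Packet in order to add it; `pkts.append(Ether(...)/...)` states the intent directly. The two blocks differ only in the extra SERVER: ACK after the client SYN, so a small helper that builds the common tail (SYN/ACK, ACK, data, data ACK, RST) onto a given list of handshake packets would remove the duplicated packet construction.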
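Review bot: The checks in test.yaml pin only that each of the three rules alerts exactly once; nothing asserts how the stream engine classified the split handshake, which is the property these tests exist to guard, and today only sid 2 (tcp-stream) depends on it indirectly through reassembly. If the test's suricata.yaml logs flow events, a fourth filter with `count: 1` matching `event_type: flow` and `flow.state: established` would make a regression in handshake tracking fail the test directly. The same applies to tests/tcp-split-handshake-02-5whs/test.yaml, which is byte-identical.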
+++ b/tests/tcp-split-handshake-02-5whs/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"EVIL"; sid:2;)
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
diff --git a/tests/tcp-split-handshake-02-5whs/test.yaml b/tests/tcp-split-handshake-02-5whs/test.yaml
new file mode 100644
index 000000000..4bb2f0a5a
--- /dev/null
+++ b/tests/tcp-split-handshake-02-5whs/test.yaml
@@ -0,0 +1,16 @@
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3