From: Shivani Bhardwaj
Date: Fri, 22 Jan 2021 13:17:08 +0000 (+0530)
Subject: dcerpc/udp: test with Scapy gen PCAP
X-Git-Tag: suricata-6.0.4~149
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a195232186c6978094ce8c4ceeee92d9a222cd09;p=thirdparty%2Fsuricata-verify.git

dcerpc/udp: test with Scapy gen PCAP
---

diff --git a/tests/dcerpc/dcerpc-udp-scapy/dcerpc_udp_scapy.py b/tests/dcerpc/dcerpc-udp-scapy/dcerpc_udp_scapy.py
new file mode 100644
index 000000000..054482e89
--- /dev/null
+++ b/tests/dcerpc/dcerpc-udp-scapy/dcerpc_udp_scapy.py
@@ -0,0 +1,62 @@
+#!/usr/bin/env python
+
+from uuid import uuid4
+from scapy.all import wrpcap, Ether, IP, UDP
+from scapy.contrib.dce_rpc import DceRpc
+
+
+def create_pkt(rtype, seqnum, obj, iface, act):
+    """
+    Create a DCE/RPC over UDP packet as per the given arguments.
+    This function is responsible for creating request as well as
+    response packets.
+
+    Scapy layering has been done (default) as per the TCP/IP model.
+
+    Data Link Layer (Ether)
+    |
+    Internet Layer (IP)
+    |
+    Transport Layer (UDP)
+    |
+    Application Layer (DceRpc)
+
+    """
+    # sport and dport at default make the packet be detected as
+    # a DNS packet by Wireshark so change it
+    return Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05') / \
+        IP(dst='255.255.255.255', src='192.168.0.1') / \
+        UDP(sport=80, dport=8000) / \
+        DceRpc(
+            type=rtype,
+            flags1=0x01,
+            sequence_num=seqnum,
+            object_uuid=obj,
+            interface_uuid=iface,
+            activity=act,
+        )
+
+
+def create_pcap():
+    """
+    Method to create a few request response cycles
+    """
+    pkts = list()
+    for i in range(0, 10):
+        if i % 2 == 0:
+            activity_uuid = uuid4()
+            pkts.append(create_pkt(rtype=0,
+                                   seqnum=i,
+                                   obj=uuid4(),
+                                   iface=uuid4(),
+                                   act=activity_uuid,))
+        else:
+            pkts.append(create_pkt(rtype=2,
+                                   seqnum=i-1,
+                                   obj=uuid4(),
+                                   iface=uuid4(),
+                                   act=activity_uuid,))
+    return pkts
+
+
+wrpcap('input.pcap', create_pcap())
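Review bot: The pcap this script writes is not reproducible, because every packet draws fresh `uuid4()` values for object_uuid, interface_uuid and activity, while the test.yaml added in this same commit pins exact `dcerpc.activityuuid` values for the committed input.pcap, so re-running the generator would silently invalidate those checks. If regeneration is meant to be supported, derive the UUIDs from a seeded generator (for example `uuid.UUID(int=rng.getrandbits(128), version=4)` with `rng = random.Random(<constructed seed>)`); otherwise a comment at the top of `create_pcap` should state that re-running the script requires updating the UUIDs in test.yaml. The `wrpcap('input.pcap', create_pcap())` call runs at import time and writes into the current directory; guarding it with `if __name__ == "__main__":` keeps the module importable without side effects. Minor style: `pkts = list()` and `range(0, 10)` read more idiomatically as `pkts = []` and `range(10)`, and the `create_pcap` docstring calls a module-level function a "Method".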
diff --git a/tests/dcerpc/dcerpc-udp-scapy/input.pcap b/tests/dcerpc/dcerpc-udp-scapy/input.pcap
new file mode 100644
index 000000000..313b697c4
Binary files /dev/null and b/tests/dcerpc/dcerpc-udp-scapy/input.pcap differ
diff --git a/tests/dcerpc/dcerpc-udp-scapy/test.yaml b/tests/dcerpc/dcerpc-udp-scapy/test.yaml
new file mode 100644
index 000000000..115ec4511
--- /dev/null
+++ b/tests/dcerpc/dcerpc-udp-scapy/test.yaml
@@ -0,0 +1,125 @@
+requires:
+  min-version: 6.0
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      dcerpc.activityuuid: dddc324e-03d8-af4e-86ee-7650df599e40
+      dcerpc.req.frag_cnt: 1
+      dcerpc.req.opnum: 0
+      dcerpc.req.stub_data_size: 0
+      dcerpc.request: REQUEST
+      dcerpc.res.frag_cnt: 1
+      dcerpc.res.stub_data_size: 0
+      dcerpc.response: RESPONSE
+      dcerpc.rpc_version: '4.0'
+      dcerpc.seqnum: 0
+      dest_ip: 255.255.255.255
+      dest_port: 8000
+      event_type: dcerpc
+      pcap_cnt: 2
+      proto: UDP
+      src_ip: 192.168.0.1
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      dcerpc.activityuuid: 83d81b49-4532-1e4b-9e9d-b3264564992e
+      dcerpc.req.frag_cnt: 1
+      dcerpc.req.opnum: 0
+      dcerpc.req.stub_data_size: 0
+      dcerpc.request: REQUEST
+      dcerpc.res.frag_cnt: 1
+      dcerpc.res.stub_data_size: 0
+      dcerpc.response: RESPONSE
+      dcerpc.rpc_version: '4.0'
+      dcerpc.seqnum: 2
+      dest_ip: 255.255.255.255
+      dest_port: 8000
+      event_type: dcerpc
+      pcap_cnt: 4
+      proto: UDP
+      src_ip: 192.168.0.1
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      dcerpc.activityuuid: 34c2dfa9-aaa5-3b4a-a899-1ff934073dcb
+      dcerpc.req.frag_cnt: 1
+      dcerpc.req.opnum: 0
+      dcerpc.req.stub_data_size: 0
+      dcerpc.request: REQUEST
+      dcerpc.res.frag_cnt: 1
+      dcerpc.res.stub_data_size: 0
+      dcerpc.response: RESPONSE
+      dcerpc.rpc_version: '4.0'
+      dcerpc.seqnum: 4
+      dest_ip: 255.255.255.255
+      dest_port: 8000
+      event_type: dcerpc
+      pcap_cnt: 6
+      proto: UDP
+      src_ip: 192.168.0.1
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      dcerpc.activityuuid: 45c10d80-5695-384c-b710-0d51f16d9406
+      dcerpc.req.frag_cnt: 1
+      dcerpc.req.opnum: 0
+      dcerpc.req.stub_data_size: 0
+      dcerpc.request: REQUEST
+      dcerpc.res.frag_cnt: 1
+      dcerpc.res.stub_data_size: 0
+      dcerpc.response: RESPONSE
+      dcerpc.rpc_version: '4.0'
+      dcerpc.seqnum: 6
+      dest_ip: 255.255.255.255
+      dest_port: 8000
+      event_type: dcerpc
+      pcap_cnt: 8
+      proto: UDP
+      src_ip: 192.168.0.1
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      dcerpc.activityuuid: de28b15f-be84-f74c-8d6d-47b041bfba76
+      dcerpc.req.frag_cnt: 1
+      dcerpc.req.opnum: 0
+      dcerpc.req.stub_data_size: 0
+      dcerpc.request: REQUEST
+      dcerpc.res.frag_cnt: 1
+      dcerpc.res.stub_data_size: 0
+      dcerpc.response: RESPONSE
+      dcerpc.rpc_version: '4.0'
+      dcerpc.seqnum: 8
+      dest_ip: 255.255.255.255
+      dest_port: 8000
+      event_type: dcerpc
+      pcap_cnt: 10
+      proto: UDP
+      src_ip: 192.168.0.1
+      src_port: 80
+- filter:
+    count: 1
+    match:
+      app_proto: dcerpc
+      dest_ip: 255.255.255.255
+      dest_port: 8000
+      event_type: flow
+      flow.age: 0
+      flow.alerted: false
+      flow.bytes_toclient: 0
+      flow.bytes_toserver: 1220
+      flow.pkts_toclient: 0
+      flow.pkts_toserver: 10
+      flow.reason: shutdown
+      flow.state: new
+      proto: UDP
+      src_ip: 192.168.0.1
+      src_port: 80
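Review bot: The final flow check's `flow.pkts_toclient: 0` and `flow.pkts_toserver: 10` expectations hold only because the generator script in this commit emits the RESPONSE packets with the same source and destination addresses and ports as the requests, so the entire exchange is classified as to-server; a reader of this file alone cannot see that. A one-line comment above that filter, `# responses reuse the request 5-tuple direction, so all 10 packets count as to-server`, would stop the values from being "corrected" later. The five dcerpc checks also depend on activity UUIDs bound to the committed input.pcap, which is the reproducibility point raised on the dcerpc_udp_scapy.py hunk.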