From: Philippe Antoine Date: Fri, 28 Feb 2020 14:17:59 +0000 (+0100) Subject: Adds passing test for IPv6 evasion atomic fragment X-Git-Tag: suricata-6.0.4~347 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8022fc9f545d262373bfb0f9b5a385eeb76f7c6;p=thirdparty%2Fsuricata-verify.git Adds passing test for IPv6 evasion atomic fragment --- diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/README.md b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/README.md new file mode 100644 index 000000000..43a196297 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/README.md @@ -0,0 +1,7 @@ +# Description + +Test an attack causing atomic fragments and therefore a DOS attack as described in RFC8021 + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules new file mode 100644 index 000000000..b68419410 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA IPv6 atomic fragment"; icmpv6.mtu:<1280; sid:1;) diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.yaml b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.yaml new file mode 100644 index 000000000..0f1f776ba --- /dev/null +++ b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/toobig.pcap b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/toobig.pcap new file mode 100644 index 000000000..1766edf59 Binary files /dev/null and b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/toobig.pcap differ
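Review bot: The README description is too terse to explain what the capture exercises: it says "an attack causing atomic fragments" but the rule and the `toobig.pcap` name indicate the trigger is an ICMPv6 Packet Too Big message advertising an MTU below 1280, so state that explicitly, e.g. "ICMPv6 Packet Too Big with MTU < 1280 (the IPv6 minimum), which makes the victim emit atomic fragments; see RFC 8021". Minor: "DOS" should be "DoS", "RFC8021" should be "RFC 8021", and the "Pcap from" line points at a directory rather than the specific file, so name the file (and its license, if known) so the test's provenance stays reproducible.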
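Review bot: In test.rules the `msg` is misleading: the signature matches an ICMPv6 message whose MTU field is below 1280, i.e. the Packet Too Big trigger, not an atomic fragment itself, so a message such as "SURICATA ICMPv6 Packet Too Big MTU < 1280 (atomic fragment trigger)" would be less likely to be misread in alert output. Style points on the same line: the rule carries no `rev` or `classtype`, and using `icmpv6` as the protocol instead of `pkthdr` would make the intent explicit since `icmpv6.mtu` only applies to ICMPv6 anyway.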
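Review bot: The check in test.yaml only asserts that exactly one alert with `alert.signature_id: 1` is produced; it does not tie the alert to the packet that carries the undersized MTU, so a match on some other packet plus a miss on the intended one would still pass. If the triggering packet's position in the capture is known, add `pcap_cnt` to the `match` block so the test fails when the alert fires on the wrong packet.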