From: Eloy Pérez González
Date: Fri, 25 Feb 2022 10:18:40 +0000 (+0100)
Subject: smb2-named-pipe-unicode: new test for smb_named_pipe keyword
X-Git-Tag: suricata-5.0.10~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a99d11e43458a5d9382187c81c1324c6e750f0bf;p=thirdparty%2Fsuricata-verify.git

smb2-named-pipe-unicode: new test for smb_named_pipe keyword
---
diff --git a/tests/smb2-named-pipe-unicode/README.md b/tests/smb2-named-pipe-unicode/README.md
new file mode 100644
index 000000000..844d73408
--- /dev/null
+++ b/tests/smb2-named-pipe-unicode/README.md
@@ -0,0 +1,10 @@
+# Description
+
+Tests SMBv2 named pipe.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 10
+
+Command is
+`smbclient '\\ServerIP\IPC$ -U domain\\username` where ServerIP is the IP address of the Windows 10 server
diff --git a/tests/smb2-named-pipe-unicode/input.pcap b/tests/smb2-named-pipe-unicode/input.pcap
new file mode 100644
index 000000000..f6230fa6a
Binary files /dev/null and b/tests/smb2-named-pipe-unicode/input.pcap differ
diff --git a/tests/smb2-named-pipe-unicode/test.rules b/tests/smb2-named-pipe-unicode/test.rules
new file mode 100644
index 000000000..4647daa4e
--- /dev/null
+++ b/tests/smb2-named-pipe-unicode/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"named_pipe"; flow:established; smb_named_pipe; content:"IPC$"; sid:1; rev:1;)
diff --git a/tests/smb2-named-pipe-unicode/test.yaml b/tests/smb2-named-pipe-unicode/test.yaml
new file mode 100644
index 000000000..54b53cc40
--- /dev/null
+++ b/tests/smb2-named-pipe-unicode/test.yaml
@@ -0,0 +1,15 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - RUST
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
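Review bot: The single rule in test.rules uses `flow:established;` with no direction, so it is evaluated on traffic in both directions even though the share path the `smb_named_pipe` buffer inspects is, as far as the README describes it, sent by the client in its connect request. Pinning the direction keeps the `count: 1` expectation meaningful if the buffer is ever populated for a server-side record as well: `alert smb any any -> any any (msg:"SMB2 named pipe - IPC$ share (unicode)"; flow:established,to_server; smb_named_pipe; content:"IPC$"; sid:1; rev:1;)`. The msg change is style only; the original `msg:"named_pipe"` says nothing about what is being exercised when the alert shows up in EVE output.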
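Review bot: The check in test.yaml asserts only that exactly one alert with `alert.signature_id: 1` is raised, and nothing in the file records why this particular pcap is interesting; the directory name suggests the share name in the capture is encoded as UTF-16, but the filter would pass identically for a plain ASCII path, so a regression in the decoding would only be caught if it also changed the alert count. A one-line comment above `checks:` stating the intent, e.g. `# share name in the pcap is encoded as unicode; smb_named_pipe must expose it decoded so the ASCII content matches`, would document what the test protects. If the alert record carries the matched share name as a field, adding it as a second `match:` key would make the assertion explicit — confirm the field name against the actual EVE output before relying on it.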