From: frank honza
Date: Fri, 27 Mar 2020 15:18:24 +0000 (+0100)
Subject: ikev1: add ikev1 test
X-Git-Tag: suricata-6.0.4~130
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c43375f6e6912b4ece0e93c654ecfdd019f598b9;p=thirdparty%2Fsuricata-verify.git

ikev1: add ikev1 test
---
diff --git a/tests/ikev1-rules/ikev1-isakmp-main-mode.pcap b/tests/ikev1-rules/ikev1-isakmp-main-mode.pcap
new file mode 100644
index 000000000..2b1d5cf12
Binary files /dev/null and b/tests/ikev1-rules/ikev1-isakmp-main-mode.pcap differ
diff --git a/tests/ikev1-rules/suricata.yaml b/tests/ikev1-rules/suricata.yaml
new file mode 100644
index 000000000..31c15fe17
--- /dev/null
+++ b/tests/ikev1-rules/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+
+app-layer:
+ protocols:
+ ike:
+ enabled: yes
diff --git a/tests/ikev1-rules/test.rules b/tests/ikev1-rules/test.rules
new file mode 100644
index 000000000..6982351cb
--- /dev/null
+++ b/tests/ikev1-rules/test.rules
@@ -0,0 +1,16 @@
+alert ike any any -> any any (msg:"ike initiator"; ike.init_spi; content:"e47a591fd057587f"; sid:1;)
+alert ike any any -> any any (msg:"ike responder"; ike.resp_spi; content:"a00b8ef0902bb8ec"; sid:2;)
+alert ike any any -> any any (msg:"ike hash algorithm"; ike.chosen_sa_attribute:alg_hash=2;sid:5;)
+alert ike any any -> any any (msg:"ike encryption algorithm"; ike.chosen_sa_attribute:alg_enc=7;sid:6;)
+alert ike any any -> any any (msg:"ike auth method"; ike.chosen_sa_attribute:alg_auth=1;sid:7;)
+alert ike any any -> any any (msg:"ike group description"; ike.chosen_sa_attribute:alg_dh=2;sid:8;)
+alert ike any any -> any any (msg:"ike life type"; ike.chosen_sa_attribute:sa_life_type=1;sid:15;)
+alert ike any any -> any any (msg:"ike life duration"; ike.chosen_sa_attribute:sa_life_duration=86400;sid:16;)
+alert ike any any -> any any (msg:"ike key length"; ike.chosen_sa_attribute:sa_key_length=128;sid:17;)
+alert ike any any -> any any (msg:"ike exchange type"; ike.exchtype:2; sid:11;)
+alert ike any any -> any any (msg:"ike vendor"; ike.vendor; content:"4a131c81070358455c5728f20e95452f"; sid:12;)
+alert ike any any -> any any (msg:"ike server key exchange"; ike.key_exchange_payload; content:"|6d026d5616c45be05e5b898411e9f95d195cea009ad22c62bef06c571b7cfbc4792f45564ec710ac584aa18d20cbc8f5f8910666b89e4ee2f95abc0230e2cba1b88ac4bba7fcc818a986c01a4ca865a5eb82884dbec85bfd7d1a303b09894dcf2e3785fd79dba225377cf8cca009ceffbb6aa38b648c4b05404f1cfaac361aff|"; flow:to_client; sid:13;)
+alert ike any any -> any any (msg:"ike client key exchange"; ike.key_exchange_payload; content:"|3504d3d2ed14e0ca03b851a51a9da2e5a4c14c1d7ec3e1fbe950025424514b3c69ed7fbb44e09225da52d2a92604a99bf61b7beed7fbfa635e82f065f4fe780751354dbe474c3de7207dcf69fdbbed32c1691cc149b318eee00370e65fc3069bbacfb013467173966e9d5f4bc4f3857e359bba3adbb6efeea516f3897d8534f3|"; flow:to_server; sid:14;)
+alert ike any any -> any any (msg:"ike key payload length"; ike.key_exchange_payload_length:>100; 
sid:9;)
+alert ike any any -> any any (msg:"ike nonce payload length"; ike.nonce_payload_length:<200; sid:3;)
+alert ike any any -> any any (msg:"ike nonce payload"; ike.nonce_payload; content:"|89d7c8fbf94b515b521d5d9589c2602021e1a709|"; sid:4;)
diff --git a/tests/ikev1-rules/test.yaml b/tests/ikev1-rules/test.yaml
new file mode 100644
index 000000000..425774a56
--- /dev/null
+++ b/tests/ikev1-rules/test.yaml
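Review bot: The chosen_sa_attribute rules (sid 5–8 and 15–17) match raw IKEv1 attribute codes with no comment saying what each code stands for, so a reader has to cross-reference the sibling tests/ikev1/test.yaml to learn that alg_hash=2, alg_enc=7, alg_auth=1 and alg_dh=2 correspond to the SHA / AES-CBC / pre-shared-key / 1024-bit MODP negotiation that test expects. A `#` comment above those lines, e.g. `# chosen SA on this pcap: alg_hash=2 (SHA), alg_enc=7 (AES-CBC), alg_auth=1 (PSK), alg_dh=2 (1024-bit MODP) - see tests/ikev1/test.yaml`, would make the fixture self-describing. The sids are also assigned out of file order with gaps (1, 2, 5, 6, 7, 8, 15, 16, 17, 11, 12, 13, 14, 9, 3, 4); renumbering sequentially, or ordering the rules by sid, would make the count checks in test.yaml easier to map back to the rule that produced them. The sid:9 rule is wrapped across two lines in this rendering; it is one rule in the file.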
@@ -0,0 +1,104 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/ike/parser.rs
+ min-version: 6.0.0
+
+checks:
+ - filter:
+ count: 5
+ match:
+ event_type: alert
+ alert.signature: "ike initiator"
+
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature: "ike responder"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike nonce payload"
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature: "ike nonce payload length"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike hash algorithm"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike encryption algorithm"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike auth method"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike group description"
+
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature: "ike key payload length"
+
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature: "ike exchange type"
+
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike vendor"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike server key exchange"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike client key exchange"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike life type"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike life duration"
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature: "ike key length"
diff --git a/tests/ikev1/ikev1-isakmp-main-mode.pcap b/tests/ikev1/ikev1-isakmp-main-mode.pcap
new file mode 100644
index 000000000..2b1d5cf12
Binary files /dev/null and b/tests/ikev1/ikev1-isakmp-main-mode.pcap differ
diff --git a/tests/ikev1/suricata.yaml b/tests/ikev1/suricata.yaml
new file mode 100644
index 000000000..d14afc023
--- /dev/null
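Review bot: The expected counts differ per signature with no comment explaining why, which makes the fixture hard to maintain: "ike exchange type" expects 6 alerts, "ike initiator" 5, "ike responder" 4, and the two length rules 2 each, while every attribute rule expects 1. A short comment under `checks:` saying what the capture contains and why the counts diverge (presumably the six main-mode messages, with the responder SPI not yet set in the first message and the length rules firing once per direction — confirm against the pcap) would let the next person who touches the rules or the parser tell a regression from an expected difference. Something like `# six-message IKEv1 main mode exchange; per-message rules fire 6x, per-direction rules 2x, SA-attribute rules once` above the first filter would do.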
+++ b/tests/ikev1/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - ike
+ - flow
+
+app-layer:
+ protocols:
+ ike:
+ enabled: yes
diff --git a/tests/ikev1/test.yaml b/tests/ikev1/test.yaml
new file mode 100644
index 000000000..6374aba36
--- /dev/null
+++ b/tests/ikev1/test.yaml
@@ -0,0 +1,27 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ files:
+ - rust/src/ike/parser.rs
+ min-version: 6.0.0
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: ike
+
+ - filter:
+ count: 1
+ match:
+ event_type: ike
+ ike.init_spi: "e47a591fd057587f"
+ ike.resp_spi: "a00b8ef0902bb8ec"
+ ike.exchange_type: 2
+ ike.ikev1.client.nonce_payload: "89d7c8fbf94b515b521d5d9589c2602021e1a709"
+ ike.ikev1.server.nonce_payload: "15b688421ed5c3dd92d3b86e47a76f0d39cc09e0"
+ ike.alg_enc: "EncAesCbc"
+ ike.alg_hash: "HashSha"
+ ike.alg_dh: "GroupAlternate1024BitModpGroup"
+ ike.alg_auth: "AuthPreSharedKey"
diff --git a/tests/ikev2-weak-dh/test.yaml b/tests/ikev2-weak-dh/test.yaml
index 436d6444f..0ef35ceca 100644
--- a/tests/ikev2-weak-dh/test.yaml
+++ b/tests/ikev2-weak-dh/test.yaml
@@ -18,6 +18,7 @@ checks:
 - filter:
 count: 1
+ version: 4
 match:
 event_type: ikev2
 ikev2.version_major: 2
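Review bot: The `event_type: ike` filter in tests/ikev1/test.yaml pins the negotiated parameters but never says what kind of capture this is, and the values matter: `ike.alg_dh: "GroupAlternate1024BitModpGroup"` is the 1024-bit MODP group, the same weak-DH class the neighbouring tests/ikev2-weak-dh test exists to flag, alongside SHA-1 hashing and pre-shared-key auth. A comment on the filter such as `# main mode exchange negotiating AES-CBC / SHA / PSK / 1024-bit MODP (weak DH); deliberate, so this pcap is a positive case for any future IKEv1 weak-parameter checks` would record that the fixture is intentionally weak rather than an oversight. It would also help to note why `count: 1` is expected for the ike event when the companion tests/ikev1-rules test counts six "ike exchange type" alerts on the same pcap (presumably one ike event per exchange rather than per message — confirm against the parser).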
@@ -31,3 +32,38 @@ checks:
 ikev2.payload[1]: KeyExchange
 ikev2.payload[2]: SecurityAssociation
 ikev2.payload[3]: NoNextPayload
+
+ - filter:
+ count: 1
+ version: 5
+ match:
+ event_type: ikev2
+ ikev2.version_major: 2
+ ikev2.exchange_type: 34
+ ikev2.message_id: 0
+ ikev2.init_spi: "61d3693ce12af528"
+ ikev2.resp_spi: "0000000000000000"
+ ikev2.role: initiator
+ ikev2.errors: 0
+ ikev2.payload[0]: Nonce
+ ikev2.payload[1]: KeyExchange
+ ikev2.payload[2]: SecurityAssociation
+ ikev2.payload[3]: NoNextPayload
+
+ # from suricata version >=6 the event_type for ikev2 is ike
+ - filter:
+ count: 1
+ min-version: 6
+ match:
+ event_type: ike
+ ike.version_major: 2
+ ike.exchange_type: 34
+ ike.message_id: 0
+ ike.init_spi: "61d3693ce12af528"
+ ike.resp_spi: "0000000000000000"
+ ike.role: initiator
+ ike.ikev2.errors: 0
+ ike.payload[0]: Nonce
+ ike.payload[1]: KeyExchange
+ ike.payload[2]: SecurityAssociation
+ ike.payload[3]: NoNextPayload
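Review bot: The `version: 5` filter added here is a line-for-line copy of the existing filter that the earlier hunk pins to `version: 4`, differing only in the version key, so the two sets of expected values can silently drift apart. If the harness accepts a version range on a filter, one bounded filter covering versions 4 and 5 would replace both; if it does not, a one-line comment saying why the block is duplicated would stop the next reader from "deduplicating" it. The new comment `# from suricata version >=6 the event_type for ikev2 is ike` explains the event_type rename but not the field changes beneath it: every `ikev2.*` key flattens to `ike.*` except `ikev2.errors`, which becomes `ike.ikev2.errors`. Extending it to `# from suricata version >=6 the event_type for ikev2 is ike and fields move to ike.*, except errors which is ike.ikev2.errors` documents the one asymmetry a reader is most likely to get wrong when adding fields later.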