From: Haleema Khan
Date: Fri, 3 Feb 2023 18:49:27 +0000 (+0500)
Subject: ttl: add tests for prefilter keyword for ipv6 packets
X-Git-Tag: suricata-6.0.12~32
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9f98e597cd006eab8e2ccb1f6b50aa3c0969a13;p=thirdparty%2Fsuricata-verify.git
ttl: add tests for prefilter keyword for ipv6 packets
Ticket #5800
---
diff --git a/tests/detect-ttl-ipv6/README.md b/tests/detect-ttl-ipv6/README.md
new file mode 100644
index 000000000..4becd44be
--- /dev/null
+++ b/tests/detect-ttl-ipv6/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Tests the `prefilter` keyword for `ttl` for `ipv6` packets which is used to check for a specific IP time-to-live value in the header of a packet.
+
+PCAP
+====
+PCAP comes from an [existing IPV6 test](https://github.com/OISF/suricata-verify/blob/master/tests/ipv6-evasion/ipv6-covert-dstopts/covert_send6.pcap04-vnc-openwall-3.8.pcap)
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5800
\ No newline at end of file
diff --git a/tests/detect-ttl-ipv6/test.rules b/tests/detect-ttl-ipv6/test.rules
new file mode 100644
index 000000000..e604b05eb
--- /dev/null
+++ b/tests/detect-ttl-ipv6/test.rules
@@ -0,0 +1,3 @@
+alert ip any any -> any any (ttl:254; prefilter; sid:1;)
+alert ip any any -> any any (ttl:64; prefilter; sid:2;)
+alert ip any any -> any any (ttl:255; prefilter; sid:3;)
\ No newline at end of file
diff --git a/tests/detect-ttl-ipv6/test.yaml b/tests/detect-ttl-ipv6/test.yaml
new file mode 100644
index 000000000..665602d11
--- /dev/null
+++ b/tests/detect-ttl-ipv6/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../ipv6-evasion/ipv6-covert-dstopts/covert_send6.pcap
+
+checks:
+ - filter:
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 1
+
+ - filter:
+ count: 18
+ match:
+ event_type: alert
+ alert.signature_id: 2
+
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
\ No newline at end of file
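Review bot: Nothing in test.rules records why a keyword named `ttl` is being exercised on IPv6 traffic, so a reader of sid:1–3 has to go back to the ticket to learn that the engine applies `ttl` to the IPv6 hop-limit field and that `prefilter` is what moves the match into the prefilter path; a header comment would make that traceable: `# ttl matches the IPv6 hop-limit; prefilter forces the ttl engine into the prefilter stage (Redmine #5800)`. The three `alert ip` signatures also fire on IPv4 packets carrying the same TTL, so if the borrowed pcap contains any IPv4 frames (not visible here) the counts asserted in test.yaml would include them — worth confirming against the capture. The file is also committed without a trailing newline (`\ No newline at end of file`); ending it with one keeps later diffs clean.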
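Review bot: The three `filter` checks pin exact alert counts but nothing pins that those alerts came from IPv6 packets, which is the regression this test is meant to guard; if the pcap also holds IPv4 frames, the `ttl:` rules would count them and the test could keep passing even if the IPv6 prefilter path broke again. Adding a `src_ip`/`dest_ip` pair from a known IPv6 flow in the capture to each `match:` block would tie the counts to IPv6 traffic specifically. Note also that the README in this commit links the pcap as `covert_send6.pcap04-vnc-openwall-3.8.pcap` while the `pcap:` line here references `covert_send6.pcap`; one of the two paths is wrong and should be reconciled. The file also lacks a trailing newline.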