From: Angelo Mirabella
Date: Thu, 20 Jan 2022 14:49:54 +0000 (+0000)
Subject: bug-4877: add test for stream-tcp-reassembly issue
X-Git-Tag: suricata-6.0.5~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc76a632850b6de14cc545229a15af0f08409f06;p=thirdparty%2Fsuricata-verify.git
bug-4877: add test for stream-tcp-reassembly issue
---
diff --git a/tests/bug-4877/input.pcap b/tests/bug-4877/input.pcap
new file mode 100644
index 000000000..6e9903814
Binary files /dev/null and b/tests/bug-4877/input.pcap differ
diff --git a/tests/bug-4877/suricata.yaml b/tests/bug-4877/suricata.yaml
new file mode 100644
index 000000000..f6812cd7f
--- /dev/null
+++ b/tests/bug-4877/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - files
+ - file-store:
+ version: 2
+ enabled: yes
+ force-filestore: yes
+ stream-depth: 0
diff --git a/tests/bug-4877/test.rules b/tests/bug-4877/test.rules
new file mode 100644
index 000000000..c1c7b65c2
--- /dev/null
+++ b/tests/bug-4877/test.rules
@@ -0,0 +1,2 @@
+alert ftp-data any any -> any any (msg:"FILE FTP signature: windows executable"; flow:established; content: "MZ"; within:2; filestore; noalert; sid:1; rev:1;)
+alert ftp-data any any -> any any (msg:"FILE FTP signature: pdf document"; flow:established; content: "%PDF-"; within:1024; filestore; noalert; sid:2; rev:1;)
diff --git a/tests/bug-4877/test.yaml b/tests/bug-4877/test.yaml
new file mode 100644
index 000000000..56f4c8652
--- /dev/null
+++ b/tests/bug-4877/test.yaml
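Review bot: `stream-depth: 0` under `file-store` carries no explanation, and in a test named for a stream-reassembly bug a reader needs to know whether that value is a precondition for reproducing the bug or just housekeeping. In Suricata's file-store section a value of 0 presumably means "no limit", overriding the global reassembly depth for flows that store files; if that is the reason it is here, a comment such as `stream-depth: 0  # no limit: do not let stream.reassembly.depth truncate the extracted files` would make the intent explicit. `force-filestore: yes` also makes the `filestore` keyword in both test.rules signatures redundant unless the rules are meant to exercise the rule-driven path as well; a one-line comment saying which is intended would help.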
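Review bot: Both rules put `within` on their first and only `content`, so there is no earlier match for the keyword to be relative to; the anchor falls back to the start of the buffer, which is exactly what `depth` expresses, and the conventional spelling would be `content:"MZ"; depth:2;` and `content:"%PDF-"; depth:1024;`. The test evidently loads as written, so this is a readability point rather than a defect, but `depth` makes it obvious that the `MZ` check only looks at the first two bytes of the ftp-data stream and that 1024 is the leading slack a PDF header is presumably allowed to be preceded by. Since `noalert` keeps these signatures out of the eve output entirely, a trailing comment on each rule stating that its only job is to trigger file extraction would spare the next maintainer from wondering why no alert check exists.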
@@ -0,0 +1,76 @@
+requires:
+ features:
+ - HAVE_NSS
+
+args:
+- -k none --runmode=single
+
+checks:
+- filter:
+ count: 1
+ match:
+ app_proto: ftp-data
+ dest_ip: 192.168.100.16
+ dest_port: 42987
+ event_type: fileinfo
+ fileinfo.filename: test.pdf
+ fileinfo.gaps: false
+ fileinfo.sha256: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382
+ fileinfo.size: 118196
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.tx_id: 0
+ proto: TCP
+ src_ip: 192.168.100.230
+ src_port: 20
+- filter:
+ count: 1
+ match:
+ app_proto: ftp-data
+ dest_ip: 192.168.100.230
+ dest_port: 20
+ event_type: fileinfo
+ fileinfo.filename: test.pdf
+ fileinfo.gaps: false
+ fileinfo.sha256: 7d400735ff3054837da5d92a10ad2faa8b6825f100dc167a6b008e753015b382
+ fileinfo.size: 118196
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.tx_id: 0
+ proto: TCP
+ src_ip: 192.168.100.16
+ src_port: 52407
+- filter:
+ count: 1
+ match:
+ app_proto: ftp-data
+ dest_ip: 192.168.100.230
+ dest_port: 20
+ event_type: fileinfo
+ fileinfo.filename: notepad.exe
+ fileinfo.gaps: false
+ fileinfo.sha256: fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093
+ fileinfo.size: 69120
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.tx_id: 0
+ proto: TCP
+ src_ip: 192.168.100.16
+ src_port: 48902
+- filter:
+ count: 1
+ match:
+ app_proto: ftp-data
+ dest_ip: 192.168.100.16
+ dest_port: 57829
+ event_type: fileinfo
+ fileinfo.filename: notepad.exe
+ fileinfo.gaps: false
+ fileinfo.sha256: fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093
+ fileinfo.size: 69120
+ fileinfo.state: CLOSED
+ fileinfo.stored: true
+ fileinfo.tx_id: 0
+ proto: TCP
+ src_ip: 192.168.100.230
+ src_port: 20
diff --git a/tests/decode-teredo-01/test.yaml b/tests/decode-teredo-01/test.yaml
index 1f506bcd6..499114a99 100644
--- a/tests/decode-teredo-01/test.yaml
+++ b/tests/decode-teredo-01/test.yaml
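Review bot: Every check asserts `count: 1` for one specific fileinfo record, but nothing bounds the total number of `fileinfo` events, so a reassembly regression that additionally logs a duplicate or a `TRUNCATED` record for one of these transfers would still pass; an aggregate filter such as `- filter: {count: 4, match: {event_type: fileinfo}}` closes that gap. Pinning `fileinfo.gaps: false`, `fileinfo.size` and `fileinfo.sha256` on both the upload and the download of each file is the right way to catch the bug-4877 symptom, and the `HAVE_NSS` requirement is presumably what makes the sha256 field available on a 6.0.x build. `-k none` disables checksum validation, presumably because the capture carries offloaded or otherwise bad checksums; a comment saying so would keep the next person from removing it and getting an unexplained failure.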
@@ -298,7 +298,7 @@ checks:
 http.protocol: HTTP/1.1
 http.status: 200
 http.url: /
- pcap_cnt: 75
+ pcap_cnt: 74
 proto: TCP
 src_ip: 192.168.2.16
 src_port: 1580
diff --git a/tests/dnp3-del-measure/test.yaml b/tests/dnp3-del-measure/test.yaml
index 6bf445787..d4b300f32 100644
--- a/tests/dnp3-del-measure/test.yaml
+++ b/tests/dnp3-del-measure/test.yaml
@@ -64,7 +64,7 @@ checks:
 dnp3.src: 2
 dnp3.type: response
 event_type: dnp3
- pcap_cnt: 9
+ pcap_cnt: 7
 proto: TCP
 src_ip: 130.126.142.250
 src_port: 49413
diff --git a/tests/dnp3-en-spon/test.yaml b/tests/dnp3-en-spon/test.yaml
index ba5356591..3efc7dff9 100644
--- a/tests/dnp3-en-spon/test.yaml
+++ b/tests/dnp3-en-spon/test.yaml
@@ -77,7 +77,7 @@ checks:
 dnp3.src: 2
 dnp3.type: response
 event_type: dnp3
- pcap_cnt: 9
+ pcap_cnt: 7
 proto: TCP
 src_ip: 130.126.142.250
 src_port: 50059
diff --git a/tests/dnp3-file-del/test.yaml b/tests/dnp3-file-del/test.yaml
index 75715cbb3..2ff06d3b4 100644
--- a/tests/dnp3-file-del/test.yaml
+++ b/tests/dnp3-file-del/test.yaml
@@ -92,7 +92,7 @@ checks:
 dnp3.src: 4
 dnp3.type: response
 event_type: dnp3
- pcap_cnt: 9
+ pcap_cnt: 7
 proto: TCP
 src_ip: 130.126.142.250
 src_port: 50301
diff --git a/tests/dnp3-file-read/test.yaml b/tests/dnp3-file-read/test.yaml
index 70d8a033a..4ad7b9bcb 100644
--- a/tests/dnp3-file-read/test.yaml
+++ b/tests/dnp3-file-read/test.yaml
@@ -337,7 +337,7 @@ checks:
 dnp3.src: 4
 dnp3.type: response
 event_type: dnp3
- pcap_cnt: 29
+ pcap_cnt: 27
 proto: TCP
 src_ip: 130.126.142.250
 src_port: 50276
diff --git a/tests/dnp3-file-write/test.yaml b/tests/dnp3-file-write/test.yaml
index 2ed631dff..b1a28128b 100644
--- a/tests/dnp3-file-write/test.yaml
+++ b/tests/dnp3-file-write/test.yaml
@@ -176,7 +176,7 @@ checks:
 dnp3.src: 4
 dnp3.type: response
 event_type: dnp3
- pcap_cnt: 21
+ pcap_cnt: 19
 proto: TCP
 src_ip: 130.126.142.250
 src_port: 50300
diff --git a/tests/dnp3-select-operate/test.yaml b/tests/dnp3-select-operate/test.yaml
index 200401454..555087e10 100644
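Review bot: The `pcap_cnt` expectations in decode-teredo-01 (`75` → `74`) and in every dnp3 response check (`9` → `7`, `29` → `27`, `21` → `19`) move earlier with no explanation, while the commit title only says a test is added; from the diff alone a reviewer cannot tell whether the reassembly fix now logs these transactions earlier by design or whether these edits paper over an unintended behaviour change. Naming the Suricata change that causes the shift in the commit message, and why a consistent two-packet move is expected for the dnp3 responses versus one packet for the teredo HTTP transaction, would make this and any future such update reviewable. Since `pcap_cnt` is the only field in these checks that identifies when the event fires, a short comment next to one of the changed lines recording the reason would also help maintainers who land here via git blame.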
--- a/tests/dnp3-select-operate/test.yaml
+++ b/tests/dnp3-select-operate/test.yaml
@@ -179,7 +179,7 @@ checks:
 dnp3.src: 2
 dnp3.type: response
 event_type: dnp3
- pcap_cnt: 12
+ pcap_cnt: 10
 proto: TCP
 src_ip: 130.126.142.250
 src_port: 49404
diff --git a/tests/dnp3-write/test.yaml b/tests/dnp3-write/test.yaml
index d6413fe33..2edb15a7f 100644
--- a/tests/dnp3-write/test.yaml
+++ b/tests/dnp3-write/test.yaml
@@ -64,7 +64,7 @@ checks:
 dnp3.src: 2
 dnp3.type: response
 event_type: dnp3
- pcap_cnt: 9
+ pcap_cnt: 7
 proto: TCP
 src_ip: 130.126.142.250
 src_port: 49411