From: Shivani Bhardwaj Date: Sat, 20 Feb 2021 14:46:31 +0000 (+0530) Subject: dcerpc: test for bug 4198 X-Git-Tag: suricata-6.0.4~139 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d935245c4eafffcccb3e5bc6809802bed7fbe1ef;p=thirdparty%2Fsuricata-verify.git dcerpc: test for bug 4198 --- diff --git a/tests/dcerpc/zerologon/input.pcap b/tests/dcerpc/zerologon/input.pcap new file mode 100644 index 000000000..a158c5db5 Binary files /dev/null and b/tests/dcerpc/zerologon/input.pcap differ diff --git a/tests/dcerpc/zerologon/test.rules b/tests/dcerpc/zerologon/test.rules new file mode 100644 index 000000000..9b886d439 --- /dev/null +++ b/tests/dcerpc/zerologon/test.rules 
@@ -0,0 +1,2 @@ +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Attempt"; flow:established,to_server; dce_opnum:26; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; endswith; reference:url,https://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166330; rev:2;) +alert dcerpc any any -> any ![139,445] (msg:"Possible Zerologon Password Reset"; flow:established,to_server; dce_opnum:30; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00|"; endswith; reference:url,https://github.com/corelight/zerologon; classtype:attempted-admin; sid:20166331; rev:2;) diff --git a/tests/dcerpc/zerologon/test.yaml b/tests/dcerpc/zerologon/test.yaml new file mode 100644 index 000000000..91a74093e --- /dev/null +++ b/tests/dcerpc/zerologon/test.yaml @@ -0,0 +1,33 @@ +requires: + features: + - HAVE_LIBJANSSON + min-version: 6.0.0 + +args: + - -k none + +checks: + - filter: + count: 21 + match: + event_type: alert + alert: + gid: 1 + signature_id: 20166330 + rev: 2 + signature: "Possible Zerologon Attempt" + category: Attempted Administrator Privilege Gain + severity: 1 + action: "allowed" + - filter: + count: 1 + match: + event_type: alert + alert: + gid: 1 + signature_id: 20166331 + rev: 2 + signature: "Possible Zerologon Password Reset" + category: Attempted Administrator Privilege Gain + severity: 1 + action: "allowed"
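Review bot: in the test.rules hunk, the destination-port filter `![139,445]` on both signatures means the opnum 26 and opnum 30 requests are only matched when DCERPC rides directly over TCP (the dynamic RPC endpoint), and the same requests carried over SMB named pipes on 139/445 are deliberately left out. If that exclusion is intended (for instance to avoid a second alert from the SMB path), say so in a comment in the rules file or the commit message; otherwise a second pair of rules without the port negation would cover the named-pipe case, and the `count:` expectations in test.yaml would need to be re-derived from the pcap. The rules also carry `rev:2` straight from the corelight reference, so a one-line note on what changed from rev 1, or that they were copied verbatim, would help whoever maintains this test later.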
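Review bot: the test.yaml hunk ships no README.md, and neither the directory name `tests/dcerpc/zerologon` nor the subject "dcerpc: test for bug 4198" says what bug 4198 is or what the pcap exercises; a short README stating the bug, what the capture contains and why 21 alerts for sid 20166330 and 1 for sid 20166331 are the expected counts would make the test self-describing. Also check `min-version: 6.0.0`: if this test pins the fix for bug 4198 and that fix landed after 6.0.0, the test will be selected and fail against earlier 6.0.x builds, so the value should be the first release that carries the fix. `args: - -k none` is fine for a replayed capture with possibly bad checksums.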