From: Philippe Antoine
Date: Fri, 23 Jul 2021 15:44:06 +0000 (+0200)
Subject: Adds test about IPv6 smurf detection
X-Git-Tag: suricata-6.0.4~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc5df3728045a49a7c96b57f408487a289fdf0ed;p=thirdparty%2Fsuricata-verify.git
Adds test about IPv6 smurf detection aka (spoofed) ping to multicast
---
diff --git a/tests/ipv6-evasion/ipv6-rsmurf/README.md b/tests/ipv6-evasion/ipv6-rsmurf/README.md
new file mode 100644
index 000000000..f56d54dbc
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-rsmurf/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Detect an attack that sends a ping from a multicast address to the victim.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-rsmurf/rsmurf6.pcap b/tests/ipv6-evasion/ipv6-rsmurf/rsmurf6.pcap
new file mode 100644
index 000000000..39fb18929
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-rsmurf/rsmurf6.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-rsmurf/test.rules b/tests/ipv6-evasion/ipv6-rsmurf/test.rules
new file mode 100644
index 000000000..ab12d8898
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-rsmurf/test.rules
@@ -0,0 +1,2 @@
+# It detects pings to multicast addresses
+alert icmpv6 any any -> ff00::/8 any (itype:128; sid:1;)
diff --git a/tests/ipv6-evasion/ipv6-rsmurf/test.yaml b/tests/ipv6-evasion/ipv6-rsmurf/test.yaml
new file mode 100644
index 000000000..5855ad2ac
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-rsmurf/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1000
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/ipv6-evasion/ipv6-smurf/README.md b/tests/ipv6-evasion/ipv6-smurf/README.md
new file mode 100644
index 000000000..ecdee5287
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-smurf/README.md
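Review bot: The rule added in tests/ipv6-evasion/ipv6-rsmurf/test.rules constrains only the destination (`-> ff00::/8`), while the README added for that same test describes a ping sent from a multicast address to the victim, so the rule matches the documented rsmurf traffic only if the packets in rsmurf6.pcap actually carry a multicast destination; the expected count of 1000 alerts in test.yaml suggests they do, but the diff itself cannot confirm it. The comment `# It detects pings to multicast addresses` fits the ipv6-smurf test, where the README describes a ping to a multicast address, but in the rsmurf directory it reads as a copy of that file and does not say that the spoofed multicast source is left unchecked. I would reword it, e.g. `# Echo requests (itype 128) sent to the IPv6 multicast range; the spoofed multicast source of rsmurf traffic is not checked here`, or add a source-side variant such as `alert icmpv6 ff00::/8 any -> any any (itype:128; sid:2;)` with a matching check in test.yaml, so the test documents which side of the spoofing it exercises. The identical rule file is also added for ipv6-smurf later in this commit, where the destination match does agree with its README.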
@@ -0,0 +1,7 @@
+# Description
+
+Detect an attack that sends a ping with the IP of the victim to a multicast address.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-smurf/smurf6.pcap b/tests/ipv6-evasion/ipv6-smurf/smurf6.pcap
new file mode 100644
index 000000000..6a7e3e8a2
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-smurf/smurf6.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-smurf/test.rules b/tests/ipv6-evasion/ipv6-smurf/test.rules
new file mode 100644
index 000000000..ab12d8898
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-smurf/test.rules
@@ -0,0 +1,2 @@
+# It detects pings to multicast addresses
+alert icmpv6 any any -> ff00::/8 any (itype:128; sid:1;)
diff --git a/tests/ipv6-evasion/ipv6-smurf/test.yaml b/tests/ipv6-evasion/ipv6-smurf/test.yaml
new file mode 100644
index 000000000..a22a0af70
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-smurf/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 282345
+ match:
+ event_type: alert
+ alert.signature_id: 1