From: jason taylor Date: Tue, 18 Dec 2018 21:07:07 +0000 (-0500) Subject: krb5: Add parser test with fragmented packets X-Git-Tag: suricata-6.0.4~480 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e278b194abf76f35d9e65ff8bc7d847914c79cb4;p=thirdparty%2Fsuricata-verify.git krb5: Add parser test with fragmented packets - adds test case - reference: https://github.com/OISF/suricata/pull/3583 - reference: https://redmine.openinfosecfoundation.org/issues/2528 Signed-off-by: jason taylor
---
diff --git a/tests/krb5-request-frag-log/README.md b/tests/krb5-request-frag-log/README.md
new file mode 100644
index 000000000..a72942258
--- /dev/null
+++ b/tests/krb5-request-frag-log/README.md
@@ -0,0 +1 @@
+Test krb5 EVE decoding/output for fragmented/partial transactions
diff --git a/tests/krb5-request-frag-log/krb5-frag.pcap b/tests/krb5-request-frag-log/krb5-frag.pcap
new file mode 100644
index 000000000..209fd190a
Binary files /dev/null and b/tests/krb5-request-frag-log/krb5-frag.pcap differ
diff --git a/tests/krb5-request-frag-log/suricata.yaml b/tests/krb5-request-frag-log/suricata.yaml
new file mode 100644
index 000000000..955cf95e2
--- /dev/null
+++ b/tests/krb5-request-frag-log/suricata.yaml
@@ -0,0 +1,8 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: true
+ types:
+ - krb5
diff --git a/tests/krb5-request-frag-log/test.yaml b/tests/krb5-request-frag-log/test.yaml
new file mode 100644
index 000000000..900f14d46
--- /dev/null
+++ b/tests/krb5-request-frag-log/test.yaml
@@ -0,0 +1,31 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - RUST
+ min-version: 4.1.0-dev
+ script:
+ - grep "record_mark > 16384" rust/src/krb/krb5.rs > /dev/null 2>&1
+
+args:
+ - --set pcap-file.checksum-checks=no
+checks:
+
+ - filter:
+ comment: authentication service (AS) response
+ count: 1
+ match:
+ event_type: krb5
+ krb5.msg_type: KRB_AS_REP
+ krb5.cname: user01
+ krb5.realm: dom.test.lo.com
+ krb5.sname: krbtgt/dom.test.lo.com
+
+ - filter:
+ comment: ticket granting service (TGS) reponse
+ count: 1
+ match:
+ event_type: krb5
+ krb5.msg_type: KRB_TGS_REP
+ krb5.cname: user01
+ krb5.realm: dom.test.lo.com
+ krb5.sname: HTTP/epgidvwman1088.epga.dom.lo.com
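Review bot: The `script:` requirement gates this test on the literal text `record_mark > 16384` being present in rust/src/krb/krb5.rs, so a later rewording of that comparison (a renamed variable, a named constant) would make the grep fail and presumably skip the test instead of failing it, silently dropping the regression coverage for fragmented records. A comment above the grep, for example `# only present in trees with the fragmented-record handling from OISF/suricata PR 3583; update if that line is reworded`, would make the coupling visible to whoever touches the parser. The two filters pin only the expected AS and TGS responses with `count: 1` each, so extra krb5 events produced from partial records would not fail the test; a third filter matching `event_type: krb5` alone with the expected total for this pcap would close that gap. The second filter's comment also misspells "response" as "reponse".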