From: Philippe Antoine Date: Tue, 20 Jul 2021 08:51:27 +0000 (+0200) Subject: Adds test about ICMPv6 kill router X-Git-Tag: suricata-6.0.4~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef87b5d1e22b57436bf9cbc3326f31b371a49190;p=thirdparty%2Fsuricata-verify.git Adds test about ICMPv6 kill router --- diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/README.md b/tests/ipv6-evasion/ipv6-kill-router-gateway/README.md new file mode 100644 index 000000000..4fa620fa1 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-kill-router-gateway/README.md @@ -0,0 +1,7 @@ +# Description + +Detect an attack where the given router is removed as a gateway from all SLAAC configured systems. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/kill_router6.pcap b/tests/ipv6-evasion/ipv6-kill-router-gateway/kill_router6.pcap new file mode 100644 index 000000000..fcc3a02e1 Binary files /dev/null and b/tests/ipv6-evasion/ipv6-kill-router-gateway/kill_router6.pcap differ diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/test.rules b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.rules new file mode 100644 index 000000000..d95885235 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.rules @@ -0,0 +1,2 @@ +# It detects Router Advertisement messages (ie itype:134) that are send with a lifetime of zero (ie content:"|00 00|") and can be misused to signal to hosts that a particular router is going down and it should be removed from routing tables. +alert icmpv6 any any -> any any (itype:134; icmpv6.hdr; content:"|00 00|"; offset:6; depth:2; sid:1;) diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/test.yaml b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.yaml new file mode 100644 index 000000000..2ba3bbe92 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.yaml 
@@ -0,0 +1,11 @@ +requires: + features: + - HAVE_LIBJANSSON + min-version: 6 + +checks: + - filter: + count: 4 + match: + event_type: alert + alert.signature_id: 1
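Review bot: in the README.md hunk the PCAP section only points at a directory listing (https://redmine.cs.uni-potsdam.de/projects/pcap/files) and does not say which upstream file kill_router6.pcap was taken from, what traffic it contains, or under which license it is redistributed. Name the original file, state how many Router Advertisements with a zero Router Lifetime the capture carries (test.yaml expects exactly 4 alerts on it, so a reader checking the count needs this), and record the license so the test stays reproducible if the link goes stale.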
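Review bot: in the test.rules hunk the signature matches every Router Advertisement whose Router Lifetime field is zero (bytes 6-7 of the ICMPv6 header, which is what `icmpv6.hdr; content:"|00 00|"; offset:6; depth:2;` selects), but RFC 4861 defines a lifetime of 0 as the legitimate way for a router to announce that it is not a default router, so the rule cannot distinguish the described attack from a router being decommissioned on purpose. The comment should say that plainly instead of only noting that such messages "can be misused", and the rule should carry a `msg:` (and ideally a `classtype:`) so the alert is self-describing in eve output. The comment also has a typo: "are send" should be "are sent", and "ie" should be "i.e.".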
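Review bot: in the test.yaml hunk the only check asserts that 4 alerts with `alert.signature_id: 1` are produced, which says nothing about whether those alerts were raised on the Router Advertisement packets the rule is meant to catch rather than on some other ICMPv6 traffic in the capture. Consider tightening the filter with the ICMP type field the eve alert record carries (for example `icmp_type: 134` alongside `event_type: alert`), so a future change to the rule that widens the match is caught by the test instead of silently keeping the count at 4.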