From: Shivani Bhardwaj
Date: Mon, 21 Mar 2022 14:14:56 +0000 (+0530)
Subject: tests: add test for bug 5162
X-Git-Tag: suricata-5.0.10~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2de32f26ce0862e8503aa69dc208deb99740313;p=thirdparty%2Fsuricata-verify.git
tests: add test for bug 5162
---
diff --git a/tests/bug-5162/README.md b/tests/bug-5162/README.md
new file mode 100644
index 000000000..1572923df
--- /dev/null
+++ b/tests/bug-5162/README.md
@@ -0,0 +1,13 @@
+Description
+===========
+This test demonstrates bug 5162.
+Inspection of SMB traffic without SMB/DCERPC does not work correctly.
+In the test, sid:1 and sid:2 are identical except sid:2 has an extra byte in first `content`
+match. But, only sid:2 alerts when sid:1 should as well.
+This works with a standalone `within` as in sid:5.
+Logically, sid:3 and sid:4 are the same but only sid:4 alerts.
+As demonstrated by sid:6 and sid:7, this issue may be related to redmine ticket 5197.
+
+PCAP
+====
+PCAP comes from Redmine bug https://redmine.openinfosecfoundation.org/issues/5162
diff --git a/tests/bug-5162/input.pcap b/tests/bug-5162/input.pcap
new file mode 100644
index 000000000..9da7d7f86
Binary files /dev/null and b/tests/bug-5162/input.pcap differ
diff --git a/tests/bug-5162/test.rules b/tests/bug-5162/test.rules
new file mode 100644
index 000000000..7496ea1bd
--- /dev/null
+++ b/tests/bug-5162/test.rules
@@ -0,0 +1,7 @@
+alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:1;)
+alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:2;)
+alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00 00|"; distance:20; within:5; sid:3;)
+alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"|fe|SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; pcre:"/^\x00/R"; sid:4;)
+alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; within:24; sid:5;)
+alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:6;)
+alert tcp any any -> any 445 (msg:"SVCCTL CreateService Command via SMB"; flow:established,to_server; content:"SMB"; depth:8; fast_pattern; content:"|09 00|"; distance:8; within:2; content:"|05 00 00|"; distance:0; content:"|0c 00|"; distance:19; within:2; content:"|15 00 00 00|"; distance:20; within:4; sid:7;)
diff --git a/tests/bug-5162/test.yaml b/tests/bug-5162/test.yaml
new file mode 100644
index 000000000..0e9396bc3
--- /dev/null
+++ b/tests/bug-5162/test.yaml
@@ -0,0 +1,55 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1445
+ match:
+ event_type: dcerpc
+- filter:
+ count: 4
+ match:
+ event_type: dns
+- filter:
+ count: 22
+ match:
+ event_type: smb
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 5
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 6
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 7
+- filter:
+ count: 11
+ match:
+ event_type: flow
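Review bot: The seven rules in test.rules share one `msg` and carry no comment saying how the variants differ, so a reader must go to the README to learn that sid:6 is byte-identical to sid:1 and sid:7 only adds `fast_pattern` to the first `content` (the ticket 5197 comparison), while sid:2/3/4 vary from sid:1 only in the `|fe|` prefix, the five-byte `|15 00 00 00 00|` with `within:5`, or the trailing `pcre:"/^\x00/R"`. Rules files accept `#` comment lines, so one line above each rule — e.g. `# sid:1 vs sid:2: only the |fe| byte in the first content differs; sid:1 must alert too (bug 5162)` — would make the test self-describing. Also, `content:"SMB"; depth:8` without the leading `|fe|` byte also matches an SMB1 `|ff|SMB` header, so sid:1/5/6/7 are not SMB2-specific; presumably harmless against this fixed pcap, but a comment would stop anyone lifting them as production signatures. Note too that test.yaml (the next hunk, cut off at the end of this page) expects two alerts for every sid including sid:1, i.e. the test encodes the post-fix behaviour rather than the failure the README describes, which is worth stating in a rule comment.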