From: Victor Julien Date: Fri, 25 Nov 2022 16:31:43 +0000 (+0100) Subject: tests: add tests for bug 5633 X-Git-Tag: suricata-6.0.9~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1017%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add tests for bug 5633
---
diff --git a/tests/bug-5633-gre-01/gre-udp.pcap b/tests/bug-5633-gre-01/gre-udp.pcap
new file mode 100644
index 000000000..e62163ba6
Binary files /dev/null and b/tests/bug-5633-gre-01/gre-udp.pcap differ
diff --git a/tests/bug-5633-gre-01/gre-udp.py b/tests/bug-5633-gre-01/gre-udp.py
new file mode 100755
index 000000000..ed9740979
--- /dev/null
+++ b/tests/bug-5633-gre-01/gre-udp.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='1.1.1.2')/GRE()/IP(dst='2.2.2.2', src='2.2.2.3')/UDP(dport=514,sport=12345)/"EVIL"
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='1.1.1.2')/GRE()/IP(dst='2.2.2.2', src='2.2.2.3')/UDP(dport=514,sport=12345)/"GOOD"
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='1.1.1.2')/GRE()/IP(dst='2.2.2.2', src='2.2.2.3')/UDP(dport=514,sport=12345)/"EVIL"
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('gre-udp.pcap', pkts)
diff --git a/tests/bug-5633-gre-01/test.rules b/tests/bug-5633-gre-01/test.rules
new file mode 100644
index 000000000..f754b96ff
--- /dev/null
+++ b/tests/bug-5633-gre-01/test.rules
@@ -0,0 +1,2 @@
+pass ip any any <> 2.2.2.2 any (msg:"GRE Tunnel Pass Test"; classtype:misc-activity; sid:60000000; rev:1;)
+alert udp any any -> any any (content:"EVIL"; sid:1;)
diff --git a/tests/bug-5633-gre-01/test.yaml b/tests/bug-5633-gre-01/test.yaml
new file mode 100644
index 000000000..cd4d10b7a
--- /dev/null
+++ b/tests/bug-5633-gre-01/test.yaml
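Review bot: The three `pkts += pktN` lines at the end of gre-udp.py only work because scapy's Packet is iterable, so list `+=` extends the list with the single packet it yields; `pkts = [pkt1, pkt2, pkt3]` (or `pkts.append(pkt1)`) says what is meant and does not depend on that quirk. The comment `# VLAN tagged packet` sits above the list building rather than above the Ether/Dot1Q/GRE construction it describes, and the three constructors differ only in the payload, so a small helper keeps the encapsulation in one place and makes the EVIL/GOOD/EVIL sequence the visible part. The shebang `#!/usr/bin/env python` still resolves to Python 2 on some hosts; since the committed pcap is what the test consumes and this script is only a regeneration aid, `#!/usr/bin/env python3` is the safer choice.
```python
def gre_udp(payload):
    """One VLAN-6 tagged frame carrying IP/GRE/IP/UDP to port 514 with `payload`."""
    return (Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')
            / Dot1Q(vlan=6)
            / IP(dst='1.1.1.1', src='1.1.1.2')
            / GRE()
            / IP(dst='2.2.2.2', src='2.2.2.3')
            / UDP(dport=514, sport=12345)
            / payload)

# Two "EVIL" payloads the alert rule would match and one "GOOD" it would not;
# the pass rule on the inner 2.2.2.2 address is expected to suppress both alerts.
pkts = [gre_udp("EVIL"), gre_udp("GOOD"), gre_udp("EVIL")]

wrpcap('gre-udp.pcap', pkts)
```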
@@ -0,0 +1,8 @@
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/bug-5633-gre-02/README.md b/tests/bug-5633-gre-02/README.md
new file mode 100644
index 000000000..2a9e9135b
--- /dev/null
+++ b/tests/bug-5633-gre-02/README.md
@@ -0,0 +1 @@
+Pcap from https://redmine.openinfosecfoundation.org/issues/5633
diff --git a/tests/bug-5633-gre-02/gre-sample.pcap b/tests/bug-5633-gre-02/gre-sample.pcap
new file mode 100644
index 000000000..31c08b6ba
Binary files /dev/null and b/tests/bug-5633-gre-02/gre-sample.pcap differ
diff --git a/tests/bug-5633-gre-02/test.rules b/tests/bug-5633-gre-02/test.rules
new file mode 100644
index 000000000..694db1796
--- /dev/null
+++ b/tests/bug-5633-gre-02/test.rules
@@ -0,0 +1,2 @@
+pass ip any any <> 172.28.2.3 any (msg:"GRE Tunnel Pass Test"; classtype:misc-activity; sid:60000000; rev:1;)
+alert icmp any any -> any any (itype:8; sid:1;)
diff --git a/tests/bug-5633-gre-02/test.yaml b/tests/bug-5633-gre-02/test.yaml
new file mode 100644
index 000000000..bc67faa2d
--- /dev/null
+++ b/tests/bug-5633-gre-02/test.yaml
@@ -0,0 +1,16 @@
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: ssh
+ ssh.client.proto_version: "2.0"
+ ssh.client.software_version: "OpenSSH_3.6.1p1"
+ ssh.server.proto_version: "1.99"
+ ssh.server.software_version: "OpenSSH_3.1p1"
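Review bot: The only check in bug-5633-gre-01/test.yaml is `count: 0` on `event_type: alert`, which also passes when nothing is decoded at all (VLAN or GRE decoding off, rules failing to load, an empty eve log), so it cannot tell "pass rule honoured on the tunneled packet" apart from "no packet was inspected". bug-5633-gre-02/test.yaml pairs its zero-alert check with a positive `event_type: ssh` match; gre-01 should do the same with an event the pcap is known to produce, for example a `flow` record matching `dest_ip: 2.2.2.2` and `dest_port: 514`, with the exact `count` confirmed against the eve output of a run. A sibling test without the pass rule, expecting two alerts for the `EVIL` payloads, would additionally prove the alert rule itself fires on the inner UDP layer and that the zero here is the pass rule's doing.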