From: Cole Dishington Date: Wed, 24 May 2023 23:25:08 +0000 (+1200) Subject: decode-event: Add test for too small UDP and TCP packets X-Git-Tag: suricata-6.0.13~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1263%2Fhead;p=thirdparty%2Fsuricata-verify.git decode-event: Add test for too small UDP and TCP packets Add test for IPv4 and IPv6 packets that set proto/next-header to UDP and TCP but have no payload. Bug: #6086.
---
diff --git a/tests/decode-too-small/README.md b/tests/decode-too-small/README.md
new file mode 100644
index 000000000..9bcf613a3
--- /dev/null
+++ b/tests/decode-too-small/README.md
@@ -0,0 +1,8 @@
+# Test Purpose
+
+Test that an empty TCP and UDP packets ontop of IPv4 and IPv6 are
+detected as decode-event failures.
+
+## PCAP
+
+This PCAP was generated with scapy.
\ No newline at end of file
diff --git a/tests/decode-too-small/test.pcap b/tests/decode-too-small/test.pcap
new file mode 100644
index 000000000..4ca04409a
Binary files /dev/null and b/tests/decode-too-small/test.pcap differ
diff --git a/tests/decode-too-small/test.py b/tests/decode-too-small/test.py
new file mode 100644
index 000000000..b94dee34c
--- /dev/null
+++ b/tests/decode-too-small/test.py
@@ -0,0 +1,16 @@
+from scapy.all import Ether, IP, IPv6, PcapWriter, Raw
+
+with PcapWriter('test.pcap') as pcap:
+ # TCP and UDP too small packets
+ udp_payload = Raw(b'\x81\x58\x00\x35') # Half a UDP header
+ s_mac = 'cb:cf:2b:50:a7:61'
+ d_mac = '49:a2:25:1a:07:4a'
+ proto_udp = 17
+ proto_tcp = 6
+
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_tcp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp) / udp_payload)
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_tcp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp) / udp_payload)
diff --git a/tests/decode-too-small/test.rules b/tests/decode-too-small/test.rules
new file mode 100644
index 000000000..0266a9ce8
--- /dev/null
+++ b/tests/decode-too-small/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
+alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
diff --git a/tests/decode-too-small/test.yaml b/tests/decode-too-small/test.yaml
new file mode 100644
index 000000000..63cf6bba1
--- /dev/null
+++ b/tests/decode-too-small/test.yaml
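Review bot: The name `udp_payload` on the hunk's fifth line misdescribes the bytes: as its own comment says, `b'\x81\x58\x00\x35'` is four bytes of an eight-byte UDP header, not a payload, so a reader of the three `/ udp_payload` writes may assume they build a well-formed UDP packet carrying data. Renaming it, e.g. `truncated_udp_hdr = Raw(b'\x81\x58\x00\x35')  # 4 of the 8 UDP header bytes`, makes the intent explicit. A short comment above the six writes mapping each packet to the signature it is expected to trigger (empty TCP to sid 1, empty and truncated UDP to sid 2, per test.rules) would also save cross-referencing the rules and yaml. The TCP side only gets the zero-length case; if symmetric coverage is wanted, a truncated TCP header case would presumably also be flagged by tcp.pkt_too_small, which is worth confirming against the decoder. The six `pcap.write` calls repeat the same `Ether(...)`, `IP(...)` and `IPv6(...)` constructors; binding those layers to locals once would shorten the block.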
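Review bot: Both signatures are written as `alert tcp` / `alert udp`, whereas the decoder-events rule set that Suricata ships writes decode-event signatures as `alert pkthdr`, since for these packets the transport header is exactly what did not decode. The protocol match here presumably falls back to the IP-header protocol field, and the expected counts in test.yaml are what confirm that it does, but `alert pkthdr any any -> any any (...)` would follow the upstream convention and not depend on that fallback. If the `alert tcp`/`alert udp` form is kept deliberately, a one-line comment at the top of the file saying so would stop the next reader from "fixing" it.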
@@ -0,0 +1,32 @@
+checks:
+ # Look for IPv4 TCP too small
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 1.1.1.1
+ alert.signature_id: 1
+
+ # Look for IPv6 TCP too small
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+ alert.signature_id: 1
+
+ # Look for IPv4 UDP too small
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ src_ip: 1.1.1.1
+ alert.signature_id: 2
+
+ # Look for IPv6 UDP too small
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+ alert.signature_id: 2
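Review bot: The four checks each pin a positive per-signature count, but nothing asserts that no other alert was produced, so an extra or duplicated decode-event alert (a packet alerting twice, or the truncated-UDP packet also matching sid 1) would pass unnoticed as long as the per-sid counts still reach 1 and 2. A closing check pinning the total, `- filter:` / `count: 6` / `match:` / `event_type: alert`, closes that gap at no cost. The two `count: 2` UDP checks also fold the empty-header and four-byte-header packets into one number; a regression in either still fails the check, but the failure will not say which packet stopped being flagged, so extending the `# Look for ... UDP too small` comments to name both packets would help triage.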