From: Victor Julien
Date: Fri, 4 Aug 2023 06:59:16 +0000 (+0200)
Subject: tests: add bug 6244 RST with data tests
X-Git-Tag: suricata-6.0.14~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1344%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add bug 6244 RST with data tests
---
diff --git a/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap
new file mode 100644
index 000000000..fbd0f6769
Binary files /dev/null and b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap differ
diff --git a/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py
new file mode 100755
index 000000000..33fa262e0
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='R',seq=1018,window=65535)/"Access Denied"
+
+wrpcap('tcp-rst-with-data.pcap', pkts)
diff --git a/tests/bug-6244-tcp-rst-with-data-02/test.rules b/tests/bug-6244-tcp-rst-with-data-02/test.rules
new file mode 100644
index 000000000..f5cc64864
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data-02/test.rules
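Review bot: Nothing in the script records what makes this pcap a bug-6244 case — that the last server segment is a bare RST (`flags='R'`, no ACK) whose seq 1018 continues the server's sequence (1015 + len("In!")) and that it carries a payload which, per the accompanying test.rules/test.yaml, must not end up in the stream. A comment above that line, e.g. `# in-sequence RST from the server carrying payload; "Access Denied" must not be appended to the server->client stream`, would capture the intent. Building the list with `pkts += Ether(...)/...` appears to work only because a scapy Packet is iterable and `list.__iadd__` extends with it; `pkts.append(...)` states what is meant. The `#!/usr/bin/env python` shebang leaves the interpreter version ambiguous for anyone regenerating the pcap; `python3` would be the safer choice.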
@@ -0,0 +1,7 @@
+alert tcp-pkt any any -> any any (tcp.flags:R,A; content:"Access Denied"; startswith; endswith; sid:1;)
+# FP as RST data is not part of the stream
+alert tcp any any -> any any (flow:only_stream; content:"Access Denied"; sid:2;)
+# TODO why is this not the same as sid 2?
+#alert tcp-stream any any -> any any (content:"Access Denied"; sid:3;)
+alert tcp any any -> any any (content:"Please Let Me In!"; sid:4;)
+alert tcp any any -> any any (content:"Please Let Me In!Access Denied"; sid:5;)
diff --git a/tests/bug-6244-tcp-rst-with-data-02/test.yaml b/tests/bug-6244-tcp-rst-with-data-02/test.yaml
new file mode 100644
index 000000000..74185ef46
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data-02/test.yaml
@@ -0,0 +1,25 @@
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap
new file mode 100644
index 000000000..ba08ec4c1
Binary files /dev/null and b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap differ
diff --git a/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py
new file mode 100755
index 000000000..1bb842039
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py
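Review bot: The `# TODO why is this not the same as sid 2?` line and the disabled sid:3 leave the `tcp-stream` path of RST-with-data handling unverified by this regression test, and the open question carries no pointer to where it is tracked. Either enable sid:3 and pin its expected count in test.yaml, so a later change in that behaviour fails the test, or reword the TODO to reference the ticket, e.g. `# TODO(#6244): tcp-stream variant of sid 2 currently alerts differently; investigate before enabling`. sid:1's `tcp.flags:R,A` also deserves a comment: as I read the flags keyword, the part after the comma is the ignore mask, so the rule fires on a bare R as well as R+A, and the two tests in this commit rely on exactly that (`# R with ACK ignored: matches the bare RST here and the RST+ACK in the -01 test`).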
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1018,window=65535)/"Access Denied"
+
+wrpcap('tcp-rst-with-data.pcap', pkts)
diff --git a/tests/bug-6244-tcp-rst-with-data/test.rules b/tests/bug-6244-tcp-rst-with-data/test.rules
new file mode 100644
index 000000000..06c283f09
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data/test.rules
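Review bot: This generator is identical to the -02 script except for the final packet, and nothing records what that difference tests: here the RST is sent by the client (`src='1.1.1.1'`), carries ACK (`flags='RA'`, `ack=1018` covering all server data) and its seq 2 is the client's next sequence number, so it is the client-to-server stream that the accompanying test.yaml expects to stay free of "Access Denied". A comment above that line, e.g. `# client answers with an in-sequence RST+ACK carrying payload; the client->server stream must not pick up this data`, would let a reader tell the two tests apart without diffing them. As in the sibling script, `pkts.append(...)` is the explicit form of `pkts += packet`, which appears to rely on scapy's Packet being iterable.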
@@ -0,0 +1,5 @@
+alert tcp-pkt any any -> any any (tcp.flags:R,A; content:"Access Denied"; startswith; endswith; sid:1;)
+alert tcp any any -> any any (flow:only_stream; content:"Access Denied"; sid:2;)
+# TODO why is this not the same as sid 2?
+#alert tcp-stream any any -> any any (content:"Access Denied"; sid:3;)
+alert tcp any any -> any any (content:"Please Let Me In!"; sid:4;)
diff --git a/tests/bug-6244-tcp-rst-with-data/test.yaml b/tests/bug-6244-tcp-rst-with-data/test.yaml
new file mode 100644
index 000000000..dc6cd450e
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data/test.yaml
@@ -0,0 +1,20 @@
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
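Review bot: sid:2 has no explanatory comment here while the -02 copy of this file carries `# FP as RST data is not part of the stream`, and the unresolved `# TODO why is this not the same as sid 2?` with the disabled sid:3 is duplicated verbatim, so the tcp-stream path is left untested in both tests. In this test the RST with payload comes from the client, so the comment should say which direction is being guarded: `# expected 0 matches: the client's RST payload must not enter the client->server stream`. Either enable sid:3 with a pinned count in test.yaml or point the TODO at the ticket (`# TODO(#6244): ...`) so the open question does not get lost in a passing test.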