From: Victor Julien
Date: Fri, 12 Apr 2024 09:09:01 +0000 (+0200)
Subject: tests: add defrag datalink tests
X-Git-Tag: suricata-6.0.19~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1769%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add defrag datalink tests
Bug: 6887.
---
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.pcap b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.pcap
new file mode 100644
index 000000000..e8b3bed69
Binary files /dev/null and b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.pcap differ
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.py b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.py
new file mode 100644
index 000000000..f80632d7a
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+packet = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+
+frags = fragment(packet,fragsize=8)
+wrpcap('frag-eth-vlan-ip-tcp-syn.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/suricata.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
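Review bot: `pkts = []` in frag-eth-vlan-ip-tcp-syn.py is never read — the fragments are written straight from `frags` — so the line is dead; the same unused list appears in frag-eth-vlan-ipv6-tcp.py, frag-ip-tcp-syn.py, both frag-ip-tcp.py scripts and frag-ppp-ip-tcp-syn.py, and only eth-ip-gre-ppp-max-ip-packet.py actually fills it. Dropping the line, or replacing it with a comment on the fragment size, would make the generator's intent clearer: `fragsize=8` is presumably chosen so the TCP header itself is split across fragments, e.g. `# fragsize=8: the 24-byte TCP header spans three fragments`. `#!/usr/bin/env python` leaves the interpreter unspecified; `#!/usr/bin/env python3` would make explicit which scapy the pcap was regenerated with.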
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.rules b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.rules
new file mode 100644
index 000000000..4836c6bbd
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (tcp.flags:S; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml
new file mode 100644
index 000000000..80cad222e
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAQAAAABgAiAAGQwAAAMDDgA="
+ packet_info.linktype: 1
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.pcap b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.pcap
new file mode 100644
index 000000000..f919dd525
Binary files /dev/null and b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.pcap differ
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.py b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.py
new file mode 100644
index 000000000..1318eb175
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * 1000
+packet = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IPv6()/IPv6ExtHdrFragment()/TCP(dport=8080,sport=12345,flags='A',seq=1)/data
+
+frags = fragment6(packet,512)
+wrpcap('frag-eth-vlan-ipv6-tcp.pcap', frags)
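Review bot: `packet_info.linktype: 1` in bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml carries no symbolic name, while the sibling bug-6887-defrag-ipv4-tcp-syn test annotates its value with `# LINKTYPE_IPV4`; the same applies to `linktype: 9` in the two ppp tests and `229` in bug-6887-defrag-ipv6-tcp. Suggest `packet_info.linktype: 1 # LINKTYPE_ETHERNET` here and `# LINKTYPE_PPP` / `# LINKTYPE_IPV6` in the others so a reader does not have to look the numbers up. The expected `packet` value decodes to the Ethernet header, the 802.1Q tag (`81 00 00 06`) and then the reassembled IPv4 packet, which is the actual property under test; a comment such as `# reassembled packet keeps the Ethernet + VLAN encapsulation` would record that expectation next to the opaque base64.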
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/suricata.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.rules b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.rules
new file mode 100644
index 000000000..714e46a3d
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (dsize:1000; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml
new file mode 100644
index 000000000..9c8816f7b
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "BQQDAgEAAAECAwQFgQAABobdYAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrpacket_info.linktype: 1
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.pcap b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.pcap
new file mode 100644
index 000000000..3c1e34662
Binary files /dev/null and b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.pcap differ
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.py b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.py
new file mode 100644
index 000000000..d5746a9d2
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.py
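Review bot: The `packet:` value in bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml appears here without its closing quote and runs straight into `packet_info.linktype: 1`. This looks like a rendering artifact of the listing rather than the committed file, but if it is the committed content the YAML will not load and the runner will error out on the test instead of checking it. The same truncated form shows in the test.yaml hunks for bug-6887-defrag-ipv6-tcp and bug-6887-defrag-ppp-ipv6-tcp; worth confirming that those three files parse and that each test reports a pass rather than a load failure.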
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+packet = IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+
+frags = fragment(packet,fragsize=8)
+wrpcap('frag-ip-tcp-syn.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/suricata.yaml b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.rules b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.rules
new file mode 100644
index 000000000..4836c6bbd
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (tcp.flags:S; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml
new file mode 100644
index 000000000..f7ccf0304
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "RQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAQAAAABgAiAAGQwAAAMDDgA="
+ packet_info.linktype: 228 # LINKTYPE_IPV4
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap b/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap
new file mode 100644
index 000000000..64cd2f5a2
Binary files /dev/null and b/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap differ
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py b/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py
new file mode 100644
index 000000000..9277ba830
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * 1000
+packet = IPv6()/IPv6ExtHdrFragment()/TCP(dport=8080,sport=12345,flags='A',seq=1)/data
+
+frags = fragment6(packet,512)
+wrpcap('frag-ip-tcp.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/suricata.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.rules b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.rules
new file mode 100644
index 000000000..714e46a3d
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (dsize:1000; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
new file mode 100644
index 000000000..0a8aeeab3
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrpacket_info.linktype: 229
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.pcap b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.pcap
new file mode 100644
index 000000000..b28b36204
Binary files /dev/null and b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.pcap differ
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.py b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.py
new file mode 100644
index 000000000..2a394e213
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+packet = PPP()/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+
+frags = fragment(packet,fragsize=8)
+wrpcap('frag-ppp-ip-tcp-syn.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/suricata.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.rules b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.rules
new file mode 100644
index 000000000..4836c6bbd
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (tcp.flags:S; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml
new file mode 100644
index 000000000..d3e01be8a
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "IUUAACwAAQAAQAZ0xgEBAQECAgICMDkfkAAAAAEAAAAAYAIgABkMAAADAw4A"
+ packet_info.linktype: 9
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ip-tcp.py b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ip-tcp.py
new file mode 100644
index 000000000..b9a073e4c
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ip-tcp.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * 1000
+packet = PPP()/IPv6()/IPv6ExtHdrFragment()/TCP(dport=8080,sport=12345,flags='A',seq=1)/data
+
+frags = fragment6(packet,512)
+wrpcap('frag-ppp-ipv6-tcp.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ppp-ipv6-tcp.pcap b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ppp-ipv6-tcp.pcap
new file mode 100644
index 000000000..7fdd9fe4b
Binary files /dev/null and b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ppp-ipv6-tcp.pcap differ
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.rules b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.rules
new file mode 100644
index 000000000..714e46a3d
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (dsize:1000; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.yaml
new file mode 100644
index 000000000..9d46d2d81
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.yaml
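Review bot: The generator in bug-6887-defrag-ppp-ipv6-tcp is named frag-ip-tcp.py but writes `frag-ppp-ipv6-tcp.pcap`, whereas every other directory in this commit names the script after the pcap it produces (frag-ppp-ip-tcp-syn.py writes frag-ppp-ip-tcp-syn.pcap, frag-eth-vlan-ipv6-tcp.py writes frag-eth-vlan-ipv6-tcp.pcap). Renaming it to frag-ppp-ipv6-tcp.py keeps that convention and avoids confusion with the unrelated frag-ip-tcp.py in bug-6887-defrag-ipv6-tcp, which is the raw-IPv6 variant of the same packet. A one-line header comment stating what the pcap exercises, e.g. `# PPP-encapsulated IPv6 fragments; reassembled TCP payload is 1000 bytes`, would also help, since the only hint today is the directory name.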
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet: "V2AAAAAD/AZAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEwOR+QAAAAAQAAAABQECAAypacket_info.linktype: 9
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.pcap b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.pcap
new file mode 100644
index 000000000..76899ebd5
Binary files /dev/null and b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.pcap differ
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.py b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.py
new file mode 100755
index 000000000..b6457ee38
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * (65535 - 20 - 8)
+encap = IP(src='1.1.1.1', dst='2.2.2.2')/UDP(sport=11111,dport=9999)/data
+frags = fragment(encap, 64)
+for f in frags:
+ pkts += Ether()/IP(src='7.7.7.7', dst='9.9.9.9')/GRE(proto=0x880b)/PPP()/f
+wrpcap('eth-ip-gre-ppp-max-ip-packet.pcap', pkts, snaplen=262144)
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/suricata.yaml b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
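Review bot: `pkts += Ether()/IP(src='7.7.7.7', dst='9.9.9.9')/GRE(proto=0x880b)/PPP()/f` in eth-ip-gre-ppp-max-ip-packet.py extends a list with a scapy packet; it works only because scapy `Packet` implements `__iter__`, and it reads like concatenation rather than "add one frame". `pkts.append(Ether()/IP(src='7.7.7.7', dst='9.9.9.9')/GRE(proto=0x880b)/PPP()/f)` states the intent directly. The two magic values deserve a comment as well: `data = 'A' * (65535 - 20 - 8)  # fill a maximum-size IPv4 datagram: 65535 minus IP and UDP headers` and `GRE(proto=0x880b)  # PPP carried in GRE`, so the next reader does not have to reverse-engineer why the reassembled datagram sits exactly at the IPv4 length limit.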
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.rules b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.rules
new file mode 100644
index 000000000..bde5e4b79
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (dsize:>65000; sid:1;)
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.yaml b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.yaml
new file mode 100644
index 000000000..89262988a
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ min-version: 8
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ packet.__len: 87384
+ #packet_info.linktype: 12 # Bug 6954: on OpenBSD this value in 14.
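Review bot: Commenting out `#packet_info.linktype: 12` drops the link-type assertion for the GRE/PPP test entirely, so a regression that logs some other linktype on Linux — the platform the other tests pin — would no longer be caught; the comment also reads `this value in 14` where `is 14` is meant. If the runner cannot express a per-platform expectation, the comment should at least say what 12 and 14 stand for, presumably the raw-IP DLT whose number differs between Linux and OpenBSD, e.g. `# packet_info.linktype: 12 (DLT_RAW on Linux; Bug 6954: 14 on OpenBSD)`. `packet.__len: 87384` appears to compare the length of the base64-encoded `packet` string rather than the packet's byte count; a comment such as `# length of the base64 string (about 65.5 KB of packet bytes)` saves the next reader the arithmetic and makes clear the value is not the IPv4 maximum of 65535.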