From: Jeff Lucovsky Date: Thu, 21 Mar 2024 13:25:49 +0000 (-0400) Subject: detect/ipopts: IP option tests X-Git-Tag: suricata-6.0.19~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1780%2Fhead;p=thirdparty%2Fsuricata-verify.git detect/ipopts: IP option tests
---
diff --git a/tests/detect-ipopts/README b/tests/detect-ipopts/README
new file mode 100644
index 000000000..c8e0769e8
--- /dev/null
+++ b/tests/detect-ipopts/README
@@ -0,0 +1,12 @@
+Test the IP options. There's already a test for the extended security option; the following IP options are
+tested:
+- Record Route "rr"
+- Loose source route "lsrr"
+- EOL "eol"
+- NOP "nop"
+- Timestamp "ts"
+- Security "sec"
+- Strict source route "ssrr"
+- Stream id "satid"
+
+The pcap was generated using ipopt.py
diff --git a/tests/detect-ipopts/input.pcap b/tests/detect-ipopts/input.pcap
new file mode 100644
index 000000000..faee4bcad
Binary files /dev/null and b/tests/detect-ipopts/input.pcap differ
diff --git a/tests/detect-ipopts/ipopt.py b/tests/detect-ipopts/ipopt.py
new file mode 100644
index 000000000..697b0cdaa
--- /dev/null
+++ b/tests/detect-ipopts/ipopt.py
@@ -0,0 +1,27 @@
+from scapy.all import *
+from scapy.layers.inet import IP
+
+
+def main():
+ ip_option_list = {
+ "rr": [IPOption_RR(), "Record route"],
+ "lsrr": [IPOption_LSRR(routers=["1.2.3.4", "5.6.7.8"]), "Loose source route"],
+ "eol": [IPOption_EOL(), "EOL"],
+ "nop": [IPOption_NOP(), "NOP"],
+ "ts": [IPOption_Timestamp(flg=0, length=8), "Timestamp"],
+ "sec": [IPOption_Security(transmission_control_code="XYZ"), "Security"],
+ "ssrr": [IPOption_SSRR(routers=["1.1.1.1", "8.8.8.8"]), "Strict source route"],
+ "satid": [IPOption_Stream_Id(), "Stream id"],
+ }
+
+ # Create and send a packet for each IP option
+ src_ip = "9.10.11.12"
+ dst_ip = "13.14.15.16"
+ for option in ip_option_list:
+ print(f"Creating packet with ip option {option}")
+ packet = IP(src=src_ip, dst=dst_ip, options=ip_option_list[option][0]) / TCP()
+ wrpcap("input.pcap", packet, append=True)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/tests/detect-ipopts/test.rules b/tests/detect-ipopts/test.rules
new file mode 100644
index 000000000..9d2215a62
--- /dev/null
+++ b/tests/detect-ipopts/test.rules
@@ -0,0 +1,10 @@
+alert ip any any -> any any (msg:"RR option set"; ipopts:rr; sid: 1;)
+alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;)
+alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;)
+alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;)
+alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;)
+alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;)
+alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;)
+alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;)
+# covered in ipopts-sec
+#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)
diff --git a/tests/detect-ipopts/test.yaml b/tests/detect-ipopts/test.yaml
new file mode 100644
index 000000000..a7de363f7
--- /dev/null
+++ b/tests/detect-ipopts/test.yaml
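Review bot: `wrpcap("input.pcap", packet, append=True)` appends to whatever input.pcap is already on disk, so re-running the generator doubles the packets and silently invalidates the `pcap_cnt` expectations in test.yaml; collect the packets in the loop with `packets.append(packet)` and write the file once after it with `wrpcap("input.pcap", packets)`, or remove the old file before the loop. The explicit `from scapy.layers.inet import IP` is redundant after `from scapy.all import *`, and it is the star import that brings every `IPOption_*` class and `TCP` into scope; importing those names from `scapy.layers.inet` as well would make the dependency explicit and let a linter see the unused names. The second element of each `ip_option_list` entry (the description) is never read, so either include it in the print line, `print(f"Creating packet with ip option {option} ({ip_option_list[option][1]})")`, or drop it; the name `ip_option_list` for a dict is also misleading. A module docstring stating that the script regenerates input.pcap for this test, one packet per option in dict order, would help whoever next has to rebuild the capture.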
@@ -0,0 +1,54 @@
+requires:
+ min-version: 8
+
+args:
+ - --set stream.midstream=true -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 2
+ alert.signature_id: 2
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 5
+ alert.signature_id: 5
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ alert.signature_id: 7
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 8
+ alert.signature_id: 8
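Review bot: The checks for sids 1, 2 and 4–8 each pin `pcap_cnt` to the one packet that should match, so a rule that additionally fired on another packet (a false positive in the option matcher) would not fail the test; add a per-sid check without the `pcap_cnt` key, as the sid 3 check already has, or one overall filter `count: 13` on `event_type: alert` (7 single-packet matches plus the 6 expected for sid 3). The `count: 6` for sid 3 deserves a comment, since a reader expects one packet per option: presumably the extra EOL matches come from the zero padding that aligns the shorter options to a 4-byte boundary (a 0x00 pad byte is the EOL option), e.g. `# eol matches its own packet plus the 0x00 padding of the shorter options - confirm`. `min-version: 8` keeps the test from running on 6.x/7.x even though the ipopts keyword exists there; if a behaviour change in 8 is the reason, a one-line comment saying so would save the next person from lowering it.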