From: Jeff Lucovsky
Date: Mon, 20 Jan 2025 13:40:58 +0000 (-0500)
Subject: detect/csum: Test interaction btw csum/stream setting
X-Git-Tag: suricata-7.0.9~53
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2263%2Fhead;p=thirdparty%2Fsuricata-verify.git
detect/csum: Test interaction btw csum/stream setting
Issue: 7467
Validate that there is no interaction between the csum keyword and stream.checksum-validation settings.
---
diff --git a/tests/detect-chksum-01/README.md b/tests/detect-chksum-01/README.md
new file mode 100644
index 000000000..ee3e2100f
--- /dev/null
+++ b/tests/detect-chksum-01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Contributed by Hans Vermeer
+
+Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks.
+
+This test enables `stream.checksum-validation`
+
+## PCAP
+
+Contributed by Hans Vermeer
diff --git a/tests/detect-chksum-01/input.pcap b/tests/detect-chksum-01/input.pcap
new file mode 100644
index 000000000..1b4ffc446
Binary files /dev/null and b/tests/detect-chksum-01/input.pcap differ
diff --git a/tests/detect-chksum-01/test.rules b/tests/detect-chksum-01/test.rules
new file mode 100644
index 000000000..1eb9c450f
--- /dev/null
+++ b/tests/detect-chksum-01/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;)
diff --git a/tests/detect-chksum-01/test.yaml b/tests/detect-chksum-01/test.yaml
new file mode 100644
index 000000000..60b75fefd
--- /dev/null
+++ b/tests/detect-chksum-01/test.yaml
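Review bot: The rule added in tests/detect-chksum-01/test.rules exercises only the `invalid` branch of the keyword, so a regression that made `tcpv4-csum` match unconditionally would still pass both tests. A second rule such as `alert tcp any any -> any any (msg:"TCPv4 valid checksum"; tcpv4-csum:valid; sid:2;)`, paired with a `count: 0` check filtered on `alert.signature_id: 2` and `pcap_cnt: 1`, would pin the negative case. The byte-identical rule file in tests/detect-chksum-02/test.rules has the same gap. A one-line `#` comment above the rule naming Issue 7467 would also help a reader who opens the rules file without the README.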
@@ -0,0 +1,32 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.checksum-validation=yes
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.severity: 3
+ alert.signature: SURICATA TCPv4 invalid checksum
+ alert.signature_id: 1
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ direction: to_server
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 74
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867
diff --git a/tests/detect-chksum-02/README.md b/tests/detect-chksum-02/README.md
new file mode 100644
index 000000000..67e0ec280
--- /dev/null
+++ b/tests/detect-chksum-02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Contributed by Hans Vermeer
+
+Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks.
+
+This test disables `stream.checksum-validation`
+
+## PCAP
+
+Contributed by Hans Vermeer
diff --git a/tests/detect-chksum-02/test.rules b/tests/detect-chksum-02/test.rules
new file mode 100644
index 000000000..1eb9c450f
--- /dev/null
+++ b/tests/detect-chksum-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;)
diff --git a/tests/detect-chksum-02/test.yaml b/tests/detect-chksum-02/test.yaml
new file mode 100644
index 000000000..1af4ca7f7
--- /dev/null
+++ b/tests/detect-chksum-02/test.yaml
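Review bot: In tests/detect-chksum-01/test.yaml the only checksum-related knob pinned under `args` is `--set stream.checksum-validation=yes`; the pcap reader's own checksum mode is left at whatever the test runner defaults to. If that default, or a later change to it, disables checksum checking for the replay, the alert on packet 1 could disappear for a reason unrelated to the setting under test. Consider pinning it explicitly, for example with `- --set pcap-file.checksum-checks=yes`, after confirming that this is the mode the test intends. The same applies to tests/detect-chksum-02/test.yaml, which differs only in the `pcap:` path and the `=no` value.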
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../detect-chksum-01/input.pcap
+
+args:
+- --set stream.checksum-validation=no
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.severity: 3
+ alert.signature: SURICATA TCPv4 invalid checksum
+ alert.signature_id: 1
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ direction: to_server
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 74
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867