From: Philippe Antoine
Date: Mon, 19 Jul 2021 15:23:04 +0000 (+0200)
Subject: Adds a test about IPv6 fragment invalid length
X-Git-Tag: suricata-6.0.4~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F527%2Fhead;p=thirdparty%2Fsuricata-verify.git

Adds a test about IPv6 fragment invalid length
---
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/README.md b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/README.md
new file mode 100644
index 000000000..c5bbd43b5
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/README.md
@@ -0,0 +1,11 @@
+# Description
+
+Test detection of DoS attack that tries to increase decoding effort.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
+
+# Notes
+
+It might be better to have a dedicated rule that focuses on the DoS aspect, ie that is many fragments with different identifications between the same pair of ipv6 addresses
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/denial6-6.pcap b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/denial6-6.pcap
new file mode 100644
index 000000000..55e668983
Binary files /dev/null and b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/denial6-6.pcap differ
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/test.rules b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/test.rules
new file mode 100644
index 000000000..9d9eae989
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;)
diff --git a/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/test.yaml b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/test.yaml
new file mode 100644
index 000000000..7330be47c
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-dos-with-ext-headers-6/test.yaml
@@ -0,0 +1,11 @@
+
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+checks:
+  - filter:
+      count: 39812
+      match:
+        event_type: alert
+        alert.signature_id: 2200119
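Review bot: The `requires:` block in test.yaml gates only on HAVE_LIBJANSSON, while the rule in test.rules depends on `decode-event:ipv6.frag_invalid_length`; if that decode event is new in the release this commit targets (the tag suggests 6.0.4), an older Suricata build would fail at rule load instead of skipping the test cleanly. Adding `  min-version: <FIRST-VERSION-WITH-EVENT>` under `requires:` (placeholder — confirm against the Suricata change that introduced the event) makes that dependency explicit. The single check also only counts alerts carrying sid 2200119, so a regression that makes other decoder events fire on these fragments would go unnoticed; a second filter with `count: 39812` matching `event_type: alert` alone would pin that no other alerts are produced by this pcap.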