From 002f1d80145357a1c0e71c96c455d92065cf749e Mon Sep 17 00:00:00 2001
From: DEL VALLE Bastien <bastien.del-valle@telecomnancy.eu>
Date: Tue, 3 Mar 2020 18:25:10 +0100
Subject: [PATCH] Adds test for SMB EICAR file nbss-more-ffsmb

Readme edited
---
 tests/smb-eicar-file-nbss-more-ffsmb/README.md  |  15 +++++++++++++++
 tests/smb-eicar-file-nbss-more-ffsmb/input.pcap | Bin 0 -> 4178 bytes
 tests/smb-eicar-file-nbss-more-ffsmb/test.rules |   1 +
 tests/smb-eicar-file-nbss-more-ffsmb/test.yaml  |  14 ++++++++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 tests/smb-eicar-file-nbss-more-ffsmb/README.md
 create mode 100644 tests/smb-eicar-file-nbss-more-ffsmb/input.pcap
 create mode 100644 tests/smb-eicar-file-nbss-more-ffsmb/test.rules
 create mode 100644 tests/smb-eicar-file-nbss-more-ffsmb/test.yaml

diff --git a/tests/smb-eicar-file-nbss-more-ffsmb/README.md b/tests/smb-eicar-file-nbss-more-ffsmb/README.md
new file mode 100644
index 000000000..e5766743a
--- /dev/null
+++ b/tests/smb-eicar-file-nbss-more-ffsmb/README.md
@@ -0,0 +1,15 @@
+# Description
+
+Test SMB EICAR file rule.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared folder public without needed authentication)
+
+Needs a Proxy that sends two NetBIOS messages in one TCP packet
+
+Command is
+`smbclient //localhost/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
diff --git a/tests/smb-eicar-file-nbss-more-ffsmb/input.pcap b/tests/smb-eicar-file-nbss-more-ffsmb/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a96332011201c42238e145803ba87079f3c9aed5
GIT binary patch
literal 4178
zc-qZZeM}Q)7=Nxk+FB1Nh}vuhD<T0I*dkw|xR!E^PWrL7DjAA^II|^+;s-3t6tLSL
z&c%sF8#PKzOqMKJVzZezzl9}6ld&wQpcAth7bn5!hM>r}J?~pu?0M8I+aJ5jd-vXZ
z@BN<V`Tc(H_1e|$_sM{T@r?xrj|-B`l?PincpLkqfqwV-Di-wVJ^5uS-~kr#14b|^
zHfk<>$<$(#pYCAJ_6=YEflO|b)oXVA1|VajzF}o5b$V{eX)?~p<w}CQeLn|9cwI!1
z31$GFB4_(28KFt>y^Np|bmr{oj>3WGR}j6kDP9l^g#lzlQ!xxHBZ!9)F&DvdrE*Q>
zpU_-qi*oHm)T<5++}rUJ7KAAGog6$xfTvO@5BNcXvY|>6MGN;l`zV3u1edj_p7gZl
z%MiAW3iNacWDc{=#=Do>olA5Mr~NIb$*MDC>Op3;n4NZ)y~G{7?IPpzC2!0p50sf~
zR+EiBTV^$6W|iypSs*L6yL5p&S(%35B-(XVudAsBnaw?RKM<B&T6OwNLl))XK{*Gf
zFws*|`h4YA6MZ^%iuAeKH+*A{L#s>JCZknu5AooY<{@qp$g|LGtciMq-Wj>eG(EmE
z{cg%H*O(3g3Lx%YVei)qDwiD4?snZ8%8ji`RVdOGOjMMtEm1$C?KQntp~h>LX~~nx
z5?|=6Ng+acL|Y6|Tg(a<^v0gTfe{<pqCaShKUZ;Z9RaROp<L#lQd=}hqG+MtLpgxM
zgpN&;wm3A0l+O`T1VJ{&1YLFDz5q?tP*oZ#da-^{Ta2E2vCw04*;Jdm%<6JE=(AH>
zR5j$;)G>H+Rs=v}VJWPK_n{H{E~tieP=m)nmAl^KU<9X;CKjD}=$}kPZ!ZZKeZ<x`
z+-*S7ryTF3B3`0ZP6N2$m8epKVheBy1H>{17+(uBS>M7a+vIA7@r9Sv{FrTi7%YnT
zDG~R4THMZ>{WFtp>G-2_gUDXom*H6rt9er7a<G66GQf(X`S_B_!LtSQPy!|>L$pMQ
zJcD`V4EB{X<gc8e1Qi6WPO4arx~zv<sDlRB1Ul4b4b;O{delJ{K4*XhbbK>vMrKyy
zomw0*KpyV7F#lhn<U%GzAYNFtmID^EVi^g?5Ax5b<KGE)e7B)+U^D?8|HRWqWw{d3
z@fw-f@r@zJ?*`vi{pMr!?1rEP<YNz(M>wl+Cua@rRm3Vgp(g12;frZC2YjRV&vobu
zW_)_^cq!PC0yiWuj`V%oYEOQ?Y(r&=vSDF_^&wx+!65brrCy5n{TzKME(u>BqY221
zK-NdjLz>8$5GP(~PH=sk!HY?-2YgC>6j>YpD`%WV7Fx02D)lb(@Wa#@mqgAGkclpI
z#;7MVpcY|ai-a=-fv_MaEC6umiwuAjxEnCPJj_Br)(kl2K&^^!9a+GPliws8&G560
z9M!K;N~aI}(Nw3)BAvSWhI=Ydr}(5gn#kf%h9aF<RUkv90E;0S&NEYJiw08xu5~xA
zZC7v&)pKwJ`$wdh`htH>nff-Ish*0$0bv?ts(^;8C3zf^U@DLY3tIY98WS2n%EX7c
ziY%NcY({MKcR7wQx(2<ln(7N<*&f}(fe-sWDc1J-V<>A!!dVlhVaDx*wU6lAAJ&Gl
z^-5=(B*0p{GLo$Fch&XI{P`Lad<TlpI+$=H3BR$GgCXn>NzwZ|KSJrP5YgL?NjFn^
z_fnu7l5qOOfq-G~W%5Y0;kbu9IB!B-q9BIo!WzTTiXkw78J6eRXF28=O^%A}6^?hy
zbFxz%m1%iqb6VcV$-KpEa%Q;PCR?$|S)5_Axh=~q&ZVvlH}7(1lvv96S;?j8rE>`l
zKQ?ecEL$g~TeUxy>eeaJt+{XbrU!M4v($-bX!-{<knpz~IkXbc_EPu?zlMhI5{3UR
z7``{~kuxturdOIwg#h!AJV6+jA3luuW%n2TvU@#T{+k{Q-j82)qroq`6WVB82SD3P
zC`<WKYNCEg6g1I}Kt5?CeRe`GC_v5{1%V__LMF|QhLw18r4(a!e;j4(j)<{-410nw
z7E9krFgp~|D;;u-C4cgZ!9?}hd4bmVhp4_2g-;-X*7s~Y*v1L#QwD>bOo>=oJguxZ
ztTGIQ0lP_Mz7$a~Z^U4|4H1J)p}}tdN5Ou@VB`N+MKorY05uyYqOltTE^H!Z>m>^)
zN=*_VV?~JgXha#oz9kGroGyjvhzr=4pj=d|U=hhtiiA{u0{tH?7m=_Kk$M~&T>PH|
Y%OzOqn21<YCH|8Ku@Z3ow+6BP2L7P{3;+NC

literal 0
Hc-jL100001

diff --git a/tests/smb-eicar-file-nbss-more-ffsmb/test.rules b/tests/smb-eicar-file-nbss-more-ffsmb/test.rules
new file mode 100644
index 000000000..fcb9e4489
--- /dev/null
+++ b/tests/smb-eicar-file-nbss-more-ffsmb/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
diff --git a/tests/smb-eicar-file-nbss-more-ffsmb/test.yaml b/tests/smb-eicar-file-nbss-more-ffsmb/test.yaml
new file mode 100644
index 000000000..c1282b105
--- /dev/null
+++ b/tests/smb-eicar-file-nbss-more-ffsmb/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
-- 
2.47.2