From 0aa30e6ac6f05963b9aa1c76633e128989b84a07 Mon Sep 17 00:00:00 2001 
From: Philippe Antoine Date: Fri, 10 Sep 2021 13:38:05 +0200 Subject: [PATCH] Adds tests about IPv6 fragmentation --- .../ipv6-malformed-fragments-1/README.md | 7 +++++++ .../ipv6-malformed-fragments-1/frag-1.pcap | Bin 0 -> 3030 bytes .../ipv6-malformed-fragments-1/test.rules | 1 + .../ipv6-malformed-fragments-1/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-10/README.md | 7 +++++++ .../ipv6-malformed-fragments-10/frag-10.pcap | Bin 0 -> 3518 bytes .../ipv6-malformed-fragments-10/test.rules | 2 ++ .../ipv6-malformed-fragments-10/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-11/README.md | 7 +++++++ .../ipv6-malformed-fragments-11/frag-11.pcap | Bin 0 -> 3714 bytes .../ipv6-malformed-fragments-11/test.rules | 2 ++ .../ipv6-malformed-fragments-11/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-12/README.md | 7 +++++++ .../ipv6-malformed-fragments-12/frag-12.pcap | Bin 0 -> 3710 bytes .../ipv6-malformed-fragments-12/test.rules | 2 ++ .../ipv6-malformed-fragments-12/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-15/README.md | 7 +++++++ .../ipv6-malformed-fragments-15/frag-15.pcap | Bin 0 -> 71238 bytes .../ipv6-malformed-fragments-15/test.rules | 1 + .../ipv6-malformed-fragments-15/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-16/README.md | 7 +++++++ .../ipv6-malformed-fragments-16/frag-16.pcap | Bin 0 -> 72818 bytes .../ipv6-malformed-fragments-16/test.rules | 1 + .../ipv6-malformed-fragments-16/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-17/README.md | 7 +++++++ .../ipv6-malformed-fragments-17/frag-17.pcap | Bin 0 -> 3030 bytes .../ipv6-malformed-fragments-17/test.rules | 1 + .../ipv6-malformed-fragments-17/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-18/README.md | 7 +++++++ .../ipv6-malformed-fragments-18/frag-18.pcap | Bin 0 -> 3030 bytes .../ipv6-malformed-fragments-18/test.rules | 1 + .../ipv6-malformed-fragments-18/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-2/README.md | 
7 +++++++ .../ipv6-malformed-fragments-2/frag-2.pcap | Bin 0 -> 2834 bytes .../ipv6-malformed-fragments-2/test.rules | 1 + .../ipv6-malformed-fragments-2/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-22/README.md | 7 +++++++ .../ipv6-malformed-fragments-22/frag-22.pcap | Bin 0 -> 2912 bytes .../ipv6-malformed-fragments-22/test.rules | 1 + .../ipv6-malformed-fragments-22/test.yaml | 11 +++++++++++ .../ipv6-malformed-fragments-23/README.md | 7 +++++++ .../ipv6-malformed-fragments-23/frag-23.pcap | Bin 0 -> 2432 bytes .../ipv6-malformed-fragments-23/test.rules | 1 + .../ipv6-malformed-fragments-23/test.yaml | 11 +++++++++++ .../ipv6-malformed-fragments-24/README.md | 7 +++++++ .../ipv6-malformed-fragments-24/frag-24.pcap | Bin 0 -> 2432 bytes .../ipv6-malformed-fragments-24/test.rules | 1 + .../ipv6-malformed-fragments-24/test.yaml | 11 +++++++++++ .../ipv6-malformed-fragments-25/README.md | 7 +++++++ .../ipv6-malformed-fragments-25/frag-25.pcap | Bin 0 -> 1188 bytes .../ipv6-malformed-fragments-25/test.rules | 2 ++ .../ipv6-malformed-fragments-25/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-26/README.md | 7 +++++++ .../ipv6-malformed-fragments-26/frag-26.pcap | Bin 0 -> 993 bytes .../ipv6-malformed-fragments-26/test.rules | 2 ++ .../ipv6-malformed-fragments-26/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-27/README.md | 7 +++++++ .../ipv6-malformed-fragments-27/frag-27.pcap | Bin 0 -> 1956 bytes .../ipv6-malformed-fragments-27/test.rules | 2 ++ .../ipv6-malformed-fragments-27/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-28/README.md | 7 +++++++ .../ipv6-malformed-fragments-28/frag-28.pcap | Bin 0 -> 2571 bytes .../ipv6-malformed-fragments-28/test.rules | 2 ++ .../ipv6-malformed-fragments-28/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-29/README.md | 7 +++++++ .../ipv6-malformed-fragments-29/frag-29.pcap | Bin 0 -> 1957 bytes .../ipv6-malformed-fragments-29/test.rules | 1 + 
.../ipv6-malformed-fragments-29/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-3/README.md | 7 +++++++ .../ipv6-malformed-fragments-3/frag-3.pcap | Bin 0 -> 2834 bytes .../ipv6-malformed-fragments-3/test.rules | 1 + .../ipv6-malformed-fragments-3/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-30/README.md | 7 +++++++ .../ipv6-malformed-fragments-30/frag-30.pcap | Bin 0 -> 70719 bytes .../ipv6-malformed-fragments-30/test.rules | 1 + .../ipv6-malformed-fragments-30/test.yaml | 11 +++++++++++ .../ipv6-malformed-fragments-31/README.md | 7 +++++++ .../ipv6-malformed-fragments-31/frag-31.pcap | Bin 0 -> 70516 bytes .../ipv6-malformed-fragments-31/test.rules | 1 + .../ipv6-malformed-fragments-31/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-32/README.md | 7 +++++++ .../ipv6-malformed-fragments-32/frag-32.pcap | Bin 0 -> 69938 bytes .../ipv6-malformed-fragments-32/test.rules | 2 ++ .../ipv6-malformed-fragments-32/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-33/README.md | 7 +++++++ .../ipv6-malformed-fragments-33/frag-33.pcap | Bin 0 -> 71984 bytes .../ipv6-malformed-fragments-33/test.rules | 2 ++ .../ipv6-malformed-fragments-33/test.yaml | 15 +++++++++++++++ .../ipv6-malformed-fragments-35/README.md | 7 +++++++ .../ipv6-malformed-fragments-35/frag-35.pcap | Bin 0 -> 3164 bytes .../ipv6-malformed-fragments-35/test.rules | 1 + .../ipv6-malformed-fragments-35/test.yaml | 11 +++++++++++ .../ipv6-malformed-fragments-36/README.md | 7 +++++++ .../ipv6-malformed-fragments-36/frag-36.pcap | Bin 0 -> 2984 bytes .../ipv6-malformed-fragments-36/test.rules | 1 + .../ipv6-malformed-fragments-36/test.yaml | 11 +++++++++++ .../ipv6-malformed-fragments-4/README.md | 7 +++++++ .../ipv6-malformed-fragments-4/frag-4.pcap | Bin 0 -> 3030 bytes .../ipv6-malformed-fragments-4/test.rules | 1 + .../ipv6-malformed-fragments-4/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-6/README.md | 7 +++++++ .../ipv6-malformed-fragments-6/frag-6.pcap | Bin 0 -> 
2484 bytes .../ipv6-malformed-fragments-6/test.rules | 1 + .../ipv6-malformed-fragments-6/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-7/README.md | 11 +++++++++++ .../ipv6-malformed-fragments-7/frag-7.pcap | Bin 0 -> 2484 bytes .../ipv6-malformed-fragments-7/test.rules | 1 + .../ipv6-malformed-fragments-7/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-8/README.md | 11 +++++++++++ .../ipv6-malformed-fragments-8/frag-8.pcap | Bin 0 -> 2484 bytes .../ipv6-malformed-fragments-8/test.rules | 1 + .../ipv6-malformed-fragments-8/test.yaml | 10 ++++++++++ .../ipv6-malformed-fragments-9/README.md | 7 +++++++ .../ipv6-malformed-fragments-9/frag-9.pcap | Bin 0 -> 3864 bytes .../ipv6-malformed-fragments-9/test.rules | 1 + .../ipv6-malformed-fragments-9/test.yaml | 10 ++++++++++ 116 files changed, 590 insertions(+) create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-10/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules create mode 
100644 tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-15/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-17/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md create mode 
100644 tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-26/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-28/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules create 
mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-30/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md create mode 
100644 tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-36/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-6/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-8/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules create mode 100644 tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/README.md 
@@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-1/frag-1.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ec117bc4f541b2cd6ddb58ad78cf2e81c0514965 GIT binary patch literal 3030 zc-p&ic+)~A1{MYcU}0bclK;0(j~4G?X7B*AK{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05UhH7hx{MM2P7?bGa_u2b$}EZVtLVjST8o%$3;A z#gGS-24Q1kkUo&PeVc*ivbbwASXll4*8njfjUns*KcLKiCI)1{*v8OOJxr2cbY6Hl2#)n)C`+#EmV77~)gjNRwBg}Rt<PyKhQV~b&NoVW2$4o5Cggaiycf1+onfb0^{f!(5E1b z5%-LY3v?U^#k~~+mOgE-9nJfL3orp=x2&J?*k#rjjorZqn1QkTd?NK*k|1+k zCR4v9$pSRDVl5j(7*IM4(_C;f5WOYY?}ct|J40d|mKGxuq{Z0p1+t|EXp0|E&<}g4 SNMMEvx~&}y|9K8zu>}CJpuz3{ literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules new file mode 100644 index 000000000..e1b4585ca --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-1/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/README.md 
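Review bot: Nothing in this test.yaml says which IPv6 fragmentation malformation frag-1.pcap exercises; the README added alongside it is the same generic text in every directory, so the only hint is the signature id, which has to be resolved through test.rules. A one-line header comment tying the pcap to the decoder event the test expects, e.g. `# frag-1.pcap: IPv6 fragmentation overlap, expected decode-event ipv6.frag_overlap (sid 2200072)`, would make each case readable on its own; the same applies to the test.yaml hunks for tests 10, 11, 12, 15, 16, 17, 18 and 2 later in this patch, each with its own decode-event name from its test.rules. The checks also only assert that one alert per expected sid exists, so an unexpected additional decoder alert on the same pcap would go unnoticed, which is the kind of regression an evasion corpus is meant to surface. If the runner's `count` is an exact match, as the existing entry already relies on, a second filter on `event_type: alert` with the total alert count expected for the pcap pins that; the indentation below is reconstructed, since the hunk's whitespace was collapsed in this rendering.
```yaml
checks:
  # … unchanged: the alert.signature_id 2200072 filter …
  - filter:
      count: 1
      match:
        event_type: alert
```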
@@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-10/frag-10.pcap new file mode 100644 index 0000000000000000000000000000000000000000..606f8941c664302d5669cb41692d8168542938e2 GIT binary patch literal 3518 zc-p&ic+)~A1{MYcU}0bclC!o=k3RT@k--DV2H_Njtmu9(2IbH>#cFML6F>@uto|!7 z^6mgDhX5utK4SxeM#ismyY@N40m$5hcL;MKCPGXHn#*`=(ipP-{{zbWXJSAGjBN}pMGg`SaxejA z7KZ~2jDbL177idjnmZU6p*DbQf4QH9VINRzAIx?!l+fy6V1(Juq#XMHA5aF(b}=gk zR-gzYLqCJcBOsp*6f0C<($C zanHqaLWf}7>i`KZhE=Pq!1V6j4GhbyfN^#rY7~ruQ7{UI2mqCaFFr6b@Ub$0FDcgyd6=|(=Ky`9_ksGo9+0_ any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) +alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml new file mode 100644 index 000000000..edb943475 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-10/test.yaml @@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200080 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200015 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-11/frag-11.pcap new file mode 100644 index 0000000000000000000000000000000000000000..54147aceadd5a3b08d83c6954c9f321cae6eff33 GIT binary patch literal 3714 zc-rmP$xl;39KiA4E5%@us;Gz?pdgE&g1BIDDQ+OHsJMU&Dk7qyf*Y=Y2)I$vgCX(a zNxf>K#seWCM!~i(7ZMZFNv5B^nR&n8d+l^y=TrBKCpNLm zK(ULVUZ1{tRQm0mLkiS;UCX7a)Ke&l#gA)~o4=Ilfzd8A!H9a}8}2VQ%dt@}sg*zb z-*)ExDLQW5`+>Ori2mp*uH)lZ71wQzW6jebDM8{!ggK>Jb?cg)tKkGBz;%Mqx8388S~51W|%76pmBz}@WJC`P@B4j zAUSN$)ZKJsIY!XkMD{qut2%WZG?OFkJsCsJC{{i8u*k za5Bc?6r76Fa5~PwIE=>xoQbnA5tDE>CSwYwVj9lDbj-lHI1lGzCT8IR%*KVd2p8iL z%)zDT!dzU2%W(y+L^tN)DqM|ga4oLGd@R8AScn^NBW}XYxCOUj5pKinxC4uEC+@=C zxCcwH6!+pj+>Zya3=iTVJdEXd1S{|;R^l2k+uNY(o#;$98<6bSWPy>m@HjJ-K>I z{!`JbVP>C0oZ;fDmglcg*KPki^z+v){q6dP9$Gy^t7mBS46U9cW%YcnR>vO=5o%6} zuUb||-xk2Si|`a${|UE9#%O(PZTIgMJcT-o*%+Z_zW8d8y;bZ$mcZH8tgX`fx+_Q) T9X-Bp_;+qPZpVk=-?{w;l#%$4 literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules new file mode 100644 index 000000000..1279331ec --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.rules @@ -0,0 +1,2 @@ +alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) +alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml new file mode 100644 index 000000000..edb943475 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-11/test.yaml 
@@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200080 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200015 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-12/frag-12.pcap new file mode 100644 index 0000000000000000000000000000000000000000..37d5542499554dfe3dbb8472e7404106f7e67c0a GIT binary patch literal 3710 zc-rmP$4?Yd9KiA4th*izi;9Za5CtiM6$>sRi;5st6f9stMMP9ou%V)hB4PtO7A)8c z7C>nSV#3XX@!-LWF){uDo;6{8!+sH+HQ~aE>`UH!cHX@C{bu$hznS^eT3cljvvfAI zXlmO~Uy)uIZIwjzTkn~YlU|-AfvJ`G!6jcZ^oc$;XMkpHY@hCGCd0nwkkIU(ADUa@ z{xm(V7SkEm710%4#qIO)tBPwk#xdq8k`P1OMiti_CXy?z9vP{hr^hX;Q*q4+;SyzY zwmDn@vLwgZrj9sG@^{lpq&Uy+C;lA+z0CG^q9v=dqU`#<;W|VkgPuJ;MWjVsy*<0{ zKmS T&2fvL_mb;OX}*CrM~eN+3r^;I#<`DGZ>oGP5#JWXA=`#fbR?!Z8?(AsC8bI2OY(0>|NaoPZN?5>CcQoPtwv8cxS3oPjos#+ev{ zvoIFz7>BcQ4$j4RoQDaRi1RTC7vMr%go|+rF2!VAhRZPpQ*i~Z#8tQ&(=Z*^;96XV z>oEg2;6~hpnYbCVa0_PRR?NX|xE*(3F7Cu#xEu2@ANSy1+=u(|02bguJcNg_5Rc$d zbYKx4!{bv#iiVkO?f+js}> zVin%Q`}hDK;v;;FPw*)|!{=CyFYqP4!q-@XwOEI5@GaJ312$rl(xz-yI>ZvKo{jI* zXnHmO9%~hERmt^kc;adWt>({NKXJ`s`k@yrPxbdye^2%IRR5k*{q^b?QtjPC-rSqi T-PFW(|5uwHH#x5RzuJBSb%Ffs literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules new file mode 100644 index 000000000..1279331ec --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.rules 
@@ -0,0 +1,2 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;)
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Fragment extension header"; decode-event:ipv6.exthdr_dupl_fh; classtype:protocol-command-decode; sid:2200015; rev:2;)
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml
new file mode 100644
index 000000000..edb943475
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-12/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200080
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200015
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-15/frag-15.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0d3593291d44b471990c61cc212d5279eb7684fb GIT binary patch literal 71238 zc-rmUO=whC7=YpLPG$*>w};b0v()zXiRrXGf}3%5o=);;A7C+RUq( zQucA=eMs=n9qipp%084qb8awq_Zk1$t$h;Y?jEaX4>RUUv(Sn&tAI7nnDm|2)Y%XWm1Bd&KOg`Qo*fPxIV-nirJ`nUatY&QWtK(x2b)5N(Is(vE$Gg?;bu2$e9RX;o z<9!cxtm>hT0JPQdR*icd>)NOz0Bv==?V*nI%c&y(ZFL-;<6g&we^EyO+Uj`2Lmiv1 zQ%3;W>Uh&b9hdi0M*!ODc(vBOjw?Q+jsUdP@tTJ^wl+{l0NU!qUy^bBscLboWj{P3$*vWiH0P5gxFYT=zO|XTBo>UebQ4-dmX=Hz9Rs2b=>cvj;ERL2tZvOzio7{gu@3Lmda0?+8F$9oH^$uj5tbI|5Kw#|{s59AdsB z0Cjcz)I%L_Fy9e?x;m~}>|V#)%y$H!u8tc#)NzFQjsVovam^C0ZZI%y$H!u8xa6)NzdYjsVovafzwpBGWp1B$KzW3CuJK>kvBh`_0e>3auswk2UbGajbU3+F$ zGR&m23v7|@Fk`Od9>*%$!;E?UUa6mCA4kszL3Sm3m)(^`vff- any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml new file mode 100644 index 000000000..7c5936607 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-15/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200071 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-16/frag-16.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3223b1c8d3a9c97e65e35ebe2dd6c2bcafdf571c GIT binary patch literal 72818 zc-rmUU1*JQ9KiA4b9Ro4iP*(bN`??~frPWnnUWC~k_)Xw$y=Dsyv*Cq@v;;)Z<#{b z1y@Qaq%6z@;h-r>UZ$no*c7R$9skE;#&cG?`2WiqibI;^DoScXNG$NZv4DF5D7i@k}`I6 zXZmJS$#4GL$~8T6gNea(GdK6?TQfHio)f-LO2+guxAj{@HkhaVWAbGG`~10eSIyk$ zobfU(p6N;k16In~OqY2k6Oli8wX&}=F+_%SpU8Sfe>^SGb?TM1qBJ#@~?m~mOx zdFF*@Ung1T%xmc79ufcD6rYRzC-0`iyqk~fMAEU~$o?e9P8Ig~NsgPNtl?TmQocSi zpS<)S0Kh-x*Zq@&y2p#R&(s|Nbk+UgM*F%Krl>mr z=&Jh@2X&t`n7RXiuDU;{u&?{nM(Pd#y6T>GQ1=-VsXGAZs{8Fq`?}A%L)`&DSKaS9 zsC(%`>J9+9>V9aGecczdQg;B*Rrh)abzf9L-2p&X-49mT*L{gc-2p&X-Rm6GeJT6h z0YF*ZYc|{0eFgj70YF*Z_d2Ni8uq&bfU>%8*$*JE(gV``rORS=}4A z+Sh$M``rORS>4Y&sCy0j-2p&Z-A`?^uls)Xy90o-x}SAW_k-+r2LNStKVEHL_ap3g z2LNStZ*Wlelk9f~0A+PQyxqR;r`hig0Ltoq%t757+3yYj%Ibc?LESH~-yHyy)&0N@ z`?_CbzdHaZtNS4bb-%)XcK}dU_tZ}Nx?g9%I{+xFd#!`I-(tTz04S^b{9X2Szsr7i z08m!<*}LuQexLpB0HCbya~;(EG5g&CKv~^q*4Wp*h5haTpsemC4(k4r{q6vutnSm3 z_H}>5es=&+R`((Yb#G(8I{+xFd$EJMe`LQq04S^bq?CQ#+u8390Ltn<#X;S_u-_d3 zl+}Iw9{aj?vfmv5l+}HLgSuzlQFj2)RreG7LGdL zT{8cU}V literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules new file mode 100644 index 000000000..91bfd63a7 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml new file mode 100644 index 000000000..7c5936607 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-16/test.yaml 
@@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200071 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-17/frag-17.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b9eb5253bffd2355d18ec1a2839cdadb2e1b7558 GIT binary patch literal 3030 zc-p&ic+)~A1{MYcU}0bcl7F^MkIs3=#oz&CgK!E%R&>7?gL3GcVzsur2_S_+R{s?k zd3S)7LjV&RpRs{KBjeY(UHcs20A%i$_Xu+#CPGXHn#*|g@<<|Z(Xt^s`t z!WeNc$hbhqfl%CA0r9VMALcbMREnd<)hHMY02IsjfU$fI7-#3O$MOtfVwrI!D3+r} z!Jq>FfU)~|<8UdFK)#8pW?={ea>6ic4RFznUb^>tq5H0#L5CB>M;C{b;z0F4TS{wK z82o^8e%R|g34|>$-RQP any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-17/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/README.md 
@@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-18/frag-18.pcap new file mode 100644 index 0000000000000000000000000000000000000000..87d42018bcc454dde5756524deffb36f7a493cb2 GIT binary patch literal 3030 zc-p&ic+)~A1{MYcU}0bcl04g|M`s*kX7B*AK{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05bQ-afG=L6CtJp&E>jqA84)vx;g0fG%~1TF;{aZ zJ3}5&8ib9FLHa=E_H725%i^xhU}5$DUjxK|G={AI|9~?8nHZ1(V;e(Dk%I(-987?j z#o+)0V<1qMg#(C><_-o%s0|?7`R=hZ>;sDJgV`>I5?UP$j4<1oltcgj1InP;E@s8R z3KU^v=x0!Q1mv@UVg*gjZ!|H+|3Kp~)G-1bj;W3TLk#E!EOsz~eDjl+Ynb?k7wDU} zz!Y~47;hkqk&=ZN7w9+;O37A0{OjC@1q}?9;;1Qa6buFcisethSUv}gvvb&Ec?L1D z%s3Mi%cJ2rxBwq8c0Eo~D|Vws!Jq>Cz}O8uMS1KpYmDaI!3P9@v1@pi`YlP2xu?%j zza=RMG>*zX0hWi`+iKcJu=_E3?) Q3>9=+I~e}+9Kd1=01i3Ow*UYD literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules new file mode 100644 index 000000000..e1b4585ca --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-18/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md new file mode 100644 index 000000000..1ec302a17 
--- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-2/frag-2.pcap new file mode 100644 index 0000000000000000000000000000000000000000..47a60a1d9b60a6a9a10f1ef0b1d3e5accbca7372 GIT binary patch literal 2834 zc-p&ic+)~A1{MYcU}0bcl6>2yM{kZ|VekO5K{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05X?924OD5M2P7?bGa_u2b$}EZVtLVjST8o%w0T} zlOYc%4Z_C8AblWn`!)m3WpUSLu(107uK{8}8bj9qe?Xc4Obp0?v5ldn$U%ZZ4kp0N z;&6b0F%YQB!U4oba|Z(>)CQ34?uR%T_5sEA!E6^p39SwWMwsnP%Ax=N0cFr^7qenu z1&S~-^fRbD0`l2Fv4W=NH<}pZf1q&~>KK6z$5h9FAqI2<7CV^ufxeLf#?dvPPeB+X z?wJ@D=r|CHdn*PokEwy7QXDm|M!{eJpjegx#_~B}ES2ZVsJ+n7N8mL$kr-X!X` FBmp{&l&}B* literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules new file mode 100644 index 000000000..e1b4585ca --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-2/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null 
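Review bot: The single rule in test.rules for fragments-2 (and the identical ones in tests 17, 18, 3, 29 and 4) only establishes that `ipv6.frag_overlap` fired once; it does not pin which of the overlapping fragments Suricata kept in the reassembled packet, which is the property an overlap evasion actually turns on and which, as far as I can tell, depends on the defrag/host-os policy in effect rather than on the decoder event. If the capture carries a known payload, a second rule matching the reassembled content, e.g. `alert ip any any -> any any (msg:"IPv6 overlap - reassembled payload"; content:"<bytes the sensor should keep>"; sid:2;)` together with a `count: 1` check on sid 2 in test.yaml, would make the test fail when the reassembly order or policy regresses while the overlap event still fires. I cannot see the pcap contents, so the exact content string and the expected winner are for the author to fill in.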
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-22/frag-22.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c14c02b8397fde70e4abaa52725e0c74daac5414 GIT binary patch literal 2912 zc-p&ic+)~A1{MYcU}0bclJ485M^9YF%8&uW1B&f~*)GPQ96G014QM+^X$J!%%yuT_(EtB{GHAAoSuwBzMHm_S8B`tt`D`Fx zqN(|fCdT+5XdH$*Mxetn)iGd*0o{Pb4knOq-mYY0@Bnf^805!(FBIPhS^Y-~3nnx^ zV*`Um#;TzW~*@GgLJq=Mk98V0i>&i;fq<7BqjM*#gszZfgg_R+9uQwlFb5Oaj^B z4zy(wPz?w}MB#p6onF8YgOSFVG2G0s^(RPzR-qjZ%mvqg=7BI;?h;@SV_cx)Kqz-v z0r9VM9}YDzREneKhEXsW04SEDfwBA+7+G%_u*EXNc4A_gwGtG|L(ua-*RV0j0=)vl zXazlE-h literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules new file mode 100644 index 000000000..9d9eae989 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml new file mode 100644 index 000000000..d206c0a47 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-22/test.yaml @@ -0,0 +1,11 @@ + +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200119 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/README.md 
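Review bot: test.yaml for fragments-22 opens with an empty line (`@@ -0,0 +1,11 @@` followed by a bare `+` before `+requires:`), whereas the 10-line test.yaml files of tests 16, 17, 18 and 2 in this same series start directly with `requires:`. Drop the leading blank so the file matches its siblings; the same leading blank appears in the test.yaml of tests 23, 24, 30, 35 and 36 further down this diff. The check itself has the same shape as the others and looks right.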
@@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-23/frag-23.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e794dc173f2ed4e27ec6c92ac10b50fedebdbbe9 GIT binary patch literal 2432 zc-p&ic+)~A1{MYcU}0bck}2D#M?aQgVDMmo;1q_e=zcE-<&GC&j}YpEDVCTLHTL~1XfQc>o6(Z(ty6{m1ST!#|Xh#O1BxrM5WS( aAsCgz9;5?fcdtD4+btk-BNVCMZUF%D?+~v5 literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules new file mode 100644 index 000000000..9d9eae989 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml new file mode 100644 index 000000000..d206c0a47 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-23/test.yaml @@ -0,0 +1,11 @@ + +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200119 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-24/frag-24.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2893a077fdf88d072f5c445f36e1c499c76e4ab2 GIT binary patch literal 2432 zc-p&ic+)~A1{MYcU}0bck`>#hM{oVc!{7mAgK!E%R&>7?gL3GcVzsur2_S_+R{s?k zd3S)7LjV&RpRs{KBjeY(UHcs20A#NC4}`f86CtJp&E>jqA84)vx;g0fG%~28nOg}o zw`nsoLmp5XgpG|s`atIPZ3ddl;;zkLVfFuC1H^zdhOGbpfHMD?7?1&D8$(Nxg9L*d zOn{li;Q#|;AW)Zu1Bj324hBZ34Ita2?l3d#1B&f~*)E0>S{)3GFx#1wL;wE+%AnaU zX2rk?6k%lOXHai&~YFX_f|ms>)eO?4GfjysBtw41_J=avJfzq-vT4+Ed#b#X4p6Mug&`P~!yZ%vV|Vs%>bF}!=IZ{Xe!B$##*rFF literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules new file mode 100644 index 000000000..9d9eae989 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml new file mode 100644 index 000000000..d206c0a47 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-24/test.yaml @@ -0,0 +1,11 @@ + +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200119 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-25/frag-25.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a75e92616a4b39f08464a927b104e0b7741b39a4 GIT binary patch literal 1188 zc-p&ic+)~A1{MYcU}0bclAYV9M}JLZVekO5K{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05Z2V8DTEOM2P7?bGa_u2b$}EZVtLVjST8o%-wFt z$&d$>24Q1kkUo&PeVc*ivbbwASXll4*8njfjUns*KcLKiCI)1{*v8OOJxr2cbY6HmjFHxKf`+#EmV77~)gjNRwBg}Rt<PyKhQV~b&NoVW2$4o5CggaiycfL-^j3V4HMsV0evGc z$jA@|M0r;L6t^c2_5kQj$01u#KUK))Br7AYY{20x&nANKqrftg>>ZS7$A z&vO8aEg;i_fw{&G$g#sTU4TK7fkVfEP;O)c62H!Uc-RdzO+1bIc^hQz)O70SZ2+{l B*~S0> literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules new file mode 100644 index 000000000..3efc741af --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.rules @@ -0,0 +1,2 @@ +alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;) +alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml new file mode 100644 index 000000000..33ffa0069 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-25/test.yaml @@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200080 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200014 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md new file mode 100644 index 000000000..1ec302a17 
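Review bot: The first rule in test.rules for fragments-25 has a stray space before the semicolon in `sid:2200014 ;`, while every other rule in this series is written `sid:NNNNNNN;`; the parser appears to tolerate it, but the line should read `... classtype:protocol-command-decode; sid:2200014; rev:2;)` for consistency, and the same typo is repeated in the test.rules of tests 26, 27 and 28. Since the README only says "fragmentation attack", a one-line `#` comment above the pair would also help the next maintainer: e.g. `# capture holds a malformed IPv6 Fragment extension header; both trunc_exthdr and exthdr_useless_fh are expected once` — adjusted to what frag-25.pcap actually contains, which I cannot see from the diff.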
--- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-26/frag-26.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1c75156995acc14eb6776d08410f9d4aa010be4f GIT binary patch literal 993 zc-p&ic+)~A1{MYcU}0bclGC7?gL3GcVzsur2_S_+R{s?k zd3S)7LjV&RpRs{KBjeY(UHcs20A%js&j@oNCPGXHn#*tN;HRAO@r{Wc~jKl=;uZfD9Ph7+Q)PBpBpi z0?aH92N)Owfx0XlKzuZJFfc-G0NK9dB?H4g1_%b*E`}0X9Sn>x+nJO@|NjHZpxG{F z#lQ*_VPxoMPm-P0epKF~ any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;) +alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml new file mode 100644 index 000000000..33ffa0069 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-26/test.yaml @@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200080 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200014 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-27/frag-27.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a6b259de49d5b67ccc936c53675c8aa4624818b5 GIT binary patch literal 1956 zc-p&ic+)~A1{MYcU}0bcl8d)bkM?fiVDJF4K{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05bPcE5clei4fC)=5k%Q4>Z>S-5hj#8X45Fm^+n? zn;{P<4Z_C8AblWn`!)m3WpUSLu(107uK{8}8bj9qe?Xc4Obp0?v5ldn$U%ZZ4kp0N z;&6b0F%YQB!U4oba|Z(>)CQ34rUu*$`+#EmV77~)gjNRwBg}Rt<PyKhQV~b&NoVW2$4o5Cggaiycf$fWEm3jH7EnpMo$( z+)Fbq&~YFX_f|ms>)eND4GfjysBtw41_J=aa_#R znq`~`O0%P>V{n0Gz}P+A&cR>@j3hg3wUIOf2T>&w11NTv15NwZN&UJFWNt+__3JhO DiX^A| literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules new file mode 100644 index 000000000..3efc741af --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.rules @@ -0,0 +1,2 @@ +alert pkthdr any any -> any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;) +alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml new file mode 100644 index 000000000..33ffa0069 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-27/test.yaml @@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200080 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200014 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md new file mode 100644 index 000000000..1ec302a17 
--- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-28/frag-28.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4327675dc9e2edd9f78d272d15d4ac158d0aaf7d GIT binary patch literal 2571 zc-p&ic+)~A1{MYcU}0bcl6$vLk7g2MW;h6BgRrqNkodhKVH>yl*|xh04EiAq-GcxB zH9+-j(>C3a&|v?ci2)h>7I`W1lA)W4m4TrJ#0SgrdgW*2J!+U)tdQxOn9LKOl3JFT zoT{6dmzK{GUy@wFnvI^(kT>_}q90&(_XyzPN1`nVUKsbdVE4tr{K{<3zu^Pxj zKp4ArB~>2a5nkkhy)Ef#$NfYcp6_!6P7zA?yD?pbT0BFt#zY6gfyR$iW1d zSsV^9Fa`p3SvY|BXzpNOgxUbIUB{H4VINRzAIx?!l+fy6V1(Juq#XMHA5aF(b}=gk zR-gzYLqCJcBOsp*l+4hR2$~qKK6z$5h9FAqI2<7CV^s0e!(mRt9^Zm_0T>$S`mcRjM+8OVxuw a<2qG_QHulQp^`<^Z*hRkeYKeSEe-&XV^ any any (msg:"SURICATA IPv6 truncated extension header"; decode-event:ipv6.trunc_exthdr; classtype:protocol-command-decode; sid:2200014 ; rev:2;) +alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml new file mode 100644 index 000000000..33ffa0069 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-28/test.yaml @@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200080 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200014 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null 
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-29/frag-29.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cde4e100bda29176e72a438b30a6a557392ba182 GIT binary patch literal 1957 zc-p&ic+)~A1{MYcU}0bclBc#$k8Z!s%isZIgK!E%R&>7?gL3GcVzsur2_S_+R{s?k zd3S)7LjV&RpRs{KBjeY(UHcs20Aw!TU4*$16CtJp&E>jqA84)vx;g0fG%~28nR^;& z?v67o40%9l5H>aj=>wVDw;54IqYe6 z1~F-taV99uj;4;m1zAv3m|^9P2~sS8gD4cRr$i G>8YFm literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules new file mode 100644 index 000000000..e1b4585ca --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-29/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-3/frag-3.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fe850aae4a95d6ab0603975fd9adb2dea694f752 GIT binary patch literal 2834 zc-p&ic+)~A1{MYcU}0bcl5*RoM>kyOX7B*AK{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05VtSCc<2Zi4fC)=5k%Q4>Z>S-5hj#8X45l%#{b4 zyZt*8Lmp5XgpG|s`atIPZ3ddl;;zkLVfFuC1H^zdhOGbpfHMD?7?1&D8$(Nxg9L*d zOn{li;Q#|;AW)Zu1Bj324hBZ34Itb7C7Bua0mb&gY!^cbtqul8nC(o;q5uB@WzcLF zvtnQciZC+tGpIZQ^4UPKf~Mv-ni%7Mpm7-L7=aGQRL6iJ26O`!JD5PedDO=_jC^zI z1~2aKh2*kgGHF|o`z z6BNs%;W@Z~0x))^Zc!_Cqej7?0*b)c)xAx5>@sVN=H0;ulz_1tc9;4sNszfO?oq!b F2>?$7n^FJ( literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules new file mode 100644 index 000000000..e1b4585ca --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-3/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-30/frag-30.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b9546107636032068856b508255c508076078fc3 GIT binary patch literal 70719 zc-rmNOK4PA7{KxG++q*|Gj z5?TtiZfpg?>ZZ6*Xk7TViYNvo#s@-#HuZs!cF_u5XoQUCWU4WDgapo^e6;^R9GSUu z=R0@2mtSt2Z`mJ7zVwwZ#{S!R^t)yI)C_I-i7 zE3tDP$Bvnd9hY;Su@|0up5z>}*YJWpBKK>=-lLoLm%0_Z_akJy`C&$CpnIRRtGn$% zA}x)h``;_lkh{z892x!}d1i0hUvuw}kpg?%t(Yr`wwF!&z^>$(`z`K;{q=7Q{u%%4 zKF_$$+*7f=Dw2x{>0P;!CB7ZZT{e4=Om9L&|C^lZp9fI=r6N>Ebt2NCdVRIO>aQF` zbyO!J9jZ43P`z*#s-rp)=}^69y}#jJ1gt_;;torrX(zNW@s^@**h zj_O3DL-ncvsux$FI;sTlJdI;sO`bN^@7d*s;`}f z>ZndcI#eGLK=taMP#x8YNQdfD@2`68o2ZWJM5IIYya1|iIfv?~PDDCXFZtMC^=;S5NeH+zLorrX(J|}?cyQ)wf z)rm-l>QlD*tG@dIs-rp)=}>)o0M++4qB^P*kq*_1KJi!mfI)RsCn6oH7Y9)N$FEQw z)rm-l>f;*xRX;Qm)lr>@bf`Wtfa)!KP#x8YNQdep8~s&3R)p%PPDDCX9}__J(+5!< z)rm-l>bC-@ets6JqdF1kQ2pAc{;FR(j_RmRL^@Qz89?>6GE_%(BGRFHM*!8Yx1u_# z6Oj(pFK_c#y`uuvQJsi%sD34Y>c4iNI;s1O any any (itype:3; icode:1; sid:1;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml new file mode 100644 index 000000000..d4e086aeb --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-30/test.yaml @@ -0,0 +1,11 @@ + +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
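Review bot: The only rule in test.rules for fragments-30, `alert icmpv6 any any -> any any (itype:3; icode:1; sid:1;)`, matches an ICMPv6 Time Exceeded / fragment reassembly time exceeded message that is presumably already present in frag-30.pcap as the target host's reply, so the `count: 1` check in test.yaml passes whether or not Suricata handled the malformed fragments themselves. If the intent is to verify Suricata's defrag behaviour, pair this with a decoder-event rule for the condition the capture exercises (the other tests in this series use `decode-event:ipv6.frag_*`) or with a check on what was reassembled; I cannot tell from the hunk which event applies. The rule also has no `msg` or `rev`, which as far as I can tell leaves `alert.signature` empty in eve.json; suggest `alert icmpv6 any any -> any any (msg:"ICMPv6 time exceeded - fragment reassembly time exceeded"; itype:3; icode:1; sid:1; rev:1;)`.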
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-31/frag-31.pcap new file mode 100644 index 0000000000000000000000000000000000000000..73c4af6382aa5a8f74ec38c5ef51112e1be23a11 GIT binary patch literal 70516 zc-rmMUuczO9KiA4b2>*+3~U!_7uC$jm1fOp+fL=q$v>TSu~_NIOlwp!cM(|>jv~&Y z)=FvVg(X;|7sf6UvJ3w}!x%(fG>k;pg-IdAZdx;mJjHo?o}Je8JqI>=9_mMYKkz!w z`@ZM*ynhbgGlNGCBqS-5l49(?KOKEBe zRBf(3Hhy|ZBKFzjrKY1WbYdX;H#fKU&dIr@iKXdw?(Ea&?c7X!PJEqiSzKZ6*BvQ& z)*g0SU7h=$oBPgZc5d>4CDM?Niuuxjt^j8!wSrr{W>-oE?7o4C)#qLHw0gx%te#l3Au8G62T2u%BnR zw-P(&_t-uY*>Pp(8GGU7=SkT zpz1RhQgr~(QT6w0{i{BwpQ;0Zj;enUpz2k%R2=|xRDI8K|EkYFPSpWGN7eTRsQL|A zsty1;s=l+%zv?%iqUr#kqw0MDs$SDd)d4_9)!$g*U-dhNsX74YsQTLhs$SPl)d4_9 z)n8rdU-gC&sty1;s{UGls;}Bk)d4_9)py+OU-i|OsX74YsQN1bs@~j9)d4_9)z{Vg zSN)+`R2=|xR6Q4<>g#t?bpX&&^`-{@sy}u;RR;haRnG>f`V$AJIsoXXdVQmR)t|YI zssn(Is;2`~z4KG54gfl;z9j8m_2(L?IsoXX`mz93fAI^d4gfl;{^&jaRe!messn(I zsy`l}>iKV|IsoXX`Xl%HSG{K=RR;haRc{MW^_|~SbpX&&^_KhmtG;_1RR;haRev}@ z)%T83bpX&&_4NU&zQ2pA1AvaIuU+L|^@E101AvaIHwUQt$8S+}0MJqOHBJ6i|KvKV z4gfl;o(oX*Bm1a20O+WCW5&Pg#}-m`0MJqOrT|s{yq~HAfR3uq%=%Y-u$HO=fR3u0 z`~9o_)p4p006MCk3{drHwgl>VE{N`gg-r z9RPGx{nBdxs$XcQ>Hwgl>c0l4`p5`X2LK&aA6?^L_0jEA9RPGx{bGQsU%E`y0YFF9 ze_U(iur2!G%2nSnovIhQsX74sd&X?NFDy5*&PLd6<@J`i)2Vm#+m-cpQ}?Ve@{&F1 zw$i-PY&+F-4N4{*pK9W(BxP4*|K9#jui~P;ilZxy`C_UZF>?v!`eEsJAwf3b6)+MJX&d$_H9uG>?cj*9uxfUVLQ744Du q+&86t%lN6W{l=6gxmEhNB&EgfY^nTI7L-4g_^Q1U%{f_Nl|KQ!q%9Hv literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules new file mode 100644 index 000000000..91bfd63a7 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;) 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml
new file mode 100644
index 000000000..7c5936607
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-31/test.yaml
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200071
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-32/frag-32.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0284512785e5d42dafcf942af3e04a70e37c433a GIT binary patch literal 69938 zc-rmUe`u6-9Ki9<_jWg(7UTkFGb?|T>(?K$f7S(dN8q#tHPAr!N0WY_hn3q}a%puJ zG7=#Zp%6q|1j|2!Qn5MkFb0-?bS#Qsf0Ps<4GS>}=0&@{PmgQuxxo&_ z&pr2jp6~NK_r|~cdiZ#MOyV*nF2?>$48GUVxJ_iOgyUJsbnJUfmTx%Jb5Gy5oxzUv z$?{$1=E1*r55*#{O-`D&l!`-z^gn`myI+`^H=Hq?-Of92i-Z*Hw!-Am7f!ocZ;6>adTjZI@`QaSa`c5sN!Tq$_Q{GL z?CaX#u0;0vBeKnu?Q|9U8GGWD`$@$%dk!-kBNnXYv&FSH$ZBfsYS!2%?i&-1$di1F zy{ShYNX_;nC+#Q|uPn<+wqg2{2My-fyZns(;-5=|qw+2%-l^s;n}fk!=6V9ae_!>C zhpNw6O4R{CN7XxCaHwgl z>ggW$s<(_$bpX&&^)()ulw4gfl;{*#BQ zKT${30YFF9FL|i?`u$WL0CZIS_g?p^Z@P`D1AvaIk9(;4)BRK(0CZIS@+BB`2LK&aU*w_cd%vgZ0HCAljUKALe=Ai703B7Iztg?y z?_Qzm0HCAl^&YBzC`;7=Ku6W%yWFe(zM<*>prh(_9;!aDhpGdBj;hOR?o~gwfT{z4 zj;bd-RQ>otsty1;sy^Vr$EIsoXX`kx-Eeu2LK&aAAa4v>cgw3IsoXX`Z*6( z|NJyn2LK&aA9};R>cuow2LK&aFLSLdlZ0O+Xt$((!DN87170O+XtCmyQ)-6&ND z03B67mUplEkDIAF0O+XtM;@v^Hb&I}Ku6X4-*m6~FN%u^z@v2aALRiZfGjLd$mYRtt0!5^I>OU#jKu9XD;Z+}frvJIu;P=W8OzNaGB zCDJP4n4umEs=3SM@oC?PVA{4GksT6_8NQh5YQC6lCHwon>pqP-dm5MQX{?oSL{=Ak ms6JVqZQ7hPZJGY;2J^P`PR$!x-n@|ucHUW+mzR~1dH({LcWQh9 literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules new file mode 100644 index 000000000..1048fffe0 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.rules @@ -0,0 +1,2 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;) +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;) 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml
new file mode 100644
index 000000000..5d66d8050
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-32/test.yaml
@@ -0,0 +1,15 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200071
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200119
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md
new file mode 100644
index 000000000..1ec302a17
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test detection of fragmentation attack.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-33/frag-33.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b8e34de41c49e8b3739fa4c6dcc5a99b9d05c7f4 GIT binary patch literal 71984 zc-rmPZ)jCz9KiA4x!#$1bIfT|p~U%jng(ONm^aWn5}bcP2KquJR8Y~qh*WwpdUFRc zlEOcr$-7+KN>F8f zt2||2M?QxHe;>gfeg5ivX)@cI`j1{T=xTi^LI2TXv(|-u=AFpVi;|LOwgj?YX5Tcg z$J)CR+2@bQwjea)a`p?%2hZJ4a<-YzFvKxplg!z)Yz{`z+5GrRLR!pyvn%pVE|B8j z^M$G5zR5|mdNW;f(o!>J@HY<{Og49U)y;%_pC`{(?p@A1Fp|3*)Z4qv^#p+bzUoyT zs{TSTRR;haRbP6`z3ML=r|JNpqw32%RK2j2ssn(Is=s;Lz3NlWP;~&%QT3%Bs{U#P zRR;haRez)1z3MYBP;~&%QT4?hs$Nn>)d4_9)fe7zulk}^sty1;s$S}$>SbG~IsoXX zddXe)s+V_AbpX&&^+g`4zGN3w2LK&apK;H<>Tf-x>Hwgl>T^6)eMK!*2LK&a&v>Z% znir`$0O+XtB@b0!dyuLFfR3tP?QpO9hG|qC0CZISnun@yYM|->prh)Se|4|=w)s>Y z0CZHn#Y5GrzoF^?prh(nesiz-yNjth0O+XtPadlN-gi_T0CZG6>~ydC`zxqA0O+Xt znEUQkPhX7wcYprh(N9;$w{hN=UAj;eP)bg%lcfT{z4j;eQisQQYq3S2=sX74YsQUFT_o_D*Q*{8)QT28YRX=x}ssn(Is(Hwgl>YsMISG~20ssn(Is(epMT zIsoXX`k^Q8RlmK3ssn(Isvq%C^^Ojz4gfl;UiZ|!>JN8ObpX&&^}Qad-u;ZK1AvaI ze{8DWY2s{GZq?=VNUGjj`~R!DJ@>bJ67q^U6T7l!oxK9)+=H5Cxs!~Zdl0=AaoJgH ze#S@lwR+iHtAh4~oHtMY^Fu%V_l@M-!ycag0HC4itL`Qw-}KzB+~;5X=aD@B8tl&n zJOcoX7Dc9x2~)>P6RpbJzl?0l3X|b*wM$FMj^51KronUT?+wh2RCoNvHZynF>ekA< H$lSjGj60nU literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules new file mode 100644 index 000000000..1048fffe0 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.rules @@ -0,0 +1,2 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Packet size too large"; decode-event:ipv6.frag_pkt_too_large; classtype:protocol-command-decode; sid:2200071; rev:3;) +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragment invalid length"; decode-event:ipv6.frag_invalid_length; classtype:protocol-command-decode; sid:2200119; rev:1;) 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml new file mode 100644 index 000000000..5d66d8050 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-33/test.yaml @@ -0,0 +1,15 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200071 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200119 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-35/frag-35.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0d0309fe9f8667b66df493f9cc2aaf177dd0acc0 GIT binary patch literal 3164 zc-p&ic+)~A1{MYcU}0bck_J1bN1v|ZVekO5K{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05Uhc24OD5M2P7?bGa_u2b$}EZVtLVjST8&<{ARc zbrNT0$OB4)u(2^nAIRLk%|LTm+_f1jtp5LNfEbX*koEr`Q06}q12SN2V`wRIkYJF5 z2{5xb9AID!1nRPI0P)e>!N3T$0c5*~88gE^px8c`?P4gQ)xp3BvzKHJ@fNsEI2NTFQab}#u$T#A^ z6vqdQHxR~1$;u2jbQ}n!WF3$@7+0;b0@J&9H!xI+qo%;22|%GE4GbMNpkLXrht37U zp#uz+3!u<(93}u1Dza1v6~>96v@)DRMIIO`^ME-FgfT;fDTA0$VTu?|p)v{vZ))YQ z<6-y*OnV@V*3w|CJj{54a7%-QL243^)&Qk$#u-GFgu|+S7*44{xQ_bmS&+F>_0(_A z8Uf8c@t>I?3@9CjX)d@iir${>_d;)zwKM2&g81m-kalao7s!@lz?PIBP|go~s7N4e Rf$2uKwS(d0_5)aK0RVDn!TJCI literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules new file mode 100644 index 000000000..84ffabca1 --- /dev/null 
+++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.rules @@ -0,0 +1 @@ +alert icmpv6 any any -> any any (itype:4; icode:0; sid:1;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml new file mode 100644 index 000000000..d4e086aeb --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-35/test.yaml @@ -0,0 +1,11 @@ + +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-36/frag-36.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e501baef0c0b9ef39d13f818698b9ff71936daa0 GIT binary patch literal 2984 zc-p&ic+)~A1{MYcU}0bclD0dhN54{IXYc^BK{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05aD>17R-2M2P7?bGa_u2b$}EZVtLVjST8o%oX3j z$B+k<24Q1kkUo&PeVc*ivbbwASXll4*8njfjUns*KcLKiCI)1{*v8OOJxr2cbY6Hmjujlv}_5sEA!E6^p39SwWMwsnP%Ax=N0cFr^7qenu z1&S~-^fRbD0`l2Fv4W=NH<}pZf1q&~>KK6z$5h9FAqI2<7CV^ifWCPj!8(k5qXJBE zV!(I any any (itype:4; icode:0; sid:1;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml new file mode 100644 index 000000000..d4e086aeb --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-36/test.yaml @@ -0,0 +1,11 @@ + +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 
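Review bot: The only assertion this test makes is on the ICMPv6 Parameter Problem reply (`itype:4; icode:0`) matched by the added `alert icmpv6` rule, so it verifies that the responding host in the capture rejected the fragment rather than that Suricata's IPv6 fragment decoder handled it; a `decode-event` rule like the `ipv6.frag_*` ones used by the sibling tests in this commit would exercise Suricata itself. If no decoder event is expected for this capture and the host's reply is the intended oracle, record that in the README under `# Notes`, e.g. `No decoder event is expected; the test only checks the receiver's ICMPv6 Parameter Problem reply.` I cannot see frag-35.pcap from here, so whether a decoder event would fire is inferred, not verified. Adding a `msg:` to the rule, such as `msg:"ICMPv6 Parameter Problem - erroneous header field";`, would also make the eve alert self-describing. The same rule and yaml are reused verbatim in ipv6-malformed-fragments-36, so the same applies there.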
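Review bot: The added test.yaml opens with an empty `+` line before `requires:`, which none of the other test.yaml files in this commit have; dropping it keeps the test files uniform. Nothing functional depends on it, so this is style only. The same leading blank line appears in ipv6-malformed-fragments-36/test.yaml, which shares the same blob (d4e086aeb).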
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-4/frag-4.pcap new file mode 100644 index 0000000000000000000000000000000000000000..044f159453bc254c263838964e64041e7926f994 GIT binary patch literal 3030 zc-p&ic+)~A1{MYcU}0bck~-U_M?XEn$lw8FgK!E%R&>7?gL3GcVzsur2_S_+R{s?k zd3S)7LjV&RpRs{KBjeY(UHcs20Az0EF@(7g6CtJp&E>jqA84)vx;g0fG%~1TF<0^r zCqo`k8ib9FLHa=E_H725%i^xhU}5$DUjxK|G={AI|9~?8nHZ1(V;e(Dk%I(-987?j z#o+)0V<1qMg#(C><_-o%s0|?7ugGyR>;sDJgV`>I5?UP$j4<1oltcgj1InP;E@s8R z3KU^v=x0!Q1mv@UVg*gjZ!|H+|3Kp~)G-1bj;W3TLk#E!EOs#I0(}z&jH7EnpMo$( z+_Nw)&~YFX_f`yG9!mp5r8sI_je@}dK(QPLjOBB{SUQJ2mS+$X%ZxKYu^crD1{DCs z?$vkf!=yyg1N!FjacZU2(Y!ynfIcvGzn!2wc9}IsV|VZY17Pg#I!*nSB*~rNzhuX)*SDfo!o{$jsme6!gO$DiWBX Pf^KUE!+)LwSZo0RjXuQh literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules new file mode 100644 index 000000000..e1b4585ca --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-4/test.yaml 
@@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-6/frag-6.pcap new file mode 100644 index 0000000000000000000000000000000000000000..17e174bd31e1c756b92cef1fc798b2dce5bfb638 GIT binary patch literal 2484 zc-p&ic+)~A1{MYcU}0bclAhb9M;pd4F?aykAe_RG72WT}pd31 z-W_1&5Ws}SXKY~5$oO?`*FHx$0GWF`7GW;LM2P7?bGa_u2b$}EZVtLVjST8o%yo3< zV8{bXgRrqNNFT`DzRf^$S=_Z5EUf@A5i8$69Y0}Y-4CCa*$wSL3 any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-6/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md new file mode 100644 index 000000000..380aaaf8c --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/README.md 
@@ -0,0 +1,11 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files + +# Notes + +Triggers IPv6 checksum rule but a more precise rule would make more sense diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-7/frag-7.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e18b86f4848034b59ade8afe8aa22aa90913b506 GIT binary patch literal 2484 zc-p&ic+)~A1{MYcU}0bcl40AXM{^moF?aykAe_RG72WT}pd31 z-W_1&5Ws}SXKY~5$oO?`*FHx$0GV55f-o0iBE)o{xm*|S1I=|nHwWFGMh0~(=E`2@ zV#otZgRrqNNFT`DzRf^$S=_Z5EUf@A5i8$69Y0}Y-4CCa*$wSL3AK>!htF7 z8Zh2K7$YUKGcM3^Ae54=7{EOC28K#;)RZ?01_J=aattt*&jDlU9QIhAK};+&&IHBs zXn3N6r~w8Mz}Ven%EsUa%-bN08M{mp#KbPsiqY5|1?V6Wn7Se?sNdEBnJaBY{k9GO Drg$ia literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules new file mode 100644 index 000000000..e1b4585ca --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-7/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md new file mode 100644 index 000000000..380aaaf8c --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/README.md 
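Review bot: The README added in this section says the capture `Triggers IPv6 checksum rule`, but test.rules loads only the fragmentation-overlap decode-event rule (sid 2200072) and test.yaml asserts exactly one alert for that sid, so the note and the test disagree about which rule is expected to fire. Either the note is stale and should read something like `Triggers the IPv6 fragmentation overlap decode event; a more precise rule would make more sense`, or the checksum rule should be added to test.rules and asserted in test.yaml. If a checksum alert does fire on this pcap it is currently unasserted, which I cannot confirm without the capture. ipv6-malformed-fragments-8 ships the same README (blob 380aaaf8c) and the same rule, so the same correction applies there.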
@@ -0,0 +1,11 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files + +# Notes + +Triggers IPv6 checksum rule but a more precise rule would make more sense diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-8/frag-8.pcap new file mode 100644 index 0000000000000000000000000000000000000000..08d3ff662e1ed831b60ddf90ba2d317a6155a9cd GIT binary patch literal 2484 zc-p&ic+)~A1{MYcU}0bcl4;wfM^_%u&)C4Ak@4%?u6>Sh05bQ|QG~e=6CtJp&E>jqA84)vx;g0fG%~1TF?V$V zA448c8ib9FLHa=E_H725%i^xhU}5$DUjxK|G={AI|9~?8nHZ1(V;e(Dk%I(-987?j z#o+)0V<1qMg#(C><_-o%s0|?7C(Y(#*asBb2eVxaCA2yi7-6wwJ7J5Bwz F4gmDqEz any any (msg:"SURICATA FRAG IPv6 Fragmentation overlap"; decode-event:ipv6.frag_overlap; classtype:protocol-command-decode; sid:2200072; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml new file mode 100644 index 000000000..c336f6b33 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-8/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200072 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md b/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md new file mode 100644 index 000000000..1ec302a17 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/README.md @@ -0,0 +1,7 @@ +# Description + +Test detection of fragmentation attack. + +# PCAP + +Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files 
diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap b/tests/ipv6-evasion/ipv6-malformed-fragments-9/frag-9.pcap new file mode 100644 index 0000000000000000000000000000000000000000..afee3c42c2f5343576e3c3c3d93d9d0ba6e9a21f GIT binary patch literal 3864 zc-p&ic+)~A1{MYcU}0bcl2zNLNB68?WAFg7K{$mWE4tr{K{<3zv0B^R1du`@tN#j& zygR_kA%F>u&)C4Ak@4%?u6>Sh05bQ~N`$!(6CtJp&E>jqA84)vx;g0fG%~1TG54_x zH$xs!8ib9FLHa=E_H725%i^xhU}5$DUjxK|G={AI|9~?8nHZ1(V;e(Dk%I(-987?j z#o+)0V<1qMg#(C><_-o%s0|?7{WG{3_5sEA!E6^p39SwWMwsnP%Ax=N0cFr^7qenu z1&S~-^fRbD0`l2Fv4W=NH<}pZf1q&~>KK6z$5h9FAqI2<7CV@#fxZzhU>ruik>13} za1h8j2=mSF6$#t8)z5-_qaVW1EeKB;EZekAcO*2}qq|h(rN~Q$ZYEX+h8D1?AcEH` zKO^r^!^~oZOy9(0p7@m1vdrXE-ORkSe3tl<oS$2en3tKKr<;?RmwiB;fd{Hf0M(iU;UEurtzu*N z2J|fmV`NQEmIFEjv!)f0IKJ!LuLg!?*1)WEJZcn-f>AIEh6n(af;MZ|7~TO(KoG`k zNU-c6rXjI(wDcPVqhJ&aDNq9}{qC-&e)kMyuG3oTch5lPYC7>VECfm~#NG(cCbAKp zE%OA@H-iZB#wQjOFU<;bV(kRu!z{1doCBC>ci4R4s(E%xt5`L&) OL1Jc6Vp2{jL=*s!WrZ35 literal 0 Hc-jL100001 diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules new file mode 100644 index 000000000..ef7df75a5 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.rules @@ -0,0 +1 @@ +alert pkthdr any any -> any any (msg:"SURICATA IPv6 useless Fragment extension header"; decode-event:ipv6.exthdr_useless_fh; classtype:protocol-command-decode; sid:2200080; rev:2;) diff --git a/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml new file mode 100644 index 000000000..f69175151 --- /dev/null +++ b/tests/ipv6-evasion/ipv6-malformed-fragments-9/test.yaml @@ -0,0 +1,10 @@ +requires: + features: + - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 2200080 -- 2.47.2