From 7064e6b7f415b149b78e59d46f51f4c89362e769 Mon Sep 17 00:00:00 2001
From: DEL VALLE Bastien <bastien.del-valle@telecomnancy.eu>
Date: Tue, 3 Mar 2020 18:35:29 +0100
Subject: [PATCH] Adds test for SMB EICAR file by segmentation in random bytes

---
 .../README.md                                   |  15 +++++++++++++++
 .../input.pcap                                  | Bin 0 -> 22507 bytes
 .../test.rules                                  |   1 +
 .../test.yaml                                   |  14 ++++++++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 tests/smb-eicar-file-segmentation-random/README.md
 create mode 100644 tests/smb-eicar-file-segmentation-random/input.pcap
 create mode 100644 tests/smb-eicar-file-segmentation-random/test.rules
 create mode 100644 tests/smb-eicar-file-segmentation-random/test.yaml

diff --git a/tests/smb-eicar-file-segmentation-random/README.md b/tests/smb-eicar-file-segmentation-random/README.md
new file mode 100644
index 000000000..963076f28
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-random/README.md
@@ -0,0 +1,15 @@
+# Description
+
+Test SMB EICAR file rule.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared folder public without needed authentication)
+
+Needs a Proxy that can cut and send the request in random bytes length pieces
+
+Command is
+`smbclient //localhost/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
diff --git a/tests/smb-eicar-file-segmentation-random/input.pcap b/tests/smb-eicar-file-segmentation-random/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ba4f9c5457a6abfba665e411eea925ce3c5306ac
GIT binary patch
literal 22507
zc-qaJd0dp$+s4lf+qfa91f?mK8mJ&3iYv0I-~tG^<&vOf{ywjoTDGdVluMSs7E{a2
z8JBF+aNjku!mZp$Wl_P@(o$T|%5vUwu7St%oH^b7@&5DT2OSl@T-SB(bD#5UbK>ju
zb}RE__dh(Dh5x?#M#AuQ0luske=R;)#DYB|JXu7m(;fQQSa-&{*w@6dIPZX=d)HV-
z@lTKK_bj`L8_gLjzIeHHqTkGmj9ERsHhNlZHCsNr{G#}Gi-(7gAfJBNmnHDOCx9%N
zE<VW7d9~tLuJ^Z0PzBwxYx}*T3E{DvJ}$SO)0yATMdmb{#o}od#JY`rS$hs^uhSZ0
z{{&jcD_X~KYPWPhc46i*#@293+GHDx;eZ$&CDi^YC}XvhAWk{XT$m@Hx3M1lbq^h;
zgZ(pLhAEiw2Butm+iquO--L<cRZwC9s8KK2SRDU*oQ@i0{~XjDg*wfkmPlg^-d4_w
z=da^+ytei)z#F0P<{G?GfbKc*#|HxF{i2O^<bUa?1GciS1#q+ieAfUL^6#>y3sC-x
z<S?uQ=xGJCNFIhnff@3WjdkFJ4mwOr`<K8xrC=5tm=lZzry?lM>BJG8bez`qJa9%T
zoc9gRkBoKC8ki<X54>z+ojIhljud8J4^p;5T4s<=GM3RhI6Xt4rgBtQPU)&cwXtsi
zYPf=0VW3Vkmew;PzHe}(fIahyjdkIiF1q;`l2;q^v6eC)y9t-+e!&gOf0E1U4bIBq
zud{T*de}EYSPw<mr-rZ!#=;|*wQovdMp|ZCkF4NS5ne{`%;3oIh_?Jc#LpNy#m163
zK3VrOI@vejXY^BkMuG7&xL$X>;4Ys+=1>PY)YRngDRMX==kVzivide_r&p0&eQm=9
zr}k8``nG7BNr_y2JkCCXG-)bXGFw3!tdP#hB@>_8H$F8Ivg%H=v2L8xO$Up#Zv$+A
z0=s0uie0k$MutZX61b+*$mD&Id<{+VMM!?7ocw#!$i}uE(lQlk6>?*Xh=^j=q_oW7
zKJfy0mljtS;%pjm=OAvGERN-pEno-44N}D2m0N%qgD8P|J(nEMoj~<BqvkSsJi{aT
z7{sH=Rp!bb6<D}^mloz@z)mqHWQC)h#7-yk@<U!en!GBI*PC))ans2~WjAyURCLub
zFDjV=v~oHb{2qX^6p)`BeD>I!Y-mcDLHhHDKW}$`bA90NdD&n08RR_L3t4H3tN?i)
zSyQuko${&>xJxt0O~O~e^;K|<<xN7WXtaO|UbC5`)q1e%rLpP<tK(#=Av4KkJzra5
zA@Z`0HrA4sR3DN&HIf1#X^bps%}lbozJ{a>MN+6-U44Ti1gOp|(%U{=&zaj=_J*!H
zWEQz-e4|^~=7!0OMkHE8<t#Fz2FS=mlTj$osDAkXIis4dlGeV}YHH)QDW3Q$DJcMw
ztQtvSkd$Gnq}NE+17KM+tTte!%d7|H+1NJzdYg{*Sze%EeKSSFibxL%uAj3XplQZ#
zeKFsyn?77SWd9n>BZ?ncd16tr;D7!)Z^`Yob58#nWrdb~PQJkVU+8*fZO7rg7X>ZI
zEWXpe?uZa??^fOxFE8uz#u1H{KNJz<U6cRa(=sE*YHcjNu8B~%5#kW&JMB0{a5MS*
z5a_q+L!cIKk)vIp?ME(35T{g+_JFs^wP`;v$qFXYz?>G}wp4^FU{~KJw?GE~>!rXt
z7%;vCnp7og={scM1Yxk9%3$XUnkbyIeRAPA-XRy1gIbGS3{@wkL%V0+CDS?tRCfgx
zZ%)h5)n%cL#q!s&I#`7LFkp!aEZKk+RkKbt#b#<Dnb?C!?4BmEcqFz%R<>#(SzF&j
zS&E`8-L1CnEhL-v54t0ax%~`GAts;zEqIR{!6VwFvg8r0?X1$&aS=I!M}dk{P=n<W
zbULk~F9=x5A~N%bkon)5%+rzi=W^zri^=`PF$n9b2peGtD+Z{SfvdHcl-3Z^{?bUx
zg0wZVv?5yCaY*Z;NE;(d%i7Cwv)PDbZ-IMs2`Q}+q}|m>8v$ucWod1ekd=BuTNxAO
zN`<6ZOUOzs)K<kLxl(zH7obM(linVNw?8%BCc@i1*;|wM$!_{1M8ztiCd=JaEJ%X1
z^L_G|;Uq|%71B!vi61k>Ms!*3iw)E++F@fj{6ph#G911pJAC^CvICxit`3T>T)6|*
zu3B8tPnVL)nn2m_8fCdq_KK`5c`4a(PD5EIMcEv=;~2|*@P}k=6=}nNL#{1HOHTos
z`yp8m#Q=3wK>wBNAtW^mJM%jql1T+4sXLma-au00<)p03$Qf9owfC+(197Hk!ZLD0
zU8*&=(7^BwbtaA;57TnaXgP~yIXJVK_z{^<QzUd-lhC_J=xI5j$3G$^oz+(PVz<@w
z<VR#e=YVOiV3x=Uxfau#w6#ZItx{uc5v)BaTbsC?tnD&ridHmzU|Qi>fB?;3PKtUI
zqHbwKErF<!vZ#)Ba-Nh!RFooWnLJNs*m6KRXD7SBd5|I$lEbuf<m!Pcvy%p!!Qf4e
z!DTQwTsHWEgWSXX1X*E<tdHGyp&<emxPlbc9KvpBgnbNQ{bgZ~tRUB!3tC}o<#mRC
zc)QAU><Y5nFKV;jD3`lS)8Q55?7O7pY<8P{*(=FP|5<Boi>cD<0yKIhnRg51eO;6H
zM&zAr+L)~*>+=_gYN?3YF4t#&Hja(KW@8l@(`Bu{J#I0LTSboA6<}H^n7#6-y#UUZ
zRb)z!A*BjUO52fAf}GM0TGOxEl=9sxsl{rtulxqiV+v=V+*dN0>%8PEt4VhuaCc4P
zZZF(*k=;#OO%~==t*QdKFvqeS0lK}KET(G!HB&$bP0cR5O4EvuNq?d6cU9xB0REz7
ze@SadR!gvc)3A<!)mml^{ldon;>T{{Q)OAM=Cu;6eJ!-Cpy2v*aSF+jFV1#MdVsOL
zZl{n=HD!Jl=ILbl{0G#vEV9^VSZYPgu=p(ZsA;j-Ys+VX9Mi9RPQS`GWPLL;)0vfj
zcVqrb)M&trc{zbG`@a6->U!e@*kb-mob0Q~Ms^piWFSjnsVt23<^S4&C9rn<&lDEH
zda!ubhtnD}`YSB|`W2r4`V}7k`V~IR#;Q-82^Ry|7~XG2vGMGAHi-rE`S2v0$R^|W
zU>3!{FOt`>`1fadEs3wp=KnK_|4SrqOfjrIYx{qqv}fTUh+24YE!prYwDaaj(S(RO
zyxc2|hUc-4T=K31(^SD6H85E64)BT+tpBVd*Yz7<HBne64HjS56DHwC1OeN$j_g)9
zwZhIAFy5_1b>qV3mt<qOrIl4~kWNYyFzZWlGPlNLzG9w$5p#q~F`3UkVcJ%INgAxw
z%DN;QtR@}$k{rX^AT?4*SIlE5=DuM4O*;&O!^;|n<#3o~I<(3oOY{zO1uMF)%O&cE
zD_42s3h_HI4=b1(28OQ?R#sbp-pV5v(m%AIN(00fQYU<!&LcAlM@GMBGP;6{ddnG=
z(HZ@z)pW;g8aG%^W^@;rhZM~3az@PQ#L~W=^wtL6e%5%agtvIv+pFuz3jYhDf)r7A
z<qEe}9rIPJCoBAKkOCBvQ>pN(tyzl=Wa9V0deF?8=jE38qzz;-Ie`gOFy3-8xi|+m
zkby@a@JpJ&?;`Nda^OccP*vbyx|rtKOjVGzSAaTiq(;tR0jRzLs%7d;xeFla<&C7h
zNZ7mRZf~9!>_y7<rqZk^ur6p=Hn74?+s=(-R93CSx^h(Z$vB@_ypdX693BAqDWH1t
z>hi2(qUSRL6|jk_OoyjdQ=nX#xWi)ZCNieBi0LOyOmz{{W2Q5lo2bkD4lhWmp-2ic
zB$e=ja%~VjT)cu!WbEGH)m3<pm@3o-ir!3`jE2ec8k2!A*~D}qYcpBxJ`hz$5!Kwh
z5)T4t!e-K*O-l;Z*ej*&wS&EKjlJgFUcIyRWP9f}lVex|qP!GQt>rO<KZDn73t6T$
zwI<uUHP97XNQ>=Zu}ovJH7wSWEq=a*v{(z0JQPVWvc)QYRpWSm3ptLpwPhb~9!DE)
z^xaCDjDg8>8j~?FX}aE;wUsnk2cj&Bs3g-k+ThdAwXa&Zm0H0ZzTnvuUaDyY8-ZJa
zXpbG>@vO#UlJI!urtI;Ttz>Q0)oMz2tF6}CNNaw;cq^EG?u+v(n&YpXI+-#jV4mQ7
zyp4>gBO*GZi6|8j{US%?v7PKz^`ObBXzFk3RynSVef_tSsyabcsYX>lsJdu6HL;zX
zG4-{o25UOsJ2a?)w#tW^L3MFHXggU-0a`^*$fZ<?S+|2Mfd_zL3TA{{0_AZir5$A0
zoe_44ChWlo`-~j+Cp4=ISj8IF6JVV(-9Eg7+`j}0e+~Xp{N>2|muurLe2PQ%hjvoO
z|BfJ_{!mb(<>UV}$GR3F*<m<5-boJMgMi&rVB_TBdsblf?<Aw@il~Y-QRN`2LOH5~
zJIMz85G37FB#oCFa576{nJkN4LrK)yMV3}W@a`(S7v<9Oc>!0kc99-q;qkP_<7jw1
zB71y!7dibJX~*zodHM|;`=$Ubp+$9rs8bqI;~}a*7PWjASql$C)Srr|sd6n`5SYl_
zq@*}VI;oNLG9>MkB}H>q5`UeflhoeP7?OTfBuz6Uonvh6s+gm*5^Xo`U&DBAH)*p8
zn7=E`H{2G#LfU3LZ2qXRISn?q$~H@BNx_hGN0IcVED04_Zx2~jO|>&;fo64>y@y=<
z9s%fv0(x6s{Hm{El<pz>-lHH@D5Uq~zBiWTux!lZy=34C2)s}e_yPoOx>w0}FBy0<
z$hxV>`oOIQrqYrUA?buh(%X=<%5)lMFWIJ=L(+9c(o*-$RNz;nrX*-OuF<p<nm#by
z6G^kWgLO>9S_ak<nKi7y#%}Z1w{@(a^Ll{guVn=V*PG`9&`w-c(cYLVuBuqYRTa@d
zYOuGM-6z6JTv7Rdbv@zT{bb>_(2nx5q6v}7e3b7Qg;)Ckxkf$)%q0c$k%7U%<{**f
zb5*C=4p7h7I6}a?pzuC1c%{`3HX5V7^Z@BI6u_$raHE^gz=LD~_C(PfF&9l_vd|_9
zu=IPm0E0Lyg}+YGN$Tuq2}#9@q)mpT3soqmQ&gIVs5Is};oa*X*>+n2d|3e(7~uOi
zuzo?iO@`YaG;TM+ZNBU_kFyf_>qMQXc8=B%byg8|&=AFsiNhEh%6~=j+KzD@uG2ol
zfc#lOo|1irGn~vzK1BLVfzR(XJ`cjD>4w;pL-;Oyx`~Q$glk8&*br65po)J+a<A!p
zmmr{14w2Q{M(gylT)nu_J)id33qB8Pd=|r}=@!;+4pDd4IwG{=dBu<<Zv5@TOFyv+
z=XIEL7zx}(1$Rq!*bQgm4wDXh!{H%~!z*w&Uv~K7VREYw1xaO!q)I~)-zs$DA3)uq
zW%YrqgBn?tkTpY=)$<1%djXd<G_3#R^#yB=hV`ddw<ga9D7LECx~*HDHdi<Cak5xe
zhwZV{$7dZD--)I2Lzo_XJ*k?|N5~Oti+Fxg;`x(nnP*-(j*=-yYwPH)fx%_kQBK@M
z+3zTIxyaEDs8TcPb!MQ%GlmI{>eG}*se61K?ZGNiSl$M!=>GbHr!tR`lO+bUQwq)3
zpcPBwBXFt5$Z|?W3G7!&V4g6Ga%v}+Q~zV+*17|vl_=5z4QYI9ZL7M5JmVNy5FJ4}
zqmUZP1%dOESLm!d0aK`88p&CCvLHMZ<y(y-vPwf%1)8jUk(KGPNa}HNm(v;2jw{ld
z8`9*rNcaesS&oz1(xL4;jkbndn}2CT(<PhZ<UHyEZ6_6NZRB}msaJi%<2bplcGXsE
zw1K*R*w*3%If-HcI;MbPOq0m<;UQ?vPmpQ#Lt5Wz(rS*h{N=R%=LBi78<hR1DC?%N
zxRw@`0a4#*L`6fCRTj1W1lhmhv~eZK{mTo*DOk2b(qKGTClpq)*`O6q+7*&#JQ4sZ
zP(Zy6&^ebqf3bIak{_{*6wJ$oWN4WPZJ#EzWD#1)RXMbqg=D)(guX+HzQLx}Dvpb)
zadl3T(y}1!YmKzQkX9;7TXD+9?EJM|$9gBPKUf1btQ@{l`^UMW8!c99$3L#rp6n4P
z8_h>P&O;ol&mVuLNlBq4xZ&%#d(G`n_KzPzaPDccgC}YGTMidpX<E|DPm^2V?!fF*
zFe43&*aEXz!giag!#JE6E~4J_#?b@Nd<8nufR>xxitq$=W)XRkqbI08DAXASRh;C&
zqLo)fPPb%m4lA5l2B%O=T`X5V#pDu`0?;=KXtn_=5jQJ|YN#I48pUKi4?qomrPN@h
zhz|8UST2uF#pG6@7qlHvw7q3$lWtvGL8}@FReLq6W<yny>8Vf7>d9aC)T!#|=nYjn
z6;%rjRp+Z&Nv_Prci|@WVsbt01MGJScC~@!>*=6&X-)A|PC^Okb`ad|(YSpJZabOo
zD=wkln#R!=vbHI*J~L$f#8~sV`1B#sL(?B0)Gj(CeRyaL-puH^5^^G>YTNuSc_Ji+
z;tqJ)>tJ}@t?~L9yavl&x0R3=meRCSevhH)G;cOjnsrY}biK(+2{}X4wG-=Gd4^_$
z;V2`klyvww9PZLM+yjTTWrqVe>;4;+DWaks{UB<GB5J=O>I`F9@u^Ai8A)OBsaYv_
z)0R@QY%@UoN+A}?Wji1xqd$!PN*f&lqdPT5_rs`ZYjd-d?B1D>wMmgxBzNzytnQgv
zVLej%bZ^=$xm9vYJlB4PR5%n0cW4xfclGfvzAh_t(yU=%ZP&0agH<N8>}PFEybs72
z9cxJ5aIjv}viQOu<=S1gF;+nB!tcerovaP-T27}_Pv^)5JPR>@t;Bq}XhKwoX#rn(
zjx3`7!0c8qR}2h}$wOVo<mb<kd)fio?p$G@a7^x5C97K*xi$_2Ym36VZLmtzbHa<t
z$dk;2bVWIz8N5={fMDZOM%K_1827E_agPcSB2hyQxrPLb=vRYv!OgE_h~qWn=k0nP
zyPO0)uIn-LePxh`7p_}BQ%<@Y0e4&6-OXokw^(*JyPPbGA-bWQ?=P2y(<usHuzsg?
zWkc6yjV@p4GCjQh-g%Oh1J))DD-f*dGAryi8ym)757V*I@<xL7hL**<z)07$epGY;
z&wuO!-bSET$(cV?JIaCl2d0^3e&tniT!v|<M38|wRV`Vtp1MXZ-^0P$ps*SnEb&~(
z1mn37$2D^A`Gi(ja|0$l7jpR;+1y5GWrZ3f`MHoD6=b!H!U%6rMmSBl<kjL=Y<g-U
zxq_Ug*^sqSkri&px_?IEr3x~s9Dvp<ph!6>QCx!beFb@FJrbnP6;eBcRP4G2>SNq1
zcAZS?Nu;%2lU69wN|DpLMYEm)D^J6U1<UlP-hXe9^K>*=bG59XV86<|`}1_dKh9Gl
zgrJ+$yC^wEX@@zM|G>%V{yfvFcTu`>i?shVB(GB>Pv)d<uy5Lf4!uLN#(=d}%WA;b
J-JojL{{ld1fO7x<

literal 0
Hc-jL100001

diff --git a/tests/smb-eicar-file-segmentation-random/test.rules b/tests/smb-eicar-file-segmentation-random/test.rules
new file mode 100644
index 000000000..fcb9e4489
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-random/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
diff --git a/tests/smb-eicar-file-segmentation-random/test.yaml b/tests/smb-eicar-file-segmentation-random/test.yaml
new file mode 100644
index 000000000..c1282b105
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-random/test.yaml
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
-- 
2.47.2