From 9d633f24e484ced29adf8e702721e222fe490758 Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Mon, 27 May 2024 16:43:37 +0200
Subject: [PATCH] tests: add tcp split handshake tests

---
 tests/tcp-split-handshake-01-4whs/README.md   |   3 +
 .../split-handshake-4whs.pcap                 | Bin 0 -> 518 bytes
 .../split-handshake.py                        |  67 ++++++++++++++++++
 tests/tcp-split-handshake-01-4whs/test.rules  |   3 +
 tests/tcp-split-handshake-01-4whs/test.yaml   |  16 +++++
 tests/tcp-split-handshake-02-5whs/README.md   |   3 +
 .../split-handshake-5whs.pcap                 | Bin 0 -> 588 bytes
 tests/tcp-split-handshake-02-5whs/test.rules  |   3 +
 tests/tcp-split-handshake-02-5whs/test.yaml   |  16 +++++
 9 files changed, 111 insertions(+)
 create mode 100644 tests/tcp-split-handshake-01-4whs/README.md
 create mode 100644 tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap
 create mode 100755 tests/tcp-split-handshake-01-4whs/split-handshake.py
 create mode 100644 tests/tcp-split-handshake-01-4whs/test.rules
 create mode 100644 tests/tcp-split-handshake-01-4whs/test.yaml
 create mode 100644 tests/tcp-split-handshake-02-5whs/README.md
 create mode 100644 tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap
 create mode 100644 tests/tcp-split-handshake-02-5whs/test.rules
 create mode 100644 tests/tcp-split-handshake-02-5whs/test.yaml

diff --git a/tests/tcp-split-handshake-01-4whs/README.md b/tests/tcp-split-handshake-01-4whs/README.md
new file mode 100644
index 000000000..9694431b1
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/README.md
@@ -0,0 +1,3 @@
+Based on split handshake research by Tod Beardsley
+
+https://www.macrothink.org/journal/index.php/npa/article/view/285/807
diff --git a/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap b/tests/tcp-split-handshake-01-4whs/split-handshake-4whs.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ddee6c38f6112c5eea73dd9e63b33a167478409e
GIT binary patch
literal 518
zc-p&ic+)~A1{MYw`2U}Qfe}cb=?+OVIn2gj24sV<5*P@A0SALC1A_)gnFCwNDMlb*
z0s;d|h5!Zz<`*DS0+<vSLUSOd6dy&H0?`jK3)K{m2_Tag0)XZ)aPNSb;yVXoO6PI%
z+`_#xKuCeXb1}q}IVZ_*%TAz4F9QUCrYwP&vh_3@gB8#OD{OAjftqp*%`Gp%ZULII
p>n{U?YnZ1G$fWZZ$#l<KuzMCj-1G4=8DaAl9KtNXcuHkp002oLP_zI5

literal 0
Hc-jL100001

diff --git a/tests/tcp-split-handshake-01-4whs/split-handshake.py b/tests/tcp-split-handshake-01-4whs/split-handshake.py
new file mode 100755
index 000000000..45c00941b
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/split-handshake.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+src='1.1.1.1'
+dst='2.2.2.2'
+dport=80
+sport=12345
+smac='11:11:11:11:11:11'
+dmac='22:22:22:22:22:22'
+
+pkts = []
+
+# CLIENT: SYN
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="S",seq=1000)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=2000,ack=1001)
+# SERVER: SYN
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="S",seq=3000)
+# CLIENT: SYN/ACK
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="SA",seq=1000,ack=3001)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1001)
+
+# CLIENT: EVIL DATA
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="A",seq=1001,ack=3001)/"EVIL"
+# SERVER: ACK EVIL DATA
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1005)
+
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="R",seq=1005)
+
+wrpcap('split-handshake-5whs.pcap', pkts)
+
+
+pkts = []
+
+# CLIENT: SYN
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="S",seq=1000)
+# SERVER: SYN
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="S",seq=3000)
+# CLIENT: SYN/ACK
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="SA",seq=1000,ack=3001)
+# SERVER: ACK
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1001)
+
+# CLIENT: EVIL DATA
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="A",seq=1001,ack=3001)/"EVIL"
+# SERVER: ACK EVIL DATA
+pkts += Ether(dst=smac, src=dmac)/ \
+    IP(dst=src, src=dst)/TCP(dport=sport,sport=dport,flags="A",seq=3001,ack=1005)
+
+pkts += Ether(dst=dmac, src=smac)/ \
+    IP(dst=dst, src=src)/TCP(dport=dport,sport=sport,flags="R",seq=1005)
+
+wrpcap('split-handshake-4whs.pcap', pkts)
diff --git a/tests/tcp-split-handshake-01-4whs/test.rules b/tests/tcp-split-handshake-01-4whs/test.rules
new file mode 100644
index 000000000..50c499513
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"EVIL"; sid:2;)
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
diff --git a/tests/tcp-split-handshake-01-4whs/test.yaml b/tests/tcp-split-handshake-01-4whs/test.yaml
new file mode 100644
index 000000000..4bb2f0a5a
--- /dev/null
+++ b/tests/tcp-split-handshake-01-4whs/test.yaml
@@ -0,0 +1,16 @@
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
diff --git a/tests/tcp-split-handshake-02-5whs/README.md b/tests/tcp-split-handshake-02-5whs/README.md
new file mode 100644
index 000000000..9694431b1
--- /dev/null
+++ b/tests/tcp-split-handshake-02-5whs/README.md
@@ -0,0 +1,3 @@
+Based on split handshake research by Tod Beardsley
+
+https://www.macrothink.org/journal/index.php/npa/article/view/285/807
diff --git a/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap b/tests/tcp-split-handshake-02-5whs/split-handshake-5whs.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b37bb5704b69cf08f5f15b7f290f48d1a4a2cc2b
GIT binary patch
literal 588
zc-p&ic+)~A1{MYw`2U}Qfe}cb=?+P|yoQaz49EsyB`^>K0}cjP1_lj~G6%MjQ;a~s
z1Ox__3;_%b%r8Ku1TZNugyuj@G2DPK1)?8f7OE*A6F??01OUxpV7~w~>1BX`0)uZa
z#FT_hq?^LM1LhXrIS^Cowvgu|?wtWb3Jji$A*RgPMuuB<!hGbp1Y*jL9c&C%KohL6
zxkU$R$}u#zyac-iXv(g?3=FPeo<1Ox_U$IqJ#WG8Spad*>%C-z&0BB?vjAf|m4N{O
DldoF@

literal 0
Hc-jL100001

diff --git a/tests/tcp-split-handshake-02-5whs/test.rules b/tests/tcp-split-handshake-02-5whs/test.rules
new file mode 100644
index 000000000..50c499513
--- /dev/null
+++ b/tests/tcp-split-handshake-02-5whs/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (content:"EVIL"; sid:1;)
+alert tcp-stream any any -> any any (content:"EVIL"; sid:2;)
+alert tcp-pkt any any -> any any (content:"EVIL"; sid:3;)
diff --git a/tests/tcp-split-handshake-02-5whs/test.yaml b/tests/tcp-split-handshake-02-5whs/test.yaml
new file mode 100644
index 000000000..4bb2f0a5a
--- /dev/null
+++ b/tests/tcp-split-handshake-02-5whs/test.yaml
@@ -0,0 +1,16 @@
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
-- 
2.47.2