From a8022fc9f545d262373bfb0f9b5a385eeb76f7c6 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Fri, 28 Feb 2020 15:17:59 +0100
Subject: [PATCH] Adds passing test for IPv6 evasion atomic fragment
---
.../ipv6-atomic-fragments-toobig/README.md | 7 +++++++
.../ipv6-atomic-fragments-toobig/test.rules | 1 +
.../ipv6-atomic-fragments-toobig/test.yaml | 10 ++++++++++
.../ipv6-atomic-fragments-toobig/toobig.pcap | Bin 0 -> 3072 bytes
4 files changed, 18 insertions(+)
create mode 100644 tests/ipv6-evasion/ipv6-atomic-fragments-toobig/README.md
create mode 100644 tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules
create mode 100644 tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.yaml
create mode 100644 tests/ipv6-evasion/ipv6-atomic-fragments-toobig/toobig.pcap
diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/README.md b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/README.md
new file mode 100644
index 000000000..43a196297
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Test an attack causing atomic fragments and therefore a DOS attack as described in RFC8021
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules
new file mode 100644
index 000000000..b68419410
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.rules
@@ -0,0 +1 @@
+alert pkthdr any any -> any any (msg:"SURICATA IPv6 atomic fragment"; icmpv6.mtu:<1280; sid:1;)
diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.yaml b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.yaml
new file mode 100644
index 000000000..0f1f776ba
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/test.yaml
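Review bot: The `msg` in test.rules, "SURICATA IPv6 atomic fragment", names the victim's later behaviour, while the only condition matched is `icmpv6.mtu:<1280`, i.e. the ICMPv6 Packet Too Big message that provokes atomic fragments. A message that says what fired, for example `msg:"SURICATA ICMPv6 Packet Too Big with MTU below 1280";`, would be less misleading to anyone copying the rule out of the test. The rule also carries no `rev`; adding `rev:1;` after `sid:1;` keeps it in line with normal rule hygiene. The `pkthdr` protocol is usually seen with decoder-event rules, so a one-line note in the README on why it was chosen over an ICMPv6-specific header would help.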
@@ -0,0 +1,10 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/toobig.pcap b/tests/ipv6-evasion/ipv6-atomic-fragments-toobig/toobig.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..1766edf593784c9a112dab0936e22695c754606f
GIT binary patch literal 3072 zc-p&ic+)~A1{MYcU}0bcl4rTsMZZ16%CH|O1;Qx|S<(Go3<29Dp9QqtO#rFuwEC~W z$h(7q39gmtUju}Z#*p>@A5eV*gWC6B=XULL90j9b6pVs_0-)loXd)ZKdtg!a9(!@N zlW=jy#Bja{sB#0e__IfsN7vuTpgLOoje=1y3I@LTd!4|}kOwT4K-kzANHBs5!M@GF z;*a}rAcKX~f7IfvZ}Wd924uk4#?VsaAi*F96JTa>IKaRd2-Ica0OEs-KSm@CP#ZwD zo3*kt>;sDJgV`>IT=+6{FfhVwXA0Q%{~u5W&2}*>23DX5BSSyKy;LBd4b)~uQ}Y{5 ijPXCvI1F`+K!;
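Review bot: The `requires` block in test.yaml gates only on `HAVE_LIBJANSSON`, so the test can still run against an engine build that does not know the `icmpv6.mtu` keyword used in test.rules. On such a build the rule would fail to load and the test would fail for a reason unrelated to the evasion. If the suite runs against older releases, add a version gate beside `features`, e.g. `min-version: <first release with icmpv6.mtu>`. The `count: 1` check also presumes exactly one Packet Too Big message with an MTU below 1280 in toobig.pcap, which cannot be confirmed from the patch; a short comment naming the expected packet would make a later count mismatch easier to diagnose.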