From acd24f92a73b894dbb39be550d02337d8022b871 Mon Sep 17 00:00:00 2001
From: DEL VALLE Bastien
Date: Tue, 3 Mar 2020 18:45:20 +0100
Subject: [PATCH] Adds test for SMB EICAR file by segmentation between NetBIOS and SMB
---
 .../README.md | 15 +++++++++++++++
 .../input.pcap | Bin 0 -> 4901 bytes
 .../test.rules | 1 +
 .../test.yaml | 14 ++++++++++++++
 4 files changed, 30 insertions(+)
 create mode 100644 tests/smb-eicar-file-segmentation-postheader/README.md
 create mode 100644 tests/smb-eicar-file-segmentation-postheader/input.pcap
 create mode 100644 tests/smb-eicar-file-segmentation-postheader/test.rules
 create mode 100644 tests/smb-eicar-file-segmentation-postheader/test.yaml
diff --git a/tests/smb-eicar-file-segmentation-postheader/README.md b/tests/smb-eicar-file-segmentation-postheader/README.md
new file mode 100644
index 000000000..b96763086
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-postheader/README.md
@@ -0,0 +1,15 @@
+# Description
+
+Test SMB EICAR file rule.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a Windows 2019 Server (with a shared folder public without needed authentication)
+
+Needs a Proxy that can cut and send the request into 2 pieces at the end of the smb header
+
+Command is
+`smbclient //localhost/public/ -U % -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
diff --git a/tests/smb-eicar-file-segmentation-postheader/input.pcap b/tests/smb-eicar-file-segmentation-postheader/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..229c102576a60961a1ed8e3a698af4a45fdca4e3
GIT binary patch literal 4901 zc-qZZYfw~W7=F*$Wmy(Q&@MYxxCAE1uC_ zl%oAgZHwszt4C=Aw7kv*UtF70r+f=Bl6w_lpRb zVfyh2Ioo&M0;@Ei7#J!;7xwQRHX5^&5xslWWJ!9Z)sKv5T0u~Y3~?DE<{(%Ok87&; z5#oA4#j={t8I408*bYj6GUWKm56l`$0vEL4|}VL^)wml z%|X^Z?ReL#Ai9bTPMfE)ykefgRZ;$6h1Fp&8%-cO?8O!3?((^w;AuBIp2au?Ob zheY4w>9x%_%Je!sG+wWk0+-$}C4M)F^=!zQUcNI4F`&xC{Hv{$RyuRzJ7Lw9yK7Q3 z-<%RYlAr(*ez^bZxASY~ZPKrEpShYdsV-HcN!JKbQDT3h>F)liCcQ?7`)XlLt|%sk zjdiS%E^I_0s0+!geUWCh6ksz$7}U{VP!qmX3~CLbY~rHm5ycXcm{hX?gZ#M*)59X!@=cx#FE92x7{AnP6{zyxNKB#8lU z=*a}0gRrU|>Pka4%rO=A$C)OCOFuYMo$BKIZs28Xm8&6K@cqiv__%?i#t4hy#y2Tehe-E301oz!*Im?N z{3JMp1ttlbgn>0etZ9u9-LKLK!a!t8t1qfoUkElO;@ye38r`^)0VZ-SUcP(890h z>S^+^E-KNNR%nDa=zAFNU1y_n zPbBX^RymqZyamG&W${-^9LN4|4UBVf=4|ihVWf+JyMX}lX zzsl<1YQ?P9lj|EIU2olLH0EZY>tlheRxuTxmr;ej+@pClL#O>(M%nb)C0?SU)3UeJsejM+eLo3@j!UeO!o(85PS#T}*-1jK^G< zo+5nK*r6CNet>aYbB0X@>n-}8;NzhjCE>|bq~HB_4Jc0F2r<;Fgar8v4=|( zt`^n>{d!{_H{pC)OmiT}r2C2v25>yU>uQ7VGWoch(^WJ2n6U3t0$Lig~ePjXGSSY6fG3tbDUW@o3mYSVIyi_>zSPO;gGtrZz=kJVXXttiQ`Iz9IJ_KJty z86KP4lQGv`W=l#bO)s6vn4UGqVn~42aa~vYu2LXIIbC03fk?Ved}f98?d9vMkzf|G zm!y9sI-V7)Wb9Is=tY@CmyE`|iDAa3vBK(`8msZY<(DfOdyR~p7TIFn#G`}ldS$f0FuFIns9z`8*kdAlBC|4tropekK*D?8hMXbLGYbqD( KHh|-y_t`&Q3#=Xh literal 0 Hc-jL100001
diff --git a/tests/smb-eicar-file-segmentation-postheader/test.rules b/tests/smb-eicar-file-segmentation-postheader/test.rules
new file mode 100644
index 000000000..fcb9e4489
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-postheader/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
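Review bot: The `+alert smb` line carries its EICAR pattern only as an unexplained hex blob, so a reader has to decode the `content:` value by hand to learn what sid 1 matches, and the hex form is the right choice here because the plain string contains `;`, `\` and `|` that would need escaping. Since Suricata rule files accept `#` comment lines, a line such as `# EICAR test string as hex (see README.md); hex avoids escaping the ; \ | characters in content:` placed above the rule documents that in place. Separately, `flow:established` carries no direction while the README describes the file arriving through a client-side `put`; if the test is meant to cover only the upload, `flow:established,to_server;` pins that, whereas the undirected form is fine if a match in the server reply should also count.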
diff --git a/tests/smb-eicar-file-segmentation-postheader/test.yaml b/tests/smb-eicar-file-segmentation-postheader/test.yaml
new file mode 100644
index 000000000..c1282b105
--- /dev/null
+++ b/tests/smb-eicar-file-segmentation-postheader/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
-- 
2.47.2
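Review bot: The single filter under `+checks:` only asserts that sid 1 alerted exactly once; it does not show that the file itself was tracked across the split the test exists for (the README describes the request being cut at the end of the SMB header). Adding a second filter with `count: 1` and `match:` `event_type: fileinfo` would confirm the file transaction was reassembled and closed, not merely that a content match landed somewhere in the stream. The `# disables checksum verification` comment says what `-k none` does but not why it is needed here; presumably the proxy-rewritten capture does not carry valid checksums, and stating that (e.g. `# -k none: the proxy-split capture has no valid checksums, so do not drop on checksum errors`) keeps the next person from removing the flag.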