From ef87b5d1e22b57436bf9cbc3326f31b371a49190 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 20 Jul 2021 10:51:27 +0200
Subject: [PATCH] Adds test about ICMPv6 kill router
---
 .../ipv6-kill-router-gateway/README.md | 7 +++++++
 .../ipv6-kill-router-gateway/kill_router6.pcap | Bin 0 -> 2678 bytes
 .../ipv6-kill-router-gateway/test.rules | 2 ++
 .../ipv6-kill-router-gateway/test.yaml | 11 +++++++++++
 4 files changed, 20 insertions(+)
 create mode 100644 tests/ipv6-evasion/ipv6-kill-router-gateway/README.md
 create mode 100644 tests/ipv6-evasion/ipv6-kill-router-gateway/kill_router6.pcap
 create mode 100644 tests/ipv6-evasion/ipv6-kill-router-gateway/test.rules
 create mode 100644 tests/ipv6-evasion/ipv6-kill-router-gateway/test.yaml
diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/README.md b/tests/ipv6-evasion/ipv6-kill-router-gateway/README.md
new file mode 100644
index 000000000..4fa620fa1
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-kill-router-gateway/README.md
@@ -0,0 +1,7 @@
+# Description
+
+Detect an attack where the given router is removed as a gateway from all SLAAC configured systems.
+
+# PCAP
+
+Pcap from https://redmine.cs.uni-potsdam.de/projects/pcap/files
diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/kill_router6.pcap b/tests/ipv6-evasion/ipv6-kill-router-gateway/kill_router6.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..fcc3a02e165190ed61d8522fab9578c3a098ab27
GIT binary patch
literal 2678
zc-p&ic+)~A1{MYcU}0bck{QhFqJOt@FeCxlAe_RG72UU)$M@yYk~?j86Bxe+G3c;4 zC@}Kw04X=fE1r9A*~}#hjAA?78D1w?30(dE&u{g!%L$CT55J$E4KjBF)Bpb*E({Dz zEUXI{nVH!b89BJr?30#)?PP-3DBHooFbT*9VTfH2dx17`9Pnp|v4YzO1*!-QdqHBmMuG49Siupu67P4Zbl+ub~nG6Adq{~91pOJm6T{}1T)|4abg}d z3?Th^a8u#_=6)Q=U_p$jEkzCz407;*VR1OXz!(VBW#ItgqlFs-Bh&_v?RJ-081@0h z_Q7lygZU`|q_l&95oSA6z_$PYfHG*di&-(SGJ%4kpW$9Akk1CnV`yrAqlq#82L&{` zI!2(wG1W0(hymSz#SSKrZ#q7*4kO=Ky`pL!1m=3rspu&@trwQUK{jT+8qhpQgbV-p zb25Yh`C(YX1eDYfxrL=f>g3zK)i&t4r=8){5nWCy$E)jV^iazxhlLu*Mt`7<0~@dST$l}XVZSN0!^H6* zx{Y~>$Tprb9q2G2omZMQRQn2el*VB)ZP1!T*+WJC_a hl20WF=hF^`v#TAj*a9-$>@BrJrVwcAn|IVU6#!)~u4n)N
literal 0
Hc-jL100001
diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/test.rules b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.rules
new file mode 100644
index 000000000..d95885235
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.rules
@@ -0,0 +1,2 @@
+# It detects Router Advertisement messages (ie itype:134) that are send with a lifetime of zero (ie content:"|00 00|") and can be misused to signal to hosts that a particular router is going down and it should be removed from routing tables.
+alert icmpv6 any any -> any any (itype:134; icmpv6.hdr; content:"|00 00|"; offset:6; depth:2; sid:1;)
diff --git a/tests/ipv6-evasion/ipv6-kill-router-gateway/test.yaml b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.yaml
new file mode 100644
index 000000000..2ba3bbe92
--- /dev/null
+++ b/tests/ipv6-evasion/ipv6-kill-router-gateway/test.yaml
@@ -0,0 +1,11 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ min-version: 6
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
-- 
2.47.2
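Review bot: The comment above the rule never says which field `offset:6; depth:2` selects inside `icmpv6.hdr`, so a reader has to know the Router Advertisement layout to see why `content:"|00 00|"` is the right match; within the 8-byte ICMPv6 header of an RA, bytes 6-7 are the 16-bit Router Lifetime (RFC 4861 section 4.2), and the comment also has a typo ("are send"). I would rewrite it as `# Router Advertisement (itype:134) whose Router Lifetime (bytes 6-7 of icmpv6.hdr, RFC 4861 s.4.2) is zero: this tells hosts to stop using the sender as a default gateway. Spoofed, it removes a legitimate router from every SLAAC host; note a router shutting down gracefully sends the same thing, so the alert flags the condition, not intent.` That last caveat matters for anyone reusing this rule outside the test, because the rule matches `any any -> any any` and carries no rate or source constraint. The rule has no `msg:`, which is acceptable for a verify test but worth adding if it is ever copied into a production ruleset.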
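Review bot: `count: 4` is a bare number; nothing in test.yaml or the README ties it to the packets in kill_router6.pcap, so when the count changes a maintainer cannot tell whether the rule or the capture regressed. Presumably it is one alert per Router Advertisement with a zero lifetime in the capture (confirm against the pcap), and a one-line comment such as `# one alert per zero-lifetime Router Advertisement in kill_router6.pcap` above `checks:` would make the expectation checkable. The pcap's indentation is lost in this rendering, so the nesting of `filter`/`count`/`match` should be checked against the committed file rather than this view.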