From d28d26435650809c1f1a8d2cef3dc0c9d8e23243 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 25 Nov 2022 17:31:43 +0100
Subject: [PATCH] tests: add tests for bug 5633
---
tests/bug-5633-gre-01/gre-udp.pcap | Bin 0 -> 294 bytes
tests/bug-5633-gre-01/gre-udp.py | 15 +++++++++++++++
tests/bug-5633-gre-01/test.rules | 2 ++
tests/bug-5633-gre-01/test.yaml | 8 ++++++++
tests/bug-5633-gre-02/README.md | 1 +
tests/bug-5633-gre-02/gre-sample.pcap | Bin 0 -> 7395 bytes
tests/bug-5633-gre-02/test.rules | 2 ++
tests/bug-5633-gre-02/test.yaml | 16 ++++++++++++++++
8 files changed, 44 insertions(+)
create mode 100644 tests/bug-5633-gre-01/gre-udp.pcap
create mode 100755 tests/bug-5633-gre-01/gre-udp.py
create mode 100644 tests/bug-5633-gre-01/test.rules
create mode 100644 tests/bug-5633-gre-01/test.yaml
create mode 100644 tests/bug-5633-gre-02/README.md
create mode 100644 tests/bug-5633-gre-02/gre-sample.pcap
create mode 100644 tests/bug-5633-gre-02/test.rules
create mode 100644 tests/bug-5633-gre-02/test.yaml
diff --git a/tests/bug-5633-gre-01/gre-udp.pcap b/tests/bug-5633-gre-01/gre-udp.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e62163ba6deb5fa15cd78004c19aaafab1c7d03a
GIT binary patch
literal 294
zc-p&ic+)~A1{MYw`2U}Qfe}b^O|DP&zRJ$v1!Q}H#X*39k%^gwwUL2=jf26Jfx!Z#
z)Iq;&5+frc6A%M=U~vVoxM0x{CMG6kAZ9YKWMX3AG5g>e=IH}6Ir0W|P1gJG?(gpc
LGWpUiTDTbi+-Ns^
literal 0
Hc-jL100001
diff --git a/tests/bug-5633-gre-01/gre-udp.py b/tests/bug-5633-gre-01/gre-udp.py
new file mode 100755
index 000000000..ed9740979
--- /dev/null
+++ b/tests/bug-5633-gre-01/gre-udp.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='1.1.1.2')/GRE()/IP(dst='2.2.2.2', src='2.2.2.3')/UDP(dport=514,sport=12345)/"EVIL"
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='1.1.1.2')/GRE()/IP(dst='2.2.2.2', src='2.2.2.3')/UDP(dport=514,sport=12345)/"GOOD"
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='1.1.1.2')/GRE()/IP(dst='2.2.2.2', src='2.2.2.3')/UDP(dport=514,sport=12345)/"EVIL"
+
+# VLAN tagged packet
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('gre-udp.pcap', pkts)
diff --git a/tests/bug-5633-gre-01/test.rules b/tests/bug-5633-gre-01/test.rules
new file mode 100644
index 000000000..f754b96ff
--- /dev/null
+++ b/tests/bug-5633-gre-01/test.rules
@@ -0,0 +1,2 @@
+pass ip any any <> 2.2.2.2 any (msg:"GRE Tunnel Pass Test"; classtype:misc-activity; sid:60000000; rev:1;)
+alert udp any any -> any any (content:"EVIL"; sid:1;)
diff --git a/tests/bug-5633-gre-01/test.yaml b/tests/bug-5633-gre-01/test.yaml
new file mode 100644
index 000000000..cd4d10b7a
--- /dev/null
+++ b/tests/bug-5633-gre-01/test.yaml
@@ -0,0 +1,8 @@
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/bug-5633-gre-02/README.md b/tests/bug-5633-gre-02/README.md
new file mode 100644
index 000000000..2a9e9135b
--- /dev/null
+++ b/tests/bug-5633-gre-02/README.md
@@ -0,0 +1 @@
+Pcap from https://redmine.openinfosecfoundation.org/issues/5633
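Review bot: `pkts += pkt1` and the two lines after it only work because a scapy Packet is iterable — `list.__iadd__` consumes the packet as a sequence, which yields the packet itself when none of its fields holds a value set — so the lines read like packet concatenation and hide what they do; `pkts.append(pkt1)` or building the list directly says what is meant. The three packets also repeat the same Ether/Dot1Q/IP/GRE/IP/UDP stack and differ only in the payload, so the tunnel prefix can be built once, `base = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='1.1.1.2')/GRE()/IP(dst='2.2.2.2', src='2.2.2.3')/UDP(dport=514,sport=12345)`, followed by `pkts = [base/"EVIL", base/"GOOD", base/"EVIL"]`, which preserves the packet order of the current pcap because scapy's `/` copies both operands. The `# VLAN tagged packet` comment sits above the list operations rather than the packet definitions it describes; placing it next to the packet construction would help a reader. The shebang selects `python` while the file is committed executable (mode 100755); `python3` is the portable choice if the script is meant to be re-run to regenerate the pcap.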
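Review bot: The single `count: 0` check on `event_type: alert` in tests/bug-5633-gre-01/test.yaml passes vacuously — it is equally satisfied if the pcap is not read or the VLAN/GRE stack is not decoded at all — so a regression in tunnel decoding would not be caught; the companion bug-5633-gre-02 test adds a positive `ssh` check for that reason, and this test should carry a positive check too, for example a second filter expecting the inner UDP flow to be logged, if flow logging is enabled in the test's configuration. The gre-01 directory also has no README, unlike gre-02; a one-line note such as `Pass rule on the inner (GRE-encapsulated) destination 2.2.2.2 must suppress the alert on the "EVIL" payload` would state the expectation without the reader reconstructing it from test.rules and gre-udp.py — that reading of the expected behaviour is inferred from the rules, not stated by the commit.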
diff --git a/tests/bug-5633-gre-02/gre-sample.pcap b/tests/bug-5633-gre-02/gre-sample.pcap new file mode 100644 index 0000000000000000000000000000000000000000..31c08b6ba4761ebcb5fe702c9854a43d2e586b62 GIT binary patch literal 7395 zc-qxjc|4R`A3rmLtf8zi89N!vknGvoFhw_ty3t@XWF4fs*K4Sh?HcKZHnR1J7PnoC zqC`=uD_h0YCEBDSk?K9?VQA*Mf8442em?K`9OpTYdCqs4@A*B?9F5mb9>N0wz*T)ibz_5;A{uXO$-3>E?q41gW@VmRCWs1nY>!73yP0PMUw zI&X(-V>?)dRUB2u6NJH{n{^BvHe(i?QCLJ&Ok85Rq?GiGnKH6+@(PNxl$43HRYKd9_+B&*(^vL=KhDH=)lewnz%+Phmou*GR!8nZZnPl?PkYbNmAT}H(Y{N*A&k}*$&COu()6B8!9&PDb6cv4we z#~=VSqk<}bO!_;-`SBzL^F(mclbhefBobaXqVs(`k-AXF5CCY#8Xf+aEE3@>C#jex z0+XI7d=ryscwN(wIAB5&%&9!_ANRzG%M&R;#XON_$|4psW(fp>pWu&q`XzNSq1R(I z3*QtMhr?B|`(L&mPS=EeP0$Mxfc@Fegj3I8KiHafR1-0Eh^D{!nyucV-eyf2O>H~mq2~O2@`%<|oM9S_m$^#t4D)t)@tEc?{>p!r-7Rcaw zsu=Kv;J#CN;6Cnw7f&v%J({2gLfdY0a&ce@kTZ%4??IE~Rmp`17(xyLg8K#V!lFXI zX;RR69D#r#%GildBJyf>AJ^=~quCmrw-tI=F!A}z9au8Fa&0z5?ali^E>AQGLp+TT zfsMc+gvvqu5hAXJV5_InNFCQmwEeD~o6y);i!^e;yN&!M!v0{ln#lXTs-!+^b z3I{$W29$7$C?Ze-3GgAc1(W*w6jIADsg4s;GZ6`dG$bMMcZ&xjelqZLCs zKP8faT=?t`ZX_ht*udy3rSm4VrrrKZD{qjf<7U%%f;8953Nt&L$LunrxCj8X=9v#q zm|cWeAf#@HAF&)6C&F92L=QL()Ahi;NTEisQ!9pSai5PeUl%97P_9UAIYFm$Wy(A zg8d0jAQ>6S&}T-{$f);^jD)A0eS^bd0s`UK&)1JkqeoJV&9Orhe|jW#;75y$;+&*0 z{Q|f%$W%u|C6{yilSZ(5Fu(il%7ovpbe3$2a*p$si~?EBQu2)Kdqig1p*BH$i**-$?Mv!=Knk>vT#R6ZoTbkQCbzPHzRMDm^+$obZbTf>p+XH zM04Uuih#;U^=51HcRN-+U(a4Vrz%i&`x*B#fzVW;AG57R>(dOkm%6+fx}$C+qMEuV zbPc$?&qF!7(cg9J??V@AKKz2{=j@?cvmR3F&9TN6iRTK)v z=~P*D5n{>{FS|R|H{k8oq}G>+^vdVr7>#>!cFWHSYE6&Ft*KomRk&>SCj(*M>U$-h zb8w4g3mD*GYjL$QUaLN#czIjbkd6EGdxT0GW!Z+*Tk9XxS@c^6ygRojF8x!zThwiF zB~9~>!z;6t-et<%c}(j3O`=h~k!+9IRz zYi8!V?LZI6f|Dy6CBhLVf{zvb7)$>h?(|2(rw*DOON!{GmoSn3N|XwOl%-4nBQPnb z@vbx6%kk%%E8Oc0*XYrXkhbbgiKIYudwpvHsUIQ1(f(;9lsy;kqEBDsnraM4?c}Gsr5G_i7M&_roSTazskx;Q|0&XnH99i; zVxm(q{e9`%h7N7ToCgo9|MfrxK^|j5f+LdpN)_v%? 
zwr}9(fUihR{Kki$^cFN6vkMzAHz6u+4SrpkvZ>I3ZZ@NUsUdeZQ$Dt9ZOg*4pp02H zwG_AOrk^?rleH|JT>V`)8<0|a8Lx{B2cL~7DRp@Ut2MUS;>%trX6!Po+%9Xf_0aI) zFE695=Wf#5UtYILPtR}CqLX}Pj^0@N z!YzQ>SViBYw^(pKPCwGaR()Bb!SaIyZPpeC33>WgnLFkz$WOhq!|L4z?kYsHGm4AK zLz&Y(GEs%jqck9-x2;0Jk^r#ATkiX3{Utyaz{?LNfnmYUy4~i>|7q(HPbDMK|y$7CKo^m;UJoyPIC`k@^Z%B`o*z@k( zTGJJ2zHXap`xop5jfyds@AN&_?Ypm{S4=G(B5$iPIG^TuqnIMBlpu3aEkDq+^vcDE z1x`}B9%snuds_-B6x%fNG|jdSC2e#Rjh14UG>LV03ho}A$$sOcCXH7_i@{jHBJZ>@ z<6wyzCAFaW^_mB3)R)SrS135kS_ZeTYO=H#)*t9GAeFtAK3L;$x@LOQ3F{LLE{0yT zX8+|n@pqZo(FX?S#q=y+ux~?JQnzZFfv1aQsCM=+^QlQjp;%Vrt47{g1db_>GB8N zpKH6O&)jYNv!rT;(ixwPwUUM#yqj26S$)!5Ssw#mSyitcVmA*(#T<=gb}I@U?8hDT zd`tZO@P#YZ;)&CqggpCHJu1|ib0=m_i}-C1;Vu@d!E!_9R&?J6~{>^-J2e{=lh4B+TUvJDTBmlH8Zp_i6cC|G^#J{sn@HBB>4m zkNsvY-jyp*WamHsX>F;iSWBR+Q3Wi8D+pe_=`~z+9wrXNBbubw%=W zA5}2*NJ-nmPF*G9RidL#OG||<#hb0;N-a;mWj=aDv52C)V_(Ys*&=Bd9xeUYw6bHs zNUiNad6|w$_525Zi=L;wiIBB^)3>qi@x{(Iu?N>OH~sViSt86NZBaNE4ANIsWWx4MY_H9D^+$TD)`$Ro=^^VFLUg=L_ zNvW|&`JC#l-HldLEJPZh^0mA02ZmHPC6crnOMVUqiSi={$z_nQ@AeK@9SY>G4*n#F zc8DcSbW?iFsSbkk5E??-HOQByPE6A+9!-ZJnksTnZsIOW*@4iuLZn}t0ont?+Fy`7 z#*sXEkZi`b8{4utNSS)T6zIwmFPGrP{xbq!gqWC^Y3qaObl+e)A&j{mfG+@tAV1{c zKpcES+*CG3jN53^@R$ zkU`x5{~ioJL+J4((gI@)7JmN9gO@xWJfi;I@E-Pc_@Y9{?2UNq>bJWQgLp}Pw%rHI w;lh`u+9C8w4{};G@Ir$C2%d$dS?#Kz?mg%MO 172.28.2.3 any (msg:"GRE Tunnel Pass Test"; classtype:misc-activity; sid:60000000; rev:1;) +alert icmp any any -> any any (itype:8; sid:1;) diff --git a/tests/bug-5633-gre-02/test.yaml b/tests/bug-5633-gre-02/test.yaml new file mode 100644 index 000000000..bc67faa2d --- /dev/null +++ b/tests/bug-5633-gre-02/test.yaml @@ -0,0 +1,16 @@ +args: +- -k none + +checks: + - filter: + count: 0 + match: + event_type: alert + - filter: + count: 1 + match: + event_type: ssh + ssh.client.proto_version: "2.0" + ssh.client.software_version: "OpenSSH_3.6.1p1" + ssh.server.proto_version: "1.99" + ssh.server.software_version: "OpenSSH_3.1p1" -- 2.47.2