From 045e37a1a2e06d9b5d5089e5619b21f476e98754 Mon Sep 17 00:00:00 2001
From: Cole Dishington
Date: Thu, 25 May 2023 11:25:08 +1200
Subject: [PATCH] decode-event: Add test for too small UDP and TCP packets
Add test for IPv4 and IPv6 packets that set proto/next-header to UDP and TCP but have no payload.
Bug: #6086.
---
tests/decode-too-small/README.md | 8 ++++++++
tests/decode-too-small/test.pcap | Bin 0 -> 392 bytes
tests/decode-too-small/test.py | 16 +++++++++++++++
tests/decode-too-small/test.rules | 2 ++
tests/decode-too-small/test.yaml | 32 ++++++++++++++++++++++++++++++
5 files changed, 58 insertions(+)
create mode 100644 tests/decode-too-small/README.md
create mode 100644 tests/decode-too-small/test.pcap
create mode 100644 tests/decode-too-small/test.py
create mode 100644 tests/decode-too-small/test.rules
create mode 100644 tests/decode-too-small/test.yaml
diff --git a/tests/decode-too-small/README.md b/tests/decode-too-small/README.md
new file mode 100644
index 000000000..9bcf613a3
--- /dev/null
+++ b/tests/decode-too-small/README.md
@@ -0,0 +1,8 @@
+# Test Purpose
+
+Test that an empty TCP and UDP packets ontop of IPv4 and IPv6 are
+detected as decode-event failures.
+
+## PCAP
+
+This PCAP was generated with scapy.
\ No newline at end of file
diff --git a/tests/decode-too-small/test.pcap b/tests/decode-too-small/test.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..4ca04409ac407725dcdf723487b0cb23772d8783
GIT binary patch
literal 392
zc-p&ic+)~A1{MYw`2U}Qfe}dSHP)qcP3LA%01d2#Fa_xnn8VFr2Gn7O yrmO940@xR94u2WpUSa_0{>y~m!|WEDi{BJMqD=V;G{p+Yx591;3t>}0z5)O(U`F@=
literal 0
Hc-jL100001
diff --git a/tests/decode-too-small/test.py b/tests/decode-too-small/test.py
new file mode 100644
index 000000000..b94dee34c
--- /dev/null
+++ b/tests/decode-too-small/test.py
@@ -0,0 +1,16 @@
+from scapy.all import Ether, IP, IPv6, PcapWriter, Raw
+
+with PcapWriter('test.pcap') as pcap:
+ # TCP and UDP too small packets
+ udp_payload = Raw(b'\x81\x58\x00\x35') # Half a UDP header
+ s_mac = 'cb:cf:2b:50:a7:61'
+ d_mac = '49:a2:25:1a:07:4a'
+ proto_udp = 17
+ proto_tcp = 6
+
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_tcp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp) / udp_payload)
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_tcp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp))
+ pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp) / udp_payload)
diff --git a/tests/decode-too-small/test.rules b/tests/decode-too-small/test.rules
new file mode 100644
index 000000000..0266a9ce8
--- /dev/null
+++ b/tests/decode-too-small/test.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
+alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
diff --git a/tests/decode-too-small/test.yaml b/tests/decode-too-small/test.yaml
new file mode 100644
index 000000000..63cf6bba1
--- /dev/null
+++ b/tests/decode-too-small/test.yaml
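Review bot: The TCP cases on the `proto=proto_tcp` and `nh=proto_tcp` write lines only cover a zero-length segment, whereas UDP is exercised both empty and with the 4-byte `udp_payload`, so a TCP segment that is present but shorter than a full header is never fed to the decoder. If `tcp.pkt_too_small` is meant to fire on any truncated header, a `tcp_payload = Raw(b'\x81\x58\x00\x35')  # 4 of the 20 TCP header bytes` plus one `pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_tcp) / tcp_payload)` per IP version would close that gap, with the `count: 1` entries for sid 1 in test.yaml then becoming 2. The `# Half a UDP header` comment could also say what the bytes are, e.g. `# first 4 of the 8 UDP header bytes: src port 0x8158, dst port 0x0035 (53)`, so the chosen values read as deliberate. A leading docstring such as `"""Regenerate test.pcap with scapy; writes into the current directory."""` would tell a reader what this script is for, since it shares the test's directory but is not referenced by test.yaml.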
@@ -0,0 +1,32 @@
+checks:
+ # Look for IPv4 TCP too small
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 1.1.1.1
+ alert.signature_id: 1
+
+ # Look for IPv6 TCP too small
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+ alert.signature_id: 1
+
+ # Look for IPv4 UDP too small
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ src_ip: 1.1.1.1
+ alert.signature_id: 2
+
+ # Look for IPv6 UDP too small
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+ alert.signature_id: 2
--
2.47.2
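Review bot: The `count: 2` on the two sid 2 checks relies on both the empty UDP datagram and the 4-byte half-header datagram from the generator raising `udp.hlen_too_small`, but nothing in the file says so, so a reader cannot tell why 2 rather than 1 is expected; the comments could read `# Look for IPv4 UDP too small: empty datagram + 4-byte (half header) datagram` and likewise for the IPv6 block. The IPv6 filters match `src_ip` in fully expanded form (`fd01:0000:0000:0000:0000:0000:0101:0101`), which ties the check to the exact textual address form the EVE output emits; if that form ever changes, these two checks fail for a reason unrelated to the decoder, which is worth a one-line comment such as `# src_ip is matched in the uncompressed form EVE emits for fd01::1.1.1.1`. Both remarks apply to the IPv4 and IPv6 pairs alike.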