From c0bae48e83be2e4b9b9be1803814483784fa25f5 Mon Sep 17 00:00:00 2001
From: Cole Dishington
Date: Mon, 10 Jul 2023 14:09:16 +1200
Subject: [PATCH] decode-event: Add test case for GRE packet too small

Add test for IPv4 and IPv6 packets that set proto/next-header to GRE but have an invalid payload.

Bug: #6222
---
 tests/decode-too-small/test.pcap | Bin 392 -> 516 bytes
 tests/decode-too-small/test.py | 33 ++++++++++++++++++++++--------
 tests/decode-too-small/test.rules | 1 +
 tests/decode-too-small/test.yaml | 16 +++++++++++++++
 4 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/tests/decode-too-small/test.pcap b/tests/decode-too-small/test.pcap
index 4ca04409ac407725dcdf723487b0cb23772d8783..efd0dcf4e0a806f9c49a61f765924f8431df3308 100644
GIT binary patch delta 167 zc-re=Zef`q!ET?iI%Vbw#)*Ln6YaUdyy{axo;H|y{50dlW_@cAbIw^t1{DSdF!o%e D#h+~`n-0)@R|W<#21W)32mO-Gj6lEy1PlxyJe)h05NI+ delta 80 zc-m`W>0q89!LHX>m(n$zdt#u%M0;*9FKZ@{rwwK{&*GlgtPf@i%;BE+)*j3hn+s&h SP7YvH0&~C4<(^#0=nMco4jY>Q
diff --git a/tests/decode-too-small/test.py b/tests/decode-too-small/test.py
index b94dee34c..7195c0709 100644
--- a/tests/decode-too-small/test.py
+++ b/tests/decode-too-small/test.py
@@ -1,16 +1,31 @@
 from scapy.all import Ether, IP, IPv6, PcapWriter, Raw
 with PcapWriter('test.pcap') as pcap:
- # TCP and UDP too small packets
+ # Too small packets
 udp_payload = Raw(b'\x81\x58\x00\x35') # Half a UDP header
- s_mac = 'cb:cf:2b:50:a7:61'
- d_mac = '49:a2:25:1a:07:4a'
+ gre_payload = Raw(b'\x00\x00') # Half of non-optional GRE hdr
+
+ proto_gre = 47
 proto_udp = 17
 proto_tcp = 6
- pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_tcp))
- pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp))
- pcap.write(Ether(src=s_mac, dst=d_mac) / IP(src='1.1.1.1', dst='2.2.2.2', proto=proto_udp) / udp_payload)
- pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_tcp))
- pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp))
- pcap.write(Ether(src=s_mac, dst=d_mac) / IPv6(src='fd01::1.1.1.1', dst='fd02::2.2.2.2', nh=proto_udp) / udp_payload)
+ def mk_pkt(proto, ver=4):
+ s_mac, d_mac = 'cb:cf:2b:50:a7:61', '49:a2:25:1a:07:4a'
+ pkt = Ether(src=s_mac, dst=d_mac)
+ if ver == 4:
+ s_ip, d_ip = '1.1.1.1', '2.2.2.2'
+ pkt /= IP(src=s_ip, dst=d_ip, proto=proto)
+ else:
+ s_ipv6 = f'fd01::1.1.1.1'
+ d_ipv6 = f'fd02::2.2.2.2'
+ pkt /= IPv6(src=s_ipv6, dst=d_ipv6, nh=proto)
+ return pkt
+
+ pcap.write(mk_pkt(proto_tcp))
+ pcap.write(mk_pkt(proto_udp))
+ pcap.write(mk_pkt(proto_udp) / udp_payload)
+ pcap.write(mk_pkt(proto_gre) / gre_payload)
+ pcap.write(mk_pkt(proto_tcp, ver=6))
+ pcap.write(mk_pkt(proto_udp, ver=6))
+ pcap.write(mk_pkt(proto_udp, ver=6) / udp_payload)
+ pcap.write(mk_pkt(proto_gre, ver=6) / gre_payload)
diff --git a/tests/decode-too-small/test.rules b/tests/decode-too-small/test.rules
index 0266a9ce8..399d4cd4d 100644
--- a/tests/decode-too-small/test.rules
+++ b/tests/decode-too-small/test.rules
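Review bot: `mk_pkt` treats every `ver` other than 4 as IPv6, so a slip such as `ver=5` silently produces an IPv6 packet instead of failing; make the second branch explicit with `elif ver == 6:` and finish with `else: raise ValueError(f'unsupported IP version {ver}')`. The two f-strings in that branch carry no placeholders, so `s_ipv6 = 'fd01::1.1.1.1'` and `d_ipv6 = 'fd02::2.2.2.2'` should be plain literals (ruff F541). A one-line docstring on the helper, e.g. `"""Ethernet/IP(v4 or v6) headers carrying L4 protocol `proto` and no payload."""`, would make the deliberate absence of a transport header obvious to the next reader, and hoisting `mk_pkt` above the `with` block would leave the writer body as just the eight `pcap.write` calls.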
@@ -1,2 +1,3 @@
 alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
 alert udp any any -> any any (msg:"UDP packet too small"; decode-event:udp.hlen_too_small; sid:2;)
+alert ip any any -> any any (msg:"GRE packet too small"; decode-event:gre.pkt_too_small; sid:3;)
diff --git a/tests/decode-too-small/test.yaml b/tests/decode-too-small/test.yaml
index 63cf6bba1..ffbcfd880 100644
--- a/tests/decode-too-small/test.yaml
+++ b/tests/decode-too-small/test.yaml
@@ -30,3 +30,19 @@ checks:
 event_type: alert
 src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
 alert.signature_id: 2
+
+ # Look for IPv4 GRE too small
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: 1.1.1.1
+ alert.signature_id: 3
+
+ # Look for IPv6 GRE too small
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_ip: fd01:0000:0000:0000:0000:0000:0101:0101
+ alert.signature_id: 3
--
2.47.2