From e6524a35f992c6cd0fa3d20b34124528c2922342 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 4 Aug 2023 08:59:16 +0200
Subject: [PATCH] tests: add bug 6244 RST with data tests
---
.../tcp-rst-with-data.pcap | Bin 0 -> 654 bytes
.../tcp-rst-with-data.py | 15 +++++++++++
.../bug-6244-tcp-rst-with-data-02/test.rules | 7 +++++
tests/bug-6244-tcp-rst-with-data-02/test.yaml | 25 ++++++++++++++++++
.../tcp-rst-with-data.pcap | Bin 0 -> 654 bytes
.../tcp-rst-with-data.py | 15 +++++++++++
tests/bug-6244-tcp-rst-with-data/test.rules | 5 ++++
tests/bug-6244-tcp-rst-with-data/test.yaml | 20 ++++++++++++++
8 files changed, 87 insertions(+)
create mode 100644 tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap
create mode 100755 tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py
create mode 100644 tests/bug-6244-tcp-rst-with-data-02/test.rules
create mode 100644 tests/bug-6244-tcp-rst-with-data-02/test.yaml
create mode 100644 tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap
create mode 100755 tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.py
create mode 100644 tests/bug-6244-tcp-rst-with-data/test.rules
create mode 100644 tests/bug-6244-tcp-rst-with-data/test.yaml
diff --git a/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..fbd0f676912da8f2af682d2830fd1ae5543febb7
GIT binary patch
literal 654
zc-p&ic+)~A1{MYw`2U}Qfe}dC?L3pxt-!)y2Vw&;D+@CdP@Iv8nT55Hfq{*K!IgnQ z2c*=2t>hRZ5HJCOfu;Ne28aO+2}}wMk~|Cy%*=dX(|A=7ra{bsn2Bi`$Rv=7@)Ha! zf%;zn)iWgs{r_(&j4-1QP&xC6!AaT#U` hHEb`MVZT5c0$Be4f3*!5?8(Wg#l;FPsd<^HDFC`@XR-hQ
literal 0
Hc-jL100001
diff --git a/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py
new file mode 100755
index 000000000..33fa262e0
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data-02/tcp-rst-with-data.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='R',seq=1018,window=65535)/"Access Denied"
+
+wrpcap('tcp-rst-with-data.pcap', pkts)
diff --git a/tests/bug-6244-tcp-rst-with-data-02/test.rules b/tests/bug-6244-tcp-rst-with-data-02/test.rules
new file mode 100644
index 000000000..f5cc64864
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data-02/test.rules
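Review bot: The generator carries no comment saying what it builds, so the purpose of the hand-chosen sequence numbers (1001, 1008, 1012, 1015, 1018 follow the four payload lengths) and of putting "Access Denied" on the final `flags='R'` segment has to be recovered from test.rules; a header after the import would carry it: `# Bug 6244: four server data segments spelling "Please Let Me In!" are followed by a RST that carries "Access Denied".` and `# Per-packet rules may match the RST payload, stream rules must not (test.rules sid 1 vs sid 2 and 5).` Since the pcap is committed next to this script, the script is a record of how the capture was produced rather than something the test executes; the diffstat shows a 15-line generator and a 654-byte pcap in both test directories but with different blob ids (fbd0f676… and ba08ec4c…), presumably from capture timestamps, so a rerun will not reproduce the committed file byte-for-byte and that is worth stating in the same header. `#!/usr/bin/env python` could become `#!/usr/bin/env python3`, as a bare `python` no longer resolves on many current systems.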
@@ -0,0 +1,7 @@
+alert tcp-pkt any any -> any any (tcp.flags:R,A; content:"Access Denied"; startswith; endswith; sid:1;)
+# FP as RST data is not part of the stream
+alert tcp any any -> any any (flow:only_stream; content:"Access Denied"; sid:2;)
+# TODO why is this not the same as sid 2?
+#alert tcp-stream any any -> any any (content:"Access Denied"; sid:3;)
+alert tcp any any -> any any (content:"Please Let Me In!"; sid:4;)
+alert tcp any any -> any any (content:"Please Let Me In!Access Denied"; sid:5;)
diff --git a/tests/bug-6244-tcp-rst-with-data-02/test.yaml b/tests/bug-6244-tcp-rst-with-data-02/test.yaml
new file mode 100644
index 000000000..74185ef46
--- /dev/null
+++ b/tests/bug-6244-tcp-rst-with-data-02/test.yaml
@@ -0,0 +1,25 @@
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
diff --git a/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap b/tests/bug-6244-tcp-rst-with-data/tcp-rst-with-data.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ba08ec4c14a33a7f93f10114f90af9e948df123d
GIT binary patch
literal 654
zc-p&ic+)~A1{MYw`2U}Qfe}d0-hL*} zEl|Q1mucEi(~hH=_626zi}?%;z7VI0=aXsJcbH+XCo?d3<|%> any any (tcp.flags:R,A; content:"Access Denied"; startswith; endswith; sid:1;)
+alert tcp any any -> any any (flow:only_stream; content:"Access Denied"; sid:2;)
+# TODO why is this not the same as sid 2?
+#alert tcp-stream any any -> any any (content:"Access Denied"; sid:3;)
+alert tcp any any -> any any (content:"Please Let Me In!"; sid:4;)
diff --git a/tests/bug-6244-tcp-rst-with-data/test.yaml b/tests/bug-6244-tcp-rst-with-data/test.yaml
new file mode 100644
index 000000000..dc6cd450e
--- /dev/null
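Review bot: The `# TODO why is this not the same as sid 2?` above the disabled sid 3 rule commits an open question with no pointer to where it is tracked; either settle it before merge or tie it to the tracker, e.g. `# TODO(<TRACKER-REF>): tcp-stream variant of sid 2 disabled, behaves differently from sid 2 - investigate`. sid 5 also lacks the one-line rationale that sid 2 gets, even though test.yaml expects it to fire 0 times as well; `# no match expected: RST payload must not be appended to the reassembled stream` above it would make that negative check self-explanatory. The same TODO and commented-out sid 3 recur in tests/bug-6244-tcp-rst-with-data/test.rules further down this patch, so whatever resolution is chosen should be applied there too.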
+++ b/tests/bug-6244-tcp-rst-with-data/test.yaml
@@ -0,0 +1,20 @@
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
--
2.47.2