From b45e3d2c936a738b187f17ebafd610ad8abb455c Mon Sep 17 00:00:00 2001
From: Victor Julien <victor@inliniac.net>
Date: Fri, 12 Apr 2024 11:09:01 +0200
Subject: [PATCH] tests: add defrag datalink tests

Bug: 6887.
---
 .../frag-eth-vlan-ip-tcp-syn.pcap              | Bin 0 -> 210 bytes
 .../frag-eth-vlan-ip-tcp-syn.py                |   9 +++++++++
 .../suricata.yaml                              |  11 +++++++++++
 .../test.rules                                 |   1 +
 .../test.yaml                                  |  11 +++++++++++
 .../frag-eth-vlan-ipv6-tcp.pcap                | Bin 0 -> 1290 bytes
 .../frag-eth-vlan-ipv6-tcp.py                  |  10 ++++++++++
 .../suricata.yaml                              |  11 +++++++++++
 .../test.rules                                 |   1 +
 .../test.yaml                                  |  11 +++++++++++
 .../frag-ip-tcp-syn.pcap                       | Bin 0 -> 156 bytes
 .../frag-ip-tcp-syn.py                         |   9 +++++++++
 .../bug-6887-defrag-ipv4-tcp-syn/suricata.yaml |  11 +++++++++++
 .../bug-6887-defrag-ipv4-tcp-syn/test.rules    |   1 +
 .../bug-6887-defrag-ipv4-tcp-syn/test.yaml     |  11 +++++++++++
 .../bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap  | Bin 0 -> 1236 bytes
 .../bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py    |  10 ++++++++++
 .../bug-6887-defrag-ipv6-tcp/suricata.yaml     |  11 +++++++++++
 .../defrag/bug-6887-defrag-ipv6-tcp/test.rules |   1 +
 .../defrag/bug-6887-defrag-ipv6-tcp/test.yaml  |  11 +++++++++++
 .../frag-ppp-ip-tcp-syn.pcap                   | Bin 0 -> 159 bytes
 .../frag-ppp-ip-tcp-syn.py                     |   9 +++++++++
 .../suricata.yaml                              |  11 +++++++++++
 .../test.rules                                 |   1 +
 .../bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml |  11 +++++++++++
 .../frag-ip-tcp.py                             |  10 ++++++++++
 .../frag-ppp-ipv6-tcp.pcap                     | Bin 0 -> 1239 bytes
 .../bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml |  11 +++++++++++
 .../bug-6887-defrag-ppp-ipv6-tcp/test.rules    |   1 +
 .../bug-6887-defrag-ppp-ipv6-tcp/test.yaml     |  11 +++++++++++
 .../eth-ip-gre-ppp-max-ip-packet.pcap          | Bin 0 -> 142339 bytes
 .../eth-ip-gre-ppp-max-ip-packet.py            |  11 +++++++++++
 .../suricata.yaml                              |  11 +++++++++++
 .../test.rules                                 |   1 +
 .../test.yaml                                  |  11 +++++++++++
 35 files changed, 229 insertions(+)
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.pcap
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.py
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/suricata.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.rules
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.pcap
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.py
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/suricata.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.rules
 create mode 100644 tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.pcap
 create mode 100644 tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.py
 create mode 100644 tests/defrag/bug-6887-defrag-ipv4-tcp-syn/suricata.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.rules
 create mode 100644 tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap
 create mode 100644 tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py
 create mode 100644 tests/defrag/bug-6887-defrag-ipv6-tcp/suricata.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ipv6-tcp/test.rules
 create mode 100644 tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.pcap
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.py
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/suricata.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.rules
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ip-tcp.py
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ppp-ipv6-tcp.pcap
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.rules
 create mode 100644 tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.yaml
 create mode 100644 tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.pcap
 create mode 100755 tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.py
 create mode 100644 tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/suricata.yaml
 create mode 100644 tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.rules
 create mode 100644 tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.yaml

diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.pcap b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..e8b3bed69715f05f83f63076bc09d2a74b42499f
GIT binary patch
literal 210
zc-p&ic+)~A1{MYw`2U}Qfe}b6zLZFlXk%f}1F}Jwm4%rJD9*^l%);8pz`(}A;L5-t
z!@#J(;J_AgjS&c#fWW{~egaT2Bhk7Ufx554bc5_qU{WC3ZU!a?wvsC_-I6>E49v`Y
F3;@-Q7FPfO

literal 0
Hc-jL100001

diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.py b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.py
new file mode 100644
index 000000000..f80632d7a
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/frag-eth-vlan-ip-tcp-syn.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+packet = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+
+frags = fragment(packet,fragsize=8)
+wrpcap('frag-eth-vlan-ip-tcp-syn.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/suricata.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.rules b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.rules
new file mode 100644
index 000000000..4836c6bbd
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (tcp.flags:S; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml
new file mode 100644
index 000000000..80cad222e
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv4-tcp-syn/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet: "BQQDAgEAAAECAwQFgQAABggARQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAQAAAABgAiAAGQwAAAMDDgA="
+      packet_info.linktype: 1
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.pcap b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f919dd525111b443873c6df655117ce15899c5e0
GIT binary patch
literal 1290
zc-p&ic+)~A1{MYw`2U}Qfe}bY{FF#5<X~g?1>}G*D+@CdkYZ$FW?^k)U|?&zn*dbB
zctFR20TnQ!^VxuS>18Wj155b{F!=xh1%?xA85kT#!Jr4!ObLuTK`CK0Oow(#I0uYO
T5XPPo7^V=D5||4HTS@=`vhyR{

literal 0
Hc-jL100001

diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.py b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.py
new file mode 100644
index 000000000..1318eb175
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/frag-eth-vlan-ipv6-tcp.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * 1000
+packet = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IPv6()/IPv6ExtHdrFragment()/TCP(dport=8080,sport=12345,flags='A',seq=1)/data
+
+frags = fragment6(packet,512)
+wrpcap('frag-eth-vlan-ipv6-tcp.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/suricata.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.rules b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.rules
new file mode 100644
index 000000000..714e46a3d
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (dsize:1000; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml
new file mode 100644
index 000000000..9c8816f7b
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-eth-vlan-ipv6-tcp/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet: "BQQDAgEAAAECAwQFgQAABobdYAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="
+      packet_info.linktype: 1
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.pcap b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..3c1e34662b4385a95d286cb847432bec21cd4962
GIT binary patch
literal 156
zc-p&ic+)~A1{MYw`2U}Q;R%qw@meB{|1TGV43G`Nt{{q0fx&?-<QgLoFad#qrThe-
m6eA9`j6k(lVQN8UCon1CFqeVJfvw~UOsymj0|PTN9|Hj3(HKqu

literal 0
Hc-jL100001

diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.py b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.py
new file mode 100644
index 000000000..d5746a9d2
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/frag-ip-tcp-syn.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+packet = IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+
+frags = fragment(packet,fragsize=8)
+wrpcap('frag-ip-tcp-syn.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/suricata.yaml b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.rules b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.rules
new file mode 100644
index 000000000..4836c6bbd
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (tcp.flags:S; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml
new file mode 100644
index 000000000..f7ccf0304
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv4-tcp-syn/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet: "RQAALAABAABABnTGAQEBAQICAgIwOR+QAAAAAQAAAABgAiAAGQwAAAMDDgA="
+      packet_info.linktype: 228 # LINKTYPE_IPV4
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap b/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..64cd2f5a2ebf135718e97689394398fb1716c22f
GIT binary patch
literal 1236
zc-p&ic+)~A1{MYw`2U}Q;VF<V{w9&ek-*Ntz{CK?2|$YRhK>URDquwCvjOqKJ*h<o
zmhux|@&N)03@6qyFgT8aAq&V)4~!Q<>0vYkhi7`|0Y)+igVF;-3Nh({c>%4{0|002
B8=n9G

literal 0
Hc-jL100001

diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py b/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py
new file mode 100644
index 000000000..9277ba830
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/frag-ip-tcp.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * 1000
+packet = IPv6()/IPv6ExtHdrFragment()/TCP(dport=8080,sport=12345,flags='A',seq=1)/data
+
+frags = fragment6(packet,512)
+wrpcap('frag-ip-tcp.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/suricata.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.rules b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.rules
new file mode 100644
index 000000000..714e46a3d
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (dsize:1000; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
new file mode 100644
index 000000000..0a8aeeab3
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ipv6-tcp/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet: "YAAAAAP8BkAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAATA5H5AAAAABAAAAAFAQIADIrQAAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="
+      packet_info.linktype: 229
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.pcap b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b28b362043c15946c57c104fc3a7b3baaa0ecdfb
GIT binary patch
literal 159
zc-p&ic+)~A1{MYw`2U}QffGnie=U)=vWb;J7RUx+MOOv}83slL1_!o~Ym7j^1Ox__
p@)Lk^jJOmt0u^6{DF&IIz@&i7WCkV&wvsC_#gaS>49v`Y3;>TD7iRzf

literal 0
Hc-jL100001

diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.py b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.py
new file mode 100644
index 000000000..2a394e213
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/frag-ppp-ip-tcp-syn.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+packet = PPP()/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+
+frags = fragment(packet,fragsize=8)
+wrpcap('frag-ppp-ip-tcp-syn.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/suricata.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.rules b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.rules
new file mode 100644
index 000000000..4836c6bbd
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (tcp.flags:S; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml
new file mode 100644
index 000000000..d3e01be8a
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv4-tcp-syn/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet: "IUUAACwAAQAAQAZ0xgEBAQECAgICMDkfkAAAAAEAAAAAYAIgABkMAAADAw4A"
+      packet_info.linktype: 9
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ip-tcp.py b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ip-tcp.py
new file mode 100644
index 000000000..b9a073e4c
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ip-tcp.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * 1000
+packet = PPP()/IPv6()/IPv6ExtHdrFragment()/TCP(dport=8080,sport=12345,flags='A',seq=1)/data
+
+frags = fragment6(packet,512)
+wrpcap('frag-ppp-ipv6-tcp.pcap', frags)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ppp-ipv6-tcp.pcap b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/frag-ppp-ipv6-tcp.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7fdd9fe4b8d82fc4045585e4e90373d4aad641b6
GIT binary patch
literal 1239
zc-p&ic+)~A1{MYw`2U}QffGpo=9Wx5K7pIzCnEzGhbI69887HKFrWfPbUqspD@!G$
z8Cc3sfXN34C@`E@%fR3`3Wgk@AR#cG1SN#gARJx^VJ<LoK^UA67)ppq2+R}coe%(q
Cj2+Sd

literal 0
Hc-jL100001

diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.rules b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.rules
new file mode 100644
index 000000000..714e46a3d
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (dsize:1000; sid:1;)
diff --git a/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.yaml b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.yaml
new file mode 100644
index 000000000..9d46d2d81
--- /dev/null
+++ b/tests/defrag/bug-6887-defrag-ppp-ipv6-tcp/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet: "V2AAAAAD/AZAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEwOR+QAAAAAQAAAABQECAAyK0AAEFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="
+      packet_info.linktype: 9
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.pcap b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..76899ebd5ada7d95b3a102d5bf2d849edf6dbb0e
GIT binary patch
literal 142339
zc-pPqee}!q|HtutTs0r%vqc(`xomPZmkr^a4_Q<e(v(<H=If#rWh%atuPl{TDl5rK
zYKWGL3}J{C$x>>OtdNmdL?iKg^t(8}bAG?SevjYddCqor&i2Rcoc*(N-}C)?f4yb-
zTNO-|O#eNVOeJ`J@VeR$_PM62=?T34`*G>t$L4GN{G7FBQ!kTg?B5?VTHoE{GE7yB
z$rP^E0B;O5mDo*&b>Qq0Oa)Byk=K=7`X&1LP2~Jd`K$>`F@y5#e^GAwf6m{OHO*Oy
z1(az@N{cou#Rkd~O3DKrS&AK$@k+|sE-b|X%4j8}-c2mU3CeIK#d9-Dae;D=lCrxm
zOEEwhprjN$EX55<UnRvlh^2TyDOXZ@-@{V8pmb4EHu+eJ50rLFO6~!c;s>R<lG1iG
zO9_C|NJ&{2U@1XR>MAMw9%U&ZP--YC=O1S&VNj|mDGfp_B?3xCCFQy4EG24K2mGm|
z?3&3^VxXK>QZBy0QsSWeqNL1zg{34wIVk;tUS}yuQ1&S)KhI|=DNw#rQm$CYQqrL8
zP*OsRSxN?!ElSF~4_HbTlyyqV#+5832g(X1<<_+<B@fCHCB?syr4&F}prow)gryWg
znX9Dy{uxPWU;<^fk}@~LQp})8`$}dHOR<0=?JHOAV<|RJq<zJeV<~n}q<v-aVV2?m
zMcP-k9b+j@P^5k3yOS)%1&Xw<l$>EH1}M_LGT}T+af2f5E7LEr6b~rUzVd0MQj+2Y
zMcP*?m$DQeDAK<2Vi`;EgCgxK8*8$Z04UPFa-=p(34$W+E8hAnB?OAJugq%9Qo^7}
z`%1DIONoFY?JK)mv6QG`?Jw;secH2>7%0-d66(ZK;-E<TN~9Z0Nq{2lD-C<Hlq4w9
zzEXY*OG$wu?JKw6&Qj8#Nc+k|16WE16lq`C?`0`jP^5k3_`NJ82a2?>G#k!R@}Nlj
z%7=cIQUFETSJsSWDMe7EedX6jNJ>K!DAK;-3bGV4DAK;NZ8A%-fFkWHwrMQI28y(=
z+#6;oc2J~!W#{uO#Q}=6uk3z_r8q&6_LZ;ZuoM?4(!O%+4VGenBJC?LzRgnHph)}5
zp7&Ua2NY>vIsHCM@q!}lE6rE16dx$kzA`GwQv9Gu`^sbMSxNvDX<zwfGfN4ABJC@l
zG)oDABJC@_oh&5`inOmx+09ZSph)}5+;3S*)Ue(m?JK4GSxO8PX<zC36HAGMBJC^p
z9$_g7P^5k3q2nwi35v9@9RH1_q(G7OmEX>?lr$*PzEX05rDQ;n_LT`G)ksPf6lq_X
zUWKLPK#}&97pk$8JSft>vf9E@3ZO{)ioF&~DS{&HE6%zkrI85~X<zAUXDMb-q<v*|
z6P98DMcP+Bzn-PoK#}&9Ut6;jJ1Ek=@>hG7;s8b3SMKV}Qk<Yj`^xj(S&9o3X<u2?
zlcgA-Nc+kaeOQVc6lq_n+mEGqK#}$p$3T|i1x4CdZWzo`e4t4CN_;3w@q;4mD+h+N
zlmIBwzEbeBlprY5zA|zgO9_D@?JJLuXDMM&q<tk6WGN9)q<v+@WR?;&tR87!X*rFh
z#6Xeum0n?%5(h=vSB5>$QWBs@`^w_kEF}qww6CP2EF}esw69#6$5PUuNc&2|1uP{4
zinOmRjI)$1DAK-idMQiEfg<fI?N_jrJSft>a&MBQ6hM*om80ufN)Z%kUpc#(q%<~x
zBJC@tG)pmqBJC^ooh-!yinOmhvzw*ZK#}&9m%n8xc2J~!W!d*E#Q}=6uWbC0r8q&6
z_7&$5mf`|M+E<1gXDJ3K(!MhCH<scCMcP*?|G`o`ph)}5{TEn@7Zhn<d9UPhlHvnJ
z+E+fQ!czR8Nc&2+%UMbQ6lq^EtSlu6inOovuf<YAph)}5*19Yu42ra`?6I?y2q@CN
zvZo14i5k{^(!TQh^(-X@inOl`cCwT>DAK-iPY0Hg07cqY9`4LilAuWY%K7drB?XGK
zub6tVlr$*PzH((BmXZNQ+E*I%V<}lsq<v-TK$emNMcP+h9?Vkmph)}5lA$c60E)D)
zl#XC2MNp)D#XgFpG%<l9?JEt&u@o~X(!SDqJWH{FBJC^TNi4+%inOo9r?3<|DAK<2
z!8DfQ07cqYwuf1Y6BKD*X*Y|dxImHimGapv#Q;UxR|ZE}iW?MZUl})#rFcM*_Lc10
zEX50ow67e0kEQrPk@l4{@3Ry?DAK-Cc{xi7fFkWH<5#nkASlwl^2o<5B?OAJuRO7d
zrG!C|_LZNvv6KiX(!O$L2TO?>*4w3hrQVk;B?gMLulT=VDREGwedWYHmXZKP+E*^-
zSV|HUX<xbSXO@xzMcP+Z{lZexph)}5+5$_-fFkWHznozySx}^XrQ)9~B?pSMuiR(4
zf~4d@k@l5|m03yw6lq_1sg$J@L6P>A^JOHZsR<NmU+H`mOEH5Y?JGm-uoMd@(!MgO
zK1;EIBJC^38nYBTDAK-CXvR_;ph)}5#a1lE35v9@jBL+RT%bt%%D7G}#Q;UxS4MSX
zDQ-}tePvELOYwjr?JK9;EX50ow69#ajivZNk@l5t16Yb56lq@>GMJ?VK#}&92Zpkg
zASlwlGGRDN34tQ*E6e;WB@BwRuUN;iln5x&zS3hnONkoR+oXM^e~_ibK+*26OlB!@
zP^5ij<5Mgp0gAM*{5*rDBten(m3q&!loTk^zS8d{mXZcV+E-T0VJR6<q<v-e8!ROY
zinOn6ev75#K#}&9ChxJ7JSft>((HYfQUFETS2}*kQi`BR`%3voB;`62DAK+%e;rFP
zgCgxK@f1t3fFkWHnXN3v28y(=l<#0Ec2J~!WqgLEI6#s1l^J_jiW3xRUwL6KOL2iB
z?JLCtEX4pt+E@NM#8TX#Nc&3jV=To3inOo%e3GSjL6P>AW@lK64-{!%>3g1~_(75O
zm8q9lN&pmTU-_+4b&?VUMcP-2Rar_16lq^+TgFntph){ltR_o|fFkWHi)*u#sA0WT
z+E>24mZii%k@l4njaW(?6lq`S*^H$mK#}&9DXmya5)^4)nc0q|q(G7Ol@B|ylr$*P
zzVdN5mXZNQ+E><>vy?0-(!R3I%~EopNc&256-&v3BJC^Ybu6U-inOm>lVT}FP^5h&
zw3VbdOrS{n%G=vniWwAXUrFv_DHc$qeWl+XmSO`%+E*fbS&AJLX<vEg084RzBJC?{
z4zUy`DAK;t=@?6Kfg<fIy-%_f0~Bdr8S*<zaf2f5D_@>tDIQRyedX*$mf{6P+E*%7
zDkCXAP^5jOX;qfu2SwUf-l)z}0-#9y%KjQGB?yYNuhgl{QbM3e`^vOySxOibX<wP$
zh^0h8k@l5$9V{hkSo=!*%Bq$uB?gMLuhePBQsSUU`$~HkOG$tt?JK>yvXmq!vc59%
z??3GRlktD2q(J#fNqMd^OG$&WLrGaw%2G0*Y*A9aFJmcLP}V6aH(kY2a-ghGQrvY|
zN*<IYO3EGeSxNzv1xiY~F-s|eGFM62-HfC(Gl4Q&N%^J~OEH7;tdjCuJC<SrWtx&Q
zs1r-Ef%1fsGO-&=v4b*RNjY53QXHU+R#Gf|Sc(&r;Yy0VA4_q8a*vYIY#>W9KpCK<
zv>D7&+@SPTQeGd*QaqrPD=F^`XDMD#x+p2T{4B)>N;@TG?^u@N2c@}^Qa+xg1VCw|
zq}&>0DM3)`Dk%devy>1hHI$SIPqCCRDAlAtoo29<2q+bml-zSHC2Cmv{HdgzdXc5X
zKsl|Xl+0l%aZr9yQbxSNQWBsXR8n4ki=`w%k@l7O@3NE>DAK-C;eD2p21VLeYJA92
zGN4HN%Ak)}N){ApUzxd%rQ|@7_LU)<SV|rgX<r$&jinSok@l4-J6K8)6lq^MnjtCI
zn?RBFmE(I@iWwAXUpcy$rC30b_7!uErPx4`_LV0OvlKfh(!R3b7)x=0BJC?%PqGvz
zDAK;t<qS)4fg<fIozJrr0~Bdr>3fN#xIvNjl?jzfNQws(X<s>5m8Ez=k@l6wWh})9
zinOovsL4|Nph)}5+qGFr02FCo`Sx0t5(GusSAJ^5QbM3e`^p&yO9_J_?JKofvy=!Z
z(!NrsJxhri)?1`~rEVvd5(7orS8nXaQsSUU`%0{wr6fR+_LX<tEF}qww6CnZjisbO
zk@l4x{aH#H6lq_X<7FusP^5ij&Aluo3yQR_Y`LGM<Uo=3l|3U_N*)wxUl}`=r4&Gs
z_LZrRu#_Sw(!MftB1vg(0!7+a3Qw{WGbqx&Qt>I4VgW_kS4wBF6dNegzS8nJmSP7*
z+E*67$Wk1jNc+mRS6PY^6lq^+{{~BOfg<fIOW$HC1}M_Ll6;q?xIvNjl~0$j6b~rU
zzLHC@6fY>!zS8?6mf{0N+E<3HV<~=6q<!V#6iW$!BJC>&wz8BUDAK-iVmnI-fg<fI
z=XbG`FeuW#QnrVsL_m@Dl^J_kO4P8rrF|uOfThGhk@l4(hgeD+6lq_%`WQ<|fFkWH
zbxyLBBq-9pa`W#jB?XGKuZ%gzQqrJE`^py=SxN>JX<s=|u>wiSf+FoJf0$WH4isr$
zv6ZouJSft>(xN6yDS#sFD;;aIlp-k7zS8GflG4HiinOn+Zp2c|ph)}5AqPvbfFkWH
zzqMp3Hc+H}rP!9G*g=u@m4J(-I6#s1l}J~X;siz7R}wu~iVGBJU-_~(OEEx^_LUoM
zV<~P>q<y7rf0p6_McP+xzKf-JL6P>A4~DQ5A1Knk^1*#9#Se<KuYB_$O9_A??JK2Y
zSV|BSX<zy9VU`jCMcP;DO=KxyP^5k3#wS@y1QcmsiBDxIQN!9>+E<P|%~E2ZNc+mK
z&$5&_DAK-SdXc3hK#}&9#jmoIBq-9p^6^}jk^)8AS9Zo&N*WYtU%BsHmXZNQ+E>Ob
zVJTTqq<tlrU@19Jq<v-DDwdK5McP-sU&~Soph)}5;f*Y%2#U0?oc)BPv^0St?JIX|
zXDMb-q<y9TE|y{eMcP+Je$7&Bph)}5r0-aY9TaI_sd<2<I6#s1l>vuXiW3xRUm1Fo
zrMN(m_Lay<mSTV+?JKYT&Qjc<Nc+kw=U9pd6lq^sbdjZaL6P>AT9qo26dx$kzGAP+
zQv9Gu`%2sDEF}Pnw6FB6!BT>tNc+miHkJ|sMcP;P*JCMRP^5k3a6^_70Y%zZPF=@R
zqK5TmX<r%DlBL8zk@l4dZCOej6lq_Xd;?2KfFkWH^KWD+Nl>JHrK|@_Nr58mD_8es
zDQQroeWmfOEF}Yqw6DB*2TRF<BJC>+2eFhKDAK;N{2rE)2SwUfw)$8~0TgLp>G~i`
zDS{&HD<ejelvXBCq<!V708250BJC^3A7v>PP^5jO!V@gT28#Cjpb$&3gCgxKH%@0M
z4p5|hWx-6A;siz7R}Q|wQe2=&`^trvS&9LQw66?*ou#-zk@l5Q^I3`q6lq_1<Q<mc
z1x4CdCNE+sK2W56<-{_U;s-_ASE{UJDFINVeWl(SmJ$R-+E?amU@0L`q<v+{7M2nQ
zMcP-krCCY@6lq`ic_&MW8rELYzH;d+mJ$O++E*%k$5P^;Nc+l-Kd_VpDAK+%=pai;
zf+FoJ$MY;D1&Xw<R6fB{(x6EDN}JOxB?F4Iul%dXQnH{(`%3kTEF}kuw69!Qu@Xti
zgCgxKP0cK&0E)D)lwZM8il9jQ%12j{l-4Ftq<v-M)hxvfinOonzlNn)K#}&9UJY4_
z4HRi#8Gap0v4bM*D`Q)*6bC5MzVc)nmf{3O+E)&BWGOCCq<!T~7nWjxBJC>|4VK~t
zMcP+J-^@}xph)}5V|`hQ7Zhn<8Sh~!K2W56W!jxA#Se<Kul#;DO9_A??JH$ImJ$R-
z+E)fVz*0h>Nc&3mA1oydinOondx)h(K#}&9A1APssA26X?JMUdv6L7n(!O%XKUqo~
z6lq@>{4bW007cqY#y`VSlAuWYN_G}YNr58mD|=_Nlr$*PzEbHmmXZNQ+E*-ZvXm?+
z(!TQA0+x~kMcP*u$5~1q6z%!8%UDVQ6lq^Mx{{?7L6P>Ai)%=V(*%mNuUy)|Qp})8
z`^r_HuoMd@(!TQ0XDr1AinOnc{eq>~L6P>AiC?i42Po3M63Vg^Cn(asvUfjAae*T3
zD?k3kQVdX}edWg^EX56qw67dK&Qd&}Nc&3nQ!K>`inOnk|G`pxph)|Q`vObxgCgxK
zOG_$~lmIBwzEZ5hQi7mJ`-<gqmJ$L*d;W@*rG!C|_LV8MSV{yGX<wOIm!(7vYq|D(
zTRTgMfg<fIm721YI4IJ-QnfitNq{2lD;6h9NrEEnD?K}~loTk^z7p@uQqrJE`^vKJ
zEF}Yqw6E;$$x^bQNc)P>ho$5|k@l7Q`>~WfDAK<2#z2-*07cqY_6%kzMNp)DrSmY7
z(#8aew6F9Y!BWhiNc+l=Q7pv*inOn68OKs=ph){lVLVH*gCgxK#UM*@fFkWHt){RP
zCn(as^8PfI;sQn5S5}8viUEqWuWWjrrMN-S_LbQz#RH18uN;rE6fY>!zH)RPOYwms
z?JHFluoOQi(!LUivy=cR(!MfzDN6~0BJC^hEoUhqP^5ij!)lfi21VLeu3gVkBA`h7
zO1sT0C2ClENc&2sPgzO~6lq^EK4&R$P^5ij`Ijsu0gAM*Z1{$yBten(l~4AuloTk^
zzOpCBQqrJE`%34ZSxN>JX<xbL7nYI*McP;96<A6R6lq^6Im=S=ph){lr9W9p0TgLp
zsb{J}Qi`BR`--D7Noi{WMcP+pma-HxDAK<2N*PPBfFkWH(V8s928y(={8^i&*g=u@
zmD2hw#Q}=6uaq`sDNazNeWgn?mf`|M+E=!;VkrhF(!O%G9ZPY8BJC?Bomh$o6lq@>
z-HoMqL6P>A(d8_~2a2?>jB~RTKPb|^GUqmy5&%WoSE>(SDM3)AeWlFHQbM3;_gC&^
zDPd5gedY1{SxN*HX<wN#lBGlq>rK+W^7I&%5(7orSDty8rNlvz_LX@PSxN#FX<zyH
zNtTiXMcP-^PGu=6P^5ij%hN0+4T`j{^m>k^WI&Pjm0mBhlq@LHzS8GamXZTS+E?zL
z%Tn^7Nc+ml7)vRDBJC@y7P6EgDAK;NVlhc+X97jqSCSvF6f-E&zEW=$OR<0=?JKR;
zvJ@LA(!S!{$WrW}Nc+mOpRg1MDAK;N>ob<(1V!3c4u8Q?T%bt%iur4nVt^v;D^tH?
zDQ-}teI@b(OYwjr?JM&SvJ@{U(!OFk%2IrwNc)QU1WWOQqCMaCG)oD9BJC@kiYz4v
zinOof{$eR1P^5k3NQKKtN*EMrU%A@MQX-&8`^u~<SW48e8q&Tp>q?dq14Y_bqF1w&
zI4IJ-^42vhB>{@Gub3LLlq4w9zEb@<mXZQR+E<#jU@2)(q<!UuHY_CrinOmR?8s8G
zph)}5qAn~Y2a2?>tTI?i9u#R`aox;P3ZO{)inlLIDS{&HE5ke_rM(FhX<wN-h^3f8
z(eAI@!%{4uNc+khA4{=;BJC@SA7CkVP_+9iqgjdr6lq_n6JRM$P^5k3?nhaQ3lwQz
zi9XI!3{a$frACOQxIvNjmA2DaiU$;FUl}};rFcP+_LVU&uoNFC(!TP;%PhqYinOmB
zeT}6AK#}&9lW($=ASlwl5_pHDgg}w@m6?lJN*EMrUs<?}r9?oH_LXxhSW48ec9-^*
z32RtN3>5AD$_ADa2SvNTvW2B2K#}&9%Ac{6Bq-9pQsE1hk^)8ASIWL(DQQroeWgK`
zrDQ;n_LW)tSxOcZX<u3S6HCc~BJC^RA7LqZP^5k3re9e~0TgLpx&0JNDS{&HE1o|{
zN(U1t(!S!oz*5YhNc+m#5;IA$fFkWH8>_Gs8z|Dgvb`Ehv4bM*E3K_8#Q}=6uQ+P4
z6elRszS5*FOL2iB?JG_@OEEx^_LZ4USc)4IX<u1+JxlR`BJC@OTC)@{DBAOFJF*lX
zDAK+%qYF#%gCgxKuNy2S0E)D)eB6tr1VNGZm23L4ln^M=zS7FWQo^7}`^t@XvXlrY
z(!O%n-7F<)Si4F4%AsK_B?gMLubddcQsSUU`^t$?EF}Soc7Np|mXZWT+E*T&z*176
zNc+m@Nh~D|inOoHn8H#rph){lVj4@yf+FoJS3JW~a-c~2ienZ_$%7*8EA3~qlmaNy
zzVdREr4&Jt_LVvFNJ>W&DAK+Xd7Gt}L6P>ASKnhP7Eq*prNUB{Vgp6mS86P0DRxk#
zeWmtlmf`?K+E*ri%u<}7Nc+mWn^=kq6lq_1dmBqJK#}&9<PMhN21VLeEMKw|4=B>U
za`iVX#S4nGuhieiQhcCD`^xkjOYwsu?JH9cvy=cR(!TQ6F_sbpMcP;PpJXW^P^5jO
z>lv0321VLe?mEv>BA`h7%Cbu=C2Cl^O8ZLf%2i293>0Z!X<W)u;-E<TN{cd<k^n{8
zS8lG!Qj(xZ`^sZ=SV{^MX<vD&K1)f1BJC?rH)bgrP^5k3)n+Uu3yQR_oNL8Wa-c~2
zO0gYF$%7*8D-AlalmaN){grMkr3i|&uY6EWQf@GTBJC?H+$_ZmigthHHkM)mMcP+(
z^=BzIP^5jO+{;qzph){l?|WH_0~Bdr8FW8Oae^Z4E9*zH6c;GczOsD`OEEx^_Lbca
zvlKTd(!TQJV=To3inOncf0CtmL6P>AsZ&{s4-{!%dGTqM;s-_AS5806QUahz`^wn}
zO9_G^?JM?ISxN{LX<xZ*E=vi6QcZidAWMmWBJC@gg)Aj%SZ|c}71I)y5(7orSH>q;
zN*okvUzxs&r6fR+_LcBjmXZWT+E-?8WGN|7q<zJ_m8GOXk@l6Q+gVBm6lq`Su#2T+
zL6P>AIbXAs94OMhvgkXOk_ScFR~G)jQVO6*`^v8eSxONUX<wOnl%%*!ph)}5n<rR`
z85C(>S$LYISU{2Xm6PXKiVYNLUpaS?rPx7{_LU12OG%0Y6lq_%p(;ypf+FoJuT*C#
zE>NU>Wo-?XVt^v;D>)lWaf2f5E63}x6b~rc^H&<N6fY>!zB1IoQhcCD`^xZ^EX5Cs
zw6Bb5%TfZMNc+lFE|wAmMcP+vU0F&96lq^++JmKpL6P>AjlEe)1Qcms*?KEWi5k`}
z(!R3m4we!FMcP+#gIG!&6lq`SGK8fhK#}&9yY6EtNl>JH<-P}5N(vNdUs*qzrKCZT
z_LWTmmXZNQ+E=zb%2KkRNc+kckF%5<DAK;tJj7D+ph)}5Q`1>W0TgLp`CukXDS{&H
zD_2EGN+%O2(!Nst6_#QKMcP*`d!40NK#}&9E9bKm8z|Dg5`2fH*g=u@mCz!V;s8b3
zS0c+;iW3xRU$L)bDK1c?eWk@3mSTV+?JM0juoO2a(!Mfw3rq2UBJC?1(k#UbinOn6
z+{sdWph)}5?%gcK4~n#}{F!Ab0Z^oU#qtA734)@%Kl4GB5&}iqS8C;1N*EMrU-A62
z8cB(OBJC>^|HV?GhPAV_uS|Z1rNlsy_LY(sSV|leX<w=QGD}H-BJC@6Ut=jrP^5ij
z`I{^y1&Xw<Y+t}q(x6ED$~SSAk^x29SI#eGDOpgYeP!GVmXZTS+E*qeSxO!hX<vC~
zJxeKoBJC^JZ(%7#P^5k3mNZG}Yyw4l{>o04Vg^OpS61z2DHc$qeWhWRrPx4`_LcVg
zS&AJLX<xbNCzj#>McP+39bqX>P^5ij*KwBO0!7+a_W#CG3{a$f<@i~a;s!<9SMIyO
zQaqqY`^uP-%SnnC6lq_XR)wYbK#}&94wthOKPb|^GSSLX0-#9y$`iF%N)QxjUwOMO
zO9_D@?JK1XSV|ZaX<up3l%+&Kk@l4i%~?v+uy&I6mAOuq5(7orR~B?&DREGwePu;w
zmXZKP+E+GoXDLZgq<!VOUMwXAinOnc?88#hph)}5qy1P)1{7&uS#c*z$$}#7E1%uX
zQgWb3`^t`CEF}+$w67c*!BPsKNc&2kf3TDyDAK+%=pmBQ#RQ79uRJ_~rI<mH_LV7<
zSc(M{X<x}tVJS9Hq<!VgG?roqMcP+dJi}5Pph)}5j9Dzj35v9@6lb#(7bw!cQsp(4
zVt^v;D>dI_DQ-}teWl|9mf``WT>IA)OYwpt?JN72vJ@XE(!TQ7a+cx;McP;Xkz^?W
zP^5h&u%4v^L6P>A&}Nnr0!7+awtUJ`!k|d|O3R%rB?5}Huk_!|Qlf^{CG9KEeali}
zph){lkNqqq4vMs|4Ec$rBtVh&l`%(HN)i-lUzu{8rKCWS_La(~SV|fcX<xDb!BR4y
zNc&2g3oIoIinOoHExCfE<Uo=3mHAazN*)wxUzt~pr4&HXULRy(DMe7EeWkP(Nx9Jk
zinOl`t;<r(ph)}5^LCbE0Y%zZ>`hsU4HRi#xwbh=v4bM*D@~m&#Q}=6uXO3aQk<Yj
z`^p1dSc(f2X<r#?uoMFnX<r%Bi>0_hk@l6x`>+%bDAK-C(Zf=_ph){l!#i1u4-{!%
z>3BCw@q;4mE4K_|DFINVeP#U!mJ$R-+E+G@Vksd|q<v-IIF=FyMcP+RjAtnkP^5ij
z_#~DRHLN#C`^tnVEF}htw6BDxv6MI{(!O#!%u*7dNc&3JES8c4McP;Hn9WjBph)}5
zt5KGc21VLeD!$25GN4HN%H<1KN){ApU#SykDLGK2ePz~CmXZfW+E->TXDJ0xq<v-1
zYL-$2MSK6Ck4Z{b6DZQY(seUSF@qxQEACHOiUkyDUm5Z_OR<3>?JK9gWGQw~q<!Vg
zH!Q^ginOm>+{aR!ph){l?;lx;3lwQzS^P6gF+h>_l{LSx6gMc+zOuQ%QaqqY`%0U$
zEX50ow66^Mlco4Tk@l6vrs^cc4~n#}d{mjG1VEAYl}6QAN)QxjU%Au5QbM3e`^vDZ
zSV|ZaX<v!dWhoI*q<tlBXDLy`+ELn9-fhBCVxUO-%KGbBN*okvU%AG~QWBs@`%2>u
zEF}qww6ApT%u-UINc+mo-C0T+6lq_1zb8w{fFkWHAKt=JvY<%&%G%pmN)8lhU-@zX
zOUZ*G?JFGzvy=iT(!Mf$C`&1VBJC@~hm(|UCQzh(<#RtvF@qxQEBUc3#R7`<`k+Tx
ziVYNLU-@GqOR<9@?JH9zvlIs?(!MhNDVE{{McP;9&R{7nP^5k3;&Uv;07cqYN?u|q
zZcwCs<+3>}#RH18uXK8YrFcP+_LaqNu@oOD(!R3vU6$epMcP*mFJUPGP^5k3&JS5i
z5EN-&>HiT+34tQ*D}&atlrSjLzA_}mQX-&8`^x)USxVHfc98a!joVpD3>0Z!*|v+N
z#6gkvm3n(vN&*yVUm3KQr6fU-_LX}Mu#^-i(!Mh65KBpeBJC?%j<S>tDAK;N=>$v3
zf}*{D&}o*E14Y_b&YWW@c~GQ%<@`mKQUFETS58$dBPm5tq<!VGswAbm2^48x8C#vD
zm_d>Dl?gRiiUkyDUs+&dDK=1~edVuuEX59rw68qeh^06{k@l5|4wm8sMcP+_Em?{S
z6lq_1rY%b`K#}&98ZMUN21VLeuI<WFJfKMXN{b#W#S4n8ulPY}RoO&Re4w;bQdXC;
z6hA1<m6Xk8EF}O+BPFHLRV*b4N?j#oc^#G#0;PtM@@0LN5(cH3l2Y1)r9?ofsH7Oz
zvy`Y|ZU3i|vb{A+iGgxjNx7^8ONoQ>i;{AAXO@xx<)D)CQg@b;1ZAI+@^w#^k^<!`
zCFS>9SV|g{9ZE{gek>&e$`&PM<v^B_1!bL*vTiU-$$_#$NjWx@rQ|_bqNI!;!BPsK
kEKpJcqfDj;P5<%uUli|uQttYnl<uaI`bEP!FhNlM4Zr?)UH||9

literal 0
Hc-jL100001

diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.py b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.py
new file mode 100755
index 000000000..b6457ee38
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/eth-ip-gre-ppp-max-ip-packet.py
@@ -0,0 +1,11 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+data = 'A' * (65535 - 20 - 8)
+encap = IP(src='1.1.1.1', dst='2.2.2.2')/UDP(sport=11111,dport=9999)/data
+frags = fragment(encap, 64)
+for f in frags:
+    pkts += Ether()/IP(src='7.7.7.7', dst='9.9.9.9')/GRE(proto=0x880b)/PPP()/f
+wrpcap('eth-ip-gre-ppp-max-ip-packet.pcap', pkts, snaplen=262144)
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/suricata.yaml b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/suricata.yaml
new file mode 100644
index 000000000..159d885ba
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            packet: yes              # enable dumping of packet (without stream segments)
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.rules b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.rules
new file mode 100644
index 000000000..bde5e4b79
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (dsize:>65000; sid:1;)
diff --git a/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.yaml b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.yaml
new file mode 100644
index 000000000..89262988a
--- /dev/null
+++ b/tests/defrag/bug-6942-6887-defrag-eth-ip-gre-ppp-ip-udp-data/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  min-version: 8
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+      packet.__len: 87384
+        #packet_info.linktype: 12 # Bug 6954: on OpenBSD this value in 14.
-- 
2.47.2