From 8eebff65e28fbcf6c1411e5806052c0a7091b9ef Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Thu, 21 Mar 2024 09:25:49 -0400
Subject: [PATCH] detect/ipopts: IP option tests

---
 tests/detect-ipopts/README | 12 ++++++++
 tests/detect-ipopts/input.pcap | Bin 0 -> 532 bytes
 tests/detect-ipopts/ipopt.py | 27 +++++++++++++++++
 tests/detect-ipopts/test.rules | 10 ++++++
 tests/detect-ipopts/test.yaml | 54 +++++++++++++++++++++++++++++++++
 5 files changed, 103 insertions(+)
 create mode 100644 tests/detect-ipopts/README
 create mode 100644 tests/detect-ipopts/input.pcap
 create mode 100644 tests/detect-ipopts/ipopt.py
 create mode 100644 tests/detect-ipopts/test.rules
 create mode 100644 tests/detect-ipopts/test.yaml

diff --git a/tests/detect-ipopts/README b/tests/detect-ipopts/README
new file mode 100644
index 000000000..c8e0769e8
--- /dev/null
+++ b/tests/detect-ipopts/README
@@ -0,0 +1,12 @@
+Test the IP options. There's already a test for the extended security option; the following IP options are
+tested:
+- Record Route "rr"
+- Loose source route "lsrr"
+- EOL "eol"
+- NOP "nop"
+- Timestamp "ts"
+- Security "sec"
+- Strict source route "ssrr"
+- Stream id "satid"
+
+The pcap was generated using ipopt.py
diff --git a/tests/detect-ipopts/input.pcap b/tests/detect-ipopts/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..faee4bcad1c98a3a26b6be18d8ba482d2e74c4ed
GIT binary patch
literal 532
zc-p&ic+)~A1{MYw`2U}Q;R%p_X7nf3ERUN(2gn9tHxR|hz~I1UH any any (msg:"RR option set"; ipopts:rr; sid: 1;)
+alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;)
+alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;)
+alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;)
+alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;)
+alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;)
+alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;)
+alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;)
+# covered in ipopts-sec
+#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)
diff --git a/tests/detect-ipopts/test.yaml b/tests/detect-ipopts/test.yaml
new file mode 100644
index 000000000..a7de363f7
--- /dev/null
+++ b/tests/detect-ipopts/test.yaml
@@ -0,0 +1,54 @@
+requires:
+  min-version: 8
+
+args:
+  - --set stream.midstream=true -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 1
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 2
+        alert.signature_id: 2
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 4
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 5
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 6
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 7
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 8
+        alert.signature_id: 8
-- 
2.47.2
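Review bot: The sid 3 (EOL) check in test.yaml is the only filter without a `pcap_cnt`, so it asserts only that six EOL alerts occur somewhere in the capture, whereas every other check pins its alert to a single packet; a regression that dropped the EOL alert on one packet and fired it twice on another would still pass. If EOL shows up in several packets because the option list is padded to a 4-byte boundary (presumably what ipopt.py does; the script is not readable in this patch), a comment stating that would make the 6 intelligible, e.g. `# EOL: present as padding in several packets, so no pcap_cnt`, and splitting it into per-packet `count: 1` filters would pin it like the rest. The args line would also benefit from a one-line note on why checksum verification is disabled, e.g. `# -k none: crafted packets do not carry valid checksums`, if that is indeed the reason.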