From 64e6515becb8567b0c30c1932f517e387f044b90 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 18 Dec 2024 21:23:36 +0100
Subject: [PATCH] doh2: add test for 65K limit

Ticket: 7464
---
 tests/dns-over-http2-limit/README.md | 12 ++++++++++++
 tests/dns-over-http2-limit/input.pcap | Bin 0 -> 135313 bytes
 tests/dns-over-http2-limit/test.rules | 2 ++
 tests/dns-over-http2-limit/test.yaml | 17 +++++++++++++++++
 4 files changed, 31 insertions(+)
 create mode 100644 tests/dns-over-http2-limit/README.md
 create mode 100644 tests/dns-over-http2-limit/input.pcap
 create mode 100644 tests/dns-over-http2-limit/test.rules
 create mode 100644 tests/dns-over-http2-limit/test.yaml

diff --git a/tests/dns-over-http2-limit/README.md b/tests/dns-over-http2-limit/README.md
new file mode 100644
index 000000000..c45a5f30b
--- /dev/null
+++ b/tests/dns-over-http2-limit/README.md
@@ -0,0 +1,12 @@
+# Description
+
+Test DNS over HTTP2 respects 65K UDP limit
+https://redmine.openinfosecfoundation.org/issues/7464
+
+# PCAP
+
+Crafted with:
+- a simple golang HTTP2 server always returning 415 http.StatusUnsupportedMediaType
+- client `curl -H "content-type: application/dns-message" --http2-prior-knowledge 127.0.0.1:8080/dns -d @badns` with badns being a file over 65Kbytes
+
+(I do not know why golang server sends many RST_STREAM at packet 45)
diff --git a/tests/dns-over-http2-limit/input.pcap b/tests/dns-over-http2-limit/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9984c3e3ea9d881c6fafa52bf98b3c46bd2c9923 GIT binary patch literal 135313 zc-rmUZ)n_i9S895C6{uvlwPv7iPDj1(=F@7u9A%~ZIiXB*rA~;buuZGwiXL3uFNUH zKlI$vB7=@hMc4z2ijz(9VEABD5fzp`aAV!jArnOG(2;eR;sZe)Uj2UWlDj7RrQUA~ zW6;-&{&GhyzxVg^{r>K0-!DJ=(;u{jVrZ(r-}0d&pD%o{6h`CwbhX86PY5IF-^i*E zPKHoOSM_Y~)a`$txi{VORNLjt)xr3;#o<>9?d_`yh0^MO_YYjCrMA^GzuZD*?^N~d zh3;L4WA5>%y55>O7G`#)+=a|jF>@$p4K*_dmznc;%so;m_qx-w^Brj+yFm@^UYpJ?VhaMgKwV$QL}^X$88Z{OCwPwd~nZ`(&ce9PL^Ygdnd zD*X(hYyM%i$Ln+PX?=fwm2}9Z+RM(9p^)b2+MH`Y({Vo+v-b1*m{W{TDP8rP_$GTl z(+lUjU^t}UXzH#DD6YJWG4;{Yq(XV`S%hUUwef}3eJ2~FI zb=%g1Q`dj#rNe7)*zw7|cWwO96CQAHhH3+Cy>8q2}6yOV{q5s-8{jrapv9x%-XkKz;4B zZdyO({3~D1bj-P!mGfrH{RpG)PCr6}q67c{0000000000000000IprB6X0^o{RopQ z-j5La^Yj{wPE^VpGy4&W`EsUXPG&zsIakhPoM%JkJe~cm_AE@k%RLJXVfcQ93jhEB z000000000000000Tw78n!214D_;?7lYrb1xS9T}BOtWX%sC(LKi|xGZkf|M-8ijZEk3Of&b$XJ4$|&Elk1eu zZHlKfn{`S*k2y!<{YRTQhpw8_6LUVjI46YuV(pkhM<~ai?eY3gSQW~Jkx&TfSH;@z zOX(!jqA#^DeErd!+Y}d`s+4;gU%7=xlXCtTbH?KRW6hj9ml=MlG5pS@!-ry_K7FxN ze_dCf@^AU3{PA*AuHMpWl}9sYX_ZHF%8{US0{{R3000000000000000-nrBXux?8! z91o#(&36kN%j^WWRGh7K0`&A;tRA>pl}GDqzrWQ!f=eCC_7S`_Sup_s0000000000 z00000006ubsT1J(miq`sSGkhZrg*D>vh z$K92A+0o1>5=f*E|@9wUYdm0B2hki8;pK?yboVj@aTr=ll_5tkfZXCd$mmWZ4 zxRG$>*d14VGJOBiPcr{( any any (msg:"SURICATA HTTP2 dns request too long"; flow:established,to_server; app-layer-event:http2.dns_request_too_long; classtype:protocol-command-decode; sid:2290016; rev:1;) +alert http2 any any -> any any (msg:"SURICATA HTTP2 dns response too long"; flow:established,to_client; app-layer-event:http2.dns_response_too_long; classtype:protocol-command-decode; sid:2290017; rev:1;) diff --git a/tests/dns-over-http2-limit/test.yaml b/tests/dns-over-http2-limit/test.yaml new file mode 100644 index 000000000..40ccf57ac --- /dev/null +++ b/tests/dns-over-http2-limit/test.yaml 
@@ -0,0 +1,17 @@
+requires:
+ min-version: 8.0.0
+
+# disables checksum verification
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2290016
-- 
2.47.2
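Review bot: The first filter (`count: 1` on bare `event_type: alert`) is the only thing asserting that sid 2290017 stays silent, and nothing in the file says so. Since test.rules loads both the request-side and response-side rules, a comment above that filter such as `# exactly one alert overall: only the request-side event may fire` would document the intent. An additional filter with `count: 0` on `alert.signature_id: 2290017` would keep the assertion explicit if more rules are later added to test.rules. The checks also do not pin what happens to the oversized body itself: if the intended behaviour for ticket 7464 is that no DNS transaction is logged for it, a `count: 0` filter on `event_type: dns` would cover that, but this needs confirming against the parser change, which is not visible here.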