From fac82c33b01ef688ecaf2e5b54186b7920792b08 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Mon, 20 Jan 2025 08:40:58 -0500
Subject: [PATCH] detect/csum: Test interaction btw csum/stream setting
Issue: 7467
Validate that there is no interaction between the csum keyword and stream.checksum-validation settings.
---
tests/detect-chksum-01/README.md | 11 ++++++++++
tests/detect-chksum-01/input.pcap | Bin 0 -> 2763 bytes
tests/detect-chksum-01/test.rules | 1 +
tests/detect-chksum-01/test.yaml | 32 ++++++++++++++++++++++++++++
tests/detect-chksum-02/README.md | 11 ++++++++++
tests/detect-chksum-02/test.rules | 1 +
tests/detect-chksum-02/test.yaml | 34 ++++++++++++++++++++++++++++++
7 files changed, 90 insertions(+)
create mode 100644 tests/detect-chksum-01/README.md
create mode 100644 tests/detect-chksum-01/input.pcap
create mode 100644 tests/detect-chksum-01/test.rules
create mode 100644 tests/detect-chksum-01/test.yaml
create mode 100644 tests/detect-chksum-02/README.md
create mode 100644 tests/detect-chksum-02/test.rules
create mode 100644 tests/detect-chksum-02/test.yaml
diff --git a/tests/detect-chksum-01/README.md b/tests/detect-chksum-01/README.md
new file mode 100644
index 000000000..ee3e2100f
--- /dev/null
+++ b/tests/detect-chksum-01/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Contributed by Hans Vermeer
+
+Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks.
+
+This test enables `stream.checksum-validation`
+
+## PCAP
+
+Contributed by Hans Vermeer
diff --git a/tests/detect-chksum-01/input.pcap b/tests/detect-chksum-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1b4ffc446eff21a986d53a88b9ddfad6e793452e GIT binary patch literal 2763 zc-obgO>7%Q6vwAY+D1!Vl_FI=4i2Rs>U!6)o21TqRfnb@Y12lDqgFy3*1NOojmJCA z?!<1Wil7(Z4C2y4T27o%RX~v{Xi=evLlH>jz=Z>}AOWg4AgV~=&90rquItdXcD*z6 z{F^ubH}jr*YYw#8{oUTYve@VJ25l{@8U*1)$f0tK`%Vm`{;Bp8bwIE zcli)HwCRs)pMTWV{oVA>?xjUEVNY)ULKt7^+Hv=}L4>+`HeT!L>Xp!&cV7|x8@jtU z3o_lab(I`4BYs3)_!XhlCch-8f{rFGEykC2zX9}{SGMoi^YBDSeov4mw@+ObbRcgM zkqfZb_FT)g)|NKCaQ z?nH^|&Sv7#(L7dil%8RJDd$52)yx4DEesa*wOE`W{`2ov^zB9z z-mS!qHx?cUBEA14qOo^{_>CYoG{9*!jZZO-kFYt<3RlHJ4mm$xAsNicIj$6WnGR#K zX!rr)+3EZdc_=2GmDgIzrz=8;AcH*?c&=^7q{9XWz&P{vW0+yg@NmDHRB>`J(|<6N zI*5;s=VQ_o@vFqo;J~)Y>f9%Z=kQ_%CsRX%Vy3fGQ}Tq*ctdTqllYRP35Rv9NDNDt zv@+oaE^=Ox$?Tk4&Bo38EFAof<9aI_UtMZrrE}bthvIB;25j*WBXi9oj!%epK~fZ1)-@$k8WcBux56XItA>w# zGYhd9j?5&mi^k!tz6HX#i1=nhcU2V^oN$J0pB-Kz#zuh>5Wu&HpH;C*D6JTl<$6xG zKWu>(rf8|S=32a%O{(fHUE@C77WP?9Xq8Ph26w?hsQE@k%&u!f5o{YK$#S<$0$iV5 zRZ|BG16W7}IQ^)m2*W3uo9Sdf_}(yQ>zLaq^FVUwf19^B z{-Re1D#OuJQwkyumfmQ>D?EJB8L8ZeTD&in8W=Fm_}b}Ow>ECrMj-~_cuL0Vfuoo;-;)lUYPxzYuAPFci7H z`%%Zjx)7GZ&zj3%@A3GOyajUmsPgVg8MH-y7sO|PxCF4JcJ=4ah2KQAn7!UyE#xg> zwb+SfcK_5|Ep%Kn0@%`^wOBZ29_B?iz(JV56OePoPFI?gicZw(VQD&3YV(=WJA~LR zJJ_I*q2mo0E{6Fko7UTfOA*H%+F=z4Yw@Rt)e{j`m`w?W;P6JI{A?s8}1)sXl} zTjH}oywyys0r6o4b^5>Xd-#8WwZ!W-P{)8clXz_ any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;) diff --git a/tests/detect-chksum-01/test.yaml b/tests/detect-chksum-01/test.yaml new file mode 100644 index 000000000..60b75fefd --- /dev/null +++ b/tests/detect-chksum-01/test.yaml 
@@ -0,0 +1,32 @@
+requires:
+ min-version: 8
+
+args:
+- --set stream.checksum-validation=yes
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.severity: 3
+ alert.signature: SURICATA TCPv4 invalid checksum
+ alert.signature_id: 1
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ direction: to_server
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 74
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867
diff --git a/tests/detect-chksum-02/README.md b/tests/detect-chksum-02/README.md
new file mode 100644
index 000000000..67e0ec280
--- /dev/null
+++ b/tests/detect-chksum-02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Contributed by Hans Vermeer
+
+Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks.
+
+This test disables `stream.checksum-validation`
+
+## PCAP
+
+Contributed by Hans Vermeer
diff --git a/tests/detect-chksum-02/test.rules b/tests/detect-chksum-02/test.rules
new file mode 100644
index 000000000..1eb9c450f
--- /dev/null
+++ b/tests/detect-chksum-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;)
diff --git a/tests/detect-chksum-02/test.yaml b/tests/detect-chksum-02/test.yaml
new file mode 100644
index 000000000..1af4ca7f7
--- /dev/null
+++ b/tests/detect-chksum-02/test.yaml
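Review bot: The single filter in detect-chksum-01/test.yaml asserts only that the tcpv4-csum rule alerts once, so nothing in this check would fail if `--set stream.checksum-validation=yes` were ignored at runtime (inferred; every `match` key is an alert, flow or packet field, none of them reflects the stream setting). Because the pair exists to show that the keyword and the stream setting are independent, the expectation should at least be stated in the file, e.g. `# stream.checksum-validation=yes must not suppress the tcpv4-csum:invalid alert (Issue 7467)` placed above `args:`. If the framework's stats checks expose a counter that the setting influences, a second filter on it would also pin that the setting actually took effect, but I cannot confirm the counter name from this page. The same observation applies to the detect-chksum-02 test.yaml hunk, with `=no` in the comment.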
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../detect-chksum-01/input.pcap
+
+args:
+- --set stream.checksum-validation=no
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.severity: 3
+ alert.signature: SURICATA TCPv4 invalid checksum
+ alert.signature_id: 1
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ direction: to_server
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 74
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867
-- 2.47.2
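Review bot: `pcap: ../detect-chksum-01/input.pcap` ties detect-chksum-02 to its sibling directory, and apart from that one line and the `=no` argument the file is identical to detect-chksum-01/test.yaml, so the relationship is easy to miss when one of the two is edited or renamed. A one-line comment next to the `pcap:` key would make the coupling explicit, e.g. `# Same capture as detect-chksum-01; the two tests differ only in stream.checksum-validation (no here, yes there).` Whether the verify harness resolves the relative path from the test directory is not visible on this page, so confirm that before relying on it elsewhere.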