From c6d68da26c4a4e3136060801de395bfda664830c Mon Sep 17 00:00:00 2001 
From: Juliana Fajardini Date: Thu, 5 Jun 2025 12:43:12 -0300 Subject: [PATCH] tests: add tests for decode encapsulation types Add simple tests for alert to match on TCP traffic over: - IPv4 over IPv4 - bug-4571-01 - IPv6 - bug-4571-02 - IPv6 over IPv6 - bug-4571-03 - IPv6 over IPv4 - bug-4571-04 - IPv4 - bug-4571-05 - IPv4 over IPv6 - bug-4571-06 Related to Bug #4571 Bug #7725 Bug #7752 --- tests/bug-4571-01/README.md | 12 +++++++ tests/bug-4571-01/ipv4_over_ipv4.pcap | Bin 0 -> 166 bytes tests/bug-4571-01/suricata.yaml | 25 ++++++++++++++ tests/bug-4571-01/test.rules | 1 + tests/bug-4571-01/test.yaml | 43 ++++++++++++++++++++++++ tests/bug-4571-02/README.md | 12 +++++++ tests/bug-4571-02/ipv6.pcap | Bin 0 -> 126 bytes tests/bug-4571-02/suricata.yaml | 24 ++++++++++++++ tests/bug-4571-02/test.rules | 1 + tests/bug-4571-02/test.yaml | 28 ++++++++++++++++ tests/bug-4571-03/README.md | 11 +++++++ tests/bug-4571-03/ipv6_over_ipv6.pcap | Bin 0 -> 166 bytes tests/bug-4571-03/suricata.yaml | 24 ++++++++++++++ tests/bug-4571-03/test.rules | 1 + tests/bug-4571-03/test.yaml | 42 ++++++++++++++++++++++++ tests/bug-4571-04/README.md | 13 ++++++++ tests/bug-4571-04/ipv6_over_ipv4.pcap | Bin 0 -> 146 bytes tests/bug-4571-04/suricata.yaml | 25 ++++++++++++++ tests/bug-4571-04/test.rules | 1 + tests/bug-4571-04/test.yaml | 45 ++++++++++++++++++++++++++ tests/bug-4571-05/README.md | 12 +++++++ tests/bug-4571-05/ipv4.pcap | Bin 0 -> 106 bytes tests/bug-4571-05/suricata.yaml | 24 ++++++++++++++ tests/bug-4571-05/test.rules | 1 + tests/bug-4571-05/test.yaml | 29 +++++++++++++++++ tests/bug-4571-06/README.md | 11 +++++++ tests/bug-4571-06/ipv4_over_ipv6.pcap | Bin 0 -> 146 bytes tests/bug-4571-06/suricata.yaml | 24 ++++++++++++++ tests/bug-4571-06/test.rules | 1 + tests/bug-4571-06/test.yaml | 44 +++++++++++++++++++++++++ 30 files changed, 454 insertions(+) create mode 100644 tests/bug-4571-01/README.md create mode 100644 tests/bug-4571-01/ipv4_over_ipv4.pcap create mode 100644 
tests/bug-4571-01/suricata.yaml create mode 100644 tests/bug-4571-01/test.rules create mode 100644 tests/bug-4571-01/test.yaml create mode 100644 tests/bug-4571-02/README.md create mode 100644 tests/bug-4571-02/ipv6.pcap create mode 100644 tests/bug-4571-02/suricata.yaml create mode 100644 tests/bug-4571-02/test.rules create mode 100644 tests/bug-4571-02/test.yaml create mode 100644 tests/bug-4571-03/README.md create mode 100644 tests/bug-4571-03/ipv6_over_ipv6.pcap create mode 100644 tests/bug-4571-03/suricata.yaml create mode 100644 tests/bug-4571-03/test.rules create mode 100644 tests/bug-4571-03/test.yaml create mode 100644 tests/bug-4571-04/README.md create mode 100644 tests/bug-4571-04/ipv6_over_ipv4.pcap create mode 100644 tests/bug-4571-04/suricata.yaml create mode 100644 tests/bug-4571-04/test.rules create mode 100644 tests/bug-4571-04/test.yaml create mode 100644 tests/bug-4571-05/README.md create mode 100644 tests/bug-4571-05/ipv4.pcap create mode 100644 tests/bug-4571-05/suricata.yaml create mode 100644 tests/bug-4571-05/test.rules create mode 100644 tests/bug-4571-05/test.yaml create mode 100644 tests/bug-4571-06/README.md create mode 100644 tests/bug-4571-06/ipv4_over_ipv6.pcap create mode 100644 tests/bug-4571-06/suricata.yaml create mode 100644 tests/bug-4571-06/test.rules create mode 100644 tests/bug-4571-06/test.yaml
diff --git a/tests/bug-4571-01/README.md b/tests/bug-4571-01/README.md
new file mode 100644
index 000000000..5ea1f1371
--- /dev/null
+++ b/tests/bug-4571-01/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv4 over IPv4 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+https://redmine.openinfosecfoundation.org/issues/7752
diff --git a/tests/bug-4571-01/ipv4_over_ipv4.pcap b/tests/bug-4571-01/ipv4_over_ipv4.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..21697bc8f411a1da471ae3e116d0de1c92b020c4
GIT binary patch literal 166 zc-p&ic+)~A1{MYw`2U}Qfe}cvLiu%2%*CJ%lmL?q91N}u3v2_ xn1Et2U@ any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-01/test.yaml b/tests/bug-4571-01/test.yaml
new file mode 100644
index 000000000..15d0ef44a
--- /dev/null
+++ b/tests/bug-4571-01/test.yaml
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ pkt_src: ipv4 tunnel
+ src_ip: 10.1.0.3
+ dest_ip: 10.1.0.4
+ tunnel.src_ip: 10.1.0.1
+ tunnel.dest_ip: 10.1.0.2
+ tunnel.proto: IP-in-IP
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IP-in-IP
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ flow.alerted: false
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ src_ip: 10.1.0.3
+ dest_ip: 10.1.0.4
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.ipv4_in_ipv4: 1
diff --git a/tests/bug-4571-02/README.md b/tests/bug-4571-02/README.md
new file mode 100644
index 000000000..a622a7110
--- /dev/null
+++ b/tests/bug-4571-02/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv6 decoding.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+
diff --git a/tests/bug-4571-02/ipv6.pcap b/tests/bug-4571-02/ipv6.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f5ea8414983496e56f62a3f1799cebabbcd6aa7a
GIT binary patch literal 126 zc-p&ic+)~A1{MYw`2U}Qfsp}%K_Co@xfs-ef?$%N?QQ}{N`b9jfsuDd>tYb6OOLsr l*aVGl$`AmAjNgBOL;`@ea7|=j$Vkn}$=6XR&o9bJ0RTBV7%~6= literal 0 Hc-jL100001
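Review bot: The alert check in tests/bug-4571-01/test.yaml lists `pkt_src` twice in the same `match` mapping (`pkt_src: wire/pcap` followed by `pkt_src: ipv4 tunnel`); a YAML mapping cannot hold duplicate keys, and PyYAML-style loaders silently keep the last one, so the `wire/pcap` line is never asserted and only looks like a check. Dropping the `pkt_src: wire/pcap` line leaves the assertion this test appears to want, `pkt_src: ipv4 tunnel`. The same duplicate is in tests/bug-4571-04/test.yaml (`wire/pcap` then `ipv4 tunnel`) and, as two identical `pkt_src: wire/pcap` lines, in tests/bug-4571-02/test.yaml and tests/bug-4571-05/test.yaml. If the runner's loader rejects duplicate keys, these four files would fail to parse outright, so it is worth confirming which loader it uses.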
diff --git a/tests/bug-4571-02/suricata.yaml b/tests/bug-4571-02/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-02/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-02/test.rules b/tests/bug-4571-02/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-02/test.yaml b/tests/bug-4571-02/test.yaml
new file mode 100644
index 000000000..755babec1
--- /dev/null
+++ b/tests/bug-4571-02/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ ip_v: 6
+ pkt_src: wire/pcap
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ flow.alerted: true
diff --git a/tests/bug-4571-03/README.md b/tests/bug-4571-03/README.md
new file mode 100644
index 000000000..ab920cb6a
--- /dev/null
+++ b/tests/bug-4571-03/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Check for proper engine behavior for IPv6 over IPv6 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
diff --git a/tests/bug-4571-03/ipv6_over_ipv6.pcap b/tests/bug-4571-03/ipv6_over_ipv6.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..9a54716192f0e3ce255478f6756b001b377aa718
GIT binary patch literal 166 zc-p&ic+)~A1{MYw`2U}Qfe}cnN1x7v-b?0N7t5l>h($ literal 0 Hc-jL100001
diff --git a/tests/bug-4571-03/suricata.yaml b/tests/bug-4571-03/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-03/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-03/test.rules b/tests/bug-4571-03/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-03/test.yaml b/tests/bug-4571-03/test.yaml
new file mode 100644
index 000000000..034d6e772
--- /dev/null
+++ b/tests/bug-4571-03/test.yaml
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: ipv6 tunnel
+ proto: TCP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8335
+ tunnel.src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ tunnel.dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ tunnel.proto: IPv6
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:8335
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ proto: IPv6
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ - filter:
+ count: 2
+ match:
+ event_type: flow
diff --git a/tests/bug-4571-04/README.md b/tests/bug-4571-04/README.md
new file mode 100644
index 000000000..6f114b44b
--- /dev/null
+++ b/tests/bug-4571-04/README.md
@@ -0,0 +1,13 @@
+# Test
+
+Check for proper engine behavior for IPv6 over IPv4 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+https://redmine.openinfosecfoundation.org/issues/7752
+
diff --git a/tests/bug-4571-04/ipv6_over_ipv4.pcap b/tests/bug-4571-04/ipv6_over_ipv4.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c3a961f9f393cfca4e3789e1af15fc0a1feff0ef
GIT binary patch literal 146 zc-p&ic+)~A1{MYw`2U}Qfe}bEL-|=y%*CJ%lmL?q91N}u3^6R17#Qj`l@@a`0>v2_ zm=ZwB71-((7w`I{Gyx` E0AFz#{r~^~ literal 0 Hc-jL100001
diff --git a/tests/bug-4571-04/suricata.yaml b/tests/bug-4571-04/suricata.yaml
new file mode 100644
index 000000000..1099e1a86
--- /dev/null
+++ b/tests/bug-4571-04/suricata.yaml
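Review bot: The third check in tests/bug-4571-03/test.yaml has no `event_type`, so its `count: 1` is satisfied by any record carrying `proto: IPv6` and the outer addresses, and unlike the outer-tunnel flow checks in bug-4571-01, -04 and -06 it never pins `flow.alerted: false`; adding `event_type: flow` and `flow.alerted: false` to that `match` makes it assert the same contract as its siblings. Separately, bug-4571-03 and bug-4571-06 enable only `alert`, `drop` and `flow` in their suricata.yaml and check no decoder counter, whereas bug-4571-01 and -04 add `- stats` and assert `stats.decoder.ipv4_in_ipv4` / `stats.decoder.ipv6_in_ipv4`. If the engine exposes the corresponding IPv6-in-IPv6 and IPv4-in-IPv6 counters, checking them here the same way (which also requires `- stats` in those two suricata.yaml files) would give the four encapsulation tests uniform coverage.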
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
+ - stats
diff --git a/tests/bug-4571-04/test.rules b/tests/bug-4571-04/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-04/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-04/test.yaml b/tests/bug-4571-04/test.yaml
new file mode 100644
index 000000000..25319c734
--- /dev/null
+++ b/tests/bug-4571-04/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ pkt_src: ipv4 tunnel
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ tunnel.src_ip: 10.1.0.1
+ tunnel.dest_ip: 10.1.0.2
+ tunnel.proto: IPv6
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IPv6
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ ip_v: 4
+ flow.alerted: false
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.ipv6_in_ipv4: 1
diff --git a/tests/bug-4571-05/README.md b/tests/bug-4571-05/README.md
new file mode 100644
index 000000000..824aaa593
--- /dev/null
+++ b/tests/bug-4571-05/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Check for proper engine behavior for IPv4 decoding.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
+
diff --git a/tests/bug-4571-05/ipv4.pcap b/tests/bug-4571-05/ipv4.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..23befb3519dd04caef443076bf4b42868d07e94b
GIT binary patch literal 106 zc-p&ic+)~A1{MYw`2U}Qfsp|LoS>MCK^-UoCK)&wTp1WlSS~Rz)UzqQ<6;DgGcqtS g1OOr9_g^4g0YDSu-Y_s^q~_%0>nN1x7v-b?047xtlmGw# literal 0 Hc-jL100001
diff --git a/tests/bug-4571-05/suricata.yaml b/tests/bug-4571-05/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-05/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-05/test.rules b/tests/bug-4571-05/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-05/test.yaml b/tests/bug-4571-05/test.yaml
new file mode 100644
index 000000000..ae6b0e525
--- /dev/null
+++ b/tests/bug-4571-05/test.yaml
@@ -0,0 +1,29 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pkt_src: wire/pcap
+ proto: TCP
+ ip_v: 4
+ pkt_src: wire/pcap
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ ip_v: 4
+ flow.alerted: true
diff --git a/tests/bug-4571-06/README.md b/tests/bug-4571-06/README.md
new file mode 100644
index 000000000..01e22d6a4
--- /dev/null
+++ b/tests/bug-4571-06/README.md
@@ -0,0 +1,11 @@
+# Test
+
+Check for proper engine behavior for IPv4 over IPv6 tunneling.
+
+## Pcap
+
+Shared by reporter on Redmine ticket.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/4571
diff --git a/tests/bug-4571-06/ipv4_over_ipv6.pcap b/tests/bug-4571-06/ipv4_over_ipv6.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..9c1f7d61555f75e0d69359afc19ddfaf2ed550e0
GIT binary patch literal 146 zc-p&ic+)~A1{MYw`2U}Qfe}bELHSuw%*CJ%lmL?qZFdtuQYI|*3XHrvS{H*jU3$y~ z#U^NcQ`ZKds!I$E^=wLcT#P{dj6j0}fROR~FOaGLpv`e_7#K2Ab8_-^6w339a#8>( CvK$!z literal 0 Hc-jL100001
diff --git a/tests/bug-4571-06/suricata.yaml b/tests/bug-4571-06/suricata.yaml
new file mode 100644
index 000000000..b9297ca70
--- /dev/null
+++ b/tests/bug-4571-06/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
diff --git a/tests/bug-4571-06/test.rules b/tests/bug-4571-06/test.rules
new file mode 100644
index 000000000..859286df2
--- /dev/null
+++ b/tests/bug-4571-06/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"found"; content: "hello"; sid:1;)
diff --git a/tests/bug-4571-06/test.yaml b/tests/bug-4571-06/test.yaml
new file mode 100644
index 000000000..1ff608d4e
--- /dev/null
+++ b/tests/bug-4571-06/test.yaml
@@ -0,0 +1,44 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ proto: TCP
+ ip_v: 4
+ pkt_src: ipv6 tunnel
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ tunnel.src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ tunnel.dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ tunnel.proto: IP-in-IP
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: TCP
+ ip_v: 4
+ src_ip: 10.1.0.1
+ dest_ip: 10.1.0.2
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IP-in-IP
+ ip_v: 6
+ src_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+ dest_ip: 2001:0db8:85a3:0000:0000:8a2e:0370:7335
+ flow.alerted: false
+ - filter:
+ count: 2
+ match:
+ event_type: flow
-- 2.47.2