From dfbd8d3b15b12ff68c9f60db7d33c4cfcb20eb52 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 25 Nov 2020 16:04:55 +0100
Subject: [PATCH] Adds test for SMB AndX evasion
---
 tests/smb-eicar-andx/README.md | 21 +++++++++++++++++++++
 tests/smb-eicar-andx/smbandx.pcap | Bin 0 -> 4961 bytes
 tests/smb-eicar-andx/test.rules | 1 +
 tests/smb-eicar-andx/test.yaml | 14 ++++++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 tests/smb-eicar-andx/README.md
 create mode 100644 tests/smb-eicar-andx/smbandx.pcap
 create mode 100644 tests/smb-eicar-andx/test.rules
 create mode 100644 tests/smb-eicar-andx/test.yaml
diff --git a/tests/smb-eicar-andx/README.md b/tests/smb-eicar-andx/README.md
new file mode 100644
index 000000000..a3b606b2f
--- /dev/null
+++ b/tests/smb-eicar-andx/README.md
@@ -0,0 +1,21 @@
+# Description
+
+Test SMB EICAR file rule with AndX evasion.
+
+# PCAP
+
+The pcap comes from running Linux client smbclient against a server which is a Windows10 with public shared folder named catena without password
+Command is
+`smbclient -p 4445 //192.168.1.12/catena/ -U" "%" " -m NT1`
+Than in the smbclient shell :
+`put eicar` where eicar is the name of a file with the EICAR contents :
+https://en.wikipedia.org/wiki/EICAR_test_file
+
+cf https://redmine.openinfosecfoundation.org/issues/3475
+
+The proxy changes the Write request with chained AndX commands :
+- Locking
+- Write
+- Close
+
+and putting the data written to the file after the Close Request 
diff --git a/tests/smb-eicar-andx/smbandx.pcap b/tests/smb-eicar-andx/smbandx.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1542954dfd41141f71add603d0d732373125e992 GIT binary patch literal 4961 zc-qaE4^R~M702Ii?^up2$bn!ksp4T!Q41XZpN0zN|L3Xh;ku*K@3>S@ z3Q$D9BK}0;KtBt|kv`JJPI=t#&m_j%oFK&A2H=z-?=poVgfW%+n}7J{Hj&SH=^2eY zEXQpcelFcZr03fg7lDJ<+$J*Jft?!Z%5Hgf5brR{6)gyZS0%bi$*I&V>vwzT4n*!i z@)D#jk+VC)XLm-B-LsHBwzzeB8fUC6mj(cxQ zn?{{JIWM1ohZUy5QCiB~5zd zHHiuXg&MO{8AV%6JaYF6bBqdYw+1pt*ggTwY;WVjA?{qO!PWnH=S*0TYhC*^I7SB3g3A}q=U@;g0G|Vs&MF6xomoie!gR_{>jvM{cK*b zQmL4(wQbz6u32YoY-nz5ZqS)q>Ys01t6Q;d`&T}ZLOpNO*C?n<*)6LZu%J}ej8gjV zpl}m0shx+*NV_aY9QGAdw=7YsQDwGC#9c&0$ZM25n`H|sOi7A{Qwj+J=L^DeacLU> zM;+9bNeNP*&v#AJhX*9YLScn&tgR@e+WNCiDE%W%61)`{DhxMwk>e}!`wL$Y`t#WUDB*XLd`C z$DxV5d-d^vtZpZw<`o|LFeo&FiCnjr`0lVQQLBL+E{V9Ci1^5?epsC-R9tYKs5yU~ z#B;q)j@LUm4qN0kY>}h>q@k9j#hKbrF3V-qCZlow2_iV0PcrXuH?B1}QxK?%{8e-D zcymux!Y_2^&AIbFO}KC!CYg?QojCi<&h!2KUDm#>cjHye*H8VSeSDs~bWxs%=qE!(Mk;oePd|I#(i~s4tnqjaSdPDUg)Z_kV74A7a z^$K_6b8Af-R`{2HUm(@v9`aCpwRG|D2GZV;BfjE$5`HX8#0tL|D-qj>h>#l6t3{^5 z1%dQZkX``cs2Dm`jq_xQQ;i8>z_c#K4*&yRQb?1i!r49^=q+}ST#UEabHy0{Dlo=t z+C1*l28yw5trX)fvKt`Ws--j2&D!(2y zktumA9+)yg@FshnDEL5-;2)qlttj}czU7kO0+|zFO3xHcX+=|}taEF2OD&+z_pf9I zs3IIfVj=dZx4}Cm5c_;OpOYn`&I5D OUIM96w_u1`j1Z#IR1R{WfZk@g>B(E;w$ z11-e&4lX|b9-~V69(IGxxJ<^e4F^qR|L#J7x4=6l1m~DNUkuKHz~IyZ`f!zk^Bb2x zI3xY!140@k`+MZ=pCdp6T2@4M9(ikQlpZerwdc*KJLA_nm~JcyKAeD0s&N;-7ut?2sj5IMqLvh~Fn7LR=(A!ldEkL6w57j4K*{Xqplm zL*OpJCv~;BMmrQ-k$@9^I%S&T&2x(k=4Ugi&CgV2W+a+x7GxC{FUWc^p|rf%U`evt z43#AYOG%QU(pJ8z+_KV|WGl7Wl9rZNl*T8NEh<|`ULU^vK*tG5kYRsHOoBT>NwC4= z9(dWIQOz95k&@tJ@|=ic_W*W+cT6C@U@s7fzm_FxRWpBJl!$*JB7I3pI`+ux$fdx1 z`j}DTgP;TiAs|s^-=BJ-47`jc^;6vsj!I$uDVapXTM_K*5~DOQcu6Au+)q3n$sQJj uLQ%3?L6Y?&^#BFokEbQcJ|QX*^P?Gx0pgfIOtcpfF$&~}W@;}l0sI$4g!}#g literal 0 Hc-jL100001 diff --git a/tests/smb-eicar-andx/test.rules b/tests/smb-eicar-andx/test.rules new file mode 100644 index 000000000..fcb9e4489 --- /dev/null 
+++ b/tests/smb-eicar-andx/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg:"EICAR file"; flow:established; file_data; content:"|58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a|"; sid:1; rev:1;)
diff --git a/tests/smb-eicar-andx/test.yaml b/tests/smb-eicar-andx/test.yaml
new file mode 100644
index 000000000..c1282b105
--- /dev/null
+++ b/tests/smb-eicar-andx/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+
+# disables checksum verification
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
--
2.47.2
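Review bot: The rule in the test.rules hunk uses `flow:established` with no direction, although the README in this patch describes the EICAR bytes being carried in a client-to-server Write request (`put eicar`), so the rule would equally fire if the same file were later read back from the share. If the test is meant to pin detection of the upload through the AndX-chained Write, `flow:established,to_server;` makes that explicit and keeps the `count: 1` check in test.yaml from being satisfied by a match in the other direction. Keeping the payload as a hex `content` is reasonable since the EICAR string contains a backslash that would otherwise need escaping, but a comment line above the rule such as `# EICAR test string, hex-encoded to avoid escaping the backslash` would save the next reader decoding it.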
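Review bot: The only check in test.yaml is that one alert with `alert.signature_id: 1` appears, which shows the `file_data` buffer was populated but says nothing about whether the SMB file itself was tracked to completion through the chained Locking/Write/Close that the README describes. A second filter on the fileinfo record would pin that end-to-end file reassembly succeeded and not only the content match; the `fileinfo.filename` and size to assert should be read from the pcap rather than assumed, and this presumes the harness's eve configuration emits fileinfo records, which is not visible in this patch. The `-k none` argument already carries an explanatory comment; the `requires` block would read better with one as well, e.g. `# eve-json output (jansson) is needed for the checks below`.
```yaml
# … unchanged: requires, args and the existing alert check …
  - filter:
      count: 1
      match:
        event_type: fileinfo
        app_proto: smb
```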