quic: add tests for fragment reassembly 2309/head
authorPhilippe Antoine <pantoine@oisf.net>
Mon, 17 Feb 2025 10:17:48 +0000 (11:17 +0100)
committerVictor Julien <victor@inliniac.net>
Wed, 19 Feb 2025 15:34:12 +0000 (16:34 +0100)
Ticket: 7556

21 files changed:
tests/quic-ack3/README.md [new file with mode: 0644]
tests/quic-ack3/input.pcap [new file with mode: 0644]
tests/quic-ack3/test.yaml [new file with mode: 0644]
tests/quic-frag-middle-gap/README.md [new file with mode: 0644]
tests/quic-frag-middle-gap/input.pcap [new file with mode: 0644]
tests/quic-frag-middle-gap/test.yaml [new file with mode: 0644]
tests/quic-frag-unordered/README.md [new file with mode: 0644]
tests/quic-frag-unordered/input.pcap [new file with mode: 0644]
tests/quic-frag-unordered/test.yaml [new file with mode: 0644]
tests/quic-frag-wait/README.md [new file with mode: 0644]
tests/quic-frag-wait/input.pcap [new file with mode: 0644]
tests/quic-frag-wait/test.yaml [new file with mode: 0644]
tests/quic-frag/README.md [new file with mode: 0644]
tests/quic-frag/input.pcap [new file with mode: 0644]
tests/quic-frag/test.yaml [new file with mode: 0644]
tests/quic-initial-not-first/README.md [new file with mode: 0644]
tests/quic-initial-not-first/input.pcap [new file with mode: 0644]
tests/quic-initial-not-first/test.yaml [new file with mode: 0644]
tests/quic-retry/README.md [new file with mode: 0644]
tests/quic-retry/input.pcap [new file with mode: 0644]
tests/quic-retry/test.yaml [new file with mode: 0644]

diff --git a/tests/quic-ack3/README.md b/tests/quic-ack3/README.md
new file mode 100644 (file)
index 0000000..034bf4f
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test quic parsing with ACK frame number 3
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7556
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/7556
diff --git a/tests/quic-ack3/input.pcap b/tests/quic-ack3/input.pcap
new file mode 100644 (file)
index 0000000..8c196eb
Binary files /dev/null and b/tests/quic-ack3/input.pcap differ
diff --git a/tests/quic-ack3/test.yaml b/tests/quic-ack3/test.yaml
new file mode 100644 (file)
index 0000000..5ee342c
--- /dev/null
@@ -0,0 +1,13 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 3
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
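Review bot: The first filter pins only `event_type: quic` and `pcap_cnt: 3`, so any quic event logged for packet 3 passes, whatever it contains. The other tests in this commit also match a parsed field such as `quic.extensions[0].name`. If the event for this packet carries parsed content, matching one such field from the pcap's expected eve output would tie the test to the ACK handling it is meant to cover. A short `#` comment saying why packet 3 is the one of interest would also help the next reader.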
diff --git a/tests/quic-frag-middle-gap/README.md b/tests/quic-frag-middle-gap/README.md
new file mode 100644 (file)
index 0000000..2034ef4
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test quic parsing with crypto fragments over multiple (>2) packets, crypto fragments being out of order, and with the last packet covering a crypto fragment in the middle of the TLS handshake message
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7556
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/7556
diff --git a/tests/quic-frag-middle-gap/input.pcap b/tests/quic-frag-middle-gap/input.pcap
new file mode 100644 (file)
index 0000000..fc39030
Binary files /dev/null and b/tests/quic-frag-middle-gap/input.pcap differ
diff --git a/tests/quic-frag-middle-gap/test.yaml b/tests/quic-frag-middle-gap/test.yaml
new file mode 100644 (file)
index 0000000..f6ef1ca
--- /dev/null
@@ -0,0 +1,16 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 3
+        quic.extensions[0].name: "key_share"        
+        quic.extensions[8].name: "server_name"
+        quic.extensions[8].values[0]: "optimizationguide-pa.googleapis.com"
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
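Review bot: The `quic.extensions[0].name: "key_share"` line ends with a run of trailing spaces after the closing quote. It parses the same, but linters will flag it and it shows up as noise in later diffs, so strip it to match the neighbouring `quic.extensions[8].name: "server_name"` line.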
diff --git a/tests/quic-frag-unordered/README.md b/tests/quic-frag-unordered/README.md
new file mode 100644 (file)
index 0000000..436e67f
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test quic parsing with crypto fragments over multiple packets, and crypto fragments being out of order
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7556
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/7556
diff --git a/tests/quic-frag-unordered/input.pcap b/tests/quic-frag-unordered/input.pcap
new file mode 100644 (file)
index 0000000..7951228
Binary files /dev/null and b/tests/quic-frag-unordered/input.pcap differ
diff --git a/tests/quic-frag-unordered/test.yaml b/tests/quic-frag-unordered/test.yaml
new file mode 100644 (file)
index 0000000..6fe530f
--- /dev/null
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 2
+        quic.extensions[0].name: "supported_groups"
+        quic.extensions[7].name: "server_name"
+        quic.extensions[7].values[0]: "mastodon.social"
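Review bot: This test has no `count: 0` filter on `event_type: anomaly`, and tests/quic-frag/test.yaml in the same commit omits it as well, while the other five new tests all end with one. Without it, an anomaly event raised while reassembling the out-of-order crypto fragments would go unnoticed as long as the quic event is still logged. If both pcaps are expected to parse cleanly, append the same anomaly filter the sibling tests use. If an anomaly is expected here, say so in a `#` comment and pin it with its own filter.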
diff --git a/tests/quic-frag-wait/README.md b/tests/quic-frag-wait/README.md
new file mode 100644 (file)
index 0000000..e8248e3
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test quic parsing with crypto fragments over multiple packets, crypto fragments being out of order, and with a packet in the middle without new crypto fragment
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7556
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/7556
diff --git a/tests/quic-frag-wait/input.pcap b/tests/quic-frag-wait/input.pcap
new file mode 100644 (file)
index 0000000..af2ced0
Binary files /dev/null and b/tests/quic-frag-wait/input.pcap differ
diff --git a/tests/quic-frag-wait/test.yaml b/tests/quic-frag-wait/test.yaml
new file mode 100644 (file)
index 0000000..c991f88
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 6
+        quic.extensions[0].name: "key_share"
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
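Review bot: The positive filter asserts only `quic.extensions[0].name: "key_share"`, the first entry in the extension list, which may not prove that the whole handshake message was reassembled across the out-of-order fragments and the packet carrying no new crypto data. quic-frag-middle-gap and quic-frag-unordered also match a high-index extension and the `server_name` value, which is the field detection rules usually key on. Adding an equivalent match here, with the index and value taken from this pcap's expected eve output, would catch a reassembly that stops short while still emitting an event.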
diff --git a/tests/quic-frag/README.md b/tests/quic-frag/README.md
new file mode 100644 (file)
index 0000000..7bdfc6d
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test quic parsing with crypto fragments over multiple packets
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7556
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/7556
diff --git a/tests/quic-frag/input.pcap b/tests/quic-frag/input.pcap
new file mode 100644 (file)
index 0000000..0ccad22
Binary files /dev/null and b/tests/quic-frag/input.pcap differ
diff --git a/tests/quic-frag/test.yaml b/tests/quic-frag/test.yaml
new file mode 100644 (file)
index 0000000..e57dadb
--- /dev/null
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 2
+        quic.extensions[0].name: "status_request"
+        quic.extensions[4].name: "alpn"
+        quic.extensions[4].values[0]: "h3"
diff --git a/tests/quic-initial-not-first/README.md b/tests/quic-initial-not-first/README.md
new file mode 100644 (file)
index 0000000..01f9b4b
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test quic parsing initial (as per quic definition) packet not being the first one
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7556
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/7556
diff --git a/tests/quic-initial-not-first/input.pcap b/tests/quic-initial-not-first/input.pcap
new file mode 100644 (file)
index 0000000..d001cc1
Binary files /dev/null and b/tests/quic-initial-not-first/input.pcap differ
diff --git a/tests/quic-initial-not-first/test.yaml b/tests/quic-initial-not-first/test.yaml
new file mode 100644 (file)
index 0000000..07c5518
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 8
+        quic.extensions[0].name: "supported_versions"
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 1
+        quic.extensions[1].name: "server_name"
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
diff --git a/tests/quic-retry/README.md b/tests/quic-retry/README.md
new file mode 100644 (file)
index 0000000..04d5ace
--- /dev/null
@@ -0,0 +1,11 @@
+# Description
+
+Test quic parsing with retry packets
+
+# Ticket
+
+https://redmine.openinfosecfoundation.org/issues/7556
+
+# PCAP
+
+The pcap comes from https://redmine.openinfosecfoundation.org/issues/7556
diff --git a/tests/quic-retry/input.pcap b/tests/quic-retry/input.pcap
new file mode 100644 (file)
index 0000000..c3f4d1c
Binary files /dev/null and b/tests/quic-retry/input.pcap differ
diff --git a/tests/quic-retry/test.yaml b/tests/quic-retry/test.yaml
new file mode 100644 (file)
index 0000000..2cbeed0
--- /dev/null
@@ -0,0 +1,26 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 2
+        quic.extensions[0].name: "supported_groups"
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 6
+        quic.extensions[0].name: "supported_groups"
+  - filter:
+      count: 1
+      match:
+        event_type: quic
+        pcap_cnt: 8
+        quic.extensions[0].name: "supported_versions"
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly