tests: add RST with unacked data file tests

Add tests for bad handling of unacked data following a RST.

The additional data should not lead to new tx's or files.

tests/tcp-rst-unacked-stream-09/README.md

@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.

tests/tcp-rst-unacked-stream-09/suricata.yaml

@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      types:
+        - alert
+        - anomaly:
+            enabled: yes
+        - http:
+            extended: yes     # enable this for extended logging information
+        - files:
+            force-magic: no   # force logging magic on all logged files
+            # force logging of checksums, available hash functions are md5,
+            # sha1 and sha256
+            #force-hash: [md5]
+        #- drop:
+        #    alerts: yes      # log alerts that caused drops
+        #    flows: all       # start or all: 'start' logs only a single drop
+        #                     # per flow direction. All logs each dropped pkt.
+            # Enable logging the final action taken on a packet by the engine
+            # (will show more information in case of a drop caused by 'reject')
+            # verdict: yes
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
+            # Don't log stats counters that are zero. Default: true
+            #null-values: false    # False will NOT log stats counters: 0
+        # bi-directional flows
+        - flow
+
+  - file-store:
+      version: 2
+      enabled: yes
+      write-fileinfo: yes
+      force-filestore: yes
+      stream-depth: 0
+
+app-layer:
+  # error-policy: ignore
+  protocols:
+    http:
+      enabled: yes
+      libhtp:
+         default-config:
+           personality: IDS
+
+           # Can be specified in KiB, MiB, GiB.  Just a number indicates
+           # it's in bytes.
+           request-body-limit: 0
+           response-body-limit: 0
+
+           # inspection limits
+           request-body-minimal-inspect-size: 32 KiB
+           request-body-inspect-window: 4 KiB
+           response-body-minimal-inspect-size: 40 KiB
+           response-body-inspect-window: 16 KiB
+
+           # response body decompression (0 disables)
+           response-body-decompress-layer-limit: 2
+
+           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+           http-body-inline: auto
+
+           swf-decompression:
+             enabled: no
+             type: both
+             compress-depth: 100 KiB
+             decompress-depth: 100 KiB
+

tests/tcp-rst-unacked-stream-09/test.yaml

@@ -0,0 +1,19 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.sha256: b95aa84c9ac4948c8565202e016933644c592c366525b2790857615ca7e6f665
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.app_layer.tx.http: 1
+        stats.app_layer.flow.http: 1

tests/tcp-rst-unacked-stream-10/README.md

@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.

tests/tcp-rst-unacked-stream-10/suricata.yaml

@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      types:
+        - alert
+        - anomaly:
+            enabled: yes
+        - http:
+            extended: yes     # enable this for extended logging information
+        - files:
+            force-magic: no   # force logging magic on all logged files
+            # force logging of checksums, available hash functions are md5,
+            # sha1 and sha256
+            #force-hash: [md5]
+        #- drop:
+        #    alerts: yes      # log alerts that caused drops
+        #    flows: all       # start or all: 'start' logs only a single drop
+        #                     # per flow direction. All logs each dropped pkt.
+            # Enable logging the final action taken on a packet by the engine
+            # (will show more information in case of a drop caused by 'reject')
+            # verdict: yes
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
+            # Don't log stats counters that are zero. Default: true
+            #null-values: false    # False will NOT log stats counters: 0
+        # bi-directional flows
+        - flow
+
+  - file-store:
+      version: 2
+      enabled: yes
+      write-fileinfo: yes
+      force-filestore: yes
+      stream-depth: 0
+
+app-layer:
+  # error-policy: ignore
+  protocols:
+    http:
+      enabled: yes
+      libhtp:
+         default-config:
+           personality: IDS
+
+           # Can be specified in KiB, MiB, GiB.  Just a number indicates
+           # it's in bytes.
+           request-body-limit: 0
+           response-body-limit: 0
+
+           # inspection limits
+           request-body-minimal-inspect-size: 32 KiB
+           request-body-inspect-window: 4 KiB
+           response-body-minimal-inspect-size: 40 KiB
+           response-body-inspect-window: 16 KiB
+
+           # response body decompression (0 disables)
+           response-body-decompress-layer-limit: 2
+
+           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+           http-body-inline: auto
+
+           swf-decompression:
+             enabled: no
+             type: both
+             compress-depth: 100 KiB
+             decompress-depth: 100 KiB
+

tests/tcp-rst-unacked-stream-10/test.yaml

@@ -0,0 +1,23 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.sha256: 8ff57c7fc0d4babd27e2e914ad9b556b1b980a69710d3917266ec1cb4edbb782
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+  - filter:
+      count: 1
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.app_layer.tx.http: 1
+        stats.app_layer.flow.http: 1

tests/tcp-rst-unacked-stream-11/README.md

@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.

tests/tcp-rst-unacked-stream-11/suricata.yaml

@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      types:
+        - alert
+        - anomaly:
+            enabled: yes
+        - http:
+            extended: yes     # enable this for extended logging information
+        - files:
+            force-magic: no   # force logging magic on all logged files
+            # force logging of checksums, available hash functions are md5,
+            # sha1 and sha256
+            #force-hash: [md5]
+        #- drop:
+        #    alerts: yes      # log alerts that caused drops
+        #    flows: all       # start or all: 'start' logs only a single drop
+        #                     # per flow direction. All logs each dropped pkt.
+            # Enable logging the final action taken on a packet by the engine
+            # (will show more information in case of a drop caused by 'reject')
+            # verdict: yes
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
+            # Don't log stats counters that are zero. Default: true
+            #null-values: false    # False will NOT log stats counters: 0
+        # bi-directional flows
+        - flow
+
+  - file-store:
+      version: 2
+      enabled: yes
+      write-fileinfo: yes
+      force-filestore: yes
+      stream-depth: 0
+
+app-layer:
+  # error-policy: ignore
+  protocols:
+    http:
+      enabled: yes
+      libhtp:
+         default-config:
+           personality: IDS
+
+           # Can be specified in KiB, MiB, GiB.  Just a number indicates
+           # it's in bytes.
+           request-body-limit: 0
+           response-body-limit: 0
+
+           # inspection limits
+           request-body-minimal-inspect-size: 32 KiB
+           request-body-inspect-window: 4 KiB
+           response-body-minimal-inspect-size: 40 KiB
+           response-body-inspect-window: 16 KiB
+
+           # response body decompression (0 disables)
+           response-body-decompress-layer-limit: 2
+
+           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+           http-body-inline: auto
+
+           swf-decompression:
+             enabled: no
+             type: both
+             compress-depth: 100 KiB
+             decompress-depth: 100 KiB
+

tests/tcp-rst-unacked-stream-11/test.yaml

@@ -0,0 +1,31 @@
+requires:
+  min-version: 8
+
+args:
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.sha256: b6e5d8314e3c65a277af9db044b0cd6df1b641c0378703a5ab5de6d54cb9033f
+  - filter:
+      count: 1
+      match:
+        event_type: fileinfo
+        fileinfo.sha256: 33d346033ff4559e8f74a90112232610f4ea63db60a3f7434745a1aae5ea9169
+  - filter:
+      count: 2
+      match:
+        event_type: fileinfo
+  - filter:
+      count: 2
+      match:
+        event_type: http
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.app_layer.tx.http: 2
+        stats.app_layer.flow.http: 1

tests/tcp-rst-unacked-stream-12/README.md

@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.