From 8d1dac8bcb99bd1a1ee18e2492ff296512f666db Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Mon, 20 Jan 2025 08:40:58 -0500 Subject: [PATCH] detect/csum: Test interaction btw csum/stream setting Issue: 7467 Validate that there is no interaction between the csum keyword and stream.checksum-validation settings. --- tests/detect-chksum-01/README.md | 11 ++++++++++ tests/detect-chksum-01/input.pcap | Bin 0 -> 2763 bytes tests/detect-chksum-01/test.rules | 1 + tests/detect-chksum-01/test.yaml | 32 ++++++++++++++++++++++++++++ tests/detect-chksum-02/README.md | 11 ++++++++++ tests/detect-chksum-02/test.rules | 1 + tests/detect-chksum-02/test.yaml | 34 ++++++++++++++++++++++++++++++ 7 files changed, 90 insertions(+) create mode 100644 tests/detect-chksum-01/README.md create mode 100644 tests/detect-chksum-01/input.pcap create mode 100644 tests/detect-chksum-01/test.rules create mode 100644 tests/detect-chksum-01/test.yaml create mode 100644 tests/detect-chksum-02/README.md create mode 100644 tests/detect-chksum-02/test.rules create mode 100644 tests/detect-chksum-02/test.yaml diff --git a/tests/detect-chksum-01/README.md b/tests/detect-chksum-01/README.md new file mode 100644 index 000000000..ce9c35d1b --- /dev/null +++ b/tests/detect-chksum-01/README.md @@ -0,0 +1,11 @@ +# Test Description + +Contributed by Hans Vermeer + +Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks. + +This test enables `stream.checksum-validatin` + +## PCAP + +Contributed by Hans Vermeer 
diff --git a/tests/detect-chksum-01/input.pcap b/tests/detect-chksum-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1b4ffc446eff21a986d53a88b9ddfad6e793452e GIT binary patch literal 2763 zcma);Uu+ab9LJZoK(lfLFd;mSSCKzqZ})mfTdsQ-4k>>Mg{Hj*663?%?(E+7=61Kc z(>p4`ATR2(#uw0nPd*!hk|spKpb{T2n$!nhd{EFt4e`N9Na}B9@2+>(LfK}Uot@u( z<~QH(%>4GpJD*!4BHdFVvndogJgp7|~HRDbwsT6+26p2w$qr4dQe z7q1+Y4sQ7K`WK&cb$>tgi*tEF8n-4ke#wKcc5T1^;-DmT^{l_%)72|WZ{L5NzhBqg zy^)jY?#;_&!HoD3dHy#^N^Jq2W6OWD*kea9Tj2D#iu6fEEr+97*mq~cWp)`MZmeNDs96DAgjH}6n7L%t! z5-53_xGaOt*o48`WHOPC$$7&dKD^wk?v2UEybvC1wOYdVJe!h);Z|Dl{|H-BqqmXKCyp(ZIP_c%y3y&u%zQh`k0fB~2j|NU>X z^xb+%+|g25wsrlj`G=fHA3TkS_cV$3II*DtN^5C!%46t=H|v^WRt)4&3UfZmAV$tH zwZtlP7#SrTgoI_M3P+Ton0!`&`8Ok#(>@m>%plhbUB|Lw@?p#XFy^`Y5R5R2UDU57 zHIy98^dHEi4xpoBg_t}^f+`6zD6}k4u0cFWT$`0LD47}>%*lF%FpNr!`3jktb*kC8QO}#f4CAQY%Ep(c+L-Aqvy`DYAeh4_$+Zck ztIMtpZT=dL2blw8KV&RHI=Q0Qf4yOA;?1l;~HOIOjn@%<1;wm~{!GZ0# z3iEuJDLJ>?ldm&E=M7LWsrhUetpN>v>_$`(_}ss&gKNaGOR&U?9yMF?*e9?>$8Jxk zpC@E^)C1%CG`I|-T&WZ&swMX{cz6v9o=axVXo-NC^lK zm?X$*$RL#Z*fbs2&i0EIXkqY{hH8$D&}#VS{9uQz2m_9#1B9pg4fITY$?Q)m0w&)Nmu6?1$VN;ochIR?66)9D45Xj%4gL z=qU{k_FGLlT_e0BcTx|3#Vv;ZaP(hSi`)k@*J#2cY_ovBj8ty87Vk@?1_lfx-YQk+ zPOFO?uUibU#oR~`cmW>=xE=5nqe2K@65K%Q8ReN-IDepVESYPbmbwZpxlke~fU|{! zjF@O@;v~`y&m_6E3z4q!Kz_D&KW?cOogV|~#d%Q%Z?>1g-sABn$|k55BkKFjGH5}? zxW|bv0PzV_5q@`83+b=<-+8r|xzS!Nlue@k?2x8+{oGzHa;SzwSkkbHd6__-i&)7C z5u9moekb6}NX%&l|ij6R3*?7FMxll=*SJ`xnkIQzc ze7i%Br~;xEZ+W)5SB1KtucGc any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;) diff --git a/tests/detect-chksum-01/test.yaml b/tests/detect-chksum-01/test.yaml new file mode 100644 index 000000000..3e61693c7 --- /dev/null +++ b/tests/detect-chksum-01/test.yaml 
@@ -0,0 +1,32 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.checksum-validation=yes
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.severity: 3
+ alert.signature: SURICATA TCPv4 invalid checksum
+ alert.signature_id: 1
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ direction: to_server
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 74
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867
diff --git a/tests/detect-chksum-02/README.md b/tests/detect-chksum-02/README.md
new file mode 100644
index 000000000..d4d4eb3ce
--- /dev/null
+++ b/tests/detect-chksum-02/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Contributed by Hans Vermeer
+
+Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks.
+
+This test disables `stream.checksum-validatin`
+
+## PCAP
+
+Contributed by Hans Vermeer
diff --git a/tests/detect-chksum-02/test.rules b/tests/detect-chksum-02/test.rules
new file mode 100644
index 000000000..1eb9c450f
--- /dev/null
+++ b/tests/detect-chksum-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;)
diff --git a/tests/detect-chksum-02/test.yaml b/tests/detect-chksum-02/test.yaml
new file mode 100644
index 000000000..df9b1398c
--- /dev/null
+++ b/tests/detect-chksum-02/test.yaml
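Review bot: Both test.yaml files assert exactly the same single alert, so the pair passes whether or not the `--set stream.checksum-validation=...` argument actually takes effect; a mistyped key or a silently ignored option would leave both `tests/detect-chksum-01/test.yaml` (this hunk) and `tests/detect-chksum-02/test.yaml` (next hunk) green while proving nothing about the interaction the commit message describes. Consider adding to each test one check that is expected to differ between the two configurations — for instance a filter on the stream engine's invalid-checksum counter in the stats output, if the harness exposes it — so the test first shows the setting was applied and only then that it leaves `tcpv4-csum` unaffected. Since `pcap_cnt: 1` and `flow.pkts_toserver: 1` suggest a single-packet capture, a second `filter` with `count: 1` on `event_type: alert` alone would also pin that no additional alert fires. Separately, both README.md files misspell the setting as `stream.checksum-validatin`; it should read `stream.checksum-validation`.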
@@ -0,0 +1,34 @@
+requires:
+ min-version: 7
+
+pcap: ../detect-chksum-01/input.pcap
+
+args:
+- --set stream.checksum-validation=no
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: Generic Protocol Command Decode
+ alert.gid: 1
+ alert.severity: 3
+ alert.signature: SURICATA TCPv4 invalid checksum
+ alert.signature_id: 1
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ direction: to_server
+ event_type: alert
+ flow.bytes_toclient: 0
+ flow.bytes_toserver: 74
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 0
+ flow.pkts_toserver: 1
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ pcap_cnt: 1
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867