test/linktype: Expand linktype_name coverage
Issue: 4974

This commit extends the linktype_name validation across the existing tests so that more linktype name values are checked:
- C_HDLC
- PPP
- IPV4
- IPV6
- RAW
- EN10B
- LINUX_SLL

Some existing tests required suricata.yaml configuration to enable the packet values to be in the alerts.
Showing 17 changed files with 262 additions and 0 deletions.
@@ -0,0 +1,3 @@ | ||
Ensure Cisco HDLC packets are decoded and the linktype name is correct | ||
|
||
|
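Review bot: the README names the goal but not the capture it runs against; because this test reads its pcap from a sibling directory (`../decode-chdlc-01/hdlc-http_1tx.pcap`) instead of carrying its own, a line naming that source capture and saying that this directory only adds the `linktype_name` assertion on top of the existing CHDLC decode test would help whoever next touches either directory.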
@@ -0,0 +1,24 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | ||
filename: eve.json | ||
types: | ||
- alert: | ||
packet: yes # enable dumping of packet (without stream segments) | ||
- http: | ||
extended: true | ||
- files: | ||
force-magic: no | ||
- flow | ||
- stats | ||
app-layer: | ||
protocols: | ||
http: | ||
enabled: yes | ||
libhtp: | ||
default-config: | ||
response-body-limit: 100kb |
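Review bot: `packet: yes` under `alert:` is the setting this test depends on for `packet_info.linktype_name` to be present in the alert at all, yet the only comment on it is the generic `# enable dumping of packet (without stream segments)` copied from the default config; replacing that with a comment tying the setting to the linktype check would stop a future cleanup from dropping it. The http, files, flow and stats entries are each exercised by a check in test.yaml, so they look justified.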
@@ -0,0 +1 @@ | ||
alert http any any -> any any (http.method; content:"GET"; sid:666;) |
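Review bot: the rule carries no `msg:` and uses `sid:666`, while the other rule files added in this commit use sid 1; adding a `msg:` (for example `msg:"HTTP GET";`) makes the resulting alert self-describing in eve.json, and since test.yaml matches on `alert.signature_id: 666`, either keep the two in sync or renumber both.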
@@ -0,0 +1,38 @@ | ||
requires: | ||
|
||
min-version: 8 | ||
|
||
pcap: ../decode-chdlc-01/hdlc-http_1tx.pcap | ||
|
||
checks: | ||
|
||
- filter: | ||
count: 1 | ||
match: | ||
event_type: http | ||
http.hostname: "view.atdmt.com" | ||
http.status: 200 | ||
http.length: 8079 | ||
|
||
- filter: | ||
count: 1 | ||
match: | ||
event_type: fileinfo | ||
fileinfo.state: CLOSED | ||
|
||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 666 | ||
packet_info.linktype_name: C_HDLC | ||
|
||
- filter: | ||
count: 1 | ||
match: | ||
event_type: flow | ||
proto: TCP | ||
|
||
- stats: | ||
decoder.ipv4: 17 | ||
decoder.chdlc: 17 |
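Review bot: the alert filter constrains only `alert.signature_id: 666` and `packet_info.linktype_name: C_HDLC`, whereas the ipopts test in this same commit also pins `pcap_cnt`; pinning it here would guarantee the linktype is read from the packet the check intends. The blank lines between `requires:`, `min-version: 8` and `pcap:` are stray whitespace the other new test.yaml files do not have, and the two stats counters (`decoder.ipv4: 17`, `decoder.chdlc: 17`) would benefit from a comment stating that every frame in the capture is expected to be CHDLC carrying IPv4.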
@@ -0,0 +1,13 @@ | ||
Test the IP options and verify the linktype name value. | ||
|
||
There's already a test for the extended security option; the following IP options are tested: | ||
- Record Route "rr" | ||
- Loose source route "lsrr" | ||
- EOL "eol" | ||
- NOP "nop" | ||
- Timestamp "ts" | ||
- Security "sec" | ||
- Strict source route "ssrr" | ||
- Stream id "satid" | ||
|
||
The pcap was generated using detect-ipopts/ipopt.py |
@@ -0,0 +1,11 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | ||
filename: eve.json | ||
types: | ||
- alert: | ||
packet: yes # enable dumping of packet (without stream segments) |
@@ -0,0 +1,10 @@ | ||
alert ip any any -> any any (msg:"RR option set"; ipopts:rr; sid: 1;) | ||
alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;) | ||
alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;) | ||
alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;) | ||
alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;) | ||
alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;) | ||
alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;) | ||
alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;) | ||
# covered in ipopts-sec | ||
#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;) |
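Review bot: the commented-out ESEC rule (`#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)`) is dead content in a brand-new file; if the intent is to record that esec is covered elsewhere, the `# covered in ipopts-sec` comment already says so and the rule text can go. Minor: `sid: 1` with a space after the colon is accepted, but `sid:1;` is the form used everywhere else in this commit.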
@@ -0,0 +1,64 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set stream.midstream=true -k none | ||
|
||
pcap: ../detect-ipopts/input.pcap | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 1 | ||
alert.signature_id: 1 | ||
packet_info.linktype_name: IPv4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 2 | ||
alert.signature_id: 2 | ||
packet_info.linktype_name: IPv4 | ||
- filter: | ||
count: 6 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 3 | ||
packet_info.linktype_name: IPv4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 4 | ||
alert.signature_id: 4 | ||
packet_info.linktype_name: IPv4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 5 | ||
alert.signature_id: 5 | ||
packet_info.linktype_name: IPv4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 6 | ||
alert.signature_id: 6 | ||
packet_info.linktype_name: IPv4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 7 | ||
alert.signature_id: 7 | ||
packet_info.linktype_name: IPv4 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 8 | ||
alert.signature_id: 8 | ||
packet_info.linktype_name: IPv4 |
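Review bot: the sid 3 (EOL) filter expects `count: 6` and is the only one without a `pcap_cnt` pin; a comment explaining why the EOL rule fires on six packets would make that expectation reviewable, and a second filter pinning `pcap_cnt: 3` with `alert.signature_id: 3` would keep the per-packet coverage uniform with the other seven options. Separately, this hunk asserts `packet_info.linktype_name: IPv4` in mixed case while the commit message lists `IPV4` and every other name asserted in the commit is fully uppercase (`C_HDLC`, `LINUX_SLL`, `RAW`); please confirm `IPv4` is the exact string Suricata emits, since the match is on the literal value.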
@@ -0,0 +1,12 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | ||
filename: eve.json | ||
types: | ||
- alert: | ||
packet: yes # enable dumping of packet (without stream segments) | ||
- flow |
@@ -0,0 +1 @@ | ||
alert tcp any any -> any any (content:"Hello!"; sid:1;) |
@@ -0,0 +1,20 @@ | ||
pcap: ../tcp-fastopen-05/tfo.pcap | ||
|
||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- -k none | ||
|
||
checks: | ||
- filter: | ||
count: 2 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
packet_info.linktype_name: LINUX_SLL | ||
- filter: | ||
count: 2 | ||
match: | ||
event_type: flow | ||
proto: TCP |
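Review bot: `-k none` is passed without explanation; a comment in test.yaml stating why checksum verification must be disabled for this capture would document the dependency (the ipopts test in this commit passes the same flag, also uncommented). The file also places `pcap:` above `requires:` whereas the other new test.yaml files put `requires:` first; not a correctness issue, but consistent ordering makes the set easier to scan. The two `LINUX_SLL` alerts are matched only on `alert.signature_id: 1`; a `pcap_cnt` pin per alert would tie each one to a specific packet as the ipopts test does.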
@@ -0,0 +1,7 @@ | ||
# Description | ||
|
||
Test basic VXLAN decoding | ||
|
||
# PCAP | ||
|
||
https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/vxlan.pcap |
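Review bot: the Description still reads `Test basic VXLAN decoding` although the point of this commit is to also assert the linktype name on the decapsulated alerts; extend the Description (as the CHDLC and ipopts READMEs in this commit do) so the README matches what test.yaml now checks.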
@@ -0,0 +1,12 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | ||
filename: eve.json | ||
types: | ||
- alert: | ||
packet: yes # enable dumping of packet (without stream segments) | ||
- flow |
@@ -0,0 +1 @@ | ||
alert icmp any any -> any any (itype:8; sid:1;) |
@@ -0,0 +1,27 @@ | ||
requires: | ||
min-version: 8 | ||
|
||
args: | ||
- --set decoder.vxlan.enabled=true | ||
|
||
pcap: ../vxlan-decoder-02/vxlan.pcap | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: flow | ||
proto: "ICMP" | ||
flow.pkts_toserver: 4 | ||
flow.pkts_toclient: 4 | ||
- filter: | ||
count: 4 | ||
match: | ||
event_type: flow | ||
dest_port: 4789 | ||
- filter: | ||
count: 4 | ||
match: | ||
event_type: alert | ||
tunnel.dest_port: 4789 | ||
packet_info.linktype_name: RAW |
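Review bot: the alert filter pairs `tunnel.dest_port: 4789` with `packet_info.linktype_name: RAW`, but nothing states that RAW is the linktype of the decapsulated inner packet rather than of the outer capture; a comment on that filter would save the next reader a trip through the decoder. Minor: `proto: "ICMP"` is quoted here while `proto: TCP` in the other test.yaml files is not.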