From a582ae0e00d230981b85206ca21914edb460955a Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Sat, 30 Nov 2024 08:46:56 +0100 Subject: [PATCH] tests: add bug 7422 tests Tests various forms of RST triggering handling of unACK'd data. --- tests/tcp-rst-unacked-stream-01-raw/README.md | 8 ++++++++ .../tcp-rst-unacked-stream-01-raw/input.pcap | Bin 0 -> 654 bytes .../tcp-rst-unacked-stream-01-raw/test.rules | 2 ++ tests/tcp-rst-unacked-stream-01-raw/test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++++ .../README.md | 8 ++++++++ .../input.pcap | Bin 0 -> 654 bytes .../test.rules | 2 ++ .../test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++++ tests/tcp-rst-unacked-stream-03-gap/README.md | 8 ++++++++ .../tcp-rst-unacked-stream-03-gap/input.pcap | Bin 0 -> 576 bytes .../tcp-rst-unacked-stream-03-gap/test.rules | 2 ++ tests/tcp-rst-unacked-stream-03-gap/test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++++ .../README.md | 8 ++++++++ .../input.pcap | Bin 0 -> 576 bytes .../test.rules | 2 ++ .../test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 15 +++++++++++++++ .../README.md | 8 ++++++++ .../input.pcap | Bin 0 -> 679 bytes .../test.rules | 2 ++ .../test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++++ .../README.md | 8 ++++++++ .../input.pcap | Bin 0 -> 679 bytes .../test.rules | 2 ++ .../test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++++ .../tcp-rst-unacked-stream-07-http/README.md | 8 ++++++++ .../tcp-rst-unacked-stream-07-http/input.pcap | Bin 0 -> 589 bytes .../tcp-rst-unacked-stream-07-http/test.rules | 2 ++ .../tcp-rst-unacked-stream-07-http/test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++++ .../README.md | 8 ++++++++ .../input.pcap | Bin 0 -> 589 bytes .../test.rules | 2 ++ .../test.yaml | 18 ++++++++++++++++++ .../writepcap.py | 17 +++++++++++++++++ 40 files changed, 352 insertions(+) create mode 100644 tests/tcp-rst-unacked-stream-01-raw/README.md create mode 100644 
tests/tcp-rst-unacked-stream-01-raw/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-01-raw/test.rules create mode 100644 tests/tcp-rst-unacked-stream-01-raw/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-01-raw/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-03-gap/README.md create mode 100644 tests/tcp-rst-unacked-stream-03-gap/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-03-gap/test.rules create mode 100644 tests/tcp-rst-unacked-stream-03-gap/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-03-gap/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/README.md create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/test.rules create mode 100644 tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml create mode 100755 
tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-07-http/README.md create mode 100644 tests/tcp-rst-unacked-stream-07-http/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-07-http/test.rules create mode 100644 tests/tcp-rst-unacked-stream-07-http/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-07-http/writepcap.py create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/README.md create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/input.pcap create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/test.rules create mode 100644 tests/tcp-rst-unacked-stream-08-http-ips/test.yaml create mode 100755 tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py diff --git a/tests/tcp-rst-unacked-stream-01-raw/README.md b/tests/tcp-rst-unacked-stream-01-raw/README.md new file mode 100644 index 000000000..66bd7beae --- /dev/null +++ b/tests/tcp-rst-unacked-stream-01-raw/README.md @@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data w/o GAP. diff --git a/tests/tcp-rst-unacked-stream-01-raw/input.pcap b/tests/tcp-rst-unacked-stream-01-raw/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a37d82e71d91fe9a6edec8776609eb00a4adb903 GIT binary patch literal 654 zcmca|c+)~A1{MYw`2U}Qff2~LF6x!8`HY#t4#);!Ru*O^pg1EFGYe}Y0|OfegDV4r z4oIm3Tgfp-AYcLl155b{K*b;f7!sHi7$kWZ7?_#)z^2*1L6`Mnh#Nr%zg^%AI_DL~@?f1aBR3;{W*iN&c3pkTWJ3{F_EVKopQY-k34fEhTo ziGjfL}1>b&D&XlZo_UHO ue<}&EFt`K7K^SWkm_l8)7fTd;2oU-I|J6ERuqP*{78fhHq~>L&rT_r%d1Xle literal 0 HcmV?d00001 diff --git a/tests/tcp-rst-unacked-stream-01-raw/test.rules b/tests/tcp-rst-unacked-stream-01-raw/test.rules new file mode 100644 index 000000000..84c751a02 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-01-raw/test.rules 
@@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"Let Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-01-raw/test.yaml b/tests/tcp-rst-unacked-stream-01-raw/test.yaml new file mode 100644 index 000000000..6ba9b2abb --- /dev/null +++ b/tests/tcp-rst-unacked-stream-01-raw/test.yaml @@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-01-raw/writepcap.py b/tests/tcp-rst-unacked-stream-01-raw/writepcap.py new file mode 100755 index 000000000..c96dae0f2 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-01-raw/writepcap.py 
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1008,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/README.md b/tests/tcp-rst-unacked-stream-02-raw-ips/README.md
new file mode 100644
index 000000000..4fe7d6b91
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-02-raw-ips/README.md
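Review bot: The packet list in writepcap.py carries no comment on why the closing RST uses `ack=1008`, which is the detail the whole test hinges on; a one-line note above that packet such as `# RST acks only "Please " (seq 1001-1007): "Let Me In!" is still unACK'd when it arrives` would let a reader check that the pcap matches the README. The script also relies on `from scapy.all import *` and a bare `#!/usr/bin/env python` shebang; `from scapy.all import Ether, Dot1Q, IP, TCP, wrpcap` and `#!/usr/bin/env python3` would make the names and the interpreter explicit. The same applies to the other seven writepcap.py hunks in this patch (02 through 08), which repeat this boilerplate verbatim.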
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data w/o GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/input.pcap b/tests/tcp-rst-unacked-stream-02-raw-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a37d82e71d91fe9a6edec8776609eb00a4adb903 GIT binary patch literal 654 zcmca|c+)~A1{MYw`2U}Qff2~LF6x!8`HY#t4#);!Ru*O^pg1EFGYe}Y0|OfegDV4r z4oIm3Tgfp-AYcLl155b{K*b;f7!sHi7$kWZ7?_#)z^2*1L6`Mnh#Nr%zg^%AI_DL~@?f1aBR3;{W*iN&c3pkTWJ3{F_EVKopQY-k34fEhTo ziGjfL}1>b&D&XlZo_UHO ue<}&EFt`K7K^SWkm_l8)7fTd;2oU-I|J6ERuqP*{78fhHq~>L&rT_r%d1Xle literal 0 HcmV?d00001 diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/test.rules b/tests/tcp-rst-unacked-stream-02-raw-ips/test.rules new file mode 100644 index 000000000..84c751a02 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-02-raw-ips/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"Let Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml b/tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml new file mode 100644 index 000000000..5486b0412 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-02-raw-ips/test.yaml @@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 7 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 
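Review bot: Nothing in this test.yaml selects IPS mode: the file holds only a `checks:` section and no `args:`, yet the expectation `pcap_cnt: 7` (an alert on the data packet instead of `pkt_src: "stream (flow timeout)"` as in 01) presumably only holds when Suricata runs with `--simulate-ips`. Unless the harness derives the mode from something not visible in this patch, an `args:` block such as `args:` / `  - --simulate-ips` is needed ahead of `checks:`. The same applies to the test.yaml hunks for 04, 06 and 08, which are likewise IPS variants with only `checks:`. The leading empty line at the top of each test.yaml can also be dropped.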
diff --git a/tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py b/tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py
new file mode 100755
index 000000000..c96dae0f2
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-02-raw-ips/writepcap.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1008,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-03-gap/README.md b/tests/tcp-rst-unacked-stream-03-gap/README.md new file mode 100644 index 000000000..cc17663e5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-03-gap/README.md @@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data with GAP. diff --git a/tests/tcp-rst-unacked-stream-03-gap/input.pcap b/tests/tcp-rst-unacked-stream-03-gap/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b20f5d40c1c9ba449cea76a53b60487cce49f32a GIT binary patch literal 576 zcmca|c+)~A1{MYw`2U}Qff2}=BIA{Qc_Rmd9gq#etSrn-KygMUW){{)1_m|`23H0K z9gtE7wvuCvK)?h92A1*@fQmr|FeET3Fi7$+FfcRoflbTVjxY^k4#Z4M(?BMHOq8Es zU any any (content:"Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-03-gap/test.yaml b/tests/tcp-rst-unacked-stream-03-gap/test.yaml new file mode 100644 index 000000000..6ba9b2abb --- /dev/null +++ b/tests/tcp-rst-unacked-stream-03-gap/test.yaml @@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-03-gap/writepcap.py b/tests/tcp-rst-unacked-stream-03-gap/writepcap.py new file mode 100755 index 000000000..df3d93a37 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-03-gap/writepcap.py 
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+#pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1008,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/README.md b/tests/tcp-rst-unacked-stream-04-gap-ips/README.md
new file mode 100644
index 000000000..26b966a4b
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-04-gap-ips/README.md
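Review bot: The GAP in this pcap is produced by commenting out the `"Let "` packet (seq 1008-1011), but the surviving `#pkts += ...` line reads as dead code rather than as the test's intent. A short comment in its place, e.g. `# "Let " (seq 1008-1011) deliberately omitted to leave a hole in front of "Me In!"`, would document the gap without keeping the full expression around, and ties the pcap to the `"Me In"` content in test.rules. The same commented-out-packet pattern appears in the writepcap.py hunks for 04, 07 and 08 (the `Cookie` line in the HTTP scripts).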
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests raw reassembly inspection of unack'd data with GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/input.pcap b/tests/tcp-rst-unacked-stream-04-gap-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..da81997e2549d0e885a0939017fb2db15cead602 GIT binary patch literal 576 zcmca|c+)~A1{MYw`2U}Qff2|l-{_S-laGPH4#);!Ru*O^pg1EFGYe}Y0|OfegDV4r z4oIm3Tgfp-AYcLl155b{K*b;f7!sHi7$kWZ7?_#)z^45dM3@FK2Vy3sX&{q8CdyAR zumtLV0W^#$LFoT~Q(=T@O(F~oRzL|5#_Bc=sM}7Vxs3^E#>)VK|Nq0JA-ax9915M=r|5saq S0hOGbT3oE)lA4#9ngRfRd0A)x literal 0 HcmV?d00001 diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/test.rules b/tests/tcp-rst-unacked-stream-04-gap-ips/test.rules new file mode 100644 index 000000000..82570ea6f --- /dev/null +++ b/tests/tcp-rst-unacked-stream-04-gap-ips/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"Me In"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml b/tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml new file mode 100644 index 000000000..5f7903a01 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-04-gap-ips/test.yaml @@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 6 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 
diff --git a/tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py b/tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py
new file mode 100755
index 000000000..cbe933939
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-04-gap-ips/writepcap.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/"Please "
+#pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1008,ack=2,window=65535)/"Let "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1012,ack=2,window=65535)/"Me "
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1015,ack=2,window=65535)/"In!"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='RA',seq=2,ack=1001,window=65535)/"Access Denied"
+
+wrpcap('input.pcap', pkts)
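Review bot: The RST in this script uses `ack=1001`, whereas the otherwise identical 03-gap script uses `ack=1008` (acknowledging `"Please "`), so here nothing after the handshake is ACK'd when the RST arrives; that single value is the only difference between the two scripts (index df3d93a37 vs cbe933939), while the other IDS/IPS pairs in this patch (01/02, 05/06, 07/08) share one blob each. If the lower ack is intentional for the IPS case, a comment on that line, e.g. `# RST acks no data at all: the hole and the data behind it are both unACK'd`, would record why; if not, `ack=1008` would keep 03 and 04 aligned. The 04 README describes the same scenario as 03 and does not mention the distinction, so it is not possible to tell from the patch which was meant.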
diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/README.md b/tests/tcp-rst-unacked-stream-05-http-nogap/README.md new file mode 100644 index 000000000..b577a6a9b --- /dev/null +++ b/tests/tcp-rst-unacked-stream-05-http-nogap/README.md @@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data w/o GAP. diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/input.pcap b/tests/tcp-rst-unacked-stream-05-http-nogap/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b0272f70e7f5cbc5150a212f2c008b6393565b8b GIT binary patch literal 679 zcmca|c+)~A1{MYw`2U}Qff2|F+wPU_Rm{O)2V{dVD+@CdP@Iv8nT55Hfq{*K!IgnQ z2c*=2t>hRZ5HJCOfu;Nepkj~#3<*pM43azy49v`YVAIx@Axwjq12GfRG>}Ok6Xhou zSOWFG02;=WAoTygsW8GcyGjlQE1(1jV|AMb)NQBG+{Oen<7I%r|Nmjq5MRdDb1--T zO#xx7CRspD+J(!cmQn@=ch?XFeFcw@kN|x{Jp*1YQ24bsk!i9J%#A0K85o@N^RqKk ztrQZIl2cOCASSP9Y5e?2H*Uu%$%G=UM`4J&vqjs3Tw2(BML3rUjkhr6d(eO ID0T)00MD;$FaQ7m literal 0 HcmV?d00001 diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/test.rules b/tests/tcp-rst-unacked-stream-05-http-nogap/test.rules new file mode 100644 index 000000000..5979085d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-05-http-nogap/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml b/tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml new file mode 100644 index 000000000..6ba9b2abb --- /dev/null +++ b/tests/tcp-rst-unacked-stream-05-http-nogap/test.yaml 
@@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py b/tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py new file mode 100755 index 000000000..e5f7df890 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-05-http-nogap/writepcap.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md
new file mode 100644
index 000000000..f82be04a1
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/README.md
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data w/o GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/input.pcap b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b0272f70e7f5cbc5150a212f2c008b6393565b8b GIT binary patch literal 679 zcmca|c+)~A1{MYw`2U}Qff2|F+wPU_Rm{O)2V{dVD+@CdP@Iv8nT55Hfq{*K!IgnQ z2c*=2t>hRZ5HJCOfu;Nepkj~#3<*pM43azy49v`YVAIx@Axwjq12GfRG>}Ok6Xhou zSOWFG02;=WAoTygsW8GcyGjlQE1(1jV|AMb)NQBG+{Oen<7I%r|Nmjq5MRdDb1--T zO#xx7CRspD+J(!cmQn@=ch?XFeFcw@kN|x{Jp*1YQ24bsk!i9J%#A0K85o@N^RqKk ztrQZIl2cOCASSP9Y5e?2H*Uu%$%G=UM`4J&vqjs3Tw2(BML3rUjkhr6d(eO ID0T)00MD;$FaQ7m literal 0 HcmV?d00001 diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules new file mode 100644 index 000000000..5979085d5 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.rules @@ -0,0 +1,2 @@ +alert tcp any any -> any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml new file mode 100644 index 000000000..5486b0412 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/test.yaml 
@@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 7 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py new file mode 100755 index 000000000..e5f7df890 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-06-http-nogap-ips/writepcap.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-07-http/README.md b/tests/tcp-rst-unacked-stream-07-http/README.md
new file mode 100644
index 000000000..e20c87b9a
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-07-http/README.md
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data with GAP. diff --git a/tests/tcp-rst-unacked-stream-07-http/input.pcap b/tests/tcp-rst-unacked-stream-07-http/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..921bbaa575ef8cb771a1033da6bd33b66eaa183d GIT binary patch literal 589 zcmca|c+)~A1{MYw`2U}Qff2|t-{F-WeT<924#);!Ru*O^pg1EFGYe}Y0|OfegDV4r z4oIm3Tgfp-AYcLl155b{K*b;f7!sHi7$kWZ7?_#)z@{BMi7*Xf4#Z4M(?BMHOq8Es zU@AcMVa{SMUf43D7sxGvMU{g2E(SNCsUVEiWD}^#`_N2Q zg1IsF90NmWacYsSV|r>{iIoD#)a5t0Kw%HYSWPvCnz|p&R6UrfYg!l>eDkX^b8-@S gxgbv6dK(d(SR)4>oM@5r66g}401;qtvNJFM07R) any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-07-http/test.yaml b/tests/tcp-rst-unacked-stream-07-http/test.yaml new file mode 100644 index 000000000..6ba9b2abb --- /dev/null +++ b/tests/tcp-rst-unacked-stream-07-http/test.yaml @@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pkt_src: "stream (flow timeout)" + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-07-http/writepcap.py b/tests/tcp-rst-unacked-stream-07-http/writepcap.py new file mode 100755 index 000000000..81952ff74 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-07-http/writepcap.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+#pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/README.md b/tests/tcp-rst-unacked-stream-08-http-ips/README.md
new file mode 100644
index 000000000..305ccf6ef
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-08-http-ips/README.md
@@ -0,0 +1,8 @@ +Test +==== + +Test series that tests if a RST that comes in before all data is ACK'd the +unACK'd data is still reassembled and inspected, but does not trigger a GAP +event. + +This test tests HTTP reassembly inspection of unack'd data with GAP in IPS mode. diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/input.pcap b/tests/tcp-rst-unacked-stream-08-http-ips/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..921bbaa575ef8cb771a1033da6bd33b66eaa183d GIT binary patch literal 589 zcmca|c+)~A1{MYw`2U}Qff2|t-{F-WeT<924#);!Ru*O^pg1EFGYe}Y0|OfegDV4r z4oIm3Tgfp-AYcLl155b{K*b;f7!sHi7$kWZ7?_#)z@{BMi7*Xf4#Z4M(?BMHOq8Es zU@AcMVa{SMUf43D7sxGvMU{g2E(SNCsUVEiWD}^#`_N2Q zg1IsF90NmWacYsSV|r>{iIoD#)a5t0Kw%HYSWPvCnz|p&R6UrfYg!l>eDkX^b8-@S gxgbv6dK(d(SR)4>oM@5r66g}401;qtvNJFM07R) any any (content:"User-Agent: Mozilla"; sid:1;) +alert tcp any any -> any any (msg:"SURICATA STREAM reassembly sequence GAP -- missing packet(s)"; stream-event:reassembly_seq_gap; threshold:type backoff, track by_flow, count 1, multiplier 10; classtype:protocol-command-decode; sid:2210048; rev:3;) diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/test.yaml b/tests/tcp-rst-unacked-stream-08-http-ips/test.yaml new file mode 100644 index 000000000..5f7903a01 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-08-http-ips/test.yaml @@ -0,0 +1,18 @@ + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 6 + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2210048 + - filter: + count: 1 + match: + event_type: stats + stats.tcp.reassembly_gap: 0 diff --git a/tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py b/tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py new file mode 100755 index 000000000..81952ff74 --- /dev/null +++ b/tests/tcp-rst-unacked-stream-08-http-ips/writepcap.py 
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+#pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
