-
Notifications
You must be signed in to change notification settings - Fork 91
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
detect/csum: Test interaction btw csum/stream setting
Issue: 7467 Validate that there is no interaction between the csum keyword and stream.checksum-validation settings.
- Loading branch information
1 parent
6d0e83b
commit fac82c3
Showing
7 changed files
with
90 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # Test Description | ||
|
|
||
| Contributed by Hans Vermeer | ||
|
|
||
| Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks. | ||
|
|
||
| This test enables `stream.checksum-validation` | ||
|
|
||
| ## PCAP | ||
|
|
||
| Contributed by Hans Vermeer |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| args: | ||
| - --set stream.checksum-validation=yes | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.action: allowed | ||
| alert.category: Generic Protocol Command Decode | ||
| alert.gid: 1 | ||
| alert.severity: 3 | ||
| alert.signature: SURICATA TCPv4 invalid checksum | ||
| alert.signature_id: 1 | ||
| dest_ip: 209.85.225.105 | ||
| dest_port: 80 | ||
| direction: to_server | ||
| event_type: alert | ||
| flow.bytes_toclient: 0 | ||
| flow.bytes_toserver: 74 | ||
| flow.dest_ip: 209.85.225.105 | ||
| flow.dest_port: 80 | ||
| flow.pkts_toclient: 0 | ||
| flow.pkts_toserver: 1 | ||
| flow.src_ip: 192.168.2.3 | ||
| flow.src_port: 39867 | ||
| pcap_cnt: 1 | ||
| proto: TCP | ||
| src_ip: 192.168.2.3 | ||
| src_port: 39867 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # Test Description | ||
|
|
||
| Contributed by Hans Vermeer | ||
|
|
||
| Verify that `stream.checksum-validation` setting does not affect csum validation keyword checks. | ||
|
|
||
| This test disables `stream.checksum-validation` | ||
|
|
||
| ## PCAP | ||
|
|
||
| Contributed by Hans Vermeer |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| alert tcp any any -> any any (msg:"SURICATA TCPv4 invalid checksum"; tcpv4-csum:invalid; classtype:protocol-command-decode; sid:1;) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| requires: | ||
| min-version: 8 | ||
|
|
||
| pcap: ../detect-chksum-01/input.pcap | ||
|
|
||
| args: | ||
| - --set stream.checksum-validation=no | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| alert.action: allowed | ||
| alert.category: Generic Protocol Command Decode | ||
| alert.gid: 1 | ||
| alert.severity: 3 | ||
| alert.signature: SURICATA TCPv4 invalid checksum | ||
| alert.signature_id: 1 | ||
| dest_ip: 209.85.225.105 | ||
| dest_port: 80 | ||
| direction: to_server | ||
| event_type: alert | ||
| flow.bytes_toclient: 0 | ||
| flow.bytes_toserver: 74 | ||
| flow.dest_ip: 209.85.225.105 | ||
| flow.dest_port: 80 | ||
| flow.pkts_toclient: 0 | ||
| flow.pkts_toserver: 1 | ||
| flow.src_ip: 192.168.2.3 | ||
| flow.src_port: 39867 | ||
| pcap_cnt: 1 | ||
| proto: TCP | ||
| src_ip: 192.168.2.3 | ||
| src_port: 39867 |