diff --git a/tests/tcp-rst-unacked-stream-09/README.md b/tests/tcp-rst-unacked-stream-09/README.md
new file mode 100644
index 000000000..c47a7dcbb
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-09/README.md
@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
diff --git a/tests/tcp-rst-unacked-stream-09/TLPW1-tcp-110.37.219.134-10.12.14.101-tcp-990-49230.pcap b/tests/tcp-rst-unacked-stream-09/TLPW1-tcp-110.37.219.134-10.12.14.101-tcp-990-49230.pcap
new file mode 100644
index 000000000..a66c8c89d
Binary files /dev/null and b/tests/tcp-rst-unacked-stream-09/TLPW1-tcp-110.37.219.134-10.12.14.101-tcp-990-49230.pcap differ
diff --git a/tests/tcp-rst-unacked-stream-09/suricata.yaml b/tests/tcp-rst-unacked-stream-09/suricata.yaml
new file mode 100644
index 000000000..bd57f74f1
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-09/suricata.yaml
@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
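Review bot: The `file-store` stanza sets `force-filestore: yes`, which makes Suricata write every file it reconstructs from the capture into the run's output directory, and the README next to this file says the capture originates from malware-traffic-analysis.net, so the stored objects may well be live samples — that is plausible rather than verifiable from here. The `fileinfo.sha256` assertions in test.yaml may depend on file-store forcing the hash (the `files` output keeps `force-hash` commented out), so the setting itself probably has to stay. I would add a comment above the stanza, `# force-filestore writes every extracted object to the output dir; the capture is a malware PCAP`, and a matching line in the README, so anyone archiving or sharing test output knows what it contains. The suricata.yaml files for tests 10, 11 and 12 are the same blob (bd57f74f1) and carry the same point.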
diff --git a/tests/tcp-rst-unacked-stream-09/test.yaml b/tests/tcp-rst-unacked-stream-09/test.yaml
new file mode 100644
index 000000000..b1e8c4503
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-09/test.yaml
@@ -0,0 +1,19 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: b95aa84c9ac4948c8565202e016933644c592c366525b2790857615ca7e6f665
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 1
+ stats.app_layer.flow.http: 1
diff --git a/tests/tcp-rst-unacked-stream-10/README.md b/tests/tcp-rst-unacked-stream-10/README.md
new file mode 100644
index 000000000..c47a7dcbb
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-10/README.md
@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
diff --git a/tests/tcp-rst-unacked-stream-10/TLPW1-tcp-174.56.47.59-10.3.11.101-tcp-80-49309.pcap b/tests/tcp-rst-unacked-stream-10/TLPW1-tcp-174.56.47.59-10.3.11.101-tcp-80-49309.pcap
new file mode 100644
index 000000000..0e73e240e
Binary files /dev/null and b/tests/tcp-rst-unacked-stream-10/TLPW1-tcp-174.56.47.59-10.3.11.101-tcp-80-49309.pcap differ
diff --git a/tests/tcp-rst-unacked-stream-10/suricata.yaml b/tests/tcp-rst-unacked-stream-10/suricata.yaml
new file mode 100644
index 000000000..bd57f74f1
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-10/suricata.yaml
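Review bot: The checks pin one fileinfo record with a fixed sha256 and the HTTP stats counters, but nothing in the list is tied to what the README says is under test, post-GAP data following a RST. Anomaly logging is enabled in the accompanying suricata.yaml, so if the corrected stream handling is expected to emit, or to stop emitting, a stream anomaly for this capture, a filter on `event_type: anomaly` with the expected `count` would make a regression visible, and if none is expected, `count: 0` on that filter states it explicitly. This file also lacks the `event_type: http` filter with `count: 1` that tests 10, 11 and 12 carry, even though it asserts `stats.app_layer.tx.http: 1`; adding it keeps the four test.yaml files parallel. The anomaly remark applies equally to the test.yaml hunks for tests 10, 11 and 12.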
@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
diff --git a/tests/tcp-rst-unacked-stream-10/test.yaml b/tests/tcp-rst-unacked-stream-10/test.yaml
new file mode 100644
index 000000000..614ef6a4a
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-10/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 8
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: 8ff57c7fc0d4babd27e2e914ad9b556b1b980a69710d3917266ec1cb4edbb782
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 1
+ stats.app_layer.flow.http: 1
diff --git a/tests/tcp-rst-unacked-stream-11/README.md b/tests/tcp-rst-unacked-stream-11/README.md
new file mode 100644
index 000000000..c47a7dcbb
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-11/README.md
@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
diff --git a/tests/tcp-rst-unacked-stream-11/TLPW1-tcp-47.32.209.86-10.11.23.101-tcp-80-49470.pcap b/tests/tcp-rst-unacked-stream-11/TLPW1-tcp-47.32.209.86-10.11.23.101-tcp-80-49470.pcap
new file mode 100644
index 000000000..c78d09f5c
Binary files /dev/null and b/tests/tcp-rst-unacked-stream-11/TLPW1-tcp-47.32.209.86-10.11.23.101-tcp-80-49470.pcap differ
diff --git a/tests/tcp-rst-unacked-stream-11/suricata.yaml b/tests/tcp-rst-unacked-stream-11/suricata.yaml
new file mode 100644
index 000000000..bd57f74f1
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-11/suricata.yaml
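Review bot: Nothing in this test.yaml or its README records what distinguishes test 10 from 09, 11 and 12: the README is the same blob (c47a7dcbb) in all four directories, and the only per-test facts are the pcap filename and the expected counts. A short header comment would save the next reader from diffing the four directories, for example `# TLPW1 flow from the pcap filename (tcp/80, 174.56.47.59 <-> 10.3.11.101): one HTTP tx, one extracted file, no -k none needed`; the direction of the flow is my reading of the filename and should be confirmed before it is written down. Tests 09, 11 and 12 would each take an equivalent line describing their own case.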
@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
diff --git a/tests/tcp-rst-unacked-stream-11/test.yaml b/tests/tcp-rst-unacked-stream-11/test.yaml
new file mode 100644
index 000000000..15c9855f6
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-11/test.yaml
@@ -0,0 +1,31 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: b6e5d8314e3c65a277af9db044b0cd6df1b641c0378703a5ab5de6d54cb9033f
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: 33d346033ff4559e8f74a90112232610f4ea63db60a3f7434745a1aae5ea9169
+ - filter:
+ count: 2
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 2
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 2
+ stats.app_layer.flow.http: 1
diff --git a/tests/tcp-rst-unacked-stream-12/README.md b/tests/tcp-rst-unacked-stream-12/README.md
new file mode 100644
index 000000000..c47a7dcbb
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-12/README.md
@@ -0,0 +1,7 @@
+PCAP
+====
+
+Pcap from a pcap known as TLPW1 in the team. Originally from:
+malware-traffic-analysis.net
+
+Test handling of post-GAP data following a RST.
diff --git a/tests/tcp-rst-unacked-stream-12/TLPW1-tcp-110.37.219.134-10.12.14.101-tcp-990-49254.pcap b/tests/tcp-rst-unacked-stream-12/TLPW1-tcp-110.37.219.134-10.12.14.101-tcp-990-49254.pcap
new file mode 100644
index 000000000..d044f24d4
Binary files /dev/null and b/tests/tcp-rst-unacked-stream-12/TLPW1-tcp-110.37.219.134-10.12.14.101-tcp-990-49254.pcap differ
diff --git a/tests/tcp-rst-unacked-stream-12/suricata.yaml b/tests/tcp-rst-unacked-stream-12/suricata.yaml
new file mode 100644
index 000000000..bd57f74f1
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-12/suricata.yaml
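Review bot: `args: - -k none` disables checksum validation for the whole run, which changes which segments the stream engine is willing to use, yet neither this file nor the shared README says why this capture needs it while tests 09 and 10 run without it. Presumably the pcap carries bad checksums (as captures taken on the sending host often do), in which case the expected fileinfo and http counts would not be reachable with validation on; a one-line comment above the entry, `# -k none: capture has invalid checksums, otherwise the segments are not reassembled -- TODO confirm against the pcap`, records that and stops a later cleanup from dropping the flag. Test 12 passes the same argument and would take the same comment.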
@@ -0,0 +1,77 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly:
+ enabled: yes
+ - http:
+ extended: yes # enable this for extended logging information
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ #- drop:
+ # alerts: yes # log alerts that caused drops
+ # flows: all # start or all: 'start' logs only a single drop
+ # # per flow direction. All logs each dropped pkt.
+ # Enable logging the final action taken on a packet by the engine
+ # (will show more information in case of a drop caused by 'reject')
+ # verdict: yes
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+ # Don't log stats counters that are zero. Default: true
+ #null-values: false # False will NOT log stats counters: 0
+ # bi-directional flows
+ - flow
+
+ - file-store:
+ version: 2
+ enabled: yes
+ write-fileinfo: yes
+ force-filestore: yes
+ stream-depth: 0
+
+app-layer:
+ # error-policy: ignore
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in KiB, MiB, GiB. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 0
+ response-body-limit: 0
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32 KiB
+ request-body-inspect-window: 4 KiB
+ response-body-minimal-inspect-size: 40 KiB
+ response-body-inspect-window: 16 KiB
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ swf-decompression:
+ enabled: no
+ type: both
+ compress-depth: 100 KiB
+ decompress-depth: 100 KiB
+
diff --git a/tests/tcp-rst-unacked-stream-12/test.yaml b/tests/tcp-rst-unacked-stream-12/test.yaml
new file mode 100644
index 000000000..e42e6c53c
--- /dev/null
+++ b/tests/tcp-rst-unacked-stream-12/test.yaml
@@ -0,0 +1,27 @@
+requires:
+ min-version: 8
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ fileinfo.sha256: 2a6d1d2d85129cf9e84290a94e7b4d7cfe09d80c47a899dbc04cc61cc737c5a4
+ - filter:
+ count: 1
+ match:
+ event_type: fileinfo
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.tx.http: 1
+ # Should be 1, but gives 23. See https://redmine.openinfosecfoundation.org/issues/7238
+ #stats.app_layer.flow.http: 1
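Review bot: The last check is commented out with a pointer to issue 7238 (`stats.app_layer.flow.http` reports 23 where 1 is expected), so the test currently says nothing about that counter and keeps passing whether the fix lands or the value drifts further. If the project's practice allows pinning a known-wrong value, `stats.app_layer.flow.http: 23  # known wrong, expected 1: see issue 7238` makes the eventual fix fail this test and prompt the update; if it does not, the present comment is the right record, but the `-k none` argument above it is undocumented here as it is in test 11 and deserves the same explanatory comment.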