-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e5994fa
commit 818c558
Showing
7 changed files
with
86 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Test Description | ||
|
|
||
| This test demonstrates that if the stream reassembly depth is reached on one direction, | ||
| it does not block the other side. | ||
| For the given PCAP, to server direction reaches the depth and stops processing leading | ||
| to no alert having been logged for a valid to server request in the stream which would | ||
| be processed in case there was no depth (sid: 2). | ||
| However, this does not stall the packets in other direction from being the processed, | ||
| the response to the same request is still processed and a corresponding alert is logged | ||
| (sid: 1). | ||
|
|
||
| ## PCAP | ||
|
|
||
| tshark.dev | ||
|
|
||
| ## Related issues | ||
|
|
||
| https://redmine.openinfosecfoundation.org/issues/7044 |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| alert dcerpc any any -> any any (msg:"Test Alert 1"; sid:1; flow:established,to_client; dcerpc.stub_data; bsize:2124;) | ||
| alert dcerpc any any -> any any (msg:"Test Alert 2"; sid:2; flow:established,to_server; dcerpc.stub_data; bsize:2148; dcerpc.opnum: 9;) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| args: | ||
| - -k none --set stream.reassembly.depth=8kb | ||
|
|
||
| requires: | ||
| min-version: 7 | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 1 | ||
| pcap_cnt: 46 | ||
| - filter: | ||
| count: 0 # because of the depth constraints | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 2 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: dcerpc | ||
| pcap_cnt: 40 | ||
| dcerpc.request: "REQUEST_LOST" | ||
| dcerpc.response: "RESPONSE" | ||
| dcerpc.call_id: 5360 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # Test Description | ||
|
|
||
| This test demonstrates that the pcap is properly parsed and assessed in case | ||
| there was ample stream reassembly depth (default in this case). | ||
|
|
||
| ## PCAP | ||
|
|
||
| tshark.dev | ||
|
|
||
| ## Related issues | ||
|
|
||
| https://redmine.openinfosecfoundation.org/issues/7044 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| alert dcerpc any any -> any any (msg:"Test Alert 1"; sid:1; flow:established,to_client; dcerpc.stub_data; bsize:2124;) | ||
| alert dcerpc any any -> any any (msg:"Test Alert 2"; sid:2; flow:established,to_server; dcerpc.stub_data; bsize:2148; dcerpc.opnum: 9;) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| pcap: ../truncate-applayer-test-01/input.pcap | ||
|
|
||
| args: | ||
| - -k none | ||
|
|
||
| checks: | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 1 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: alert | ||
| alert.signature_id: 2 | ||
| - filter: | ||
| count: 1 | ||
| match: | ||
| event_type: dcerpc | ||
| pcap_cnt: 40 | ||
| dcerpc.request: "REQUEST" | ||
| dcerpc.response: "RESPONSE" | ||
| dcerpc.call_id: 5360 |