diff --git a/tests/truncate-applayer-test-01/README.md b/tests/truncate-applayer-test-01/README.md
new file mode 100644
index 000000000..9c66a9d24
--- /dev/null
+++ b/tests/truncate-applayer-test-01/README.md
@@ -0,0 +1,18 @@
+# Test Description
+
+This test demonstrates that if the stream reassembly depth is reached on one direction,
+it does not block the other side.
+For the given PCAP, to server direction reaches the depth and stops processing leading
+to no alert having been logged for a valid to server request in the stream which would
+be processed in case there was no depth (sid: 2).
+However, this does not stall the packets in other direction from being the processed,
+the response to the same request is still processed and a corresponding alert is logged
+(sid: 1).
+
+## PCAP
+
+tshark.dev
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7044
diff --git a/tests/truncate-applayer-test-01/input.pcap b/tests/truncate-applayer-test-01/input.pcap
new file mode 100644
index 000000000..2f7f92823
Binary files /dev/null and b/tests/truncate-applayer-test-01/input.pcap differ
diff --git a/tests/truncate-applayer-test-01/test.rules b/tests/truncate-applayer-test-01/test.rules
new file mode 100644
index 000000000..384b43433
--- /dev/null
+++ b/tests/truncate-applayer-test-01/test.rules
@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (msg:"Test Alert 1"; sid:1; flow:established,to_client; dcerpc.stub_data; bsize:2124;)
+alert dcerpc any any -> any any (msg:"Test Alert 2"; sid:2; flow:established,to_server; dcerpc.stub_data; bsize:2148; dcerpc.opnum: 9;)
+
diff --git a/tests/truncate-applayer-test-01/test.yaml b/tests/truncate-applayer-test-01/test.yaml
new file mode 100644
index 000000000..eaf82ee02
--- /dev/null
+++ b/tests/truncate-applayer-test-01/test.yaml
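Review bot: `dcerpc.opnum: 9` in the sid 2 rule carries a space after the colon while every other keyword in both rules (`sid:2`, `bsize:2148`, `flow:established,to_server`) does not; I cannot tell from here whether the opnum parser strips it, so I would not depend on lenient parsing and would write `dcerpc.opnum:9;` instead. The same two rules are added again byte-for-byte under tests/truncate-applayer-test-02/test.rules (same blob id 384b43433), so a later fix to one copy can silently leave the other behind; a line in each README stating that the two rule files must stay identical, or a reference from test-02 to test-01's rules if the harness allows it, would guard against that. Both rule hunks also end with an added empty line, which is harmless but looks unintended.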
@@ -0,0 +1,26 @@
+args:
+ - -k none --set stream.reassembly.depth=8kb
+
+requires:
+ min-version: 7
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ pcap_cnt: 46
+- filter:
+ count: 0 # because of the depth constraints
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: dcerpc
+ pcap_cnt: 40
+ dcerpc.request: "REQUEST_LOST"
+ dcerpc.response: "RESPONSE"
+ dcerpc.call_id: 5360
diff --git a/tests/truncate-applayer-test-02/README.md b/tests/truncate-applayer-test-02/README.md
new file mode 100644
index 000000000..fb5f2c3a4
--- /dev/null
+++ b/tests/truncate-applayer-test-02/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test demonstrates that the pcap is properly parsed and assessed in case
+there was ample stream reassembly depth (default in this case).
+
+## PCAP
+
+tshark.dev
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7044
diff --git a/tests/truncate-applayer-test-02/test.rules b/tests/truncate-applayer-test-02/test.rules
new file mode 100644
index 000000000..384b43433
--- /dev/null
+++ b/tests/truncate-applayer-test-02/test.rules
@@ -0,0 +1,3 @@
+alert dcerpc any any -> any any (msg:"Test Alert 1"; sid:1; flow:established,to_client; dcerpc.stub_data; bsize:2124;)
+alert dcerpc any any -> any any (msg:"Test Alert 2"; sid:2; flow:established,to_server; dcerpc.stub_data; bsize:2148; dcerpc.opnum: 9;)
+
diff --git a/tests/truncate-applayer-test-02/test.yaml b/tests/truncate-applayer-test-02/test.yaml
new file mode 100644
index 000000000..bec464e5d
--- /dev/null
+++ b/tests/truncate-applayer-test-02/test.yaml
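Review bot: The `count: 0` check on `alert.signature_id: 2` is satisfied by the intended depth truncation but equally by the sid 2 rule failing to load or the to-server side never reaching detection at all, so on its own it does not establish the behaviour the README claims. Unless the harness already fails the run on rule-load errors, the evidence that the to-server request was seen and deliberately cut off is the third check (`dcerpc.request: "REQUEST_LOST"` on `pcap_cnt: 40`), and the comment should point at it rather than the terse `# because of the depth constraints`, e.g. `count: 0 # sid 2 matches the to-server stub data; with stream.reassembly.depth=8kb that direction is truncated (see the REQUEST_LOST dcerpc check below)`. The `args` entry folds `-k none` and the `--set` override into one list item; a short comment above it recording how 8kb relates to the to-server volume in the pcap (it presumably has to fall below the point where the sid 2 request would be reassembled, to be confirmed against the capture) would keep the threshold maintainable when the pcap is replaced. The sid 1 check pins `pcap_cnt: 46` while the dcerpc check pins `pcap_cnt: 40`, and neither the yaml nor the README says why the alert lands six packets after the transaction is logged; a one-line comment there would save the next reader from re-deriving it.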
@@ -0,0 +1,24 @@
+pcap: ../truncate-applayer-test-01/input.pcap
+
+args:
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: dcerpc
+ pcap_cnt: 40
+ dcerpc.request: "REQUEST"
+ dcerpc.response: "RESPONSE"
+ dcerpc.call_id: 5360
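Review bot: This test has no `requires:` block while test-01, which uses the same rules and the same pcap, requires `min-version: 7`; if the `dcerpc.request`/`dcerpc.response` fields asserted in the third check or the `dcerpc.stub_data`/`dcerpc.opnum` keywords are not available on older releases, this test fails there instead of being skipped. Either add the same `requires:` block or state in the README why the default-depth case is expected to run on earlier versions. The two alert checks here pin only a count, whereas the sid 1 check in test-01 also pins `pcap_cnt: 46`; adding the packet numbers at which sid 1 and sid 2 fire would turn a regression that moves an alert to a different packet from a silent pass into a visible failure. `pcap: ../truncate-applayer-test-01/input.pcap` makes this test depend on test-01's capture; a note in the README that the pcap lives there would make that dependency discoverable.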