diff --git a/tests/smb-inspection-7863/README.md b/tests/smb-inspection-7863/README.md
new file mode 100644
index 000000000..1108996f6
--- /dev/null
+++ b/tests/smb-inspection-7863/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test that inspection of SMB is performed on completion of every request/response
+irrespective of the stream chunk size setting.
+
+## PCAP
+
+https://forum.suricata.io/t/applayer-and-flowbits-issues/5912
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7863
diff --git a/tests/smb-inspection-7863/input.pcap b/tests/smb-inspection-7863/input.pcap
new file mode 100644
index 000000000..4722dc451
Binary files /dev/null and b/tests/smb-inspection-7863/input.pcap differ
diff --git a/tests/smb-inspection-7863/test.rules b/tests/smb-inspection-7863/test.rules
new file mode 100644
index 000000000..09e21f794
--- /dev/null
+++ b/tests/smb-inspection-7863/test.rules
@@ -0,0 +1,5 @@
+alert dcerpc any any -> any any (msg:"dcerpc uuid [lsarpc]"; flow:established, to_server; dcerpc.iface:12345778-1234-abcd-ef00-0123456789ab; flowbits:set,lsarpc; sid:1; rev:1;)
+
+alert smb any any -> any any (msg:"smb uuid [lsarpc]"; flow:established, to_server; content:"SMB"; content:"|05 00 0b|"; distance:0; content:"|78 57 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; flowbits:set,lsarpc; sid:2; rev:1;)
+
+alert smb any any -> any any (msg:"DPAPI Backup Key Extraction"; flow:established, to_server; content:"B|00|C|00|K|00|U|00|P|00|K|00|E|00|Y"; flowbits:isset,lsarpc; sid:3; rev:1;)
diff --git a/tests/smb-inspection-7863/test.yaml b/tests/smb-inspection-7863/test.yaml
new file mode 100644
index 000000000..246f24fc1
--- /dev/null
+++ b/tests/smb-inspection-7863/test.yaml
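Review bot: sid:2 gives no hint that its 16-byte hex content is the same lsarpc interface UUID that sid:1 matches with `dcerpc.iface`, only written in DCERPC wire (little-endian) byte order, and that `|05 00 0b|` followed by `distance:29` anchors it on the abstract-syntax UUID field of a bind PDU; a reader has to decode the bytes to see that the two rules are two detection paths for one thing. A comment above the rule would make that explicit, e.g. `# sid 2: same lsarpc UUID as sid 1, matched as raw little-endian bytes at the bind PDU's abstract syntax field (no dcerpc parser involved)`. Since test.yaml expects 7 alerts for sid 1 but only 2 for sid 2, the two paths evidently fire on different PDUs; a sentence on why that is expected (presumably sid 2 only sees the bind, while sid 1 sees every request on the bound interface — confirm against the PCAP) would also belong in that comment or the README.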
@@ -0,0 +1,21 @@
+requires:
+ min-version: 9
+
+args:
+ - -k none
+ - --set stream.reassembly.toserver-chunk-size=15560
+
+checks:
+ - filter:
+ count: 7
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 2
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 3
+ match:
+ alert.signature_id: 3
+
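Review bot: The `--set stream.reassembly.toserver-chunk-size=15560` line is the whole point of this regression test, yet nothing records why that specific value was chosen or what it has to be relative to the traffic in input.pcap, so a later "cleanup" could change it and silently turn the test into a no-op. A comment on the line would pin the intent, e.g. `# chunk size that reproduced the missed SMB inspection in issue 7863; the expected counts below depend on it — do not change without re-checking the PCAP`. It is also worth stating that the test pins one reproduction rather than the README's general claim of "irrespective of the chunk size setting"; presumably the value is large enough that a request/response completes mid-chunk (confirm), which is what sid 3's flowbits:isset match is meant to prove.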