diff --git a/tests/ipv4-defrag-overlaps/test_407/README.md b/tests/ipv4-defrag-overlaps/test_407/README.md
new file mode 100644
index 000000000..fac9abd55
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_407/README.md
@@ -0,0 +1,17 @@
+# Test Description
+Test the triplet of overlapping fragments (Oi,Di,O), illustrated bellow.
+
+![](./test_407.pdf)
+
+## PCAP
+Created with PYROLYSE (https://github.com/ANSSI-FR/pyrolyse)
+
+## Redmine-related Tickets
+https://redmine.openinfosecfoundation.org/issues/6668
+https://redmine.openinfosecfoundation.org/issues/6673
+The tested Suricata versions reassemble the triplet of overlapping fragments (Oi,Di,O) with a data hole: 001000no001001nn001002nm........000004ok. Consequently, Suricata is blind between fragment offsets 4 and 5 here.
+
+
+## Read more about overlapping data-related issues
+https://arxiv.org/pdf/2504.21618
+https://arxiv.org/pdf/2508.00735
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_407/suricata.yaml b/tests/ipv4-defrag-overlaps/test_407/suricata.yaml
new file mode 100644
index 000000000..49540bda3
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_407/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_407/test.rules b/tests/ipv4-defrag-overlaps/test_407/test.rules
new file mode 100644
index 000000000..6209079cb
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_407/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> 192.168.10.63 any (msg:"Bad keyword 000004ok detected !!!"; content:"000004ok"; classtype:bad-unknown; sid:1; rev:7; )
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_407/test.yaml b/tests/ipv4-defrag-overlaps/test_407/test.yaml
new file mode 100644
index 000000000..e8424d46a
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_407/test.yaml
@@ -0,0 +1,12 @@
+# *** Add configuration here ***
+
+requires:
+ min-version: 9
+
+args:
+- -k none
+
+checks:
+- shell:
+ args: grep '"payload_printable":".*\.\.\.\.\.\.\.\..*"' eve.json | wc -l | xargs
+ expect: 0
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_407/test_407.pcap b/tests/ipv4-defrag-overlaps/test_407/test_407.pcap
new file mode 100644
index 000000000..f63105c59
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_407/test_407.pcap differ
diff --git a/tests/ipv4-defrag-overlaps/test_407/test_407.pdf b/tests/ipv4-defrag-overlaps/test_407/test_407.pdf
new file mode 100644
index 000000000..d3ae31764
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_407/test_407.pdf differ
diff --git a/tests/ipv4-defrag-overlaps/test_428/README.md b/tests/ipv4-defrag-overlaps/test_428/README.md
new file mode 100644
index 000000000..cc77880ae
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_428/README.md
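Review bot: The only check in test.yaml, the `grep ... | wc -l` pipeline expected to print 0, passes vacuously when Suricata logs no alert at all — a rule that fails to load, a defrag change that drops the whole datagram, or a missing eve.json (grep fails, `wc -l` still prints 0) are all reported as success, so a regression in the very reassembly path under test would go unnoticed. The test should first pin that the 000004ok rule (sid:1 in this directory's test.rules) fires exactly once, and only then assert that the printable payload carries no eight-dot hole. Note also that payload_printable renders every non-printable byte as `.`, so the eight-dot pattern is a proxy that relies on the PYROLYSE payload being all-printable ASCII; a one-line comment above the shell check such as `# 8 consecutive dots = 8 unprintable bytes = the reassembly hole described in README.md` would make that assumption explicit. Adding a suricata-verify `filter` check ahead of the shell check covers the first point:
```yaml
checks:
- filter:
    count: 1
    match:
      event_type: alert
      alert.signature_id: 1
- shell:
    # … unchanged: grep for the eight-dot hole in payload_printable, expect 0 …
```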
@@ -0,0 +1,17 @@
+# Test Description
+Test the triplet of overlapping fragments (Oi,O,O), illustrated bellow.
+
+![](./test_428.pdf)
+
+## PCAP
+Created with PYROLYSE (https://github.com/ANSSI-FR/pyrolyse)
+
+## Redmine-related Tickets
+https://redmine.openinfosecfoundation.org/issues/6668
+https://redmine.openinfosecfoundation.org/issues/6673
+The tested Suricata versions reassemble the triplet of overlapping fragments (Oi,O,O) with a data hole: 001000no001001nn001002nm........000004ok. Consequently, Suricata is blind between fragment offsets 4 and 5 here.
+
+
+## Read more about overlapping data-related issues
+https://arxiv.org/pdf/2504.21618
+https://arxiv.org/pdf/2508.00735
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_428/suricata.yaml b/tests/ipv4-defrag-overlaps/test_428/suricata.yaml
new file mode 100644
index 000000000..49540bda3
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_428/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_428/test.rules b/tests/ipv4-defrag-overlaps/test_428/test.rules
new file mode 100644
index 000000000..add3e72c2
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_428/test.rules
@@ -0,0 +1,2 @@
+alert icmp any any -> 192.168.10.63 any (msg:"Bad keyword 000004ok detected !!!"; content:"000004ok"; classtype:bad-unknown; sid:9; rev:7; )
+
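Review bot: This rule carries `sid:9` while the otherwise identical rules added for test_407, test_430 and test_435 all use `sid:1`; nothing keys on the signature id today, so the mismatch is harmless, but it will break the first filter check that matches on `alert.signature_id` and copies the sibling tests, so `sid:1; rev:7;` would keep the four directories interchangeable. This file also ends with an extra empty line (`+1,2`) that test_407's and test_435's rules files do not have; one form across the series would be cleaner.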
diff --git a/tests/ipv4-defrag-overlaps/test_428/test.yaml b/tests/ipv4-defrag-overlaps/test_428/test.yaml
new file mode 100644
index 000000000..e8424d46a
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_428/test.yaml
@@ -0,0 +1,12 @@
+# *** Add configuration here ***
+
+requires:
+ min-version: 9
+
+args:
+- -k none
+
+checks:
+- shell:
+ args: grep '"payload_printable":".*\.\.\.\.\.\.\.\..*"' eve.json | wc -l | xargs
+ expect: 0
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_428/test_428.pcap b/tests/ipv4-defrag-overlaps/test_428/test_428.pcap
new file mode 100644
index 000000000..03940d139
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_428/test_428.pcap differ
diff --git a/tests/ipv4-defrag-overlaps/test_428/test_428.pdf b/tests/ipv4-defrag-overlaps/test_428/test_428.pdf
new file mode 100644
index 000000000..d59a78ca9
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_428/test_428.pdf differ
diff --git a/tests/ipv4-defrag-overlaps/test_430/README.md b/tests/ipv4-defrag-overlaps/test_430/README.md
new file mode 100644
index 000000000..fb47b40d5
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_430/README.md
@@ -0,0 +1,17 @@
+# Test Description
+Test the triplet of overlapping fragments (Oi,O,S), illustrated bellow.
+
+![](./test_430.pdf)
+
+## PCAP
+Created with PYROLYSE (https://github.com/ANSSI-FR/pyrolyse)
+
+## Redmine-related Tickets
+https://redmine.openinfosecfoundation.org/issues/6668
+https://redmine.openinfosecfoundation.org/issues/6673
+The tested Suricata versions reassemble the triplet of overlapping fragments (Oi,O,S) with a data hole: 001000no001001nn........000003ol. Consequently, Suricata is blind between fragment offsets 3 and 4 here.
+
+
+## Read more about overlapping data-related issues
+https://arxiv.org/pdf/2504.21618
+https://arxiv.org/pdf/2508.00735
\ No newline at end of file
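Review bot: test_428's test.yaml has the same blind spot as the other test.yaml files in this change: the `grep ... | wc -l` check alone prints 0 — and the test passes — when no alert is logged at all, so a rule that fails to load or a defrag regression that discards the datagram entirely is reported as success. Pin the alert first with a filter check, for example `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 9}}` placed above the shell check (this directory's test.rules uses sid:9, unlike sid:1 in the sibling tests, so the id must be kept in sync with whichever one is chosen), and keep the shell check as the hole detector.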
diff --git a/tests/ipv4-defrag-overlaps/test_430/suricata.yaml b/tests/ipv4-defrag-overlaps/test_430/suricata.yaml
new file mode 100644
index 000000000..0206b1b89
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_430/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/ipv4-defrag-overlaps/test_430/test.rules b/tests/ipv4-defrag-overlaps/test_430/test.rules
new file mode 100644
index 000000000..1e1a0d7fe
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_430/test.rules
@@ -0,0 +1,2 @@
+alert icmp any any -> 192.168.10.63 any (msg:"Bad keyword 000003ol detected !!!"; content:"000003ol"; classtype:bad-unknown; sid:1; rev:7; )
+
diff --git a/tests/ipv4-defrag-overlaps/test_430/test.yaml b/tests/ipv4-defrag-overlaps/test_430/test.yaml
new file mode 100644
index 000000000..e8424d46a
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_430/test.yaml
@@ -0,0 +1,12 @@
+# *** Add configuration here ***
+
+requires:
+ min-version: 9
+
+args:
+- -k none
+
+checks:
+- shell:
+ args: grep '"payload_printable":".*\.\.\.\.\.\.\.\..*"' eve.json | wc -l | xargs
+ expect: 0
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_430/test_430.pcap b/tests/ipv4-defrag-overlaps/test_430/test_430.pcap
new file mode 100644
index 000000000..eea8dbd5f
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_430/test_430.pcap differ
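Review bot: test_430's test.yaml only asserts that zero alerts contain an eight-dot hole, which is also what it sees when Suricata produces no alert at all — the 000003ol rule failing to load, or the datagram never being reassembled, both yield `0` from `wc -l` and a green test. The check that makes the test meaningful is a preceding `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 1}}`, so that a lost alert fails the test instead of silently satisfying the grep. The README for this directory says the hole is between offsets 3 and 4, so the eight-dot proxy is fine as long as the PYROLYSE payload stays all-printable; a short comment above the shell check stating that assumption would help whoever regenerates the pcap.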
diff --git a/tests/ipv4-defrag-overlaps/test_430/test_430.pdf b/tests/ipv4-defrag-overlaps/test_430/test_430.pdf
new file mode 100644
index 000000000..24bcbe543
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_430/test_430.pdf differ
diff --git a/tests/ipv4-defrag-overlaps/test_435/README.md b/tests/ipv4-defrag-overlaps/test_435/README.md
new file mode 100644
index 000000000..33baf432b
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_435/README.md
@@ -0,0 +1,17 @@
+# Test Description
+Test the triplet of overlapping fragments (Oi,Si,O), illustrated bellow.
+
+![](./test_435.pdf)
+
+## PCAP
+Created with PYROLYSE (https://github.com/ANSSI-FR/pyrolyse)
+
+## Redmine-related Tickets
+https://redmine.openinfosecfoundation.org/issues/6668
+https://redmine.openinfosecfoundation.org/issues/6673
+The tested Suricata versions reassemble the triplet of overlapping fragments (Oi,Si,O) with a data hole: 001000no001001nn........000003ol. Consequently, Suricata is blind between fragment offsets 3 and 4 here.
+
+
+## Read more about overlapping data-related issues
+https://arxiv.org/pdf/2504.21618
+https://arxiv.org/pdf/2508.00735
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_435/suricata.yaml b/tests/ipv4-defrag-overlaps/test_435/suricata.yaml
new file mode 100644
index 000000000..0206b1b89
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_435/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes # enable dumping payload in Base64
+ payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: yes # enable dumping of packet (without stream segments)
diff --git a/tests/ipv4-defrag-overlaps/test_435/test.rules b/tests/ipv4-defrag-overlaps/test_435/test.rules
new file mode 100644
index 000000000..d7aca81a4
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_435/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> 192.168.10.63 any (msg:"Bad keyword 000003ol detected !!!"; content:"000003ol"; classtype:bad-unknown; sid:1; rev:7; )
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_435/test.yaml b/tests/ipv4-defrag-overlaps/test_435/test.yaml
new file mode 100644
index 000000000..e8424d46a
--- /dev/null
+++ b/tests/ipv4-defrag-overlaps/test_435/test.yaml
@@ -0,0 +1,12 @@
+# *** Add configuration here ***
+
+requires:
+ min-version: 9
+
+args:
+- -k none
+
+checks:
+- shell:
+ args: grep '"payload_printable":".*\.\.\.\.\.\.\.\..*"' eve.json | wc -l | xargs
+ expect: 0
\ No newline at end of file
diff --git a/tests/ipv4-defrag-overlaps/test_435/test_435.pcap b/tests/ipv4-defrag-overlaps/test_435/test_435.pcap
new file mode 100644
index 000000000..7f77627c0
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_435/test_435.pcap differ
diff --git a/tests/ipv4-defrag-overlaps/test_435/test_435.pdf b/tests/ipv4-defrag-overlaps/test_435/test_435.pdf
new file mode 100644
index 000000000..1473ec081
Binary files /dev/null and b/tests/ipv4-defrag-overlaps/test_435/test_435.pdf differ
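Review bot: As in the three sibling directories, test_435's test.yaml cannot distinguish "reassembled without a hole" from "never alerted": the shell check expects `0` from `grep ... | wc -l`, and that is exactly what an unloaded rule, a dropped datagram or a missing eve.json also produce. Add `- filter: {count: 1, match: {event_type: alert, alert.signature_id: 1}}` before the shell check so the 000003ol alert is required to exist, and the eight-dot grep then only has to decide whether the logged payload is complete. The four test.yaml files are byte-identical (same blob e8424d46a), so whichever form is adopted should be applied to all of them in one go.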