diff --git a/tests/igmp/igmp-v1-v2-rgmp-01/README.md b/tests/igmp/igmp-v1-v2-rgmp-01/README.md
new file mode 100644
index 000000000..6e84f1431
--- /dev/null
+++ b/tests/igmp/igmp-v1-v2-rgmp-01/README.md
@@ -0,0 +1 @@
+Pcap from https://wiki.wireshark.org/IGMP
diff --git a/tests/igmp/igmp-v1-v2-rgmp-01/test.rules b/tests/igmp/igmp-v1-v2-rgmp-01/test.rules
new file mode 100644
index 000000000..c9cf8cf3e
--- /dev/null
+++ b/tests/igmp/igmp-v1-v2-rgmp-01/test.rules
@@ -0,0 +1,8 @@
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.hdr; content:"|ff|"; startswith; ttl:1; sid:1;)
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.type:0xff; ttl:1; sid:2;)
+alert igmp any any -> any any (msg:"IGMP with payload"; dsize:>0; sid:3;)
+alert igmp any any -> any any (msg:"IGMP with ttl > 1"; ttl:>1; sid:4;)
+alert igmp any any -> any any (msg:"IGMP with router alert"; ipopts:rtralt; sid:5;)
+alert igmp any any -> any any (msg:"IGMP w/o router alert"; ipv4.hdr; content:!"|94 04 00 00|"; offset:20; sid:6;)
+alert igmp any any -> any any (msg:"IGMP good csum"; igmp-csum:valid; sid:7;)
+alert igmp any any -> any any (msg:"IGMP bad csum"; igmp-csum:invalid; sid:8;)
diff --git a/tests/igmp/igmp-v1-v2-rgmp-01/test.yaml b/tests/igmp/igmp-v1-v2-rgmp-01/test.yaml
new file mode 100644
index 000000000..7d3605f3d
--- /dev/null
+++ b/tests/igmp/igmp-v1-v2-rgmp-01/test.yaml
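Review bot: sids 1 and 2 carry the identical `msg:"RGMP Hello"` although they exercise different keywords (`igmp.hdr; content:"|ff|"; startswith` versus `igmp.type:0xff`), so an alert in the EVE output cannot be attributed to one rule by its message and a future regression in one keyword would be harder to spot from the log alone. Suggest `msg:"RGMP Hello (igmp.hdr)"` for sid 1 and `msg:"RGMP Hello (igmp.type)"` for sid 2. A one-line header comment stating that sids 5/6 and 7/8 are complementary pairs whose alert counts are expected to sum to the decoder's IGMP packet count would make the count expectations in test.yaml easier to audit. The same file is added byte-identically (same blob c9cf8cf3e) as tests/igmp/igmp-v3-queries-01/test.rules, so the same applies there.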
@@ -0,0 +1,78 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ proto: "IGMP"
+ rgmp.type: 255
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ proto: "IGMP"
+ rgmp.type: 255
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 87
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ proto: "IGMP"
+ - filter:
+ count: 60
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ proto: "IGMP"
+ - filter:
+ count: 147
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ proto: "IGMP"
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ proto: "IGMP"
+ rgmp.type: 255
+ - filter:
+ count: 10
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ proto: "IGMP"
+ igmp.version: 1
+ - filter:
+ count: 118
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ proto: "IGMP"
+ igmp.version: 2
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ proto: "IGMP"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.igmp: 147
diff --git a/tests/igmp/igmp-v1-v2-rgmp-01/wireshark-wiki-IGMP-dataset.pcap b/tests/igmp/igmp-v1-v2-rgmp-01/wireshark-wiki-IGMP-dataset.pcap
new file mode 100644
index 000000000..72ebd44dd
Binary files /dev/null and b/tests/igmp/igmp-v1-v2-rgmp-01/wireshark-wiki-IGMP-dataset.pcap differ
diff --git a/tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.rules b/tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.rules
new file mode 100644
index 000000000..8fdf9f7f1
--- /dev/null
+++ b/tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.rules
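Review bot: Nothing in this file asserts the absence of IGMPv3 classification on this v1/v2/RGMP capture: the sid 7 breakdown (10 with igmp.version 1, 118 with version 2, 19 with rgmp.type 255) does sum to the 147 decoder count, but a regression that tagged some v2 packets as version 3 would only surface as a lower v2 count rather than as a directly named failure. Adding one more filter with `count: 0`, `alert.signature_id: 7` and `igmp.version: 3` — the mirror of the version-3 check in tests/igmp/igmp-v3-queries-01/test.yaml — pins that property. The sid 5 and sid 6 counts (87 + 60) likewise sum to 147, which is worth a one-line comment above those checks so the next editor knows the two are expected to partition the decoder total.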
@@ -0,0 +1,4 @@
+# IGMP
+alert igmp any any -> any any (msg:"SURICATA IGMP packet too small"; decode-event:igmp.pkt_too_small; classtype:protocol-command-decode; sid:2200127; rev:1;)
+alert igmp any any -> any any (msg:"SURICATA IGMPv3 packet too small"; decode-event:igmp.v3_pkt_too_small; classtype:protocol-command-decode; sid:2200128; rev:1;)
+alert igmp any any -> any any (msg:"SURICATA IGMP malformed packet"; decode-event:igmp.malformed; classtype:protocol-command-decode; sid:2200129; rev:1;)
diff --git a/tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.yaml b/tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.yaml
new file mode 100644
index 000000000..aa3e85097
--- /dev/null
+++ b/tests/igmp/igmp-v1-v2-rgmp-02-decoder-events/test.yaml
@@ -0,0 +1,29 @@
+requires:
+ min-version: 9
+
+pcap: ../igmp-v1-v2-rgmp-01/wireshark-wiki-IGMP-dataset.pcap
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2200127
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2200128
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2200129
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.igmp: 147
+ stats.decoder.event.igmp.pkt_too_small: 0
+ stats.decoder.event.igmp.v3_pkt_too_small: 0
+ stats.decoder.event.igmp.malformed: 0
diff --git a/tests/igmp/igmp-v3-queries-01/README.md b/tests/igmp/igmp-v3-queries-01/README.md
new file mode 100644
index 000000000..47f80934d
--- /dev/null
+++ b/tests/igmp/igmp-v3-queries-01/README.md
@@ -0,0 +1 @@
+Pcap from https://github.com/the-tcpdump-group/tcpdump/blob/master/tests/igmpv3-queries.pcap
diff --git a/tests/igmp/igmp-v3-queries-01/tcpdump-gh-igmpv3-queries.pcap b/tests/igmp/igmp-v3-queries-01/tcpdump-gh-igmpv3-queries.pcap
new file mode 100644
index 000000000..df653ce60
Binary files /dev/null and b/tests/igmp/igmp-v3-queries-01/tcpdump-gh-igmpv3-queries.pcap differ
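Review bot: Every check in the decoder-events test.yaml expects zero, so the test establishes only that a clean IGMPv1/v2/RGMP capture raises no igmp.pkt_too_small, igmp.v3_pkt_too_small or igmp.malformed events; nothing in the series exercises the positive path where those events and sids 2200127–2200129 actually fire, so a decoder change that silently stopped emitting them would still pass. A companion test driven by a short or malformed IGMP sample (placeholder: `tests/igmp/<new-test>/<short-igmp>.pcap`) with non-zero expectations for the relevant event counter would cover that. The test also depends on a pcap in a sibling directory via `pcap: ../igmp-v1-v2-rgmp-01/wireshark-wiki-IGMP-dataset.pcap` but has no README; a one-line README such as `Negative test: reuses the Wireshark wiki IGMP dataset from ../igmp-v1-v2-rgmp-01 and expects no IGMP decoder events` would document that cross-directory dependency before someone renames or moves the capture.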
diff --git a/tests/igmp/igmp-v3-queries-01/test.rules b/tests/igmp/igmp-v3-queries-01/test.rules
new file mode 100644
index 000000000..c9cf8cf3e
--- /dev/null
+++ b/tests/igmp/igmp-v3-queries-01/test.rules
@@ -0,0 +1,8 @@
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.hdr; content:"|ff|"; startswith; ttl:1; sid:1;)
+alert igmp any any -> 224.0.0.25 any (msg:"RGMP Hello"; igmp.type:0xff; ttl:1; sid:2;)
+alert igmp any any -> any any (msg:"IGMP with payload"; dsize:>0; sid:3;)
+alert igmp any any -> any any (msg:"IGMP with ttl > 1"; ttl:>1; sid:4;)
+alert igmp any any -> any any (msg:"IGMP with router alert"; ipopts:rtralt; sid:5;)
+alert igmp any any -> any any (msg:"IGMP w/o router alert"; ipv4.hdr; content:!"|94 04 00 00|"; offset:20; sid:6;)
+alert igmp any any -> any any (msg:"IGMP good csum"; igmp-csum:valid; sid:7;)
+alert igmp any any -> any any (msg:"IGMP bad csum"; igmp-csum:invalid; sid:8;)
diff --git a/tests/igmp/igmp-v3-queries-01/test.yaml b/tests/igmp/igmp-v3-queries-01/test.yaml
new file mode 100644
index 000000000..9a3d6f3d0
--- /dev/null
+++ b/tests/igmp/igmp-v3-queries-01/test.yaml
@@ -0,0 +1,64 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ proto: "IGMP"
+ rgmp.type: 255
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ proto: "IGMP"
+ rgmp.type: 255
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ proto: "IGMP"
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 6
+ proto: "IGMP"
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ proto: "IGMP"
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ alert.signature_id: 7
+ proto: "IGMP"
+ igmp.version: 3
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 8
+ proto: "IGMP"
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.igmp: 6