diff --git a/tests/dcerpc-request-http-response/README.md b/tests/dcerpc-request-http-response/README.md
new file mode 100644
index 000000000..23d917ed1
--- /dev/null
+++ b/tests/dcerpc-request-http-response/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test is a conversion of an applayer unittest that comprised of a dcerpc
+request followed by an HTTP response.
+
+## PCAP
+
+PCAP was created with the Scapy script checked in.
+
+## Related issues
+
+None
diff --git a/tests/dcerpc-request-http-response/input.pcap b/tests/dcerpc-request-http-response/input.pcap
new file mode 100644
index 000000000..8b1b16bd9
Binary files /dev/null and b/tests/dcerpc-request-http-response/input.pcap differ
diff --git a/tests/dcerpc-request-http-response/test.yaml b/tests/dcerpc-request-http-response/test.yaml
new file mode 100644
index 000000000..81174628b
--- /dev/null
+++ b/tests/dcerpc-request-http-response/test.yaml
@@ -0,0 +1,12 @@
+args:
+- -k none
+- --set stream.midstream=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: dcerpc
+        tcp.psh: true
+        tcp.ack: true
diff --git a/tests/dcerpc-request-http-response/writepcap.py b/tests/dcerpc-request-http-response/writepcap.py
new file mode 100644
index 000000000..5d2760478
--- /dev/null
+++ b/tests/dcerpc-request-http-response/writepcap.py
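Review bot: The check pins only `app_proto: dcerpc` on the single flow record, so it never exercises the half of the scenario the README names, the HTTP response travelling to-client after a DCERPC request. If the original unittest asserted that the mismatching response must not change the flow's detected protocol, add a match on the to-client side as well — if I read Suricata's flow log correctly it emits `app_proto_tc` when that side differs from `app_proto`, so assert its expected value (or its absence) after confirming against the unittest. `count: 1` with `event_type: flow` already isolates the only flow in the capture, so `tcp.psh`/`tcp.ack` add little; the to-client protocol is the assertion that would actually catch a regression here.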
@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/DceRpc()
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    IP(dst='5.6.7.8', src='1.2.3.4')/TCP(sport=63, dport=6666, flags='P''A')/HTTP()/HTTPResponse(Http_Version='HTTP/1.0', Status_Code='200', Reason_Phrase='OK', Content_Type='text/html', Content_Length=7)
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='A')
+
+wrpcap('input.pcap', pkts)
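Review bot: None of the three `TCP(...)` headers sets `seq`/`ack`, so every packet goes out with Scapy's defaults of 0 in both fields — the response does not acknowledge the request and the final ACK does not acknowledge the response — and the capture only yields a usable stream because `stream.midstream=true` tolerates the incoherence. Give each direction an explicit ISN and advance seq/ack by the payload lengths as below, then regenerate input.pcap, so the test stops depending on the stream engine's leniency. Separately, `HTTPResponse(..., Content_Length=7)` declares a 7-byte body that the packet does not carry; if the unittest's response had a body, append it (`/ b"..."`), otherwise drop the header — check against the original unittest. `flags='P''A'` relies on implicit literal concatenation; `flags='PA'` says the same thing without the trick.
```python
# … unchanged: shebang, imports, pkts = [], load_layer("http") …
eth = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')
req = DceRpc()
resp = HTTP()/HTTPResponse(Http_Version='HTTP/1.0', Status_Code='200', Reason_Phrase='OK', Content_Type='text/html', Content_Length=7)
c_seq, s_seq = 1000, 2000  # arbitrary but explicit ISNs for each direction
pkts += eth/IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='PA', seq=c_seq, ack=s_seq)/req
pkts += eth/IP(dst='5.6.7.8', src='1.2.3.4')/TCP(sport=63, dport=6666, flags='PA', seq=s_seq, ack=c_seq + len(req))/resp
pkts += eth/IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='A', seq=c_seq + len(req), ack=s_seq + len(resp))
# … unchanged: wrpcap('input.pcap', pkts) …
```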