detect/ipopts: IP option tests

jlucovsky · Mar 21, 2024 · 6be2b7b · 6be2b7b
1 parent cb53504
commit 6be2b7b
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 0 deletions.
diff --git a/tests/detect-ipopts/README b/tests/detect-ipopts/README
@@ -0,0 +1,12 @@
+Test the IP options. There's already a test for the extended security option; the following IP options are
+tested:
+- Record Route "rr"
+- Loose source route "lsrr"
+- EOL "eol"
+- NOP "nop"
+- Timestamp "ts"
+- Security "sec"
+- Strict source route "ssrr"
+- Stream id "satid"
+
+The pcap was generated using ipopt.py
diff --git a/tests/detect-ipopts/input.pcap b/tests/detect-ipopts/input.pcap
diff --git a/tests/detect-ipopts/ipopt.py b/tests/detect-ipopts/ipopt.py
@@ -0,0 +1,27 @@
+from scapy.all import *
+from scapy.layers.inet import IP
+
+
+def main():
+    ip_option_list = {
+        "rr": [IPOption_RR(), "Record route"],
+        "lsrr": [IPOption_LSRR(routers=["1.2.3.4", "5.6.7.8"]), "Loose source route"],
+        "eol": [IPOption_EOL(), "EOL"],
+        "nop": [IPOption_NOP(), "NOP"],
+        "ts": [IPOption_Timestamp(flg=0, length=8), "Timestamp"],
+        "sec": [IPOption_Security(transmission_control_code="XYZ"), "Security"],
+        "ssrr": [IPOption_SSRR(routers=["1.1.1.1", "8.8.8.8"]), "Strict source route"],
+        "satid": [IPOption_Stream_Id(), "Stream id"],
+    }
+
+    # Create and send a packet for each IP option
+    src_ip = "9.10.11.12"
+    dst_ip = "13.14.15.16"
+    for option in ip_option_list:
+        print(f"Creating packet with ip option {option}")
+        packet = IP(src=src_ip, dst=dst_ip, options=ip_option_list[option][0]) / TCP()
+        wrpcap("input.pcap", packet, append=True)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/tests/detect-ipopts/test.rules b/tests/detect-ipopts/test.rules
@@ -0,0 +1,10 @@
+alert ip any any -> any any (msg:"RR option set"; ipopts:rr; sid: 1;)
+alert ip any any -> any any (msg:"LSRR option set"; ipopts:lsrr; sid: 2;)
+alert ip any any -> any any (msg:"EOL option set"; ipopts:eol; sid: 3;)
+alert ip any any -> any any (msg:"NOP option set"; ipopts:nop; sid: 4;)
+alert ip any any -> any any (msg:"TS option set"; ipopts:ts; sid: 5;)
+alert ip any any -> any any (msg:"SEC option set"; ipopts:sec; sid: 6;)
+alert ip any any -> any any (msg:"SSRR option set"; ipopts:ssrr; sid: 7;)
+alert ip any any -> any any (msg:"SID option set"; ipopts:satid; sid: 8;)
+# covered in ipopts-sec
+#alert ip any any <> any any (msg:"ESEC option set"; ipopts:esec; sid: 42;)
diff --git a/tests/detect-ipopts/test.yaml b/tests/detect-ipopts/test.yaml
@@ -0,0 +1,44 @@
+args:
+  - --set stream.midstream=true -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 8