def test_traffic_stream_split(self):
myrpkt = RulePkt("to server", "/abcdefghij/", 0, 1, -1, False, False,
2)
mytsrule = TrafficStreamRule('tcp', '1.1.1', '2.2.2', '[100:200]',
'[10,20,30,40,50]', -1, 4, False)
mytsrule.addPktRule(myrpkt)
myConfig = SnifflesConfig()
myConfig.setFullMatch(True)
myts = rtgen.TrafficStream(mytsrule, myConfig)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
self.assertEqual(mypkt.get_content().get_size(), 5)
self.assertEqual(mypkt.get_content().get_data(), b'abcde')
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
self.assertNotEqual(mypkt.get_content().get_data(), b'abcde')
self.assertEqual(mypkt.get_content().get_data(), b'fghij')
self.assertEqual(mypkt.get_content().get_size(), 5)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt, None)
def test_traffic_stream_loss(self):
myrpkt = RulePkt("to server", "/abcdef/i", 0, 8, 10, False, False)
mytsrule = TrafficStreamRule('tcp', '1.1.1', '2.2.2', '[100:200]',
'[10,20,30,40,50]', -1, 4, False, True,
False, False, 0, 50)
mytsrule.addPktRule(myrpkt)
myConfig = SnifflesConfig()
myConfig.setPktLength(10)
myConfig.setPktsPerStream(1)
myConfig.setTCPACK(True)
myConfig.setTCPHandshake(True)
myConfig.setFullMatch(True)
myts = rtgen.TrafficStream(mytsrule, myConfig)
mypkt = myts.getNextPacket()
myseq = mypkt.transport_hdr.get_seq_num()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.SYN)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
(rtgen.SYN + rtgen.ACK))
while myts.hasPackets():
mypkt = myts.getNextPacket()
if mypkt.get_content() is None or \
mypkt.get_content().get_size() == 0:
self.assertIn(mypkt.transport_hdr.get_ack_num(), [
myseq + 1, myseq + 11, myseq + 21, myseq + 31, myseq + 41,
myseq + 51, myseq + 61, myseq + 71, myseq + 81
])
else:
self.assertEqual(mypkt.get_content().get_size(), 10)
def test_traffic_stream_frags(self):
myrpkt = RulePkt("to client", "/abcdef/i", 3, 2, 500, True, True)
mytsrule = TrafficStreamRule('tcp', '1.1.1', '2.2.2', '[100:200]',
'[10,20,30,40,50]', -1, 4, False, True,
True)
mytsrule.addPktRule(myrpkt)
myConfig = SnifflesConfig()
myConfig.setPktLength(500)
myConfig.setIPV6Percent(0)
myConfig.setTCPACK(True)
myConfig.setTCPHandshake(True)
myConfig.setTCPTeardown(True)
myConfig.setFullMatch(True)
myts = rtgen.TrafficStream(mytsrule, myConfig)
mypkt = myts.getNextPacket()
myseq = mypkt.transport_hdr.get_seq_num()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.SYN)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
(rtgen.SYN + rtgen.ACK))
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
self.assertEqual(mypkt.transport_hdr.get_seq_num(), myseq + 1)
mypkt = myts.getNextPacket()
self.assertNotEqual(mypkt.network_hdr.get_frag_id(), 0)
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.get_size(), [202, 218])
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.get_size(), 54)
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertNotEqual(mypkt.network_hdr.get_frag_id(), 0)
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.get_size(), [202, 218])
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.get_size(), 54)
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
def test_rule_no_content_options(self):
myparser = SnortRuleParser()
myparser.parseRule(r'alert tcp any any -> $HOME_NET any'
' (msg:"TCP rtgen.SYN packet";sid:1000002)')
myrule = myparser.getRules()[0]
self.assertNotEqual(myrule, None)
mytsrule = myrule.getTS()[0]
mytsrule.setLen(100)
myts = rtgen.TrafficStream(mytsrule, None, 1, 1)
self.assertNotEqual(myts, None)
self.assertEqual(myts.hasPackets(), True)
mypkt = myts.getNextPacket()
self.assertNotEqual(mypkt, None)
self.assertGreater(mypkt.get_size(), 100)
self.assertEqual(myts.hasPackets(), False)
def test_traffic_stream_split_too_large(self):
myrpkt = RulePkt("to server", "/12345/", 0, 1, -1, False, False, 200)
mytsrule = TrafficStreamRule('tcp', '1.1.1', '2.2.2', '[100:200]',
'[10,20,30,40,50]', -1, 4, False)
mytsrule.addPktRule(myrpkt)
myConfig = SnifflesConfig()
myts = rtgen.TrafficStream(mytsrule, myConfig)
for i in range(0, 5):
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
self.assertEqual(mypkt.get_content().get_size(), 1)
if i < 4:
self.assertIn(mypkt.get_content().get_data(),
[b'1', b'2', b'3', b'4', b'5'])
mypkt = myts.getNextPacket()
self.assertEqual(mypkt, None)
def test_tcp_overlap(self):
myurl = RuleList()
myurl.readRuleFile('tests/data_files/test_tcp_overlap.xml')
rules = myurl.getParsedRules()
self.assertEqual(len(rules), 1)
rules = myurl.getParsedRules()
tsrules = rules[0].getTS()
firstTSRule = tsrules[0]
self.assertEqual(firstTSRule.getTCPOverlap(), True)
self.assertEqual(firstTSRule.getHandshake(), True)
self.assertEqual(firstTSRule.getTeardown(), True)
myTS = rtgen.TrafficStream(firstTSRule)
pkt = myTS.getNextPacket()
initSeqClient = pkt.get_seq_num()
pkt = myTS.getNextPacket()
initSeqServer = pkt.get_seq_num()
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 1)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 7)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 12)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 18)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 24)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 30)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 36)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 43)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqServer, 1)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqServer, 1)
pkt = myTS.getNextPacket()
self.assertEqual(pkt.get_seq_num() - initSeqClient, 44)
def test_traffic_stream_rand(self):
myts = rtgen.TrafficStream()
self.assertEqual(myts.hasPackets(), True)
myp = myts.getNextPacket()
self.assertNotEqual(myp.get_size(), 0)
myConfig = SnifflesConfig()
myConfig.setPktLength(100)
myConfig.setPktsPerStream(5)
myts = rtgen.TrafficStream(None, myConfig)
mycount = 0
while myts.hasPackets():
mypkt = myts.getNextPacket()
if mypkt.get_proto() == 'tcp':
self.assertEqual(mypkt.get_size(), 154)
elif mypkt.get_proto() == 'udp':
self.assertEqual(mypkt.get_size(), 142)
elif mypkt.get_proto() == 'icmp':
self.assertEqual(mypkt.get_size(), 142)
mycount += 1
self.assertEqual(mycount, 5)
myConfig = SnifflesConfig()
myConfig.setPktLength(200)
myConfig.setPktsPerStream(1)
myConfig.setTCPACK(True)
myConfig.setTCPHandshake(True)
myConfig.setTCPTeardown(True)
myts = rtgen.TrafficStream(None, myConfig)
mypkt = myts.getNextPacket()
while mypkt.get_proto() != 'tcp':
myts = rtgen.TrafficStream(None, myConfig)
mypkt = myts.getNextPacket()
myseq = mypkt.transport_hdr.get_seq_num()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.SYN)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
(rtgen.SYN + rtgen.ACK))
myack = mypkt.transport_hdr.get_seq_num()
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
self.assertEqual(mypkt.transport_hdr.get_seq_num(), myseq + 1)
self.assertEqual(mypkt.transport_hdr.get_ack_num(), myack + 1)
self.assertEqual(mypkt.get_size(), 254)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_ack_num(), (myseq + 201))
self.assertEqual(mypkt.get_size(), 54)
self.assertEqual(mypkt.get_content().get_size(), 0)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
rtgen.FIN + rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
rtgen.FIN + rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)