def test_traffic_stream_loss(self):
myrpkt = RulePkt("to server", "/abcdef/i", 0, 8, 10, False, False)
mytsrule = TrafficStreamRule('tcp', '1.1.1', '2.2.2', '[100:200]',
'[10,20,30,40,50]', -1, 4, False, True,
False, False, 0, 50)
mytsrule.addPktRule(myrpkt)
myConfig = SnifflesConfig()
myConfig.setPktLength(10)
myConfig.setPktsPerStream(1)
myConfig.setTCPACK(True)
myConfig.setTCPHandshake(True)
myConfig.setFullMatch(True)
myts = rtgen.TrafficStream(mytsrule, myConfig)
mypkt = myts.getNextPacket()
myseq = mypkt.transport_hdr.get_seq_num()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.SYN)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
(rtgen.SYN + rtgen.ACK))
while myts.hasPackets():
mypkt = myts.getNextPacket()
if mypkt.get_content() is None or \
mypkt.get_content().get_size() == 0:
self.assertIn(mypkt.transport_hdr.get_ack_num(), [
myseq + 1, myseq + 11, myseq + 21, myseq + 31, myseq + 41,
myseq + 51, myseq + 61, myseq + 71, myseq + 81
])
else:
self.assertEqual(mypkt.get_content().get_size(), 10)
def test_traffic_stream_frags(self):
myrpkt = RulePkt("to client", "/abcdef/i", 3, 2, 500, True, True)
mytsrule = TrafficStreamRule('tcp', '1.1.1', '2.2.2', '[100:200]',
'[10,20,30,40,50]', -1, 4, False, True,
True)
mytsrule.addPktRule(myrpkt)
myConfig = SnifflesConfig()
myConfig.setPktLength(500)
myConfig.setIPV6Percent(0)
myConfig.setTCPACK(True)
myConfig.setTCPHandshake(True)
myConfig.setTCPTeardown(True)
myConfig.setFullMatch(True)
myts = rtgen.TrafficStream(mytsrule, myConfig)
mypkt = myts.getNextPacket()
myseq = mypkt.transport_hdr.get_seq_num()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.SYN)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
(rtgen.SYN + rtgen.ACK))
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
self.assertEqual(mypkt.transport_hdr.get_seq_num(), myseq + 1)
mypkt = myts.getNextPacket()
self.assertNotEqual(mypkt.network_hdr.get_frag_id(), 0)
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.get_size(), [202, 218])
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.get_size(), 54)
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertNotEqual(mypkt.network_hdr.get_frag_id(), 0)
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.get_size(), [202, 218])
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
mypkt = myts.getNextPacket()
self.assertIn(mypkt.network_hdr.get_frag_offset(), [8192, 8213, 42])
self.assertIn(mypkt.get_size(), [202, 218])
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.get_size(), 54)
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
def test_snort_rule_w_pkt_p_stream_set_w_ack(self):
myparser = SnortRuleParser()
myparser.parseRule(r'alert tcp $EXTERNAL_NET any -> '
r'$HOME_NET $rtgen.HTTP_PORTS (msg:"test1-1";'
r' flow:to_server,established; content:'
r'"work.Method.denyExecution"; nocase; '
r'http_uri; content:"u0023"; nocase; http_uri;'
r' sid:1;')
sconf = SnifflesConfig()
sconf.setPktsPerStream(7)
sconf.setTCPACK(True)
self.assertEqual(7, sconf.getPktsPerStream())
myrule = myparser.getRules()[0]
mycon = rtgen.Conversation(myrule, sconf)
self.assertEqual(1, mycon.getNumberOfStreams())
count = 0
while mycon.getNextPacket():
count += 1
self.assertEqual(14, count)
def test_traffic_stream_rand(self):
myts = rtgen.TrafficStream()
self.assertEqual(myts.hasPackets(), True)
myp = myts.getNextPacket()
self.assertNotEqual(myp.get_size(), 0)
myConfig = SnifflesConfig()
myConfig.setPktLength(100)
myConfig.setPktsPerStream(5)
myts = rtgen.TrafficStream(None, myConfig)
mycount = 0
while myts.hasPackets():
mypkt = myts.getNextPacket()
if mypkt.get_proto() == 'tcp':
self.assertEqual(mypkt.get_size(), 154)
elif mypkt.get_proto() == 'udp':
self.assertEqual(mypkt.get_size(), 142)
elif mypkt.get_proto() == 'icmp':
self.assertEqual(mypkt.get_size(), 142)
mycount += 1
self.assertEqual(mycount, 5)
myConfig = SnifflesConfig()
myConfig.setPktLength(200)
myConfig.setPktsPerStream(1)
myConfig.setTCPACK(True)
myConfig.setTCPHandshake(True)
myConfig.setTCPTeardown(True)
myts = rtgen.TrafficStream(None, myConfig)
mypkt = myts.getNextPacket()
while mypkt.get_proto() != 'tcp':
myts = rtgen.TrafficStream(None, myConfig)
mypkt = myts.getNextPacket()
myseq = mypkt.transport_hdr.get_seq_num()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.SYN)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
(rtgen.SYN + rtgen.ACK))
myack = mypkt.transport_hdr.get_seq_num()
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
self.assertEqual(mypkt.transport_hdr.get_seq_num(), myseq + 1)
self.assertEqual(mypkt.transport_hdr.get_ack_num(), myack + 1)
self.assertEqual(mypkt.get_size(), 254)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_ack_num(), (myseq + 201))
self.assertEqual(mypkt.get_size(), 54)
self.assertEqual(mypkt.get_content().get_size(), 0)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
rtgen.FIN + rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(),
rtgen.FIN + rtgen.ACK)
mypkt = myts.getNextPacket()
self.assertEqual(mypkt.transport_hdr.get_flags(), rtgen.ACK)