added IPv4 ICMP type/code validation test
authorMichael Rash <mbr@cipherdyne.org>
Sat, 24 Mar 2012 01:58:19 +0000 (21:58 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Sat, 24 Mar 2012 01:58:19 +0000 (21:58 -0400)
test/scans/iptables/invalid_icmp_type_code [new file with mode: 0644]
test/test-psad.pl

diff --git a/test/scans/iptables/invalid_icmp_type_code b/test/scans/iptables/invalid_icmp_type_code
new file mode 100644 (file)
index 0000000..dc9ddc7
--- /dev/null
@@ -0,0 +1,6 @@
+Mar 23 21:29:27 minastirith kernel: [1503546.179768] ICMP IN=eth0 OUT= MAC=23:87:fc:c6:24:58:00:21:3f:98:99:78:09:00 SRC=192.168.10.55 DST=192.168.10.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=18443 PROTO=ICMP TYPE=8 CODE=2 ID=2158 SEQ=512
+Mar 23 21:29:28 minastirith kernel: [1503547.179937] ICMP IN=eth0 OUT= MAC=23:87:fc:c6:24:58:00:21:3f:98:99:78:09:00 SRC=192.168.10.55 DST=192.168.10.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=59523 PROTO=ICMP TYPE=8 CODE=2 ID=2158 SEQ=768
+Mar 23 21:29:29 minastirith kernel: [1503548.180078] ICMP IN=eth0 OUT= MAC=23:87:fc:c6:24:58:00:21:3f:98:99:78:09:00 SRC=192.168.10.55 DST=192.168.10.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=25427 PROTO=ICMP TYPE=8 CODE=2 ID=2158 SEQ=1024
+Mar 23 21:29:30 minastirith kernel: [1503549.180231] ICMP IN=eth0 OUT= MAC=23:87:fc:c6:24:58:00:21:3f:98:99:78:09:00 SRC=192.168.10.55 DST=192.168.10.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=43658 PROTO=ICMP TYPE=8 CODE=2 ID=2158 SEQ=1280
+Mar 23 21:29:31 minastirith kernel: [1503550.180389] ICMP IN=eth0 OUT= MAC=23:87:fc:c6:24:58:00:21:3f:98:99:78:09:00 SRC=192.168.10.55 DST=192.168.10.1 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=28135 PROTO=ICMP TYPE=8 CODE=2 ID=2158 SEQ=1536
+
index 3db2f38..a5c167d 100755 (executable)
@@ -20,6 +20,7 @@ my $udp_scan_file  = 'udp_scan_1000_1150';
 my $ipv6_connect_scan_file  = 'ipv6_tcp_connect_nmap_default_scan';
 my $ipv6_ping_scan_file = 'ipv6_ping_scan';
 my $ipv6_invalid_icmp6_type_code_file = 'ipv6_invalid_icmp6_type_code';
+my $ipv4_invalid_icmp6_type_code_file = 'invalid_icmp_type_code';
 my $ignore_ipv4_auto_dl_file = "$conf_dir/auto_dl_ignore_192.168.10.55";
 my $ignore_ipv4_subnet_auto_dl_file = "$conf_dir/auto_dl_ignore_192.168.10.0_24";
 my $ignore_ipv6_addr_auto_dl_file = "$conf_dir/auto_dl_ignore_ipv6_addr";
@@ -529,6 +530,20 @@ my @tests = (
         'exec_err'  => $NO,
         'fatal'     => $NO
     },
+    {
+        'category'  => 'operations',
+        'detail'    => 'IPv4 invalid ICMP type/code detection',
+        'err_msg'   => 'did not generate detection event',
+        'positive_output_matches' => [
+                qr/Invalid\sICMP/,
+                qr/SRC\:\s+192.168.10.55/],
+        'match_all' => $MATCH_ALL_RE,
+        'function'  => \&generic_exec,
+        'cmdline'   => "$psadCmd --test-mode -A -m $scans_dir/" .
+                &fw_type() . "/$ipv4_invalid_icmp6_type_code_file -c $default_conf",
+        'exec_err'  => $NO,
+        'fatal'     => $NO
+    },
 
     {
         'category'  => 'operations',
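Review bot: The new variable at line 25, `$ipv4_invalid_icmp6_type_code_file`, carries "icmp6" in its name although it points at the IPv4 fixture `invalid_icmp_type_code`, which reads like a copy of the `$ipv6_invalid_icmp6_type_code_file` line just above it; rename it `my $ipv4_invalid_icmp_type_code_file = 'invalid_icmp_type_code';` and update the `cmdline` entry in the second hunk to match. In that same test entry the match `qr/SRC\:\s+192.168.10.55/` leaves the dots unescaped, so it also accepts any single character between the octets; `qr/SRC:\s+192\.168\.10\.55/` pins the literal address (the `\:` escape is unnecessary). The `&fw_type()` call form presumably mirrors the other entries in this file, so it is fine to keep for consistency, but `fw_type()` is the plain-call spelling if the file is ever tidied. The enclosing `@tests` array starts before the hunk and continues past it.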