diff --git a/tests/dcerpc-request-http-response/README.md b/tests/dcerpc-request-http-response/README.md
new file mode 100644
index 000000000..23d917ed1
--- /dev/null
+++ b/tests/dcerpc-request-http-response/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+This test is a conversion of an applayer unittest that comprised of a dcerpc
+request followed by an HTTP response.
+
+## PCAP
+
+PCAP was created with the Scapy script checked in.
+
+## Related issues
+
+None
diff --git a/tests/dcerpc-request-http-response/input.pcap b/tests/dcerpc-request-http-response/input.pcap
new file mode 100644
index 000000000..e7d410b1b
Binary files /dev/null and b/tests/dcerpc-request-http-response/input.pcap differ
diff --git a/tests/dcerpc-request-http-response/test.yaml b/tests/dcerpc-request-http-response/test.yaml
new file mode 100644
index 000000000..508adaaf3
--- /dev/null
+++ b/tests/dcerpc-request-http-response/test.yaml
@@ -0,0 +1,12 @@
+args:
+- -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: dcerpc
+        app_proto_tc: http
+        tcp.psh: true
+        tcp.ack: true
diff --git a/tests/dcerpc-request-http-response/writepcap.py b/tests/dcerpc-request-http-response/writepcap.py
new file mode 100644
index 000000000..ccbe818a7
--- /dev/null
+++ b/tests/dcerpc-request-http-response/writepcap.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+load_layer("http")
+load_layer("dcerpc")
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='AP',seq=2,ack=1001,window=65535)/DceRpc(ptype=0, call_id=1)/"\x00\x00\x0b\x00\x09\x00\x45\x00"
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=26,window=65535)/HTTP()/HTTPResponse()
+#pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2,window=65535)/HTTP()/HTTPResponse() ## This works. Why?
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=26,ack=1076,window=65535)
+
+wrpcap('input.pcap', pkts)
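Review bot: The sequence/ack numbers on the last three packets (`ack=26`, `seq=26`, `ack=1076`) are hand-computed from Scapy's default serialization of `DceRpc(ptype=0, call_id=1)` plus the 8-byte stub and of `HTTP()/HTTPResponse()`, so a change in those defaults would silently regenerate a pcap with an inconsistent stream and nothing in this script would report it. Deriving the lengths from the built layers with `len(bytes(...))` keeps the stream self-consistent, and writing the stub as a bytes literal `b"\x00\x00\x0b\x00\x09\x00\x45\x00"` avoids depending on Scapy's str-to-bytes coercion under the `python` shebang. The commented-out response line ending in `## This works. Why?` leaves an unanswered debugging question in committed code; either record the answer in the README or drop the line.
```python
# … unchanged: shebang, import, pkts = [], load_layer() calls, SYN / SYN-ACK packets …
client = Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')
server = Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')

# Build the payloads once so the TCP bookkeeping follows their real length.
request = DceRpc(ptype=0, call_id=1)/b"\x00\x00\x0b\x00\x09\x00\x45\x00"
response = HTTP()/HTTPResponse()
req_len = len(bytes(request))
resp_len = len(bytes(response))

pkts += client/TCP(dport=8080,sport=12345,flags='AP',seq=2,ack=1001,window=65535)/request
pkts += server/TCP(sport=8080,dport=12345,flags='AP',seq=1001,ack=2+req_len,window=65535)/response
pkts += client/TCP(dport=8080,sport=12345,flags='A',seq=2+req_len,ack=1001+resp_len,window=65535)

wrpcap('input.pcap', pkts)
```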