Snort mailing list archives
Re: File-inspect test automation framework and related issues
From: Russ <rucombs () cisco com>
Date: Mon, 25 Jan 2016 10:39:37 -0500
Hi - thanks for sharing this tool. We have something that we use internally but this is worth trying out.
I will forward this to bugs to address the ftp issue you mention. You may find some interest on snort-users too.
Russ

On 1/20/16 3:54 PM, Vladimir Kunschikov wrote:
Hello All, has anyone thought about automation of the Snort file-inspect tests? I want to introduce such a test framework for the file capture functionality of Snort. I hope it will be useful for error detection in further extension of the file-inspect preprocessor. This framework checks the equality of the files captured from traffic with the original files that were actually transferred. It is available at https://github.com/kunschikov/snort.robot.git/

I have been using this framework for quite a period. These tests have discovered that the overall level of file capturing is surprisingly good; but there are a number of issues in many protocols, especially in the SMB protocol support. I haven't got a positive SMB test yet. But other protocols have some issues too.

One of these issues was fixed in the 2.9.8.0 release: the HTTP parser's strictness while reading HTTP answers from an MS proxy server: there were trailing spaces after Content-Length.

Another issue is not fixed yet, and I've added a test for it: it is the 'ftp mp3' test. In this test I am trying to capture a file.mp3 file transfer. It is being captured with an error: the saved file has a different SHA checksum from the original one. This issue can be fixed in src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c, in the void SnortFTPData_EOF() function, by disabling the last flush of the stream and data processing. So it should look like

    void SnortFTPData_EOF(SFSnortPacket *p)
    {
        ...
        initFilePosition(&data_ssn->position,
                         _dpd.fileAPI->get_file_processed_size(p->stream_session));
        finalFilePosition(&data_ssn->position);
    }

I am going to add some SMB samples to this framework.

Adding new tests is quite easy: you should put the file which was transferred into the 'files' folder and the corresponding pcap into 'pcaps', and then add a line to file_inspect.robot.
For example, if you are checking `1.txt` transmission through an `HTTP` channel which was captured as 1.pcap, you should simply add the line

    Text sample pcap/http/1.pcap 1.txt

to the file_inspect.robot configuration file.

Hope this framework will be useful to the community. Just set ${SNORT} and ${SNORTOPT} according to your snort setup and enjoy it. Let all tests be green.

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month Monitor end-to-end web transactions and take corrective actions now Troubleshoot faster and improve end-user experience. Signup Now! http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
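The check the post describes (keep the transferred original under 'files', add a test line naming the pcap and the original, then compare the captured file against the original by checksum) can be exercised offline with the script below. This is an added example, not code from the snort.robot repository or from Snort: it does not run snort at all. It assumes that test lines have the shape of the post's `Text sample pcap/http/1.pcap 1.txt` line (a test name followed by the pcap path and the original file name as the last two columns), that a previous snort run has already written captured files into a hypothetical `capture_dir` (looked up by original name, with a content-hash scan as fallback, since the naming scheme is not stated in the post), and the files built in `demo()` are constructed sample data, not real captures. Beyond a plain hash mismatch, it reports the size difference and the first differing offset, which is the information you want when a capture such as the 'ftp mp3' case comes out with the wrong checksum.

```python
"""Offline check of Snort file-capture results against the originals.

Added example, not code from snort.robot or Snort. It does not run snort;
it only compares what a capture run left in a directory with the files
that were actually transferred (the hash-equality check the post describes).
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, hashed in chunks so large captures are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_test_table(text):
    """Parse test lines shaped like 'Text sample pcap/http/1.pcap 1.txt'.

    Assumption: the last two columns are the pcap path and the original file
    name; everything before them is the test name. Other lines are skipped.
    """
    cases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-2].endswith(".pcap"):
            cases.append((" ".join(parts[:-2]), parts[-2], parts[-1]))
    return cases


def first_difference(a, b):
    """Offset of the first differing byte, or None when a == b."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def find_captured(capture_dir, name, original_sha):
    """Locate the captured copy: by original name, else by content hash.

    Assumption (not from the post): snort's naming of captured files is not
    relied on, so a directory scan for a hash match is the fallback.
    """
    direct = os.path.join(capture_dir, name)
    if os.path.isfile(direct):
        return direct
    for entry in sorted(os.listdir(capture_dir)):
        path = os.path.join(capture_dir, entry)
        if os.path.isfile(path) and sha256_of(path) == original_sha:
            return path
    return None


def compare_capture(original_path, captured_path):
    """Compare bytes and report where a bad capture diverges, not just that it does."""
    with open(original_path, "rb") as f:
        orig = f.read()
    with open(captured_path, "rb") as f:
        cap = f.read()
    return {
        "ok": orig == cap,
        "original_sha256": hashlib.sha256(orig).hexdigest(),
        "captured_sha256": hashlib.sha256(cap).hexdigest(),
        "size_delta": len(cap) - len(orig),
        "first_diff": first_difference(orig, cap),
    }


def run_table(table_text, files_dir, capture_dir):
    """Check every test line; returns {original file name: result dict}."""
    results = {}
    for _name, _pcap, fname in parse_test_table(table_text):
        original = os.path.join(files_dir, fname)
        captured = find_captured(capture_dir, fname, sha256_of(original))
        if captured is None:
            results[fname] = {"ok": False, "missing": True}
        else:
            results[fname] = compare_capture(original, captured)
    return results


def demo():
    """Constructed data (no real pcaps or captures): the text file is captured
    exactly, the 'mp3' capture has 16 extra trailing bytes."""
    table = ("*** Test Cases ***\n"
             "Text sample pcap/http/1.pcap 1.txt\n"
             "FTP mp3 sample pcap/ftp/mp3.pcap file.mp3\n")
    txt = b"hello from http\n"
    mp3 = bytes(range(256)) * 12  # 3072 constructed bytes, not a real MP3
    with tempfile.TemporaryDirectory() as tmp:
        files_dir = os.path.join(tmp, "files")
        capture_dir = os.path.join(tmp, "capture")
        os.makedirs(files_dir)
        os.makedirs(capture_dir)
        for d, body in ((files_dir, txt), (capture_dir, txt)):
            with open(os.path.join(d, "1.txt"), "wb") as f:
                f.write(body)
        for d, body in ((files_dir, mp3), (capture_dir, mp3 + b"\x00" * 16)):
            with open(os.path.join(d, "file.mp3"), "wb") as f:
                f.write(body)
        return run_table(table, files_dir, capture_dir)


if __name__ == "__main__":
    for fname, res in demo().items():
        print(fname, "OK" if res["ok"] else "MISMATCH", res)
```

Pointing `run_table()` at the framework's 'files' folder and at the directory a real snort run filled is enough to get the same pass/fail table; the `first_diff` and `size_delta` fields tell you whether a failing capture is truncated, padded, or corrupted in the middle before you open the pcap.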
Current thread:
- File-inspect test automation framework and related issues Vladimir Kunschikov (Jan 20)
- Re: File-inspect test automation framework and related issues Russ (Jan 25)
- Re: File-inspect test automation framework and related issues Hui Cao (huica) (Jan 25)
- Re: File-inspect test automation framework and related issues Vladimir Kunschikov (Jan 25)
- Re: File-inspect test automation framework and related issues Hui Cao (huica) (Jan 25)
- Re: File-inspect test automation framework and related issues Russ (Jan 25)