Re: File-inspect test automation framework and related issues

[Russ <rucombs () cisco com>]

Hi - thanks for sharing this tool.  We have something that we use 
internally but this is worth trying out.

I will forward this to bugs to address the ftp issue you mention. You 
may find some interest on snort-users too.

Russ

On 1/20/16 3:54 PM, Vladimir Kunschikov wrote:
>  Hello All,
>  has anyone thought about automation of the Snort file-inspect tests?
>
> I want to introduce such test framework for the file capture 
> functionality of the Snort. I hope it will be useful in error 
> detection in further extension of the file-inspect preprocessor. This 
> framework checks equality of the files being captured from traffic to 
> the original files which were actually transferred.
>
> It is available at
>
> https://github.com/kunschikov/snort.robot.git/
>
> I am using this framework for quite a period.
> This tests have discovered that the overall level of file capturing is 
> surprisingly good; but there exist some number of  issues in many 
> protocols,  especially in the SMB protocol support.  I haven't got 
> positive SMB test yet. But other protocols have some issues too.
>
>  One of this issues was fixed in the 2.9.8.0 release: the HTTP parser 
> strictness while reading HTTP answers from ms proxy server: there were 
> trailing spaces after content-length.
>
> Another issue is not fixed yet, and I've added test for it: it is a 
> 'ftp mp3' test. In this test I am trying to capture file.mp3 file 
> transfer. Its being captured with error: saved file it has different 
> sha checksum to the original one.  This issue can be fixed in 
> src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c void 
> SnortFTPData_EOF() function by disabling last flush stream and data 
> processing. So it should look like
>
> void SnortFTPData_EOF(SFSnortPacket *p)
> {
> ...
>     initFilePosition(&data_ssn->position, 
> _dpd.fileAPI->get_file_processed_size(p->stream_session));
>     finalFilePosition(&data_ssn->position);
> }
>
>
> I am going to add some SMB samples to this framework.
>
> Addition of the new tests is quite easy: you should put file which was 
> transferred to the 'files' folder and corresponding pcap to the 
> 'pcaps'  and then add line to the file_inspect.robot.  For example, if 
> you are checking `1.txt` transmission through `HTTP` channel which was 
> captured as 1.pcap you should simply add line
>   Text sample    pcap/http/1.pcap      1.txt
> to the file_inspect.robot configuration file.
>
> Hope this framework will be useful to the community. Just set ${SNORT} 
> and ${SNORTOPT} according to your snort setup and enjoy it.
> Let all tests be green.
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!