Snort mailing list archives

Re: File-inspect test automation framework and related issues


From: "Hui Cao (huica)" <huica () cisco com>
Date: Mon, 25 Jan 2016 15:50:08 +0000

Hi Vladimir,

Do you have the following configuration in your conf? FTP file inspection requires this to be on:


preprocessor normalize_tcp: ips


Best,

Hui.

From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Monday, January 25, 2016 at 10:39 AM
To: Vladimir Kunschikov <kunschikov () gmail com>, "snort-devel () lists sourceforge net" <snort-devel () lists sourceforge net>
Subject: Re: [Snort-devel] File-inspect test automation framework and related issues

Hi - thanks for sharing this tool.  We have something that we use internally but this is worth trying out.

I will forward this to bugs to address the ftp issue you mention.  You may find some interest on snort-users too.

Russ

On 1/20/16 3:54 PM, Vladimir Kunschikov wrote:
Hello All,
has anyone thought about automation of the Snort file-inspect tests?

I want to introduce such test framework for the file capture functionality of the Snort. I hope it will be useful in 
error detection in further extension of the file-inspect preprocessor. This framework checks equality of the files 
being captured from traffic to the original files which were actually transferred.

It is available at

 https://github.com/kunschikov/snort.robot.git/

I have been using this framework for quite a while.
These tests have shown that the overall level of file capturing is surprisingly good, but there are a number of 
issues in many protocols, especially in the SMB protocol support. I haven't got a positive SMB test yet. Other 
protocols have some issues too.

One of these issues was fixed in the 2.9.8.0 release: the strictness of the HTTP parser while reading HTTP answers from an MS 
proxy server, where there were trailing spaces after Content-Length.

Another issue is not fixed yet, and I've added a test for it: the 'ftp mp3' test. In this test I am trying to capture 
a file.mp3 file transfer. It is being captured with an error: the saved file has a different SHA checksum from the original one. 
This issue can be fixed in the void SnortFTPData_EOF() function in src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c by 
disabling the last stream flush and data processing. So it should look like

void SnortFTPData_EOF(SFSnortPacket *p)
{
...
    /* the final stream flush and data-processing call that used to follow here are removed */
    /* record the number of bytes already processed for this session, then mark the file position as final */
    initFilePosition(&data_ssn->position, _dpd.fileAPI->get_file_processed_size(p->stream_session));
    finalFilePosition(&data_ssn->position);
}


I am going to add some SMB samples to this framework.

Adding new tests is quite easy: put the file which was transferred into the 'files' folder and the 
corresponding pcap into 'pcaps', and then add a line to file_inspect.robot. For example, if you are checking 
`1.txt` transmission through an `HTTP` channel which was captured as 1.pcap, you should simply add the line
  Text sample    pcap/http/1.pcap      1.txt
to the file_inspect.robot configuration file.

Hope this framework will be useful to the community. Just set ${SNORT} and ${SNORTOPT} according to your snort setup 
and enjoy it.
Let all tests be green.
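The check at the heart of the framework described above is a hash comparison between the file Snort wrote out and the file that was actually transferred. The following is an added example, not code from the snort.robot repository or from Snort: it parses test-table lines of the shape shown in the post (Robot Framework separates cells by two or more spaces or a tab), compares originals against captures by SHA-256, and, when the hashes differ, reports whether the capture is truncated, carries extra trailing bytes, or diverges at a specific offset. That last diagnostic is what a practitioner wants when triaging a failure like the 'ftp mp3' case, because it points at the protocol handler's end-of-file handling rather than just saying "checksum mismatch". The directory names `files/` and `captured/` and the sample byte strings are assumptions constructed for the example.

```python
"""Compare files captured by Snort's file-inspect preprocessor with the originals.

Added example, not part of snort.robot or Snort. Directory layout and the
sample data below are constructed for illustration.
"""
import hashlib
import os
import re
from dataclasses import dataclass


@dataclass
class Verdict:
    name: str
    expected_sha256: str
    actual_sha256: str
    ok: bool
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diagnose(original: bytes, captured: bytes) -> str:
    """Explain how a captured file differs from the transferred original."""
    if original == captured:
        return "identical"
    if not captured:
        return "nothing captured"
    common = min(len(original), len(captured))
    # First offset inside the common prefix where the bytes disagree, if any.
    first_diff = next((i for i in range(common) if original[i] != captured[i]), None)
    if first_diff is None:
        if len(captured) < len(original):
            return f"truncated: {len(original) - len(captured)} trailing bytes missing"
        return f"{len(captured) - len(original)} extra trailing bytes after the original content"
    return (f"content differs at offset {first_diff} "
            f"(original {len(original)} bytes, captured {len(captured)} bytes)")


def parse_test_lines(text: str):
    """Parse Robot-style rows such as '  Text sample    pcap/http/1.pcap      1.txt'.

    Returns (label, pcap, original_filename) tuples; blank and '#' lines are skipped.
    """
    cases = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cells = re.split(r"\s{2,}|\t", stripped)
        if len(cells) != 3:
            raise ValueError(f"expected 3 cells (label, pcap, file): {line!r}")
        cases.append((cells[0], cells[1], cells[2]))
    return cases


def run_cases(cases, originals, captures):
    """Compare each case. originals/captures map file name -> bytes."""
    verdicts = []
    for label, _pcap, fname in cases:
        original = originals[fname]
        captured = captures.get(fname, b"")  # a missing capture is a failure, not a crash
        expected, actual = sha256_hex(original), sha256_hex(captured)
        verdicts.append(Verdict(label, expected, actual, expected == actual,
                                diagnose(original, captured)))
    return verdicts


def load_dir(path: str):
    """Read every regular file in a directory into a name -> bytes map (for real runs)."""
    return {n: open(os.path.join(path, n), "rb").read()
            for n in sorted(os.listdir(path)) if os.path.isfile(os.path.join(path, n))}


# Constructed sample run: one clean capture and one with extra trailing bytes.
SAMPLE_TABLE = """
  Text sample    pcap/http/1.pcap      1.txt
  ftp mp3        pcap/ftp/mp3.pcap     file.mp3
"""
SAMPLE_ORIGINALS = {"1.txt": b"hello snort\n", "file.mp3": b"ID3" + bytes(64)}
SAMPLE_CAPTURES = {"1.txt": b"hello snort\n", "file.mp3": b"ID3" + bytes(64) + b"\r\n"}


def sample_run():
    return run_cases(parse_test_lines(SAMPLE_TABLE), SAMPLE_ORIGINALS, SAMPLE_CAPTURES)


if __name__ == "__main__":
    for v in sample_run():
        print(f"{'PASS' if v.ok else 'FAIL'}  {v.name}: {v.detail}")
```

For a real run, replace the sample maps with `load_dir("files")` and `load_dir("captured")` once Snort has been pointed at the pcap; the verdict detail then tells you whether to look at a truncated flush or at bytes appended after the file's end.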






_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

