[Snort-devel] File-inspect test automation framework and related issues

Vladimir Kunschikov kunschikov at ...2499...
Wed Jan 20 15:54:04 EST 2016


Hello all,
Has anyone thought about automating the Snort file-inspect tests?

I want to introduce such a test framework for the file capture functionality
of Snort. I hope it will be useful for error detection in further
extension of the file-inspect preprocessor. This framework checks that the
files captured from traffic are equal to the original files which were
actually transferred.

It is available at

 https://github.com/kunschikov/snort.robot.git/

I have been using this framework for quite a while.
These tests have shown that the overall level of file capturing is
surprisingly good, but there are a number of issues in many
protocols, especially in the SMB protocol support. I haven't got a positive
SMB test yet. But other protocols have some issues too.

One of these issues was fixed in the 2.9.8.0 release: the HTTP parser's
strictness while reading HTTP responses from an MS proxy server: there were
trailing spaces after Content-Length.

Another issue is not fixed yet, and I've added a test for it: the 'ftp
mp3' test. In this test I am trying to capture a file.mp3 file transfer. It
is being captured with an error: the saved file has a different SHA checksum
from the original one. This issue can be fixed in the SnortFTPData_EOF()
function in src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c by
disabling the last stream flush and data processing. So it should look like

void SnortFTPData_EOF(SFSnortPacket *p)
{
    ...
    initFilePosition(&data_ssn->position,
                     _dpd.fileAPI->get_file_processed_size(p->stream_session));
    finalFilePosition(&data_ssn->position);
}
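The comparison step such a test performs, written out here as an added example (not code from the snort.robot framework or from Snort): it looks for a captured file whose SHA-256 equals the transferred original and, when none matches, reports whether the closest candidate is a truncated copy (the symptom of the 'ftp mp3' case above) or differs in content. The sample files in demo() are constructed in a temporary directory; the "captured" directory and file names are assumptions, not Snort's own layout.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def first_difference(original, captured):
    """Offset of the first differing byte (None if identical) and both sizes."""
    a, b = Path(original).read_bytes(), Path(captured).read_bytes()
    n = min(len(a), len(b))
    off = next((i for i in range(n) if a[i] != b[i]), None if len(a) == len(b) else n)
    return off, len(a), len(b)

def check_capture(original, capture_dir):
    """Pass if some file in capture_dir equals the original; otherwise report
    how the closest candidate (longest matching prefix) diverges, so a
    truncated tail can be told apart from corrupted content."""
    want = sha256_of(original)
    cands = [os.path.join(capture_dir, n) for n in sorted(os.listdir(capture_dir))]
    for c in cands:
        if sha256_of(c) == want:
            return {"ok": True, "match": c}
    if not cands:
        return {"ok": False, "reason": "nothing captured"}
    best = max(cands, key=lambda c: first_difference(original, c)[0])
    off, size_o, size_c = first_difference(original, best)
    if off == size_c and size_c < size_o:
        reason = "truncated: %d of %d bytes captured" % (size_c, size_o)
    else:
        reason = "content differs at byte offset %d" % off
    return {"ok": False, "closest": best, "offset": off, "reason": reason}

def demo():
    """Constructed sample (not a real pcap capture): an original and a capture
    directory holding a copy missing its last 4096 bytes, then a full copy."""
    d = tempfile.mkdtemp()
    data = bytes(range(256)) * 800            # 204800 bytes of constructed content
    orig, cap = os.path.join(d, "file.mp3"), os.path.join(d, "captured")
    os.mkdir(cap)
    Path(orig).write_bytes(data)
    Path(cap, "a").write_bytes(data[:-4096])  # the truncation symptom
    truncated = check_capture(orig, cap)
    Path(cap, "b").write_bytes(data)          # a complete capture
    return truncated, check_capture(orig, cap)
```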


I am going to add some SMB samples to this framework.

Adding new tests is quite easy: put the file that was transferred into the
'files' folder and the corresponding pcap into the 'pcaps' folder, then add
a line to file_inspect.robot. For example, if you are checking the
transmission of `1.txt` over `HTTP`, captured as 1.pcap, simply add the line
  Text sample    pcap/http/1.pcap      1.txt
to the file_inspect.robot configuration file.

Hope this framework will be useful to the community. Just set ${SNORT} and
${SNORTOPT} according to your snort setup and enjoy it.
Let all tests be green.