[Snort-devel] File-inspect test automation framework and related issues

Vladimir Kunschikov kunschikov at ...2499...
Tue Jan 26 02:57:05 EST 2016

Hello Mr. Cao.
I have such options in the test suite Snort configuration file. It can be
viewed online

It is worth noting that the framework allows running only one test from the
suite, in this case:

 pybot --test ftp_mp3 file_inspect.robot

I added these instructions to the framework Readme.md.

On Mon, Jan 25, 2016 at 6:50 PM, Hui Cao (huica) <huica at ...3461...> wrote:

> Hi Vladimir,
> Do you have the following configuration in your conf? FTP for file
> inspection requires this to be on
> preprocessor normalize_tcp: ips
> Best,
> Hui.
> From: "Russ Combs (rucombs)" <rucombs at ...3461...>
> Date: Monday, January 25, 2016 at 10:39 AM
> To: Vladimir Kunschikov <kunschikov at ...2499...>, "
> snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
> Subject: Re: [Snort-devel] File-inspect test automation framework and
> related issues
> Hi - thanks for sharing this tool.  We have something that we use
> internally but this is worth trying out.
> I will forward this to bugs to address the ftp issue you mention.  You may
> find some interest on snort-users too.
> Russ
> On 1/20/16 3:54 PM, Vladimir Kunschikov wrote:
>  Hello All,
>  Has anyone thought about automation of the Snort file-inspect tests?
> I want to introduce such a test framework for the file capture functionality
> of Snort. I hope it will be useful for error detection in further
> extension of the file-inspect preprocessor. This framework checks equality
> of the files being captured from traffic to the original files which were
> actually transferred.
> It is available at
>  https://github.com/kunschikov/snort.robot.git/
> I have been using this framework for quite a while.
> These tests have discovered that the overall level of file capturing is
> surprisingly good, but there are a number of issues in many
> protocols, especially in the SMB protocol support. I haven't got a positive
> SMB test yet. But other protocols have some issues too.
>  One of these issues was fixed in the release: the HTTP parser
> strictness while reading HTTP answers from an MS proxy server: there were
> trailing spaces after content-length.
> Another issue is not fixed yet, and I've added a test for it: it is the 'ftp
> mp3' test. In this test I am trying to capture the file.mp3 file transfer. It is
> being captured with an error: the saved file has a different sha checksum from
> the original one. This issue can be fixed in the
> src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c void
> SnortFTPData_EOF() function by disabling the last flush stream and data
> processing. So it should look like
> void SnortFTPData_EOF(SFSnortPacket *p)
> {
> ...
>     initFilePosition(&data_ssn->position,
>         _dpd.fileAPI->get_file_processed_size(p->stream_session));
>     finalFilePosition(&data_ssn->position);
> }
> I am going to add some SMB samples to this framework.
> Adding new tests is quite easy: you should put the file which was
> transferred into the 'files' folder and the corresponding pcap into the 'pcaps'
> folder and then add a line to file_inspect.robot. For example, if you are
> checking `1.txt` transmission through an `HTTP` channel which was captured as
> 1.pcap you should simply add the line
>   Text sample    pcap/http/1.pcap      1.txt
> to the file_inspect.robot configuration file.
> Hope this framework will be useful to the community. Just set ${SNORT} and
> ${SNORTOPT} according to your snort setup and enjoy it.
> Let all tests be green.
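Added example, not part of the original messages and not code from snort.robot or Snort: a Python version of the captured-versus-original comparison described in the thread which, on a checksum mismatch, also reports whether the captured file is truncated, carries extra trailing bytes, or diverges at some offset. The function names and sample bytes are constructed for illustration, and SHA-256 is an assumption (the thread only says "sha checksum").

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash in chunks so large captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def first_difference(path_a, path_b, chunk=65536):
    """Offset of the first differing byte; None if one file is a prefix of the other."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ba, bb = a.read(chunk), b.read(chunk)
            n = min(len(ba), len(bb))
            if ba[:n] != bb[:n]:
                return offset + next(i for i in range(n) if ba[i] != bb[i])
            if len(ba) != len(bb) or not ba:
                return None
            offset += n


def compare_capture(original, captured):
    """Classify a captured file against the original: (verdict, offset)."""
    if sha256_file(original) == sha256_file(captured):
        return ("match", None)
    diff = first_difference(original, captured)
    if diff is not None:
        return ("diverges", diff)
    size_o, size_c = os.path.getsize(original), os.path.getsize(captured)
    return ("truncated", size_c) if size_c < size_o else ("extra_trailing_data", size_o)


def demo():
    """Run the check on constructed sample bytes (not real Snort output)."""
    original = bytes(range(256)) * 1000  # constructed 256000-byte "file"
    samples = {"original": original, "short": original[:-1460],
               "long": original + b"\x00" * 1460,
               "corrupt": original[:70000] + b"\xff" + original[70001:]}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            Path(d, name).write_bytes(data)
        return {n: compare_capture(Path(d, "original"), Path(d, n)) for n in samples}
```

The offset in the verdict is the captured size for a truncated file, the original size for extra trailing data, and the first mismatching byte otherwise.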