[Snort-devel] File-inspect test automation framework and related issues

Vladimir Kunschikov kunschikov at ...2499...
Tue Jan 26 02:57:05 EST 2016


Hello mr. Cao.
I have such options in the test suite Snort configuration file. It can be
viewed online
https://github.com/kunschikov/snort.robot/blob/master/etc/snort.conf

It is worth to note that framework allows to run only one test from the
suite, in this case:

 pybot --test ftp_mp3 file_inspect.robot

I added this instructions to the framework Readme.md.



On Mon, Jan 25, 2016 at 6:50 PM, Hui Cao (huica) <huica at ...3461...> wrote:

> Hi Vladimir,
>
> Do you have the following configuration in you conf? FTP for file
> inspection requires this is on
>
> preprocessor normalize_tcp: ips
>
>
> Best,
>
> Hui.
>
>
> From: "Russ Combs (rucombs)" <rucombs at ...3461...>
> Date: Monday, January 25, 2016 at 10:39 AM
> To: Vladimir Kunschikov <kunschikov at ...2499...>, "
> snort-devel at lists.sourceforge.net" <snort-devel at lists.sourceforge.net>
> Subject: Re: [Snort-devel] File-inspect test automation framework and
> related issues
>
> Hi - thanks for sharing this tool.  We have something that we use
> internally but this is worth trying out.
>
> I will forward this to bugs to address the ftp issue you mention.  You may
> find some interest on snort-users too.
>
> Russ
>
> On 1/20/16 3:54 PM, Vladimir Kunschikov wrote:
>
>  Hello All,
>  has anyone thought about automation of the Snort file-inspect tests?
>
> I want to introduce such test framework for the file capture functionality
> of the Snort. I hope it will be useful in error detection in further
> extension of the file-inspect preprocessor. This framework checks equality
> of the files being captured from traffic to the original files which were
> actually transferred.
>
> It is available at
>
>  https://github.com/kunschikov/snort.robot.git/
>
> I am using this framework for quite a period.
> This tests have discovered that the overall level of file capturing is
> surprisingly good; but there exist some number of  issues in many
> protocols,  especially in the SMB protocol support.  I haven't got positive
> SMB test yet. But other protocols have some issues too.
>
>  One of this issues was fixed in the 2.9.8.0 release: the HTTP parser
> strictness while reading HTTP answers from ms proxy server: there were
> trailing spaces after content-length.
>
> Another issue is not fixed yet, and I've added test for it: it is a 'ftp
> mp3' test. In this test I am trying to capture file.mp3 file transfer. Its
> being captured with error: saved file it has different sha checksum to the
> original one.  This issue can be fixed in
> src/dynamic-preprocessors/ftptelnet/snort_ftptelnet.c void
> SnortFTPData_EOF() function by disabling last flush stream and data
> processing. So it should look like
>
> void SnortFTPData_EOF(SFSnortPacket *p)
> {
> ...
>     initFilePosition(&data_ssn->position,
> _dpd.fileAPI->get_file_processed_size(p->stream_session));
>     finalFilePosition(&data_ssn->position);
> }
>
>
> I am going to add some SMB samples to this framework.
>
> Addition of the new tests is quite easy: you should put file which was
> transferred to the 'files' folder and corresponding pcap to the 'pcaps'
> and then add line to the file_inspect.robot.  For example, if you are
> checking `1.txt` transmission through `HTTP` channel which was captured as
> 1.pcap you should simply add line
>   Text sample    pcap/http/1.pcap      1.txt
> to the file_inspect.robot configuration file.
>
> Hope this framework will be useful to the community. Just set ${SNORT} and
> ${SNORTOPT} according to your snort setup and enjoy it.
> Let all tests be green.
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
>
>
>
> _______________________________________________
> Snort-devel mailing listSnort-devel at ...3458...://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20160126/e0abbab7/attachment.html>


More information about the Snort-devel mailing list