Add bad ARP tests

The capture file (btest/Traces/arp-leak.pcap) contains the exploitation of an ARP leak flaw against NetBSD 7.0.2 using Scapy etherleak() function.
2025-10-02 06:38:20 +00:00 · 2018-05-18 17:39:48 +02:00 · 2018-05-18 17:39:48 +02:00 · 8315aa36a6
commit 8315aa36a6
parent 7ffc162383
3 changed files with 23 additions and 0 deletions
--- a/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.arp.bad/.stdout
@ -0,0 +1,6 @@
+BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255)
+BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255)
+BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (pro=2048, pln=255)
+BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (pro=2048, pln=255)
+BAD, 192.168.123.1, 7e:8e:20:d8:23:a7, 192.168.123.2, 00:00:00:00:00:00, corrupt-arp-header (hrd=1, hln=255)
+BAD, 192.168.123.2, 52:54:00:12:34:57, 192.168.123.1, 7e:8e:20:d8:23:a7, corrupt-arp-header (hrd=1, hln=255)
--- a/testing/btest/Traces/arp-leak.pcap
+++ b/testing/btest/Traces/arp-leak.pcap
--- a/testing/btest/scripts/base/protocols/arp/bad.test
+++ b/testing/btest/scripts/base/protocols/arp/bad.test
@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -r $TRACES/arp-leak.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event arp_request(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print "REQ", mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event arp_reply(mac_src: string, mac_dst: string, SPA: addr, SHA: string, TPA: addr, THA: string)
+	{
+	print "REP", mac_src, mac_dst, SPA, SHA, TPA, THA;
+	}
+
+event bad_arp(SPA: addr, SHA: string, TPA: addr, THA: string, explanation: string)
+	{
+	print "BAD", SPA, SHA, TPA, THA, explanation;
+	}