tests: firewall: add basic ssh tests 2486/head
authorVictor Julien <victor@inliniac.net>
Tue, 29 Apr 2025 12:55:43 +0000 (14:55 +0200)
committerVictor Julien <victor@inliniac.net>
Sat, 3 May 2025 06:19:39 +0000 (08:19 +0200)
21 files changed:
tests/firewall/ruletype-firewall-32-proto-detect-ssh/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-32-proto-detect-ssh/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-32-proto-detect-ssh/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-33-ssh/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-33-ssh/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-33-ssh/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-34-ssh-sw/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-34-ssh-sw/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-34-ssh-sw/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-35-ssh-sw/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-35-ssh-sw/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-35-ssh-sw/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-36-minimal/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-36-minimal/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-36-minimal/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-37-minimal-bad/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-37-minimal-bad/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-37-minimal-bad/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-38-ssh-vs-telnet/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-38-ssh-vs-telnet/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-38-ssh-vs-telnet/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-32-proto-detect-ssh/firewall.rules b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/firewall.rules
new file mode 100644 (file)
index 0000000..8983eba
--- /dev/null
@@ -0,0 +1,22 @@
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all any any <> any 22 (flow:not_established; alert; sid:1000;)
+
+# ssh protocol detect
+
+accept:packet tcp:all any any -> any 22 (flow:established,to_server; dsize:0; app-layer-protocol:unknown,to_server; alert; sid:1003;)
+accept:packet tcp:all any any -> any 22 (flow:established; app-layer-protocol:ssh,to_server; alert; sid:1001;)
+
+accept:packet tcp:all any 22 -> any any (flow:established,to_client; dsize:0; app-layer-protocol:unknown,to_client; alert; sid:1004;)
+accept:packet tcp:all any 22 -> any any (flow:established; app-layer-protocol:ssh,to_client; alert; sid:1002;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+
+# default drop
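Review bot: The `# ssh protocol detect` heading above sids 1003/1001/1004/1002 does not explain the `dsize:0` on 1003 and 1004, which is the security-relevant part of this file: while the app-layer protocol is still `unknown`, only empty (pure ACK) packets are accepted, so the first payload-carrying packet must already be detected as ssh or it falls through to the default packet drop. I would replace the heading with `# while the protocol is still unknown accept only empty (pure ACK) packets; the first payload must be detected as ssh or it hits the default drop`. Listing 1003 before 1001 and 1004 before 1002 also reads as if rule order mattered; if it does not, sid order keeps each detected-ssh rule next to its unknown-phase companion.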
diff --git a/tests/firewall/ruletype-firewall-32-proto-detect-ssh/suricata.yaml b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/suricata.yaml
new file mode 100644 (file)
index 0000000..24e38b5
--- /dev/null
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-32-proto-detect-ssh/test.yaml b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/test.yaml
new file mode 100644 (file)
index 0000000..4be2306
--- /dev/null
@@ -0,0 +1,57 @@
+requires:
+  min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 1000
+- filter:
+    count: 139
+    match:
+      event_type: alert
+      alert.signature_id: 1001
+      alert.action: allowed
+- filter:
+    count: 181
+    match:
+      event_type: alert
+      alert.signature_id: 1002
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1003
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1004
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 140
+      flow.pkts_toclient: 182
+      flow.state: "established"
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 322
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.rules: 0
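Review bot: Only the sid 1001 filter asserts `alert.action: allowed`; the sid 1000, 1002 and 1004 filters check counts alone, so a regression that turned the to_client accepts into drops would still satisfy those filters and be caught only indirectly by the `event_type: drop` and stats checks. Adding `alert.action: allowed` to the 1000/1002/1004 filters pins the per-rule verdict. For symmetry with tests 37 and 38, the stats filter could also assert `stats.ips.drop_reason.default_packet_policy: 0`, so a packet-layer drop would be attributed rather than merely counted under `blocked`.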
diff --git a/tests/firewall/ruletype-firewall-33-ssh/firewall.rules b/tests/firewall/ruletype-firewall-33-ssh/firewall.rules
new file mode 100644 (file)
index 0000000..ca289c5
--- /dev/null
@@ -0,0 +1,17 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all any any <> any 22 (alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook ssh:request_started any any -> any any (alert; sid:2000;)
+accept:hook ssh:request_banner_wait_eol any any -> any any (alert; sid:2001;)
+accept:tx ssh:request_banner_done any any -> any any (alert; sid:2002;)
+
+# default drop
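Review bot: The comment `# allow session setup` above sid 1000 is inaccurate: unlike test 32 the rule has no `flow:not_established` constraint, so it accepts every packet to or from port 22 in both directions (the matching test.yaml expects 324 alerts for it, i.e. essentially every packet of the 322-packet flow), and all enforcement is delegated to the three ssh hook rules below. I would write `# accept every packet on port 22 at the packet layer; the ssh hook rules below do the actual enforcement`. It would also help to state why only request-side hooks are listed yet no drop is expected; whether `accept:tx` on request_banner_done is what covers the response side is not visible from this file.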
diff --git a/tests/firewall/ruletype-firewall-33-ssh/suricata.yaml b/tests/firewall/ruletype-firewall-33-ssh/suricata.yaml
new file mode 100644 (file)
index 0000000..24e38b5
--- /dev/null
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-33-ssh/test.yaml b/tests/firewall/ruletype-firewall-33-ssh/test.yaml
new file mode 100644 (file)
index 0000000..1a7b538
--- /dev/null
@@ -0,0 +1,51 @@
+requires:
+  min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 324
+    match:
+      event_type: alert
+      alert.signature_id: 1000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2001
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2002
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 140
+      flow.pkts_toclient: 182
+      flow.state: "established"
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 322
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-34-ssh-sw/firewall.rules b/tests/firewall/ruletype-firewall-34-ssh-sw/firewall.rules
new file mode 100644 (file)
index 0000000..79f28e1
--- /dev/null
@@ -0,0 +1,19 @@
+# Packet rules
+
+# allow all packets while protocol detection is running
+accept:hook tcp:all any any <> any 22 (app-layer-protocol:unknown; alert; sid:1000;)
+# then when detected a protocol, only allow ssh
+accept:hook tcp:all any any <> any 22 (app-layer-protocol:ssh; alert; sid:1001;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook ssh:request_started any any -> any any (alert; sid:2000;)
+accept:hook ssh:request_banner_wait_eol any any -> any any (alert; sid:2001;)
+accept:tx ssh:request_banner_done any any -> any any (ssh.software; content:"OpenSSH_8.2p1"; alert; sid:2002;)
+
+# default drop
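Review bot: Sid 2002 turns a peer-supplied string into an allow decision: `ssh.software` is taken from the banner the client sends, so `content:"OpenSSH_8.2p1"` accepts based on data the client controls, and `content` is a substring match, so a banner such as `OpenSSH_8.2p1-anything` passes as well. That is fine for exercising the keyword, but the rule should say so, e.g. `# NOTE: ssh.software is peer-controlled and content is a substring match; this tests the keyword, it is not an authentication control`. Sid 1000 also differs from test 32 in that it accepts payload-bearing packets while the protocol is `unknown` (no `dsize:0`), which is what lets the banner reach the parser; the comment `# allow all packets while protocol detection is running` could add that payload is allowed through only until detection completes or gives up.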
diff --git a/tests/firewall/ruletype-firewall-34-ssh-sw/suricata.yaml b/tests/firewall/ruletype-firewall-34-ssh-sw/suricata.yaml
new file mode 100644 (file)
index 0000000..24e38b5
--- /dev/null
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-34-ssh-sw/test.yaml b/tests/firewall/ruletype-firewall-34-ssh-sw/test.yaml
new file mode 100644 (file)
index 0000000..91475bd
--- /dev/null
@@ -0,0 +1,56 @@
+requires:
+  min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 4
+    match:
+      event_type: alert
+      alert.signature_id: 1000
+- filter:
+    count: 320
+    match:
+      event_type: alert
+      alert.signature_id: 1001
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2001
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2002
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 140
+      flow.pkts_toclient: 182
+      flow.state: "established"
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 322
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-35-ssh-sw/firewall.rules b/tests/firewall/ruletype-firewall-35-ssh-sw/firewall.rules
new file mode 100644 (file)
index 0000000..03a1e73
--- /dev/null
@@ -0,0 +1,23 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all any any <> any 22 (alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook ssh:request_started any any -> any any (alert; sid:2000;)
+accept:hook ssh:request_banner_wait_eol any any -> any any (alert; sid:2001;)
+accept:hook ssh:request_banner_done any any -> any any (ssh.software; content:"OpenSSH_8.2p1"; alert; sid:2002;)
+accept:hook ssh:request_finished any any -> any any (alert; sid:2003;)
+
+accept:hook ssh:response_started any any -> any any (alert; sid:3000;)
+accept:hook ssh:response_banner_wait_eol any any -> any any (alert; sid:3001;)
+accept:hook ssh:response_banner_done any any -> any any (ssh.software; content:"OpenSSH_7.9p1"; alert; sid:3002;)
+accept:hook ssh:response_finished any any -> any any (alert; sid:3003;)
+
+# default drop
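Review bot: This file accepts `request_banner_done` with `accept:hook`, whereas test 34 uses `accept:tx` for the same state, and the difference is not explained; if `accept:hook` accepts only that one parser state (which the separate `request_finished`/`response_finished` rules suggest), then every ssh hook has to be listed for the flow to survive, and a hook added to the parser later would silently become a default app-layer drop. A header comment such as `# accept:hook accepts one parser state at a time: every ssh hook must be listed or the flow hits the default app-layer drop` would make that design explicit. The `OpenSSH_7.9p1` and `OpenSSH_8.2p1` matches are substring matches on peer-supplied banner text, so they pin this pcap rather than authenticate the software at either end.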
diff --git a/tests/firewall/ruletype-firewall-35-ssh-sw/suricata.yaml b/tests/firewall/ruletype-firewall-35-ssh-sw/suricata.yaml
new file mode 100644 (file)
index 0000000..24e38b5
--- /dev/null
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-35-ssh-sw/test.yaml b/tests/firewall/ruletype-firewall-35-ssh-sw/test.yaml
new file mode 100644 (file)
index 0000000..31af7b1
--- /dev/null
@@ -0,0 +1,76 @@
+requires:
+  min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 324
+    match:
+      event_type: alert
+      alert.signature_id: 1000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2001
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2002
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2003
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3001
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3002
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3003
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 140
+      flow.pkts_toclient: 182
+      flow.state: "established"
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 322
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-36-minimal/firewall.rules b/tests/firewall/ruletype-firewall-36-minimal/firewall.rules
new file mode 100644 (file)
index 0000000..2655fa5
--- /dev/null
@@ -0,0 +1,15 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all any any <> any 22 (alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:flow ssh:request_started any any -> any any (alert; sid:2000;)
+
+# default drop
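Review bot: `accept:flow ssh:request_started` accepts the remainder of the flow at the very first ssh state, so nothing after the client's banner — including the server response — is evaluated by any rule; the matching test.yaml's `flow.action: "accept"` check is consistent with that reading, although the exact scope of `accept:flow` is not visible from this file. Since this is the 'minimal' example others will copy, the rule deserves a comment saying so, e.g. `# accept:flow: once the client side starts ssh, the whole remaining flow is accepted without further inspection`.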
diff --git a/tests/firewall/ruletype-firewall-36-minimal/suricata.yaml b/tests/firewall/ruletype-firewall-36-minimal/suricata.yaml
new file mode 100644 (file)
index 0000000..24e38b5
--- /dev/null
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-36-minimal/test.yaml b/tests/firewall/ruletype-firewall-36-minimal/test.yaml
new file mode 100644 (file)
index 0000000..e313d58
--- /dev/null
@@ -0,0 +1,41 @@
+requires:
+  min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 4
+    match:
+      event_type: alert
+      alert.signature_id: 1000
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2000
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 140
+      flow.pkts_toclient: 182
+      flow.state: "established"
+      flow.alerted: true
+      flow.action: "accept"
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 322
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-37-minimal-bad/firewall.rules b/tests/firewall/ruletype-firewall-37-minimal-bad/firewall.rules
new file mode 100644 (file)
index 0000000..b281f55
--- /dev/null
@@ -0,0 +1,14 @@
+# Packet rules
+
+accept:packet tcp:all any any -> any 22 (flow:not_established; alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:flow ssh:response_finished any any -> any any (flow:established; alert; sid:2000;)
+
+# default drop
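Review bot: Nothing in this file says what is 'bad' about it; the reader has to diff it against test 36 to see that sid 1000 only accepts the client-to-server half of the handshake (`->` with port 22 as destination, no `<>`), so the server's SYN/ACK from port 22 matches nothing, hits the default packet drop, and the flow never reaches `ssh:response_finished` — the test.yaml expects 320 `default_packet_policy` drops and zero sid 2000 alerts. A comment above sid 1000 such as `# BAD (intentional): one-directional setup rule; the SYN/ACK from port 22 matches nothing and is dropped by the default packet policy, so the app-layer rule never fires` would make the negative test self-describing.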
diff --git a/tests/firewall/ruletype-firewall-37-minimal-bad/suricata.yaml b/tests/firewall/ruletype-firewall-37-minimal-bad/suricata.yaml
new file mode 100644 (file)
index 0000000..24e38b5
--- /dev/null
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-37-minimal-bad/test.yaml b/tests/firewall/ruletype-firewall-37-minimal-bad/test.yaml
new file mode 100644 (file)
index 0000000..1665577
--- /dev/null
@@ -0,0 +1,42 @@
+requires:
+  min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 1000
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2000
+- filter:
+    count: 320
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 140
+      flow.pkts_toclient: 182
+      flow.state: "established"
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 2
+      stats.ips.blocked: 320
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.default_packet_policy: 320
+      stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/firewall.rules b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/firewall.rules
new file mode 100644 (file)
index 0000000..0c88909
--- /dev/null
@@ -0,0 +1,8 @@
+# Packet rules
+
+# allow all packets while protocol detection is running
+accept:hook tcp:all any any <> any 23 (app-layer-protocol:unknown; alert; sid:1000;)
+# then when detected a protocol, only allow ssh
+accept:hook tcp:all any any <> any 23 (app-layer-protocol:ssh; alert; sid:1001;)
+
+# default drop
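Review bot: The comment `# then when detected a protocol, only allow ssh` overstates what this file does: there is no `# App-layer rules` section at all, so an ssh flow detected on port 23 would have no app-layer accept to land on, and if firewall mode applies a default app-layer drop (the `default_app_policy` counter asserted in the test.yaml files suggests it does) that flow would be dropped anyway. As written the test proves only the negative — a telnet flow is dropped once detection decides it is not ssh — and would also pass if sid 1001 were broken, since the test.yaml asserts zero alerts for it. Either add the ssh hook rules from test 36 plus a second pcap carrying ssh on port 23 as a positive control, or change the comment to `# packet rule only: non-ssh traffic is dropped once detected; no app-layer accept exists, so this covers the negative case only`.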
diff --git a/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/suricata.yaml b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/suricata.yaml
new file mode 100644 (file)
index 0000000..24e38b5
--- /dev/null
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/test.yaml b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/test.yaml
new file mode 100644 (file)
index 0000000..89baade
--- /dev/null
@@ -0,0 +1,42 @@
+requires:
+  min-version: 8
+
+pcap: ../../telnet/telnet-01/telnet.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 1000
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1001
+- filter:
+    count: 89
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 43
+      flow.pkts_toclient: 44
+      flow.state: "closed"
+      flow.alerted: true
+      not-has-key: flow.action
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 3
+      stats.ips.blocked: 89
+      stats.ips.drop_reason.default_app_policy: 0
+      stats.ips.drop_reason.default_packet_policy: 89
+      stats.ips.drop_reason.rules: 0