tests: firewall: add verdict output

diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
index 24e38b5ab954073cbf3cd7c1ea8740fd28237298..21b31afbadff2428db20f2d644482182056ed245 100644 (file)
--- a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
@@ -55,9 +55,11 @@ outputs:
       types:
         - stats
         - flow
-        - alert
+        - alert:
+            verdict: true
         - tls:
             extended: yes     # enable this for extended logging information
         - drop:
             alerts: yes      # log alerts that caused drops
             flows: all       # start or all: 'start' logs only a single drop
+            verdict: true

diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
index b2ed858a9a6b62941d6ee03519f7954f892e9e27..647fc082dce424bd86214ba79582dbfe953b90d6 100644 (file)
--- a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
@@ -24,11 +24,13 @@ checks:
       alert.signature_id: 1023
       alert.action: allowed
       pcap_cnt: 6
+      verdict.action: drop
 - filter:
     count: 2
     match:
       event_type: alert
       pcap_cnt: 6
+      verdict.action: drop
 - filter:
     count: 0
     match:
@@ -39,6 +41,7 @@ checks:
     match:
       event_type: alert
       alert.signature_id: 1021
+      verdict.action: accept
 - filter:
     count: 0
     match:
@@ -49,6 +52,20 @@ checks:
     match:
       event_type: alert
       alert.signature_id: 1023
+# packet rule accepted, also accepted at app layer
+- filter:
+    count: 5
+    match:
+      event_type: alert
+      alert.signature_id: 1023
+      verdict.action: accept
+# packet rule accepted, dropped at app layer
+- filter:
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 1023
+      verdict.action: drop
 - filter:
     count: 0
     match:
@@ -69,10 +86,22 @@ checks:
     match:
       event_type: alert
       alert.signature_id: 105
+      verdict.action: accept
 - filter:
     count: 54 # 53 + 1 (drop sid 999)
     match:
       event_type: drop
+      verdict.action: drop
+# count all records with verdict field
+- filter:
+    count: 9
+    match:
+      verdict.action: accept
+# count all records with verdict field
+- filter:
+    count: 57
+    match:
+      verdict.action: drop
 - filter:
     count: 1
     match: