tests: drop/pass deconfliction updates

author Victor Julien <victor@inliniac.net>

Fri, 11 Apr 2025 07:14:10 +0000 (09:14 +0200)

committer Victor Julien <victor@inliniac.net>

Thu, 17 Apr 2025 06:22:10 +0000 (08:22 +0200)
author Victor Julien <victor@inliniac.net>
Fri, 11 Apr 2025 07:14:10 +0000 (09:14 +0200)
committer Victor Julien <victor@inliniac.net>
Thu, 17 Apr 2025 06:22:10 +0000 (08:22 +0200)
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml

index 6fc663b029c9597cde8367d111d1be0aa0fe5ea3..b2ed858a9a6b62941d6ee03519f7954f892e9e27 100644 (file)
--- a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
@@ -25,7 +25,7 @@ checks:
        alert.action: allowed
        pcap_cnt: 6
  - filter:
-    count: 3 # 105 also matches here
+    count: 2
      match:
        event_type: alert
        pcap_cnt: 6
@@ -65,7 +65,7 @@ checks:
        event_type: alert
        alert.signature_id: 104
  - filter:
-    count: 2
+    count: 1
      match:
        event_type: alert
        alert.signature_id: 105
diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml

index f7305b4d2c0c6b92e8baa8a34e47ffc7e42ab63b..ada6819d1ba415e404ccee4befe375ccb277e61f 100644 (file)
--- a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml
+++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml
@@ -37,8 +37,9 @@ checks:
        event_type: alert
        alert.signature_id: 104
        pcap_cnt: 6
+# packet:td drop sid 666 takes precedence
  - filter:
-    count: 1
+    count: 0
      match:
        event_type: alert
        alert.signature_id: 105
diff --git a/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules b/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules

index f697f217d9522b05f72e8cf27109b947dad0554b..4ef95fc01fc25eed7c3b716502fb9abc1f2e267e 100644 (file)
--- a/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules
+++ b/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules
@@ -1,2 +1,2 @@
  pass tcp any any -> any 22 (alert; sid:2; gid:10000003; msg:"PASS SSH";)
-drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
+drop tcp any any -> any any (sid:1; rev:1; msg:"DROP all TCP";)
diff --git a/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml b/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml

index 11e15ef91fb037e6aafc0ed80aa6abea8ae15ba7..ab264ebf9bd0681baa84b2b413e773e46dc69c88 100644 (file)
--- a/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml
+++ b/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml
@@ -9,7 +9,7 @@ pcap: ../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap
  
  checks:
    - filter:
-      count: 0
+      count: 1
        match:
          event_type: alert
          alert.signature_id: 1
@@ -18,7 +18,6 @@ checks:
        match:
          event_type: alert
          alert.signature_id: 2
-        alert.signature: "PASS SSH"
    - filter:
        count: 322
        match:
diff --git a/tests/util-action-tests/util-action-13/test.yaml b/tests/util-action-tests/util-action-13/test.yaml

index ede2edcbc553a143b22c7b4daf18e1336c8d55c1..422ab2753c9190de9b7ff359083d30efc60603ef 100644 (file)
--- a/tests/util-action-tests/util-action-13/test.yaml
+++ b/tests/util-action-tests/util-action-13/test.yaml
@@ -4,7 +4,7 @@ args:
  
  checks:
  - filter:
-    min-version: 7
+    lt-version: 8
      count: 1
      match:
        event_type: flow
@@ -21,6 +21,13 @@ checks:
        event_type: alert
        alert.signature_id: 1
  - filter:
+    min-version: 8
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    lt-version: 8
      count: 1
      match:
        event_type: alert
diff --git a/tests/util-action-tests/util-action-16/test.yaml b/tests/util-action-tests/util-action-16/test.yaml

index 370cacafdfdfdabbafa03efd275e58c3f74d0e33..29b73f9e58e40f2d7e416100e3ddd922c12365bd 100644 (file)
--- a/tests/util-action-tests/util-action-16/test.yaml
+++ b/tests/util-action-tests/util-action-16/test.yaml
@@ -6,7 +6,7 @@ args:
  
  checks:
  - filter:
-    min-version: 7
+    lt-version: 8
      count: 1
      match:
        event_type: flow
@@ -23,11 +23,26 @@ checks:
        event_type: alert
        alert.signature_id: 1
  - filter:
+    min-version: 8
+    count: 3
+    match:
+      event_type: alert
+      alert.signature_id: 2
+# IP-only, so max 2.
+- filter:
+    min-version: 8
+    count: 2
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    lt-version: 8
      count: 1
      match:
        event_type: alert
        alert.signature_id: 2
  - filter:
+    lt-version: 8
      count: 1
      match:
        event_type: alert
author	Victor Julien <victor@inliniac.net>
	Fri, 11 Apr 2025 07:14:10 +0000 (09:14 +0200)
committer	Victor Julien <victor@inliniac.net>
	Thu, 17 Apr 2025 06:22:10 +0000 (08:22 +0200)
tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml		patch \| blob \| blame \| history
tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml		patch \| blob \| blame \| history
tests/issue-5466-alert-then-pass-03-drop-pass/test.rules		patch \| blob \| blame \| history
tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml		patch \| blob \| blame \| history
tests/util-action-tests/util-action-13/test.yaml		patch \| blob \| blame \| history
tests/util-action-tests/util-action-16/test.yaml		patch \| blob \| blame \| history