tests: add test for alert-then-pass issue 5466 master 1903/head 1905/head
authorVictor Julien <victor@inliniac.net>
Fri, 12 Jan 2024 13:38:57 +0000 (14:38 +0100)
committerVictor Julien <victor@inliniac.net>
Fri, 7 Jun 2024 19:15:23 +0000 (21:15 +0200)
14 files changed:
tests/issue-5466-alert-then-pass-01/icmp_and_ssh.pcap [new file with mode: 0644]
tests/issue-5466-alert-then-pass-01/suricata.yaml [new file with mode: 0644]
tests/issue-5466-alert-then-pass-01/test.rules [new file with mode: 0644]
tests/issue-5466-alert-then-pass-01/test.yaml [new file with mode: 0644]
tests/issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap [new file with mode: 0644]
tests/issue-5466-alert-then-pass-02/suricata.yaml [new file with mode: 0644]
tests/issue-5466-alert-then-pass-02/test.rules [new file with mode: 0644]
tests/issue-5466-alert-then-pass-02/test.yaml [new file with mode: 0644]
tests/issue-5466-alert-then-pass-03-drop-pass/suricata.yaml [new file with mode: 0644]
tests/issue-5466-alert-then-pass-03-drop-pass/test.rules [new file with mode: 0644]
tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml [new file with mode: 0644]
tests/issue-5466-alert-then-pass-04-drop-alert/suricata.yaml [new file with mode: 0644]
tests/issue-5466-alert-then-pass-04-drop-alert/test.rules [new file with mode: 0644]
tests/issue-5466-alert-then-pass-04-drop-alert/test.yaml [new file with mode: 0644]

diff --git a/tests/issue-5466-alert-then-pass-01/icmp_and_ssh.pcap b/tests/issue-5466-alert-then-pass-01/icmp_and_ssh.pcap
new file mode 100644 (file)
index 0000000..7708ee4
Binary files /dev/null and b/tests/issue-5466-alert-then-pass-01/icmp_and_ssh.pcap differ
diff --git a/tests/issue-5466-alert-then-pass-01/suricata.yaml b/tests/issue-5466-alert-then-pass-01/suricata.yaml
new file mode 100644 (file)
index 0000000..bf8a47e
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
diff --git a/tests/issue-5466-alert-then-pass-01/test.rules b/tests/issue-5466-alert-then-pass-01/test.rules
new file mode 100644 (file)
index 0000000..f697f21
--- /dev/null
@@ -0,0 +1,2 @@
+pass tcp any any -> any 22 (alert; sid:2; gid:10000003; msg:"PASS SSH";)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
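Review bot: The pass rule on the first line sets gid:10000003, but none of the filters in this test's test.yaml asserts a gid (they match only event_type, alert.signature_id and alert.signature), so an alert emitted with the default gid would still pass the test; either add `alert.gid: 10000003` to the sid:2 filter or drop the option if it is incidental. The same rules file is reused unchanged in issue-5466-alert-then-pass-03-drop-pass, and the alert rule in 04-drop-alert carries the same unchecked gid. Minor style point: sid:1 carries `rev:1` while sid:2 has no rev.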
diff --git a/tests/issue-5466-alert-then-pass-01/test.yaml b/tests/issue-5466-alert-then-pass-01/test.yaml
new file mode 100644 (file)
index 0000000..7c29856
--- /dev/null
@@ -0,0 +1,33 @@
+requires:
+  min-version: 8
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        alert.signature: "PASS SSH"
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: flow
+        flow.action: pass
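Review bot: The `min-version: 7` on the last filter is dead: the file already declares `requires: min-version: 8`, so the test never runs on 7 and the per-check gate cannot change which checks execute. Either drop that line, or, if the intent is to run the alert/drop checks on 7 and gate only the flow.action check, lower the top-level requirement instead. The same redundant gate appears in the 03-drop-pass and 04-drop-alert test.yaml files (in 04 the top-level requirement is 7, so the gate is merely a no-op there), while 02 has no gate at all.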
diff --git a/tests/issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap b/tests/issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
new file mode 100644 (file)
index 0000000..fbfc654
Binary files /dev/null and b/tests/issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap differ
diff --git a/tests/issue-5466-alert-then-pass-02/suricata.yaml b/tests/issue-5466-alert-then-pass-02/suricata.yaml
new file mode 100644 (file)
index 0000000..bf8a47e
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
diff --git a/tests/issue-5466-alert-then-pass-02/test.rules b/tests/issue-5466-alert-then-pass-02/test.rules
new file mode 100644 (file)
index 0000000..53c3470
--- /dev/null
@@ -0,0 +1,3 @@
+pass ssh any any -> any any (msg:"pass rule with alert"; ssh.proto; content:"2"; alert; flow:established, to_server; sid:10201;)
+pass tcp any any -> any any (msg:"allow session establishment"; alert; flow:not_established; sid:10202;)
+drop ip any any -> any any (msg:"drop all packets"; sid:10211;)
diff --git a/tests/issue-5466-alert-then-pass-02/test.yaml b/tests/issue-5466-alert-then-pass-02/test.yaml
new file mode 100644 (file)
index 0000000..9f63dba
--- /dev/null
@@ -0,0 +1,36 @@
+requires:
+  min-version: 8
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 10211
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+        alert.signature_id: 10202
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10201
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: pass
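Review bot: The expected counts (0 drop events, 1 flow, 1 flow with action pass) imply the capture holds only the single SSH session, yet the file is named icmp_and_ssh-s0.pcap; any ICMP packet would be matched by `drop ip any any -> any any` (sid 10211) and, with drop logging set to `flows: all`, presumably produce a drop event and a second flow record. I cannot inspect the binary pcap from here, so if it really carries no ICMP a comment such as `# pcap holds a single SSH session only; sid 10211 must not fire` next to `checks:` would stop a reader from expecting the two-flow counts of test 01, and if it does carry ICMP the counts need a second look.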
diff --git a/tests/issue-5466-alert-then-pass-03-drop-pass/suricata.yaml b/tests/issue-5466-alert-then-pass-03-drop-pass/suricata.yaml
new file mode 100644 (file)
index 0000000..4d96ebf
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+action-order:
+  - drop
+  - reject
+  - alert
+  - pass
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
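Review bot: The action-order here puts drop ahead of pass, which differs from the order used by the 01 and 02 tests (pass first, which is also Suricata's default), and nothing in the file says this inversion is deliberate; a comment such as `# drop before pass on purpose: the pass rule must lose to the drop rule` above `action-order:` would keep a future cleanup from "fixing" it back. The same file is used unchanged in issue-5466-alert-then-pass-04-drop-alert (same blob 4d96ebf). The `files` and `http` eve output types are not referenced by any check in these tests and could be left out to keep the config minimal.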
diff --git a/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules b/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules
new file mode 100644 (file)
index 0000000..f697f21
--- /dev/null
@@ -0,0 +1,2 @@
+pass tcp any any -> any 22 (alert; sid:2; gid:10000003; msg:"PASS SSH";)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
diff --git a/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml b/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml
new file mode 100644 (file)
index 0000000..3187671
--- /dev/null
@@ -0,0 +1,35 @@
+requires:
+  min-version: 8
+
+args:
+  - --simulate-ips
+  - -k none
+
+pcap: ../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        alert.signature: "PASS SSH"
+  - filter:
+      count: 322
+      match:
+        event_type: drop
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
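Review bot: `count: 322` for drop events is a magic number tied to the contents of the borrowed ../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap, and the file does not say what it counts; a comment such as `# 322 = presumably one drop event per TCP packet in the shared pcap (sid 1 with flows: all) — verify if the pcap or drop logging changes` next to that filter would make a later count mismatch diagnosable. The pcap is also referenced from test 01 by relative path, so renaming or removing that test silently breaks 03 and 04; a comment on the `pcap:` line naming the shared dependency would help. The same 322 appears in the 04-drop-alert test.yaml.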
diff --git a/tests/issue-5466-alert-then-pass-04-drop-alert/suricata.yaml b/tests/issue-5466-alert-then-pass-04-drop-alert/suricata.yaml
new file mode 100644 (file)
index 0000000..4d96ebf
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+action-order:
+  - drop
+  - reject
+  - alert
+  - pass
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
diff --git a/tests/issue-5466-alert-then-pass-04-drop-alert/test.rules b/tests/issue-5466-alert-then-pass-04-drop-alert/test.rules
new file mode 100644 (file)
index 0000000..2f707c4
--- /dev/null
@@ -0,0 +1,2 @@
+alert tcp any any -> any 22 (sid:2; gid:10000003;)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
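Review bot: The alert rule on the first line has no `msg`, unlike every other rule added in this commit, so its eve record carries no descriptive signature and the sid:2 filter in this test's test.yaml can only match on the number; adding `msg:"ALERT SSH";` keeps the output self-describing and lets the check also match `alert.signature` as test 01 does. Minor: `rev` is set on sid:1 but not on sid:2.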
diff --git a/tests/issue-5466-alert-then-pass-04-drop-alert/test.yaml b/tests/issue-5466-alert-then-pass-04-drop-alert/test.yaml
new file mode 100644 (file)
index 0000000..8ecad2e
--- /dev/null
@@ -0,0 +1,34 @@
+requires:
+  min-version: 7
+
+args:
+  - --simulate-ips
+  - -k none
+
+pcap: ../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 322
+      match:
+        event_type: drop
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop