From 240da971807ec4b667ee1268bffd649a53d852a5 Mon Sep 17 00:00:00 2001 
From: Victor Julien
Date: Tue, 29 Apr 2025 14:55:43 +0200
Subject: [PATCH] tests: firewall: add basic ssh tests
---
.../firewall.rules | 22 ++++++
.../suricata.yaml | 63 +++++++++++++++
.../test.yaml | 57 ++++++++++++++
.../ruletype-firewall-33-ssh/firewall.rules | 17 +++++
.../ruletype-firewall-33-ssh/suricata.yaml | 63 +++++++++++++++
.../ruletype-firewall-33-ssh/test.yaml | 51 +++++++++++++
.../firewall.rules | 19 +++++
.../ruletype-firewall-34-ssh-sw/suricata.yaml | 63 +++++++++++++++
.../ruletype-firewall-34-ssh-sw/test.yaml | 56 ++++++++++++++
.../firewall.rules | 23 ++++++
.../ruletype-firewall-35-ssh-sw/suricata.yaml | 63 +++++++++++++++
.../ruletype-firewall-35-ssh-sw/test.yaml | 76 +++++++++++++++++++
.../firewall.rules | 15 ++++
.../suricata.yaml | 63 +++++++++++++++
.../ruletype-firewall-36-minimal/test.yaml | 41 ++++++++++
.../firewall.rules | 14 ++++
.../suricata.yaml | 63 +++++++++++++++
.../test.yaml | 42 ++++++++++
.../firewall.rules | 8 ++
.../suricata.yaml | 63 +++++++++++++++
.../test.yaml | 42 ++++++++++
21 files changed, 924 insertions(+)
create mode 100644 tests/firewall/ruletype-firewall-32-proto-detect-ssh/firewall.rules
create mode 100644 tests/firewall/ruletype-firewall-32-proto-detect-ssh/suricata.yaml
create mode 100644 tests/firewall/ruletype-firewall-32-proto-detect-ssh/test.yaml
create mode 100644 tests/firewall/ruletype-firewall-33-ssh/firewall.rules
create mode 100644 tests/firewall/ruletype-firewall-33-ssh/suricata.yaml
create mode 100644 tests/firewall/ruletype-firewall-33-ssh/test.yaml
create mode 100644 tests/firewall/ruletype-firewall-34-ssh-sw/firewall.rules
create mode 100644 tests/firewall/ruletype-firewall-34-ssh-sw/suricata.yaml
create mode 100644 tests/firewall/ruletype-firewall-34-ssh-sw/test.yaml
create mode 100644 tests/firewall/ruletype-firewall-35-ssh-sw/firewall.rules
create mode 100644 tests/firewall/ruletype-firewall-35-ssh-sw/suricata.yaml
create mode 100644 tests/firewall/ruletype-firewall-35-ssh-sw/test.yaml
create mode 100644 tests/firewall/ruletype-firewall-36-minimal/firewall.rules
create mode 100644 tests/firewall/ruletype-firewall-36-minimal/suricata.yaml
create mode 100644 tests/firewall/ruletype-firewall-36-minimal/test.yaml
create mode 100644 tests/firewall/ruletype-firewall-37-minimal-bad/firewall.rules
create mode 100644 tests/firewall/ruletype-firewall-37-minimal-bad/suricata.yaml
create mode 100644 tests/firewall/ruletype-firewall-37-minimal-bad/test.yaml
create mode 100644 tests/firewall/ruletype-firewall-38-ssh-vs-telnet/firewall.rules
create mode 100644 tests/firewall/ruletype-firewall-38-ssh-vs-telnet/suricata.yaml
create mode 100644 tests/firewall/ruletype-firewall-38-ssh-vs-telnet/test.yaml
diff --git a/tests/firewall/ruletype-firewall-32-proto-detect-ssh/firewall.rules b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/firewall.rules
new file mode 100644
index 000000000..8983eba89
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/firewall.rules
@@ -0,0 +1,22 @@
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all any any <> any 22 (flow:not_established; alert; sid:1000;)
+
+# ssh protocol detect
+
+accept:packet tcp:all any any -> any 22 (flow:established,to_server; dsize:0; app-layer-protocol:unknown,to_server; alert; sid:1003;)
+accept:packet tcp:all any any -> any 22 (flow:established; app-layer-protocol:ssh,to_server; alert; sid:1001;)
+
+accept:packet tcp:all any 22 -> any any (flow:established,to_client; dsize:0; app-layer-protocol:unknown,to_client; alert; sid:1004;)
+accept:packet tcp:all any 22 -> any any (flow:established; app-layer-protocol:ssh,to_client; alert; sid:1002;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-32-proto-detect-ssh/suricata.yaml b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
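Review bot: The pre-detection accepts `sid:1003` and `sid:1004` in this hunk only tolerate empty segments (`dsize:0`), so a non-empty packet that arrives on an established flow while the protocol is still `unknown` matches no accept rule and falls to the default packet policy. The checks for this directory expect zero drops on this pcap, so the narrowing is presumably deliberate, but nothing in the file says so, and the ruletype-firewall-34-ssh-sw rules cover the same window with `app-layer-protocol:unknown` and no `dsize` condition, so the two read as interchangeable when they are not. A comment above `sid:1003` would fix that, e.g. `# only empty segments are tolerated before detection completes; data before detection falls to the default drop`.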
+++ b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-32-proto-detect-ssh/test.yaml b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/test.yaml
new file mode 100644
index 000000000..4be2306c6
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-32-proto-detect-ssh/test.yaml
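Review bot: This suricata.yaml is repeated byte-for-byte in all seven test directories (every copy has blob `24e38b5ab`) and most of it is inert for these tests: none of the rule files reference the `address-groups` or `port-groups` variables (they use `any` and a literal `22`/`23`), and the `tls` output type presumably produces nothing on an SSH or telnet pcap. Trimming each copy to the `stats` and `outputs` stanzas the checks actually read would make the intent clearer; the `drop` output with `flows: all` is the part that matters, since the per-packet `event_type: drop` counts expected by the 37 and 38 tests depend on it, and that deserves a comment of its own rather than the generic one. The `%YAML 1.1` directive makes `enabled: yes` an unambiguous boolean for Suricata's loader, so no change is needed there. The same applies to the copies under ruletype-firewall-33-ssh, -34-ssh-sw, -35-ssh-sw, -36-minimal, -37-minimal-bad and -38-ssh-vs-telnet.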
@@ -0,0 +1,57 @@
+requires:
+ min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1000
+- filter:
+ count: 139
+ match:
+ event_type: alert
+ alert.signature_id: 1001
+ alert.action: allowed
+- filter:
+ count: 181
+ match:
+ event_type: alert
+ alert.signature_id: 1002
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1003
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1004
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 140
+ flow.pkts_toclient: 182
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 322
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-33-ssh/firewall.rules b/tests/firewall/ruletype-firewall-33-ssh/firewall.rules
new file mode 100644
index 000000000..ca289c5c0
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-33-ssh/firewall.rules
@@ -0,0 +1,17 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all any any <> any 22 (alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook ssh:request_started any any -> any any (alert; sid:2000;)
+accept:hook ssh:request_banner_wait_eol any any -> any any (alert; sid:2001;)
+accept:tx ssh:request_banner_done any any -> any any (alert; sid:2002;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-33-ssh/suricata.yaml b/tests/firewall/ruletype-firewall-33-ssh/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-33-ssh/suricata.yaml
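Review bot: The per-sid alert counts in this test sum to 324 (3 + 139 + 181 + 0 + 1) while the flow it checks carries 322 packets (140 + 182) and `stats.ips.accepted` is also 322, so some packets presumably satisfy more than one accept rule; nothing in the file explains which, and a reader tuning these counts has no way to tell a double match from a miscount. The same 324-versus-322 gap appears in the 33, 34 and 35 tests (`sid:1000` at 324, or 4 + 320 across two packet rules), so it should be documented once where it first occurs. A comment above `checks:` along the lines of `# 324 alerts over 322 packets: some packets match more than one accept rule` — filled in with the actual packets once confirmed against the eve output — would do.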
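Review bot: `sid:1000` accepts every packet to or from port 22 at the packet hook with no protocol condition, so in this ruleset only the `ssh:*` hook rules separate SSH from anything else on that port; that deserves a comment, because the ruletype-firewall-34-ssh-sw rules gate the packet hook on `app-layer-protocol` and the two files otherwise look alike. The `accept:tx` on `ssh:request_banner_done` is the only tx-scoped accept in the series, and the 35 ruleset uses `accept:hook` on the same hook with the same expected count of 1, so the checks as written cannot tell the two forms apart. A comment such as `# accept:tx rather than accept:hook: exercises the tx-scoped accept on the banner hook` would record what the variant is meant to cover.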
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-33-ssh/test.yaml b/tests/firewall/ruletype-firewall-33-ssh/test.yaml
new file mode 100644
index 000000000..1a7b53829
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-33-ssh/test.yaml
@@ -0,0 +1,51 @@
+requires:
+ min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 324
+ match:
+ event_type: alert
+ alert.signature_id: 1000
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2000
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2001
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2002
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 140
+ flow.pkts_toclient: 182
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 322
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-34-ssh-sw/firewall.rules b/tests/firewall/ruletype-firewall-34-ssh-sw/firewall.rules
new file mode 100644
index 000000000..79f28e1f1
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-34-ssh-sw/firewall.rules
@@ -0,0 +1,19 @@
+# Packet rules
+
+# allow all packets while protocol detection is running
+accept:hook tcp:all any any <> any 22 (app-layer-protocol:unknown; alert; sid:1000;)
+# then when detected a protocol, only allow ssh
+accept:hook tcp:all any any <> any 22 (app-layer-protocol:ssh; alert; sid:1001;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook ssh:request_started any any -> any any (alert; sid:2000;)
+accept:hook ssh:request_banner_wait_eol any any -> any any (alert; sid:2001;)
+accept:tx ssh:request_banner_done any any -> any any (ssh.software; content:"OpenSSH_8.2p1"; alert; sid:2002;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-34-ssh-sw/suricata.yaml b/tests/firewall/ruletype-firewall-34-ssh-sw/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
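Review bot: `content:"OpenSSH_8.2p1"` on `ssh.software` is a substring match, so as an accept condition it also admits any software string that merely contains that value (a longer version string beginning with it, for instance); for an accept keyed on software version that is broader than the rule reads. If the intent is to pin the exact banner seen in the pcap, anchoring the match — `ssh.software; content:"OpenSSH_8.2p1"; startswith; endswith;`, or a `bsize` check — makes the accept exact, and a comment should say the value is the client banner captured in the pcap rather than a policy choice. The same applies to the `OpenSSH_8.2p1` and `OpenSSH_7.9p1` matches in the ruletype-firewall-35-ssh-sw rules.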
+++ b/tests/firewall/ruletype-firewall-34-ssh-sw/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-34-ssh-sw/test.yaml b/tests/firewall/ruletype-firewall-34-ssh-sw/test.yaml
new file mode 100644
index 000000000..91475bd46
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-34-ssh-sw/test.yaml
@@ -0,0 +1,56 @@
+requires:
+ min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000
+- filter:
+ count: 320
+ match:
+ event_type: alert
+ alert.signature_id: 1001
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2000
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2001
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2002
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 140
+ flow.pkts_toclient: 182
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 322
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-35-ssh-sw/firewall.rules b/tests/firewall/ruletype-firewall-35-ssh-sw/firewall.rules
new file mode 100644
index 000000000..03a1e7316
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-35-ssh-sw/firewall.rules
@@ -0,0 +1,23 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all any any <> any 22 (alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook ssh:request_started any any -> any any (alert; sid:2000;)
+accept:hook ssh:request_banner_wait_eol any any -> any any (alert; sid:2001;)
+accept:hook ssh:request_banner_done any any -> any any (ssh.software; content:"OpenSSH_8.2p1"; alert; sid:2002;)
+accept:hook ssh:request_finished any any -> any any (alert; sid:2003;)
+
+accept:hook ssh:response_started any any -> any any (alert; sid:3000;)
+accept:hook ssh:response_banner_wait_eol any any -> any any (alert; sid:3001;)
+accept:hook ssh:response_banner_done any any -> any any (ssh.software; content:"OpenSSH_7.9p1"; alert; sid:3002;)
+accept:hook ssh:response_finished any any -> any any (alert; sid:3003;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-35-ssh-sw/suricata.yaml b/tests/firewall/ruletype-firewall-35-ssh-sw/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-35-ssh-sw/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-35-ssh-sw/test.yaml b/tests/firewall/ruletype-firewall-35-ssh-sw/test.yaml
new file mode 100644
index 000000000..31af7b1aa
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-35-ssh-sw/test.yaml
@@ -0,0 +1,76 @@
+requires:
+ min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 324
+ match:
+ event_type: alert
+ alert.signature_id: 1000
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2000
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2001
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2002
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2003
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3000
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3001
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3002
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3003
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 140
+ flow.pkts_toclient: 182
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 322
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-36-minimal/firewall.rules b/tests/firewall/ruletype-firewall-36-minimal/firewall.rules
new file mode 100644
index 000000000..2655fa5e2
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-36-minimal/firewall.rules
@@ -0,0 +1,15 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all any any <> any 22 (alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:flow ssh:request_started any any -> any any (alert; sid:2000;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-36-minimal/suricata.yaml b/tests/firewall/ruletype-firewall-36-minimal/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
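Review bot: `accept:flow` on `ssh:request_started` accepts the remainder of the flow at the earliest SSH hook, before any banner has been parsed, so no later packet or transaction in that flow is evaluated against rules; the matching test expects `flow.action: "accept"` and only 4 `sid:1000` alerts against 324 in the 33 and 35 variants, which is consistent with the packet hook no longer seeing the flow after that point (inferred from the counts, not stated anywhere). Since this directory is the "minimal" template others will copy, the rule should say what it grants, e.g. `# accept:flow here accepts the whole rest of the flow as soon as SSH is recognised; nothing after this point is inspected`.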
+++ b/tests/firewall/ruletype-firewall-36-minimal/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-36-minimal/test.yaml b/tests/firewall/ruletype-firewall-36-minimal/test.yaml
new file mode 100644
index 000000000..e313d58e2
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-36-minimal/test.yaml
@@ -0,0 +1,41 @@
+requires:
+ min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2000
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 140
+ flow.pkts_toclient: 182
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 322
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-37-minimal-bad/firewall.rules b/tests/firewall/ruletype-firewall-37-minimal-bad/firewall.rules
new file mode 100644
index 000000000..b281f553a
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-37-minimal-bad/firewall.rules
@@ -0,0 +1,14 @@
+# Packet rules
+
+accept:packet tcp:all any any -> any 22 (flow:not_established; alert; sid:1000;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:flow ssh:response_finished any any -> any any (flow:established; alert; sid:2000;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-37-minimal-bad/suricata.yaml b/tests/firewall/ruletype-firewall-37-minimal-bad/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-37-minimal-bad/suricata.yaml
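Review bot: Nothing in this ruleset says it is meant to fail; only the directory name `minimal-bad` and the matching test's expectation of 320 `default_packet_policy` drops with `sid:2000` at 0 carry that intent. The visible cause is that `sid:1000` is one-directional (`-> any 22` with `flow:not_established`), so presumably the server's replies never match an accept at the packet hook and the `ssh:response_finished` accept is never reached; that is inferred from the counts, not stated. A comment above the packet rule recording the intended defect, such as `# intentionally broken: one-directional packet rule, server side hits the default packet drop`, would keep a later cleanup from "fixing" it.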
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-37-minimal-bad/test.yaml b/tests/firewall/ruletype-firewall-37-minimal-bad/test.yaml
new file mode 100644
index 000000000..16655779f
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-37-minimal-bad/test.yaml
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+pcap: ../../issue-5466-alert-then-pass-02/icmp_and_ssh-s0.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1000
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2000
+- filter:
+ count: 320
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 140
+ flow.pkts_toclient: 182
+ flow.state: "established"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 2
+ stats.ips.blocked: 320
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.default_packet_policy: 320
+ stats.ips.drop_reason.rules: 0
diff --git a/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/firewall.rules b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/firewall.rules
new file mode 100644
index 000000000..0c8890925
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/firewall.rules
@@ -0,0 +1,8 @@
+# Packet rules
+
+# allow all packets while protocol detection is running
+accept:hook tcp:all any any <> any 23 (app-layer-protocol:unknown; alert; sid:1000;)
+# then when detected a protocol, only allow ssh
+accept:hook tcp:all any any <> any 23 (app-layer-protocol:ssh; alert; sid:1001;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/suricata.yaml b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/suricata.yaml
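Review bot: This rules file drops the `# App-layer rules` / `# default drop` stanza that every other ruleset in the series carries, including ruletype-firewall-32-proto-detect-ssh where it is equally empty; keeping the same skeleton keeps the files diffable against each other. The two header comments are copied from the port-22 variant, while the point here is the negative case on port 23: the telnet pcap yields `sid:1001` at 0 and 89 default-policy drops, with `sid:1000` at 3 pinning how many packets pass during the `unknown` window before detection settles. A comment such as `# telnet pcap on port 23: once detection settles on a non-ssh protocol every further packet is dropped` would say what this test is for.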
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/test.yaml b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/test.yaml
new file mode 100644
index 000000000..89baade2d
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-38-ssh-vs-telnet/test.yaml
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+pcap: ../../telnet/telnet-01/telnet.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1000
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1001
+- filter:
+ count: 89
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 43
+ flow.pkts_toclient: 44
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 89
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.default_packet_policy: 89
+ stats.ips.drop_reason.rules: 0
-- 2.47.2