From 4ed9be4b33f107b8c02a4a3d9f663e39b8b4a2f8 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Fri, 9 May 2025 10:50:17 +0200
Subject: [PATCH] tests: firewall: add verdict output

---
 .../suricata.yaml | 4 ++-
 .../test.yaml | 29 +++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
index 24e38b5ab..21b31afba 100644
--- a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
@@ -55,9 +55,11 @@ outputs:
 types:
 - stats
 - flow
- - alert
+ - alert:
+ verdict: true
 - tls:
 extended: yes # enable this for extended logging information
 - drop:
 alerts: yes # log alerts that caused drops
 flows: all # start or all: 'start' logs only a single drop
+ verdict: true
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
index b2ed858a9..647fc082d 100644
--- a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
@@ -24,11 +24,13 @@ checks:
 alert.signature_id: 1023
 alert.action: allowed
 pcap_cnt: 6
+ verdict.action: drop
 - filter:
 count: 2
 match:
 event_type: alert
 pcap_cnt: 6
+ verdict.action: drop
 - filter:
 count: 0
 match:
@@ -39,6 +41,7 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1021
+ verdict.action: accept
 - filter:
 count: 0
 match:
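Review bot: The two added `verdict: true` lines in the suricata.yaml hunk spell the boolean differently from the neighbouring keys of the same eve-log stanza, which use `extended: yes` and `alerts: yes`; mixing `true` and `yes` in one block invites YAML 1.1/1.2 confusion and reads as two authors. Either match the stanza with `verdict: yes` under both `- alert:` and `- drop:`, or switch the existing `yes` values to `true` in the same commit so the file uses one spelling. The enclosing `outputs:` mapping starts above the hunk.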
@@ -49,6 +52,20 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1023
+# packet rule accepted, also accepted at app layer
+- filter:
+ count: 5
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ verdict.action: accept
+# packet rule accepted, dropped at app layer
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ verdict.action: drop
 - filter:
 count: 0
 match:
@@ -69,10 +86,22 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 105
+ verdict.action: accept
 - filter:
 count: 54 # 53 + 1 (drop sid 999)
 match:
 event_type: drop
+ verdict.action: drop
+# count all records with verdict field
+- filter:
+ count: 9
+ match:
+ verdict.action: accept
+# count all records with verdict field
+- filter:
+ count: 57
+ match:
+ verdict.action: drop
 - filter:
 count: 1
 match:
-- 
2.47.2
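Review bot: The two new sid 1023 filters in the `@@ -49,6 +52,20 @@` hunk are commented as "packet rule accepted" but only assert `verdict.action`, so a regression where the packet rule itself stopped accepting (alert blocked, verdict drop) would still satisfy the `count: 2` / `verdict.action: drop` filter. If these alerts carry `alert.action: allowed`, as the pcap_cnt 6 filter earlier in the file asserts for sid 1023, add `alert.action: allowed` to both new `match:` blocks so the check pins the packet-versus-app distinction the comments describe. The `checks:` list these filters belong to starts above the hunk.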
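Review bot: In the `@@ -69,10 +86,22 @@` hunk the comment `# count all records with verdict field` is repeated verbatim on two filters that count different verdicts, and the totals 9 and 57 are left unexplained, unlike the existing `count: 54 # 53 + 1 (drop sid 999)` line that shows its derivation. Make the comments distinct, e.g. `# all records with verdict.action accept` and `# all records with verdict.action drop`, and give each count a breakdown in the same style as the line above (drop events plus alerts that carry a drop verdict, with the per-event-type numbers filled in from the run) so a future count change points at which event type moved. Whether 9 and 57 are meant to cover every event type that carries a verdict is not visible in the hunk and should be stated in the comment.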