tests: add bug 4663 and 4670 tests
authorVictor Julien <victor@inliniac.net>
Fri, 3 Sep 2021 15:03:24 +0000 (17:03 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 14 Sep 2021 11:31:51 +0000 (13:31 +0200)
14 files changed:
tests/bug-4663-02/icmp.pcap [new file with mode: 0644]
tests/bug-4663-02/suricata.yaml [new file with mode: 0644]
tests/bug-4663-02/test.rules [new file with mode: 0644]
tests/bug-4663-02/test.yaml [new file with mode: 0644]
tests/bug-4663-03/icmp_and_ssh.pcap [new file with mode: 0644]
tests/bug-4663-03/suricata.yaml [new file with mode: 0644]
tests/bug-4663-03/test.rules [new file with mode: 0644]
tests/bug-4663-03/test.yaml [new file with mode: 0644]
tests/bug-4663/README.md [new file with mode: 0644]
tests/bug-4663/blacklist [new file with mode: 0644]
tests/bug-4663/input.pcap [new file with mode: 0644]
tests/bug-4663/suricata.yaml [new file with mode: 0644]
tests/bug-4663/test.rules [new file with mode: 0644]
tests/bug-4663/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-4663-02/icmp.pcap b/tests/bug-4663-02/icmp.pcap
new file mode 100644 (file)
index 0000000..2a9e849
Binary files /dev/null and b/tests/bug-4663-02/icmp.pcap differ
diff --git a/tests/bug-4663-02/suricata.yaml b/tests/bug-4663-02/suricata.yaml
new file mode 100644 (file)
index 0000000..062b722
--- /dev/null
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+action-order:
+  - drop
+  - pass
+  - reject
+  - alert
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - dns
+        - flow
diff --git a/tests/bug-4663-02/test.rules b/tests/bug-4663-02/test.rules
new file mode 100644 (file)
index 0000000..40a19b7
--- /dev/null
@@ -0,0 +1,3 @@
+drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; sid:10002;)
+pass ip any any -> any any (msg:"Pass IP"; sid:1004;)
+pass tcp any any -> any 22 (sid:1;)
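Review bot: The third rule `pass tcp any any -> any 22 (sid:1;)` has no `msg`, and both rules in tests/bug-4663/test.rules (the hunk ending at `drop tcp any any -> any any (noalert; sid:1; rev:1;)`) are likewise unnamed, while the bug-4663-03 copies of the same two rules do carry messages. Presumably the eve records for an unnamed signature show an empty `alert.signature`, which makes the counts in test.yaml harder to read back against the log. Suggest `pass tcp any any -> any 22 (msg:"Pass SSH"; sid:1;)` here and reusing the `PASS SSH` / `DROP all TCP` strings from bug-4663-03 in the bug-4663 rules.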
diff --git a/tests/bug-4663-02/test.yaml b/tests/bug-4663-02/test.yaml
new file mode 100644 (file)
index 0000000..ece851a
--- /dev/null
@@ -0,0 +1,31 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - HAVE_NSS
+  min-version: 7
+
+args:
+  - --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.alerted: true
+        flow.action: drop
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10002
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 1
+        alert.signature_id: 10002
+  - filter:
+      count: 10
+      match:
+        event_type: drop
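Review bot: The last filter pins `count: 10` drop events with nothing saying where 10 comes from; this test's suricata.yaml sets `drop: flows: all`, so a drop record is written for every packet of the dropped flow and the number presumably equals the packet count of icmp.pcap. A comment above the filter, `# one drop record per packet of the dropped ICMP flow (drop.flows: all); icmp.pcap carries 10 packets — confirm if the pcap is regenerated`, would tell a maintainer what to update. Separately, the commit title names bug 4670, yet every path in the diffstat is under tests/bug-4663*; either a 4670 directory is missing from the change or the title should only mention 4663.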
diff --git a/tests/bug-4663-03/icmp_and_ssh.pcap b/tests/bug-4663-03/icmp_and_ssh.pcap
new file mode 100644 (file)
index 0000000..7708ee4
Binary files /dev/null and b/tests/bug-4663-03/icmp_and_ssh.pcap differ
diff --git a/tests/bug-4663-03/suricata.yaml b/tests/bug-4663-03/suricata.yaml
new file mode 100644 (file)
index 0000000..bf8a47e
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
diff --git a/tests/bug-4663-03/test.rules b/tests/bug-4663-03/test.rules
new file mode 100644 (file)
index 0000000..d2d75a9
--- /dev/null
@@ -0,0 +1,2 @@
+pass tcp any any -> any 22 (sid:2; gid:10000003; msg:"PASS SSH";)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
diff --git a/tests/bug-4663-03/test.yaml b/tests/bug-4663-03/test.yaml
new file mode 100644 (file)
index 0000000..0c81522
--- /dev/null
@@ -0,0 +1,29 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - HAVE_NSS
+  min-version: 7
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+  - filter:
+      count: 2
+      match:
+        event_type: flow
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: pass
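Review bot: `-k none` is passed only in this test (bug-4663 and bug-4663-02 run without it) and nothing records why checksum verification has to be off for icmp_and_ssh.pcap; a comment next to it, `# -k none: <reason checksum checks must be disabled for this capture — confirm>`, would keep a later cleanup from dropping the flag and silently changing which packets reach the rules. The fourth filter pins only the SSH flow as `flow.action: pass` while the `count: 2` check leaves the second flow's action unconstrained; if that flow is expected to carry no action (no rule matches ICMP here), a filter asserting that, or a comment saying it is intentionally unchecked, would make the expectation explicit.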
diff --git a/tests/bug-4663/README.md b/tests/bug-4663/README.md
new file mode 100644 (file)
index 0000000..3a7af36
--- /dev/null
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/14
diff --git a/tests/bug-4663/blacklist b/tests/bug-4663/blacklist
new file mode 100644 (file)
index 0000000..fd5bec0
--- /dev/null
@@ -0,0 +1,5 @@
+cac5f74a1e146d6de26845e3e03732c01167e4bbb4333e76889b538c9bd30362
+537aea248165d3e82e48c4808b92e048bd1593ecbcb99d661c3c776204cd96a2
+be331893e44dcad93536b7b5cd3104abc9174ab66086ea5ad8bd4b2618222780
+3f6a4dffd4fd653b53b621349d5167d3cfa3cad926c166e7e24b88d3c9a06acf
+abe7c7b40883a7b59e6493d0f9a9b4b85035f22ee6195da2b188c2072279634f
diff --git a/tests/bug-4663/input.pcap b/tests/bug-4663/input.pcap
new file mode 100644 (file)
index 0000000..20a7393
Binary files /dev/null and b/tests/bug-4663/input.pcap differ
diff --git a/tests/bug-4663/suricata.yaml b/tests/bug-4663/suricata.yaml
new file mode 100644 (file)
index 0000000..eca3826
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
diff --git a/tests/bug-4663/test.rules b/tests/bug-4663/test.rules
new file mode 100644 (file)
index 0000000..c974242
--- /dev/null
@@ -0,0 +1,2 @@
+pass tcp any any -> any 22 (sid:2; gid:10000003;)
+drop tcp any any -> any any (noalert; sid:1; rev:1;)
diff --git a/tests/bug-4663/test.yaml b/tests/bug-4663/test.yaml
new file mode 100644 (file)
index 0000000..3b87301
--- /dev/null
@@ -0,0 +1,30 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - HAVE_NSS
+  min-version: 7
+
+args:
+  - --simulate-ips
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 1
+        alert.signature_id: 1
+  - filter:
+      count: 969
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
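Review bot: `count: 969` drop events is a bare constant and the directory's README only gives the pcap's origin; a comment above the filter, `# one drop record per packet of the dropped TCP flow (drop.flows: all); 969 packets in input.pcap — confirm`, would document what the number depends on. `tests/bug-4663/blacklist` (five SHA-256 values) is added in the same commit, but neither this directory's suricata.yaml nor test.rules references it, so as committed it appears unused by the test; either wire it into the config or rule that needs it or leave it out. This suricata.yaml also relies on the default action-order where bug-4663-02 and bug-4663-03 set it explicitly; stating `action-order: [pass, drop, reject, alert]` here would make the intended ordering visible alongside the sibling tests.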