--- /dev/null
+Test Description
+================
+
+Test to show the output and alert logged in case of elephant flow detected.
+
+Redmine Tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/5647
+https://redmine.openinfosecfoundation.org/issues/8117
--- /dev/null
+%YAML 1.1
+---
+
+flow:
+ rate-tracking:
+ bytes: 10KiB
+ interval: 10
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - flow
+ - stats
+ - alert
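Review bot: The `rate-tracking` block gives no hint why its limits (10KiB over a 10 second interval) are orders of magnitude below anything a real deployment would use, so anyone copying this suricata.yaml as a template will inherit a setting that flags almost every flow as an elephant; presumably it is set this low so the test pcap crosses the threshold almost immediately, but nothing in the file says so. A comment above `rate-tracking:` would make the intent explicit: `# Deliberately tiny threshold so the test pcap is classified as an elephant flow early; not a production value.` Separately, `enabled: yes` relies on YAML 1.1 boolean parsing, which the `%YAML 1.1` directive at the top does guarantee here, but `enabled: true` reads the same under either spec version and avoids the question.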
--- /dev/null
+#alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:1;)
+#alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:2;)
+alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; prefilter; sid:1;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; sid:2;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:both; sid:3;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:either; sid:4;)
+
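Review bot: The two commented-out rules at the top of the file are copies of sids 1 and 2 with a `threshold: type backoff` added, and nothing says whether they are leftover experiments or a variant kept on purpose; dead rule text in a committed test should either be dropped or carry a comment such as `# thresholded variants kept for reference; the unthresholded rules below alert on every packet once the flow is flagged`. The `msg` on sids 3 and 4 still says `ToClient Elephant flow found!` although they match `flow.elephant:both` and `flow.elephant:either`, which makes the eve alert output misleading for anyone reading it; `msg:"Both-direction Elephant flow found!"` and `msg:"Either-direction Elephant flow found!"` would name what each rule actually tests. Only sid 1 carries `prefilter;`; if that is deliberate, to exercise the prefilter path of the keyword alongside the non-prefilter one, a trailing comment saying so would stop a later cleanup from harmonising it away.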
--- /dev/null
+pcap: ../tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap
+
+args:
+- --set stats.interval=3600
+
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ # toserver
+ count: 131711
+ match:
+ alert.signature_id: 1
+
+ - filter:
+ # toclient
+ count: 131702
+ match:
+ alert.signature_id: 2
+
+ - filter:
+ # both
+ count: 131702
+ match:
+ alert.signature_id: 3
+
+ - filter:
+ # either
+ count: 131711
+ match:
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ stats.flow.elephant_toserver: 1
+
+ - filter:
+ count: 1
+ match:
+ stats.flow.elephant_toclient: 1
+
+ - filter:
+ count: 1
+ match:
+ flow.elephant: true
+
+ - filter:
+ count: 1
+ match:
+ flow.elephant_direction: ["toserver", "toclient"]
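Review bot: The per-sid alert counts are pinned to exact values (131711 for sids 1 and 4, 131702 for sids 2 and 3) with only one-word comments, so a reader cannot tell why `both` equals `toclient` and `either` equals `toserver`, nor that these numbers mean the unthresholded rules alert on every remaining packet of a single flow once it is flagged. The difference of 9 alerts suggests the toserver direction crosses the limit nine packets before the toclient direction, so `either` fires from the same packet as `toserver` and `both` only from the packet where `toclient` also qualifies; that is inferred from the counts, not shown, and should be confirmed before being written down. Comments along the lines of `# either: fires once the first direction (toserver) exceeds the limit, so same count as sid 1` and `# both: needs both directions over the limit, so same count as the later toclient sid 2` above the respective filters would make the expectations self-explaining. The `count: 1` on the two `stats.flow.elephant_*` checks is only correct because `--set stats.interval=3600` leaves a single stats record for this pcap; a comment next to `args` noting that dependency would protect the test against someone lowering the interval.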
--- /dev/null
+#alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:1;)
+#alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:2;)
+alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; sid:1;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; sid:2;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:both; sid:3;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:either; sid:4;)
+
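Review bot: This rules file is the engine-analysis copy of the other test's rules and inherits the same two commented-out thresholded rules and the same mismatched `msg` strings on sids 3 and 4 (`ToClient` for rules that match `both` and `either`); since the companion test.yaml only asserts on `lists.packet.matches[0]`, the messages never surface in the checks, but the dead lines should still be removed or annotated. Fixing the messages to `msg:"Both-direction Elephant flow found!"` and `msg:"Either-direction Elephant flow found!"` keeps the two rule files consistent and the rules.json output honest. Note that the other test's sid 1 carries `prefilter;` while this one does not; if the engine-analysis output is expected to be the same either way, a comment such as `# prefilter intentionally omitted here; engine-analysis checks only the keyword and direction` would record that the difference is deliberate rather than an oversight.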
--- /dev/null
+requires:
+ min-version: 9
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "toserver"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "toclient"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "either"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "both"
+