--- /dev/null
+# Test
+
+This is a test for a corner case scenario where the amount of alerts matching
+against a single packet is bigger than ``packet_alert_max`` and the discarded
+alert is for a rule with a ``drop`` action.
+
+Regardless of discarding the alert, Suricata must still enforce its ``drop``
+action, if that matched against the packet.
+
+This test is also particular as it only has one packet.
+
+Expected result:
+
+Alerts for sids 1, 2, 3 and 4. Alert for sid 5 should be discarded, but the `drop`
+verdict should still be present.
+
+# PCAP
+
+Re-used from test alert-max-append-higher-priority's pcap script, to keep same
+scenario.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5180
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ verdict: true
+ payload-printable: yes
+ - http
+ - flow
+ - stats
+ - drop
+ - anomaly
+
+# Set the order of alerts based on actions
+# The default order is pass, drop, reject, alert
+action-order:
+ - alert
+ - drop
+ - pass
+ - reject
+
+stats:
+ enabled: yes
+ decoder-events: true
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 3
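Review bot: The non-default `action-order` (alert before drop) appears to be what makes sid 5's alert the one discarded once `packet-alert-max: 3` is reached, yet the two comment lines above it only restate Suricata's default order, so a reader cannot tell the ordering is deliberate rather than pasted from a stock config. I'd replace those two lines with `# alert before drop on purpose: with packet-alert-max 3 the four alert rules fill the queue` and `# first, so the drop rule (sid 5) is the alert that overflows while its verdict must survive`. The third suricata.yaml in this change repeats the same block with the same comments and would take the same note.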
--- /dev/null
+# Engine-analysis' Internal id: 1
+alert tcp any any -> any any (msg:"Match rule 1"; dsize:<140; sid:1; rev:1;)
+# Engine-analysis' Internal id: 2
+alert http any any -> any any (msg:"Match rule 2"; uricontent:"/index.html"; sid:2; rev:1;)
+# Engine-analysis' Internal id: 3
+alert http any any -> any any (msg:"Match rule 3"; alert; http.request_line; bsize:10<>100; sid:3; rev:1;)
+# Engine-analysis' Internal id: 4
+alert http any any -> any any (msg:"Match rule 4"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:4;)
+# this one should not show in alert due to alert queue overflow
+# Engine-analysis' Internal id: 0
+drop http any any -> any any (msg:"Match and drop rule 5"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:5;)
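Review bot: `rev` is set on sids 1-3 but missing on sids 4 and 5 (the last two rules), so the file mixes two styles for no visible reason; give every rule `rev:1;` or drop it from all of them. The comment on sid 5 says it overflows the alert queue, but the reader has to open suricata.yaml to learn that `packet-alert-max: 3` and the alert-first `action-order` presumably force that; a pointer such as `# discarded because packet-alert-max is 3 and action-order puts alert rules first (see suricata.yaml)` would make the rules file self-explaining. The third rules file in this change (the `http.method` variant) has the same `rev` gap on sids 4 and 5.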
--- /dev/null
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+- --simulate-ips
+
+pcap: ../alert-max-append-higher-priority/input.pcap
+
+checks:
+# Sub-test 1
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ pkt_src: "wire/pcap"
+ alert.signature_id: 1
+ verdict.action: drop
+# Sub-test 2
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ pkt_src: "wire/pcap"
+ alert.signature_id: 2
+ verdict.action: drop
+# Sub-test 3
+- filter:
+ # suricata 7 doesn't show this alert.
+ # if we don't drop the flow, it matches against the stream
+ # (pkt_srt: stream (flow timeout))
+ min-version: 9
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ pkt_src: "wire/pcap"
+ alert.signature_id: 3
+ verdict.action: drop
+# Sub-test 4
+- filter:
+ # suricata 8 doesn't show this alert
+ lt-version: 8.0
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+# Sub-test 5
+- filter:
+ # suricata 7 doesn't show this alert.
+ # if we don't drop the flow, it matches against the stream
+ # (pkt_srt: stream (flow timeout))
+ lt-version: 8.0
+ count: 0
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ pkt_src: "wire/pcap"
+ alert.signature_id: 3
+ verdict.action: drop
+# Sub-test 6
+- filter:
+ min-version: 9
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+# Sub-test 7
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+# Sub-test 8
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: drop
+ pkt_src: "wire/pcap"
+ pcap_cnt: 1
+ drop.reason: rules
+# Sub-test 9
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+# Sub-test 10
+- filter:
+ # as suricata 7 won't have a match for sid 3,
+ # the overflow check fails for 7
+ min-version: 9
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.alert_queue_overflow: 2
+ stats.detect.alert: 3
+ stats.decoder.pkts: 1
+ stats.ips.blocked: 1
+ stats.ips.accepted: 0
+ stats.ips.drop_reason.rules: 1
+# Sub-test 11
+- filter:
+ lt-version: 8.0
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.alert_queue_overflow: 1
+ stats.detect.alert: 3
+ stats.decoder.pkts: 1
+ stats.ips.blocked: 1
+ stats.ips.accepted: 0
+ stats.ips.drop_reason.rules: 1
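Review bot: Sub-tests 3/5 and 10/11 split on `min-version: 9` versus `lt-version: 8.0`, so a Suricata 8.x run executes neither sid 3 check and neither stats block, assuming suricata-verify applies these filters as their names suggest; if 8.x is meant to be skipped, a comment saying why should replace the "suricata 7" remarks, otherwise an 8.x variant of those checks is missing. The `lt-version: 8.0.4` / `gt-version: 8.0.4` pair on sub-tests 1, 2 and 8 (and on every check of the second test.yaml, and combined with `min-version: 9` in the last test.yaml's sub-test 6) is never explained; one comment at the top of `checks:` such as `# 8.0.4 is excluded from the version-specific checks because <reason>` would do. The comments on sub-tests 3 and 5 write `pkt_srt` where the field is `pkt_src`. The README for this test expects alerts for sids 1-4, while sub-tests 6 and 10 expect sid 4 to be discarded with `alert_queue_overflow: 2` on 9+; one of the two should change.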
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/"GET /index.html HTTP/1.0\r\nHost: www.openinfosecfoundation.org\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\nContent-Type: text/html\r\n"
+
+wrpcap('input.pcap', pkts)
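Review bot: `flags='P''A'` on the TCP layer relies on implicit adjacent-literal concatenation and reads like a typo; write `flags='PA'`. `pkts += Ether(...)` presumably works only because scapy packets are iterable, whereas `pkts.append(Ether(...))` states the intent directly and makes it obvious the list holds exactly one packet, matching the README. The shebang `#!/usr/bin/env python` may resolve to Python 2 on older hosts; `#!/usr/bin/env python3` is safer. The request ends after the `Content-Type` header without the blank line that terminates HTTP headers; if that incomplete request is what drives the single-packet scenario, a comment such as `# headers deliberately unterminated: only one packet is emitted` would stop someone from "fixing" it.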
--- /dev/null
+# Test
+
+This is a test for a corner case scenario where the amount of alerts matching
+against a single packet is higher than ``packet_alert_max`` and the discarded
+alert is for a rule with a ``drop`` action.
+
+Regardless of discarding the alert, Suricata must still enforce its ``drop``
+action, if that matched against the packet.
+
+Expected result:
+
+We should see one discarded alert, as there isn't enough space in the alert queue
+for the rule with the "drop" action, and Suricata should block the traffic from
+the matched packet onwards.
+
+Currently:
+
+Suricata 7 will tag the flow for dropping from packet 1. We see alerts for
+sids 2, 3, and 5, only for said packet.
+
+## Pcap
+
+A single HTTP flow extracted from existing test ``http-protocol-inspect-v2`` pcap
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5180
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes # append to file (yes) or overwrite it (no)
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ verdict: true
+ payload-printable: yes
+ - http
+ - flow
+ - stats
+ - drop
+
+
+# Set the order of alerts based on actions
+# The default order is pass, drop, reject, alert
+action-order:
+ - alert
+ - drop
+ - pass
+ - reject
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 3
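Review bot: The `stats:` entry at the top of `outputs` (stats.log with `append`/`totals`/`threads`) does not appear to be read by any check of this test, which consume `event_type: stats` from eve.json, and the other two suricata.yaml files in this change omit it, so it looks like a leftover from the copied config; either remove it or mark it with `# stats.log kept for manual inspection only; checks read eve.json`. There are also two blank lines after the `drop` type entry where the rest of the file uses one. This file additionally lacks the top-level `stats:` section with `decoder-events: true` that the sibling configs set; if that is intentional, a short comment would save the next reader a comparison.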
--- /dev/null
+# Engine-analysis' Internal id: 2
+# We don't expect this rule to match as the flow should be dropped before packets that
+# match against it would be inspected
+alert tcp any any -> any any (msg:"No match rule 1"; dsize:<140; sid:1; rev:1;)
+# Engine-analysis' Internal id: 3
+alert http any any -> any any (msg:"Match rule 2"; uricontent:"/pagead"; sid:2; rev:1;)
+# Engine-analysis' Internal id: 1
+alert http any any -> any any (msg:"Match rule 3"; http.request_line; content:"GET /pagead"; flowbits:set,suspiciousad; sid:3;)
+# Engine-analysis' Internal id: 0
+drop http any any -> any any (msg:"Match rule 4"; http.request_line; content:"GET /pagead"; flowbits:isset,suspiciousad; sid:4;)
+# Engine-analysis' Internal id: 4
+alert tcp any any -> any any (msg:"Match rule 5"; dsize:>720; sid:5; rev:1;)
+# Engine-analysis' Internal id: 5
+# We don't expect this rule to match as the flow should be dropped before packets that
+# match against it would be inspected
+alert tcp any any -> any any (msg:"No match rule 6"; tcp.flags:A; sid: 6; rev:1;)
--- /dev/null
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+# Subtest 1
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+# Subtest 2
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ pcap_cnt: 1
+ pkt_src: "wire/pcap"
+ verdict.action: drop
+# Subtest 3
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+ pcap_cnt: 1
+ pkt_src: "wire/pcap"
+ verdict.action: drop
+# Subtest 4
+# Matches, but not enough space in packet alert queue
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+# Subtest 5
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
+ pcap_cnt: 1
+ pkt_src: "wire/pcap"
+ verdict.action: drop
+# Subtest 6
+# Matches, but not enough space in packet alert queue
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 6
+# Subtest 7
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 1
+ drop.reason: rules
+# Subtest 8
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 2
+ drop.reason: "flow drop"
+# Subtest 9
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: flow
+ flow.action: "drop"
+# Subtest 10
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.pkts: 7
+ stats.detect.alert_queue_overflow: 1
+ stats.detect.alert: 3
+ stats.ips.accepted: 0
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.flow_drop: 6
+ stats.ips.drop_reason.rules: 1
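Review bot: The comment on Subtest 6, `# Matches, but not enough space in packet alert queue`, contradicts the rule it checks: sid 6 is titled `No match rule 6`, its rules-file comment says it should not match because the flow is dropped first, and `stats.detect.alert_queue_overflow: 1` in Subtest 10 is consistent with only sid 4 being discarded. Replace it with `# Not expected to match: the flow is already dropped before packets matching sid 6 are inspected`. Unlike the first test.yaml, there is no `pcap:` key here; if the default input.pcap is intended that is fine, but a reader comparing the two files will wonder, so `# uses the default input.pcap next to this file` would help.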
--- /dev/null
+# Test
+
+This is a test for a corner case scenario where the amount of alerts matching
+against a single packet is bigger than ``packet_alert_max`` and the discarded
+alert is for a rule with a ``drop`` action.
+
+Regardless of discarding the alert, Suricata must still enforce its ``drop``
+action, if that matched against the packet.
+
+This test is also particular as it only has one packet.
+
+Expected result:
+
+Alerts for sids 1, 2 and 3. Alerts for sid 4 and 5 should be discarded, but the
+`drop` verdict should still be present.
+There should be 2 alerts discarded (alert_queue_overflow).
+
+## PCAP
+
+Single packet extracted from flow/pcap from test http-sticky-server's pcap.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5180
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ verdict: true
+ payload-printable: yes
+ - http
+ - flow
+ - stats
+ - drop
+ - anomaly
+
+# Set the order of alerts based on actions
+# The default order is pass, drop, reject, alert
+action-order:
+ - alert
+ - drop
+ - pass
+ - reject
+
+stats:
+ enabled: yes
+ decoder-events: true
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 3
--- /dev/null
+# Engine-analysis' Internal id: 1
+alert tcp any any -> any any (msg:"Match rule 1"; dsize:>140; sid:1; rev:1;)
+# Engine-analysis' Internal id: 2
+alert http any any -> any any (msg:"Match rule 2"; http.host; content:"clients1.google"; sid:2; rev:1;)
+# Engine-analysis' Internal id: 3
+alert http any any -> any any (msg:"Match rule 3"; alert; http.method; bsize:3; sid:3; rev:1;)
+# Engine-analysis' Internal id: 4
+alert http any any -> any any (msg:"Match rule 4"; http.method; content:"GET"; sid:4;)
+# this one should not show in alert due to alert queue overflow
+# Engine-analysis' Internal id: 0
+drop http any any -> any any (msg:"Match and drop rule 5"; http.request_line; content:"GET /complete/search"; sid:5;)
--- /dev/null
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+# Sub-test 1
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: alert
+ pkt_src: "wire/pcap"
+ alert.signature_id: 1
+ verdict.action: drop
+# Sub-test 2
+- filter:
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: alert
+ pkt_src: "wire/pcap"
+ alert.signature_id: 2
+ verdict.action: drop
+# Sub-test 3
+- filter:
+ # as with drop-5180-01 test, 7.0.x doesn't show this alert
+ min-version: 9
+ count: 1
+ match:
+ event_type: alert
+ pkt_src: "wire/pcap"
+ alert.signature_id: 3
+ verdict.action: drop
+# Sub-test 4
+- filter:
+ # as with drop-5180-01 test, 7.0.x shows this alert
+ lt-version: 8.0
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+# Sub-test 5
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+# Sub-test 6
+- filter:
+ min-version: 9
+ lt-version: 8.0.4
+ gt-version: 8.0.4
+ count: 1
+ match:
+ event_type: drop
+ pkt_src: "wire/pcap"
+# Sub-test 7
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+# Sub-test 8
+- filter:
+ min-version: 9
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.alert_queue_overflow: 2
+ stats.detect.alert: 3
+ stats.decoder.pkts: 1
+ stats.ips.blocked: 1
+ stats.ips.accepted: 0
+ stats.ips.drop_reason.rules: 1
+# Sub-test 9
+- filter:
+ lt-version: 8.0
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.alert_queue_overflow: 1
+ stats.detect.alert: 3
+ stats.decoder.pkts: 1
+ stats.ips.blocked: 1
+ stats.ips.accepted: 0
+ stats.ips.drop_reason.rules: 1