tests: add suppress tests 961/head
authorVictor Julien <victor@inliniac.net>
Sat, 15 Oct 2022 09:50:06 +0000 (11:50 +0200)
committerVictor Julien <victor@inliniac.net>
Sat, 15 Oct 2022 09:50:06 +0000 (11:50 +0200)
54 files changed:
tests/threshold/threshold-config-suppress-bydst-ip/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ip/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ip/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ip/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ip/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ip/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipsubnet/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipsubnet/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipsubnet/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipsubnet/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipvar/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipvar/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipvar/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipvar/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipvar/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bydst-ipvar/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ip/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ip/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ip/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ip/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ip/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ip/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipsubnet/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipsubnet/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipsubnet/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipsubnet/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipvar/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipvar/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipvar/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipvar/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipvar/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-byeither-ipvar/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ip/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ip/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ip/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ip/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ip/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ip/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipsubnet/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipsubnet/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipsubnet/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipsubnet/threshold.config [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipvar/README.md [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipvar/input.pcap [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipvar/input.rules [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipvar/suricata.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipvar/test.yaml [new file with mode: 0644]
tests/threshold/threshold-config-suppress-bysrc-ipvar/threshold.config [new file with mode: 0644]

diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/README.md b/tests/threshold/threshold-config-suppress-bydst-ip/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/input.pcap b/tests/threshold/threshold-config-suppress-bydst-ip/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-bydst-ip/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/input.rules b/tests/threshold/threshold-config-suppress-bydst-ip/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/suricata.yaml b/tests/threshold/threshold-config-suppress-bydst-ip/suricata.yaml
new file mode 100644 (file)
index 0000000..ee5c3f0
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/test.yaml b/tests/threshold/threshold-config-suppress-bydst-ip/test.yaml
new file mode 100644 (file)
index 0000000..58392f3
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 15
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
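Review bot: The checks assert the same 19 `drop` events and 1 `http` event in every variant while only the alert count moves (15 here, 0 in the by_either tests, 4 in the by_src tests), which indicates that a suppress entry removes the alert record but the drop verdict under `--simulate-ips` is still applied; nothing in the file says so, and a reader would otherwise expect the drop count to shrink together with the alerts. A comment on the drop filter would pin this down: `# suppress only removes the alert; the drop verdict still applies, so this count is the same in every suppress test`. There is also a trailing space after `min-version: 7`. The same applies to the test.yaml hunks in the other eight threshold-config-suppress-* directories.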
diff --git a/tests/threshold/threshold-config-suppress-bydst-ip/threshold.config b/tests/threshold/threshold-config-suppress-bydst-ip/threshold.config
new file mode 100644 (file)
index 0000000..e74f872
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_dst, ip 145.254.160.237
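Review bot: The README that accompanies this file is titled "Threshold.config with by_rule" and says the test checks the by_rule keyword, while this entry tracks by_dst against a single address, so the only description of the test contradicts it. Keeping the intent next to the data with a comment line above the entry, `# suppress sid 1000001 only when the destination is 145.254.160.237; 15 of the alerts are expected to survive`, and renaming the README heading to the track mode actually used would fix this. The same README mismatch applies to the threshold.config files of bydst-ipsubnet, bydst-ipvar, byeither-ip, byeither-ipsubnet, byeither-ipvar, bysrc-ip, bysrc-ipsubnet and bysrc-ipvar, each with its own track mode and address form (single IP, /24 subnet, $SUPPRESS address group).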
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/README.md b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.pcap b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.rules b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/suricata.yaml b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/suricata.yaml
new file mode 100644 (file)
index 0000000..ee5c3f0
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/test.yaml b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/test.yaml
new file mode 100644 (file)
index 0000000..58392f3
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 15
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipsubnet/threshold.config b/tests/threshold/threshold-config-suppress-bydst-ipsubnet/threshold.config
new file mode 100644 (file)
index 0000000..20844fd
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_dst, ip 145.254.160.0/24
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/README.md b/tests/threshold/threshold-config-suppress-bydst-ipvar/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/input.pcap b/tests/threshold/threshold-config-suppress-bydst-ipvar/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-bydst-ipvar/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/input.rules b/tests/threshold/threshold-config-suppress-bydst-ipvar/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/suricata.yaml b/tests/threshold/threshold-config-suppress-bydst-ipvar/suricata.yaml
new file mode 100644 (file)
index 0000000..c746f55
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
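Review bot: The comment above `address-groups` ("more specific is better for alert accuracy and performance") is the stock suricata.yaml wording and says nothing about why SUPPRESS holds these three ranges; only 145.0.0.0/8 covers the 145.254.160.237 host that the sibling single-IP tests use, so the other two presumably exist to exercise a multi-entry group. Replacing it with `# SUPPRESS is referenced from threshold.config; 145.0.0.0/8 is the entry covering the pcap host` would state the intent that the test actually depends on. The double blank line after the group can go. The same copied comment appears in the byeither-ipvar and bysrc-ipvar suricata.yaml hunks.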
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/test.yaml b/tests/threshold/threshold-config-suppress-bydst-ipvar/test.yaml
new file mode 100644 (file)
index 0000000..58392f3
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 15
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bydst-ipvar/threshold.config b/tests/threshold/threshold-config-suppress-bydst-ipvar/threshold.config
new file mode 100644 (file)
index 0000000..c717f2a
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_dst, ip $SUPPRESS
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/README.md b/tests/threshold/threshold-config-suppress-byeither-ip/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/input.pcap b/tests/threshold/threshold-config-suppress-byeither-ip/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-byeither-ip/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/input.rules b/tests/threshold/threshold-config-suppress-byeither-ip/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/suricata.yaml b/tests/threshold/threshold-config-suppress-byeither-ip/suricata.yaml
new file mode 100644 (file)
index 0000000..ee5c3f0
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/test.yaml b/tests/threshold/threshold-config-suppress-byeither-ip/test.yaml
new file mode 100644 (file)
index 0000000..11a7b53
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-byeither-ip/threshold.config b/tests/threshold/threshold-config-suppress-byeither-ip/threshold.config
new file mode 100644 (file)
index 0000000..13aaba2
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_either, ip 145.254.160.237
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/README.md b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.pcap b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.rules b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/suricata.yaml b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/suricata.yaml
new file mode 100644 (file)
index 0000000..ee5c3f0
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/test.yaml b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/test.yaml
new file mode 100644 (file)
index 0000000..11a7b53
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipsubnet/threshold.config b/tests/threshold/threshold-config-suppress-byeither-ipsubnet/threshold.config
new file mode 100644 (file)
index 0000000..0f55909
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_either, ip 145.254.160.0/24
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/README.md b/tests/threshold/threshold-config-suppress-byeither-ipvar/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/input.pcap b/tests/threshold/threshold-config-suppress-byeither-ipvar/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-byeither-ipvar/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/input.rules b/tests/threshold/threshold-config-suppress-byeither-ipvar/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/suricata.yaml b/tests/threshold/threshold-config-suppress-byeither-ipvar/suricata.yaml
new file mode 100644 (file)
index 0000000..c746f55
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/test.yaml b/tests/threshold/threshold-config-suppress-byeither-ipvar/test.yaml
new file mode 100644 (file)
index 0000000..11a7b53
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-byeither-ipvar/threshold.config b/tests/threshold/threshold-config-suppress-byeither-ipvar/threshold.config
new file mode 100644 (file)
index 0000000..29d1563
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_either, ip $SUPPRESS
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/README.md b/tests/threshold/threshold-config-suppress-bysrc-ip/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/input.pcap b/tests/threshold/threshold-config-suppress-bysrc-ip/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-bysrc-ip/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/input.rules b/tests/threshold/threshold-config-suppress-bysrc-ip/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/suricata.yaml b/tests/threshold/threshold-config-suppress-bysrc-ip/suricata.yaml
new file mode 100644 (file)
index 0000000..ee5c3f0
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/test.yaml b/tests/threshold/threshold-config-suppress-bysrc-ip/test.yaml
new file mode 100644 (file)
index 0000000..65c1dea
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ip/threshold.config b/tests/threshold/threshold-config-suppress-bysrc-ip/threshold.config
new file mode 100644 (file)
index 0000000..7cd83dd
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_src, ip 145.254.160.237
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/README.md b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.pcap b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.rules b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/suricata.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/suricata.yaml
new file mode 100644 (file)
index 0000000..ee5c3f0
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/test.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/test.yaml
new file mode 100644 (file)
index 0000000..65c1dea
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/threshold.config b/tests/threshold/threshold-config-suppress-bysrc-ipsubnet/threshold.config
new file mode 100644 (file)
index 0000000..c6daa2b
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_src, ip 145.254.160.0/24
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/README.md b/tests/threshold/threshold-config-suppress-bysrc-ipvar/README.md
new file mode 100644 (file)
index 0000000..a9a4cbd
--- /dev/null
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule 
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/input.pcap b/tests/threshold/threshold-config-suppress-bysrc-ipvar/input.pcap
new file mode 100644 (file)
index 0000000..bf5caeb
Binary files /dev/null and b/tests/threshold/threshold-config-suppress-bysrc-ipvar/input.pcap differ
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/input.rules b/tests/threshold/threshold-config-suppress-bysrc-ipvar/input.rules
new file mode 100644 (file)
index 0000000..7cb862d
--- /dev/null
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/suricata.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipvar/suricata.yaml
new file mode 100644 (file)
index 0000000..c746f55
--- /dev/null
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: true
+        - http
+        - anomaly
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/test.yaml b/tests/threshold/threshold-config-suppress-bysrc-ipvar/test.yaml
new file mode 100644 (file)
index 0000000..65c1dea
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7 
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 4
+      match:
+        event_type: alert
+        alert.signature_id: 1000001
+  - filter:
+      count: 19
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: http
diff --git a/tests/threshold/threshold-config-suppress-bysrc-ipvar/threshold.config b/tests/threshold/threshold-config-suppress-bysrc-ipvar/threshold.config
new file mode 100644 (file)
index 0000000..00a6571
--- /dev/null
@@ -0,0 +1 @@
+suppress gen_id 1, sig_id 1000001, track by_src, ip $SUPPRESS