--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
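Review bot: The rule has no `msg` or `rev`, so the alert and drop records this test emits carry no human-readable signature text, which makes a failing count check harder to triage from eve.json alone. Suggest `drop tcp any any -> any any (msg:"threshold suppress test"; dsize:0; sid:1000001; rev:1;)`. `dsize:0` matches every payload-less TCP segment (handshake and pure ACKs alike), which is presumably intended since the expected drop count in test.yaml is 19 across one flow — a comment stating that would help. The same one-line rule file is repeated in the eight sibling tests.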
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
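Review bot: `enabled: yes` and `alerts: true` spell booleans two different ways inside the same eve-log stanza; Suricata's loader accepts both, but the file should pick one (the stock suricata.yaml uses `yes`/`no`), e.g. `alerts: yes`. The `flows: all` setting under `drop` is, as far as I recall the drop-output options, what makes every dropped packet rather than only the first per flow produce a drop event, and the `count: 19` in test.yaml depends on it — worth a comment `# log every dropped packet, not only the first per flow` so the coupling is explicit. The same stanza is repeated verbatim in the sibling suricata.yaml files.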
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 15
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
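Review bot: The alert filter only pins the total (`count: 15`); it does not assert that the four alerts removed were the ones whose destination is the suppressed host, so a regression that suppressed the wrong direction, or any other four alerts, would still pass. Add a negative check scoped to the suppressed address so the test fails on that class of bug. Minor style point: the `args:` items are flush with the key while the `checks:` items are indented — pick one sequence style for the file. The same gap exists in the by_dst `/24` and `$SUPPRESS` siblings.
```yaml
checks:
  # … unchanged: existing alert / drop / http filters …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1000001
        dest_ip: 145.254.160.237
```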
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_dst, ip 145.254.160.237
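Review bot: This line tracks `by_dst` for a single host, but the README.md added alongside it says the test exercises the `by_rule` keyword, which appears nowhere in this series; the description is copy-pasted and will mislead whoever triages a failure. I would change the README sentence to `This test checks threshold.config suppress with track by_dst for a single IP` and adjust the by_src / by_either, /24 and $SUPPRESS siblings correspondingly. Going by the expected alert counts in test.yaml (15 of 19 survive a by_dst suppression), 145.254.160.237 appears to be the client side of the flow — a comment here such as `# client address in the http-all-headers pcap` would save the next reader that inference.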
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 15
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_dst, ip 145.254.160.0/24
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
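Review bot: The comment above `address-groups` is the stock HOME_NET text from the default suricata.yaml and does not describe this group; what matters here is presumably that `$SUPPRESS` is a multi-entry list of which only `145.0.0.0/8` covers an address seen in the pcap. Replace it with `# multi-entry group referenced from threshold.config; only 145.0.0.0/8 matches the pcap`. As written, nothing in the expected counts distinguishes full expansion of the list from honouring just one entry; if the pcap's other endpoint is known, placing it in a separate entry (and adjusting the expected alert count) would make the variable-expansion check stronger. The same vars block is repeated in the two sibling suricata.yaml files that use `$SUPPRESS`.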
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 15
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_dst, ip $SUPPRESS
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
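Review bot: The drop filter keeps `count: 19` while the alert filter expects `count: 0`, i.e. the expected output shows that `suppress` removes the alert record but the rule's drop action is still applied to every matching packet under `--simulate-ips`. That is the security-relevant behaviour of this series and it is not stated anywhere in the test; operators commonly assume suppress disables the rule. I would add to README.md: `Note: suppress only removes the alert; with --simulate-ips the drop action is still applied, hence the unchanged drop count.` The same holds for the by_either `/24` and `$SUPPRESS` siblings.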
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_either, ip 145.254.160.237
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_either, ip 145.254.160.0/24
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_either, ip $SUPPRESS
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
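Review bot: As with the by_dst variant, `count: 4` only pins the total number of surviving alerts and does not assert that the fifteen removed were those sourced from the suppressed host, so a suppression applied to the wrong direction could still pass. Add a negative check scoped on `src_ip` so the test fails in that case. The by_src `/24` and `$SUPPRESS` siblings would benefit from the same addition.
```yaml
checks:
  # … unchanged: existing alert / drop / http filters …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1000001
        src_ip: 145.254.160.237
```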
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_src, ip 145.254.160.237
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_src, ip 145.254.160.0/24
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ SUPPRESS: "[10.0.0.0/8,20.0.0.0/16,145.0.0.0/8]"
+
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 19
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+suppress gen_id 1, sig_id 1000001, track by_src, ip $SUPPRESS