tests: add http file blocking on sha256 tests
authorVictor Julien <victor@inliniac.net>
Fri, 27 Mar 2020 14:08:13 +0000 (15:08 +0100)
committerVictor Julien <victor@inliniac.net>
Sat, 11 Apr 2020 12:04:22 +0000 (14:04 +0200)
12 files changed:
tests/http-sha256-drop-02/README.md [new file with mode: 0644]
tests/http-sha256-drop-02/blacklist [new file with mode: 0644]
tests/http-sha256-drop-02/input.pcap [new file with mode: 0644]
tests/http-sha256-drop-02/suricata.yaml [new file with mode: 0644]
tests/http-sha256-drop-02/test.rules [new file with mode: 0644]
tests/http-sha256-drop-02/test.yaml [new file with mode: 0644]
tests/http-sha256-drop/README.md [new file with mode: 0644]
tests/http-sha256-drop/blacklist [new file with mode: 0644]
tests/http-sha256-drop/input.pcap [new file with mode: 0644]
tests/http-sha256-drop/suricata.yaml [new file with mode: 0644]
tests/http-sha256-drop/test.rules [new file with mode: 0644]
tests/http-sha256-drop/test.yaml [new file with mode: 0644]

diff --git a/tests/http-sha256-drop-02/README.md b/tests/http-sha256-drop-02/README.md
new file mode 100644 (file)
index 0000000..e7a75b4
--- /dev/null
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/21
diff --git a/tests/http-sha256-drop-02/blacklist b/tests/http-sha256-drop-02/blacklist
new file mode 100644 (file)
index 0000000..fd5bec0
--- /dev/null
@@ -0,0 +1,5 @@
+cac5f74a1e146d6de26845e3e03732c01167e4bbb4333e76889b538c9bd30362
+537aea248165d3e82e48c4808b92e048bd1593ecbcb99d661c3c776204cd96a2
+be331893e44dcad93536b7b5cd3104abc9174ab66086ea5ad8bd4b2618222780
+3f6a4dffd4fd653b53b621349d5167d3cfa3cad926c166e7e24b88d3c9a06acf
+abe7c7b40883a7b59e6493d0f9a9b4b85035f22ee6195da2b188c2072279634f
diff --git a/tests/http-sha256-drop-02/input.pcap b/tests/http-sha256-drop-02/input.pcap
new file mode 100644 (file)
index 0000000..8b8f94e
Binary files /dev/null and b/tests/http-sha256-drop-02/input.pcap differ
diff --git a/tests/http-sha256-drop-02/suricata.yaml b/tests/http-sha256-drop-02/suricata.yaml
new file mode 100644 (file)
index 0000000..eca3826
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
diff --git a/tests/http-sha256-drop-02/test.rules b/tests/http-sha256-drop-02/test.rules
new file mode 100644 (file)
index 0000000..bad3228
--- /dev/null
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg:"File stored: EXE"; fileext:"exe"; filestore; sid:1; rev:1;)
+drop http any any -> any any (msg:"Malicious file detected"; filesha256:blacklist; xbits:set, blocked_http, track ip_pair, expire 3600; sid:2; rev:2;)
+drop http any any -> any any (msg:"Block 206 response for IPPair"; content:"206"; http_stat_code; xbits:isset, blocked_http, track ip_pair; priority:1; sid:3; rev:1;)
+#drop http any any -> any any (msg:"Request blocked for IPPair"; content:"GET"; http_method; content:"exe"; http_uri; xbits:isset, blocked_http, track ip_pair; priority:1; sid:4; rev:2;)
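Review bot: The `xbits:set, blocked_http, track ip_pair, expire 3600` in sid 2 makes sid 3 drop every HTTP 206 response exchanged between the two hosts for the next hour, not only continuations of the blacklisted file, so any unrelated range download between the same pair (or behind the same NAT address) is collateral damage; the rules file should state that trade-off. A header comment such as `# sid 2 can only match once the full body has been hashed; sid 3 then blocks resumed (206) transfers between the IP pair for 1h - every range response between the pair is affected` would make the intent explicit. The commented-out sid 4 is left with no explanation; either remove it or add a comment saying why it is disabled so a maintainer does not re-enable it blindly.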
diff --git a/tests/http-sha256-drop-02/test.yaml b/tests/http-sha256-drop-02/test.yaml
new file mode 100644 (file)
index 0000000..dbdfa31
--- /dev/null
@@ -0,0 +1,50 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - HAVE_NSS
+  min-version: 4.1.0
+
+args:
+  - --simulate-ips
+  - --runmode=single
+  - --no-random
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        alert.signature_id: 2
+        pcap_cnt: 103
+  - filter:
+      count: 8
+      match:
+        event_type: drop
+        flow_id: 746850855319537
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+        pcap_cnt: 135
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        alert.signature_id: 3
+        pcap_cnt: 135
+  - filter:
+      count: 7
+      match:
+        event_type: drop
+        flow_id: 948787333709074
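Review bot: The `requires.features` list gates the whole test on `HAVE_NSS`, so a Suricata build that provides `filesha256` without that feature flag would skip this test silently instead of running it; it is worth confirming the feature name against both the oldest and the newest versions the suite targets, since a skipped IPS test gives no signal. The checks pin `flow_id` values (746850855319537, 948787333709074) and `pcap_cnt` values to this exact capture, which is acceptable but opaque; a one-line comment per check, e.g. `# flow carrying the blacklisted exe; presumably one drop event per packet after the drop given drop.flows: all`, would tell a maintainer what each count represents. `--runmode=single` and `--no-random` are what make these counts reproducible and should be kept if the test is ever copied.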
diff --git a/tests/http-sha256-drop/README.md b/tests/http-sha256-drop/README.md
new file mode 100644 (file)
index 0000000..3a7af36
--- /dev/null
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/14
diff --git a/tests/http-sha256-drop/blacklist b/tests/http-sha256-drop/blacklist
new file mode 100644 (file)
index 0000000..fd5bec0
--- /dev/null
@@ -0,0 +1,5 @@
+cac5f74a1e146d6de26845e3e03732c01167e4bbb4333e76889b538c9bd30362
+537aea248165d3e82e48c4808b92e048bd1593ecbcb99d661c3c776204cd96a2
+be331893e44dcad93536b7b5cd3104abc9174ab66086ea5ad8bd4b2618222780
+3f6a4dffd4fd653b53b621349d5167d3cfa3cad926c166e7e24b88d3c9a06acf
+abe7c7b40883a7b59e6493d0f9a9b4b85035f22ee6195da2b188c2072279634f
diff --git a/tests/http-sha256-drop/input.pcap b/tests/http-sha256-drop/input.pcap
new file mode 100644 (file)
index 0000000..20a7393
Binary files /dev/null and b/tests/http-sha256-drop/input.pcap differ
diff --git a/tests/http-sha256-drop/suricata.yaml b/tests/http-sha256-drop/suricata.yaml
new file mode 100644 (file)
index 0000000..eca3826
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
diff --git a/tests/http-sha256-drop/test.rules b/tests/http-sha256-drop/test.rules
new file mode 100644 (file)
index 0000000..30d7dfc
--- /dev/null
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg:"File stored: EXE"; fileext:"exe"; filestore; sid:1; rev:1;)
+drop http any any -> any any (msg:"Malicious file detected"; filesha256:blacklist; sid:2; rev:2;)
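Review bot: A drop on `filesha256:blacklist` can only trigger once the whole file body has been received and hashed, so sid 2 drops the tail of the transfer rather than preventing the download; the test.yaml in this commit expects the drop only at `pcap_cnt: 929`, which is consistent with a late match. The rule should carry a comment so the "Malicious file detected" drop is not read as blocking delivery, e.g. `# sha256 is only known at file end: this drops the final packets, the bulk of the file has already reached the client`. Minor: a brand-new rule starting at `rev:2` while sid 1 starts at `rev:1` is inconsistent.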
diff --git a/tests/http-sha256-drop/test.yaml b/tests/http-sha256-drop/test.yaml
new file mode 100644 (file)
index 0000000..d450431
--- /dev/null
@@ -0,0 +1,29 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - HAVE_NSS
+  min-version: 4.1.0
+
+args:
+  - --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 929
+  - filter:
+      count: 43
+      match:
+        event_type: drop
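Review bot: This test runs with only `--simulate-ips`, whereas the http-sha256-drop-02 test added in the same commit also passes `--runmode=single` and `--no-random`; exact counts such as the 43 drop events and the single drop at `pcap_cnt: 929` are more likely to stay stable across runmode or threading changes if the same arguments are used here. The `count: 43` check has no qualifier beyond `event_type: drop`, so it silently depends on `drop.flows: all` in the accompanying suricata.yaml (presumably one drop event per dropped packet); a comment like `# every packet of the flow after the sid 2 drop is logged as its own drop event (drop.flows: all)` would document that dependency.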