--- /dev/null
+Firewall Tests
+==============
+
+Test 3whs state tracking using flowbits.
--- /dev/null
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ # 'drop' due to another alert. That's the engine's verdict)
+ # verdict: yes
+ - anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is enabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # also enabled.
+ enabled: yes
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
+ # custom controls which TLS fields that are included in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # EXPERIMENTAL per packet output giving TCP state tracking details
+ # including internal state, flags, etc.
+ # This output is experimental, meant for debugging and subject to
+ # change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
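Review bot: The `- drop:` output near the end of this file (`alerts: yes`, `flows: all`) is the only thing that gives the companion test's `event_type: drop` / `count: 0` check its teeth, and nothing here says so; a later trim of this copied template would turn that check into a vacuous pass (the drop rule's own alert would probably still surface under `event_type: alert`, but the drop record is the direct signal). I would put `# keep enabled: test.yaml asserts zero drop events; without this output that check passes vacuously` above `- drop:`. Separately, the anomaly `types` block leaves `stream` at its commented-off default (`# stream: no`), so any `stream.3whs_*` events the engine raises while tracking this handshake are never logged; for a test that is specifically about 3whs tracking, `stream: yes` here plus an `event_type: anomaly` / `count: 0` check in the test would catch a mis-tracked handshake even when no packet ends up dropped.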
--- /dev/null
+# allow tcp handshake
+
+pass tcp any any -> any 443 (flags:S; flow:not_established; flowbits:set,syn; sid:1;)
+pass tcp any 443 -> any any (flags:SA; flow:not_established; flowbits:isset,syn; flowbits:set,synack; sid:2;)
+pass tcp any any -> any 443 (flags:A; flow:not_established; flowbits:isset,synack; flowbits:unset,syn; flowbits:unset,synack; sid:3;)
+
+# allow established
+
+pass tcp any any <> any 443 (flow:established; sid:4;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:5;)
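Review bot: `flags:S` on sid:1 and `flags:SA` on sid:2 are exact flag matches, so a client negotiating ECN (SYN with CWR and ECE also set) never sets the `syn` flowbit and its whole handshake falls through to sid:5's drop — unless I am misreading Suricata's default treatment of the reserved bits, the usual form is `flags:S,12;` and `flags:SA,12;`, which ignores them. The file also relies on pass winning over drop through the engine's default `action-order` (pass, drop, reject, alert) rather than on the order of the rules; a one-line comment above sid:5, `# pass rules win by default action-order, not by position in this file`, would stop the next reader from "fixing" the order. Note that sid:3's `flags:A` likewise excludes a third packet that already carries data (PSH+ACK); with this pcap that path is presumably not exercised, but it is a gap if the rule set is reused.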
--- /dev/null
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
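Review bot: All three checks are negative except the single TLS record, so the test cannot tell whether the third handshake packet was passed by sid:3 (the flowbits path under test) or simply by sid:4 once the stream engine already considered the flow established; sid:3's `flowbits:unset` bookkeeping is therefore never actually verified. Adding an `alert` rule for the leaked bit would not help, since a matching `pass` rule stops inspection of that packet, but tightening sid:4 to `pass tcp any any <> any 443 (flow:established; flowbits:isnotset,syn; sid:4;)` makes the existing `event_type: drop` / `count: 0` check a real assertion: if sid:3 never fired, established packets are no longer passed and the drop count goes non-zero. The `drop` filter also only means something while the companion suricata.yaml keeps its `drop` eve output enabled; a comment on that filter saying so would keep the two files honest.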
--- /dev/null
+Firewall Tests
+==============
+
+Test 3whs state tracking using flow state.
--- /dev/null
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ # 'drop' due to another alert. That's the engine's verdict)
+ # verdict: yes
+ - anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is enabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # also enabled.
+ enabled: yes
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
+ # custom controls which TLS fields that are included in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # EXPERIMENTAL per packet output giving TCP state tracking details
+ # including internal state, flags, etc.
+ # This output is experimental, meant for debugging and subject to
+ # change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
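Review bot: Same remark as for the flowbits variant's suricata.yaml, since this file is byte-identical to it: the `- drop:` output (`alerts: yes`, `flows: all`) is what makes the companion `event_type: drop` / `count: 0` check meaningful, and the anomaly `types` block leaves `stream` at its commented-off default, so `stream.3whs_*` events are never logged for a test that is about 3whs tracking. I would set `stream: yes` under anomaly `types:` and add `# keep enabled: test.yaml asserts zero drop events` above `- drop:`. Whatever is decided needs to land in both copies, or the two tests will quietly diverge in what they can detect.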
--- /dev/null
+# allow tcp handshake
+
+pass tcp any any <> any 443 (flow:not_established; sid:1;)
+
+# allow established
+
+pass tcp any any <> any 443 (flow:established; sid:4;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:5;)
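Review bot: sid:1 passes any packet to or from port 443 whose flow is not yet established, with no `flags` or direction constraint, so it does not track the handshake at all: a bare ACK, an RST, or a SYN/ACK arriving on a flow that never saw a SYN is passed just the same, where the flowbits variant would let sid:5 drop it. If that contrast is deliberate (this variant delegating the ordering entirely to the stream engine), a comment should say so, e.g. `# relies on the stream engine's flow state only; non-handshake packets on a new flow are passed too`; if not, the SYN and SYN/ACK can keep their direction and flags as in sid:1 and sid:2 of the flowbits variant (minus the flowbits), leaving only the final ACK to the engine's state. As in the sibling file, sid:5 only takes effect because pass precedes drop in the default `action-order`, which deserves a one-line comment next to it.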
--- /dev/null
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
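Review bot: This file is identical to the flowbits variant's test.yaml, same pcap and same three checks, so as written the two tests cannot fail differently: a clean handshake satisfies both rule sets and the looser `flow:not_established` pass in this variant is never put under pressure. A pcap with one stray non-handshake packet to port 443 (a bare ACK or RST on a fresh flow) would separate them: this rule set passes it, so `event_type: drop` stays at `count: 0` here, while the flowbits rule set drops it and its test would assert `count: 1`. Until such a pcap exists, a comment above `checks:` naming the engine behaviour this test pins (the flow being promoted to established after the third packet, without per-packet flag checks) would at least make the intent reviewable.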