--- /dev/null
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``pass-flow`` in IPS mode in a stream firstly seen by Suricata during SYNACK
+stage.
+
+# Behavior
+
+We expect to have zero alerts, but see ``http`` events logged, as the flow will
+still be inspected.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com
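Review bot: The Behavior section ("see ``http`` events logged, as the flow will still be inspected") contradicts the test.yaml in this same change, which asserts `count: 0` for `event_type: http`. Suricata's exception-policy documentation describes `pass-flow` as disabling inspection for the whole flow (packets, payload, app-layer), so the README wording should be corrected to expect no ``http`` events (or the check changed if the intent really is otherwise). Minor wording: "firstly seen by Suricata during SYNACK stage" reads better as "first seen by Suricata in SYNACK stage", matching the other READMEs.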
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
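Review bot: This suricata.yaml carries eve-log options that the test never exercises (`tls`, `ssh`, `smtp`, the `xff` block, and the default `filetype`/`filename` values); trimming it to the `alert`, `flow`, `http` and `drop` types that the checks reference keeps the test focused and makes it obvious which output settings matter for the midstream-policy behaviour. The same full config is duplicated in the bypass/SYNACK test, so both copies would benefit from the same trim.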
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+args:
+- --simulate-ips
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+ - filter:
+ count: 0
+ match:
+ event_type: http
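Review bot: The `drop` output is enabled in the accompanying suricata.yaml but no check asserts on it; adding a filter with `count: 0` and `event_type: drop` would positively confirm that `pass-flow` drops nothing, which is the property that distinguishes it from `drop-flow`. The `flow.action: pass` check alone does not prove the absence of drop events.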
--- /dev/null
+# Test
+
+Check that the midstream-policy is properly set to fail closed when
+stream.midstream-policy=drop-flow in IPS mode in a stream first seen by Suricata
+in SYNACK stage.
+
+# Behavior
+
+Neither the alert or anomaly events that would be logged with default behavior
+will show, as the flow is being dropped.
+
+# Traffic Description
+
+TCP async traffic with only the server to client side of a IMAP session
+
+# Pcap
+
+Pcap from https://github.com/mtimebombm/suricata/blob/master/imap-server.pcap
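Review bot: The README does not mention `stream.async-oneside=true`, which the test.yaml passes and which the one-sided IMAP pcap depends on; the Traffic Description should name that setting so a reader knows why the server-to-client-only capture is still tracked as a stream. Grammar in the Behavior section: "Neither the alert or anomaly events" should be "Neither the alert nor the anomaly events".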
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
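Review bot: `- alert:` is written with a trailing colon and no sub-keys, while `- flow` in the same list has none; the colon yields a null mapping and works, but `- alert` is the consistent form (the drop-flow/ACK suricata.yaml has the same `- alert:` entry). Otherwise the inline comments on the `drop` output explain the `flows: start` choice well.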
--- /dev/null
+# look for a content match crossing packet payload boundaries
+alert tcp any 143 -> any any (content:"C6 OK ID completed|0d 0a|* 21 EXISTS|0d 0a|* 6 RECENT"; flow:to_client; sid:1;)
--- /dev/null
+args:
+- --simulate-ips
+- --set stream.async-oneside=true
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ count: 0
+ match:
+ event_type: anomaly
--- /dev/null
+# Test
+
+Check that Suricata behaves as expected with no midstream-policy set (that is,
+with default behavior), in IPS mode, in a stream first seen by Suricata in
+SYNACK stage.
+
+# Behavior
+
+With midstream true but no exception policy for midstream set we expect to see
+alerts and ``http`` events logged, as the portion of the flow available will be
+inspected and no exception policy for midstream will be applied.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ - flow
+ - http
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+
+ # Check that we only have one alert event type in eve.
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ src_port: 80
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_port: 80
+ flow.state: closed
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ dest_port: 80
--- /dev/null
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``pass-flow`` in IPS mode, when the stream is first seen by Suricata in ACK
+stage.
+
+# Behavior
+
+We expect to have no alerts, but to see ``http`` events logged, as the flow will
+be inspected still.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
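Review bot: As in the pass-flow/SYNACK README, the Behavior section expects ``http`` events to be logged while the test.yaml for this test asserts `count: 0` for `event_type: http`; only one of the two can be right, and given that `pass-flow` disables further inspection of the flow, the README should state that no ``http`` events are expected.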
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert
+ - flow
+ - http
--- /dev/null
+alert tcp any any -> any any (http_response_line; content:"200 OK"; sid:1;)
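Review bot: This rule has no `msg`, unlike every other rule in the change; adding one (e.g. `msg:"http 200 OK response";`) makes any unexpected alert in eve.json readable when the test fails. Since the rule matches on the `http_response_line` buffer, `alert http` would also be the more conventional protocol keyword than `alert tcp`, though both work.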
--- /dev/null
+args:
+- --simulate-ips
+- --set stream.midstream-policy=pass-flow
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+- filter:
+ count: 0
+ match:
+ event_type: http
--- /dev/null
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``bypass`` in IPS mode, when the engine firstly sees the stream during SYNACK
+stage.
+
+# Behavior
+
+We expect to have no alerts, but to see ``http`` events logged, as the flow will
+be inspected still.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
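Review bot: The Behavior section ("see ``http`` events logged, as the flow will be inspected still") contradicts the test.yaml, which asserts `count: 0` for `event_type: http` and `flow.state: bypassed`; a bypassed flow is not inspected, so the README should say that only a ``flow`` event is expected, as the bypass/ACK README already does.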
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+args:
+- --simulate-ips
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 0
+ match:
+ event_type: http
--- /dev/null
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``drop-flow`` in IPS mode, when the stream is first seen by Suricata in ACK
+stage.
+
+# Behavior
+
+We expect to only see ``drop`` and ``flow`` events logged, as the flow will be
+droped.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
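Review bot: Typo in the Behavior section: "droped" should be "dropped". It would also help to state that the `drop http` rule is not expected to match at all, since the midstream policy drops the flow before any rule inspection; that is the reason the test can assert `count: 0` on ``http`` events despite a broad http rule being loaded.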
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
--- /dev/null
+drop http any any -> any any (msg:"broad http rule"; sid:1;)
--- /dev/null
+args:
+- --simulate-ips
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 2
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+
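Review bot: The checks never assert that zero `event_type: alert` events are logged, so a drop coming from the `drop http` rule instead of from the midstream policy would still pass this test. Adding a `count: 0` alert filter, and matching `drop.reason: stream midstream` on the drop events as the drop-flow/SYNACK test.yaml does, would tie the observed drops to the policy under test rather than to the rule.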
--- /dev/null
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``bypass`` in IPS mode when the engine firstly sees the stream during ACK
+state.
+
+# Behavior
+
+We expect to only see a ``flow`` event logged, as the flow will be bypassed.
+
+# Pcap
+
+Pcap is borrowed from the smb3-01 SV test.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - flow
+ - smb
+ - drop:
+ alerts: yes
+ flows: all
--- /dev/null
+alert smb any any -> any any (msg: "broad smb rule"; sid:1;)
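Review bot: `msg: "broad smb rule"` has a space after the colon, which differs from the `msg:"..."` form used by the other rules in this change; Suricata accepts it, but keeping the rules uniformly formatted avoids a reviewer wondering whether the spacing is significant.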
--- /dev/null
+args:
+- --simulate-ips
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+ - filter:
+ count: 0
+ match:
+ event_type: smb
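Review bot: The flow check here matches `flow.action: pass`, while the bypass/SYNACK test.yaml for the same policy matches `flow.state: bypassed`; the two tests should assert the same field so that they actually verify the same outcome. If a bypassed flow is logged with both `state: bypassed` and `action: pass`, include both keys in one filter; if not, the check that matches the documented bypass behaviour (`flow.state: bypassed`) is the one to keep in both tests.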