--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
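Review bot: The comment on the `alert tcp` rule attributes the suppressed alert to a "memcap drop", but this test's args (in test.yaml) simulate an app-layer parser error via `--simulate-applayer-error-at-offset-ts=0` with `app-layer.error-policy=drop-flow` and never touch a memcap. The line looks copied from the stream-memcap variant, and a reader debugging a failure here would be sent to the wrong policy. Suggest `# matches packet 4, but should not alert because the simulated app-layer error drops the flow`.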
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend pretend error in the first data
+- --simulate-applayer-error-at-offset-ts=0
+- --set app-layer.error-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "applayer error"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
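Review bot: The arg comment `# pretend pretend error in the first data` has a doubled word and does not say which direction the offset applies to; suggest `# pretend an app-layer error at to-server data offset 0 (the first client bytes)`. The suricata.yaml for this test enables `anomaly` logging with `applayer: yes`, yet no filter asserts on `event_type: anomaly`, so a missing or spurious app-layer anomaly record would go unnoticed — either add a filter pinning its count or drop that output. The `tls.sni: example.com` count-0 filter is subsumed by the `event_type: tls` count-0 filter below it. Note also that the pcap is borrowed from `../tls-ja3s/input.pcap`, so the hard-coded 29/28 totals silently depend on a sibling test's fixture.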
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; priority:2; sid:2; rev:1;)
+# matches packet 4, but no match due to action order
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: example.com
--- /dev/null
+pcap from https://wiki.wireshark.org/SampleCaptures
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
--- /dev/null
+alert icmp any any -> any any (itype:8; sid:1;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+args:
+- --simulate-ips
+- -k none
+# pretend pretend error in the first fragment
+- --simulate-packet-defrag-memcap=1
+- --set defrag.memcap-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "defrag memcap"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: ICMP
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
+ proto: ICMP
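Review bot: The comment `# pretend pretend error in the first fragment` has a doubled word and mislabels a memcap hit as an error; suggest `# pretend the defrag memcap is hit on the first fragment (drop-packet drops only that fragment)`. The checks pin one record with `drop.reason: "defrag memcap"` but not which packet it was, so a drop on a later fragment would still pass; adding `pcap_cnt: 1` to that filter's `match` would tie it to the simulated packet (EVE packet records carry `pcap_cnt` when reading a pcap — please confirm for drop records). This test has no `pcap:` key and so reads an `input.pcap` from its own directory that is not in the diff; the README's pointer to the Wireshark sample captures would be more useful if it named the specific capture file so the counts can be reproduced.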
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
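Review bot: The `drop.reason: "stream memcap"` filter checks that exactly one memcap drop was logged but not that it was packet 4, which is what the comment on `--simulate-packet-tcp-reassembly-memcap=4` promises; adding `pcap_cnt: 4` to that filter's `match` pins it (EVE packet records carry `pcap_cnt` in pcap mode — confirm it is emitted for drop records). The `tls.sni: example.com` count-0 filter is subsumed by the `event_type: tls` count-0 filter directly below it and can be removed. The 29/28 totals are derived from the sibling `../tls-ja3s/input.pcap`, so they will break silently if that fixture changes.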
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap pass
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=pass-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ flow.action: pass
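Review bot: Unlike the drop-flow sibling, the `--simulate-packet-tcp-reassembly-memcap=4` arg here carries no comment explaining why packet 4 was chosen; suggest `# pretend tcp memcap was hit in packet 4, the client hello containing the sni; pass-flow skips inspection of the rest of the flow`. The checks expect one `tls` record but zero with `tls.sni: example.com`, which is the interesting consequence of the policy (the SNI sits in the segment that is no longer inspected) and reads like a typo without a comment; suggest `# the sni is in the passed segment, so it is never logged` above that filter.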
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap bypass
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=bypass
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
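Review bot: The `--simulate-packet-tcp-reassembly-memcap=4` arg has no comment here, while the drop-flow sibling documents that packet 4 is the ClientHello carrying the SNI; suggest `# pretend tcp memcap was hit in packet 4, the client hello containing the sni; bypass stops tracking the flow`. The final filter pins `flow.state: bypassed` but nothing else about the flow, so asserting the logged `app_proto` value as well (whatever a flow bypassed before the ClientHello is parsed reports — take it from an actual run) would make the check stricter and document the expected app-layer outcome.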
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
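Review bot: This test is an almost line-for-line copy of the stream-memcap drop-flow test that also carries a `drop tls` rule and an explicit `action-order`; the only visible differences are the missing `drop` rule, the `priority` keywords on the remaining rules and the absence of `action-order` in its suricata.yaml, and nothing records which of those this variant exercises. Suggest a leading comment in test.yaml such as `# variant without a drop rule: the 28 "flow drop" records must come from the exception policy alone, not from a matching drop signature`. Adding `pcap_cnt: 4` to the `drop.reason: "stream memcap"` filter would also pin the simulated packet.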
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
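Review bot: The `drop.reason: "stream memcap"` filter does not tie the single drop to packet 4; adding `pcap_cnt: 4` to its `match` would verify that drop-packet hit exactly the simulated ClientHello and nothing else. The checks then expect one `tls` record and a flow with `app_proto: tls` even though that ClientHello was dropped, which a future maintainer may read as a wrong expectation; a comment on the `event_type: tls` filter such as `# with drop-packet only packet 4 is dropped, so the flow is still parsed as TLS but the SNI from the dropped segment is never seen` would explain why `tls.sni: example.com` is pinned to 0.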
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
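Review bot: The comment says `no match due to memcap drop`, but this test sets `stream.reassembly.memcap-policy=pass-packet` and its checks assert zero `drop` records, so nothing is dropped; the alert is absent because the passed packet is not inspected. Suggest `# matches packet 4, but no match because pass-packet skips inspection of the memcap-affected packet`.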
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=pass-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-ssn-memcap=1
+- --set stream.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 32
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 31
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
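Review bot: The `--simulate-packet-tcp-ssn-memcap=1` arg has no comment, unlike the reassembly-memcap tests; the session memcap is simulated on the first packet, which is why the totals here are 32/31 rather than the 29/28 of the packet-4 tests. Suggest `# pretend the tcp session memcap is hit on packet 1 (the SYN): no session is created and drop-flow drops every packet of the flow`. Adding `pcap_cnt: 1` to the `drop.reason: "stream memcap"` filter would pin the packet. The 32 total is effectively the packet count of the sibling `../tls-ja3s/input.pcap`, so a change to that fixture breaks this test silently.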