tests: add basic test for reject exception policy
authorJuliana Fajardini <jufajardini@oisf.net>
Tue, 6 Sep 2022 22:02:15 +0000 (19:02 -0300)
committerVictor Julien <victor@inliniac.net>
Tue, 13 Sep 2022 09:42:14 +0000 (11:42 +0200)
This test only ensures that Suricata does drop the packet/flow after
reaching an exception condition with a 'reject' policy.

Related to
Task #5503

tests/exception-policy-reject-action-01/README.md [new file with mode: 0644]
tests/exception-policy-reject-action-01/input-http-ACK.pcap [new file with mode: 0644]
tests/exception-policy-reject-action-01/suricata.yaml [new file with mode: 0644]
tests/exception-policy-reject-action-01/test.rules [new file with mode: 0644]
tests/exception-policy-reject-action-01/test.yaml [new file with mode: 0644]

diff --git a/tests/exception-policy-reject-action-01/README.md b/tests/exception-policy-reject-action-01/README.md
new file mode 100644 (file)
index 0000000..717dfb5
--- /dev/null
@@ -0,0 +1,15 @@
+# Test
+
+Check that the reject action for the exception policies is minimally functional.
+We don't check that the reject packet was created and sent, just that the
+packet/flow is dropped.
+
+# Behavior
+
+We expect to only see ``drop`` and ``flow`` events logged, as the flow will be
+droped.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-reject-action-01/input-http-ACK.pcap b/tests/exception-policy-reject-action-01/input-http-ACK.pcap
new file mode 100644 (file)
index 0000000..c5b1c51
Binary files /dev/null and b/tests/exception-policy-reject-action-01/input-http-ACK.pcap differ
diff --git a/tests/exception-policy-reject-action-01/suricata.yaml b/tests/exception-policy-reject-action-01/suricata.yaml
new file mode 100644 (file)
index 0000000..d672946
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+        - flow
+        - http
+        - drop:
+            alerts: yes
+            flows: all
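Review bot: The eve-log types list mixes two forms: `- alert:` carries a trailing colon, so it parses as a mapping whose `alert` key is null, while its neighbours `- flow` and `- http` are bare scalars and `- drop:` has a real sub-map. Presumably Suricata accepts the null-valued form, since the test is expected to pass, but for readability write it as `- alert` like the other bare entries, or give it the same sub-map shape as `- drop:` if options are intended later.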
diff --git a/tests/exception-policy-reject-action-01/test.rules b/tests/exception-policy-reject-action-01/test.rules
new file mode 100644 (file)
index 0000000..d0368df
--- /dev/null
@@ -0,0 +1 @@
+drop http any any -> any any (msg:"broad http rule"; sid:1;)
diff --git a/tests/exception-policy-reject-action-01/test.yaml b/tests/exception-policy-reject-action-01/test.yaml
new file mode 100644 (file)
index 0000000..c4d32d5
--- /dev/null
@@ -0,0 +1,19 @@
+args:
+- --simulate-ips
+- --set stream.midstream-policy=reject
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: http
+  - filter:
+      count: 2
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
+
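Review bot: The checks never assert on `event_type: alert`, so a drop produced by sid 1 in test.rules would be counted by the `event_type: drop` filter exactly like a drop produced by the midstream reject policy, and the test could pass for the wrong reason if the packet counts happened to coincide. The README states that the exception policy, not the signature, is what is under test, so add a filter such as `- filter: {count: 0, match: {event_type: alert}}` to show the signature never fired. With that in place the `count: 2` on drop events is tied to the policy rather than to whichever path happened to drop the packets.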