These tests were converted from the unit tests present in `util-action`.
Task #5371
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The second packet should match rule sid 2 first, meaning no alerts are generated for it.
+Sids 1 and 3 should generate alerts for the other packets.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+alert ip any any -> any any (msg:"sig 1"; sid:1;)
+pass ip 192.168.1.1 80 -> any any (msg:"sig 2"; sid:2;)
+alert ip any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
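Review bot: The alert filters expect exactly one alert for sid 1 and one for sid 3, but this test's README says sids 1 and 3 should alert for "the other packets" (pkt1 and pkt3); one alert per sid reads as only pkt1 being inspected, presumably because the ip-only pass rule matched by pkt2 flags the rest of the flow as passed, which the `flow.action: pass` check also suggests. Either the README wording or the counts should be reconciled, and a comment above the alert filters, e.g. `# only pkt1 alerts: after pkt2 matches the ip-only pass rule the flow is passed`, would record the reason the count is 1 rather than 2. The same README/checks gap is in the other test.yaml files that expect one alert per sid where the README says the other or all packets alert (the drop-first `alert/pass/drop ip` test, and the `alert/pass/drop`, `pass/drop/alert` and `drop/alert/pass` tcp tests under both custom action orders).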
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
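Review bot: `pkts += pkt1` on a plain list only works because scapy packets are iterable, which is an easy-to-miss detail for anyone editing this generator; a literal `pkts = [pkt1, pkt2, pkt3]` says the same thing directly. The implicit string concatenation in `flags='P''A'` reads like a typo for `flags='PA'`, and `#!/usr/bin/env python` may resolve to Python 2 on hosts where the scripts are re-run, so `#!/usr/bin/env python3` is safer. The same applies to every pcap generator in this commit; they are identical apart from pkt2's payload.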
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+For the second packet, we expect to only see an alert for sid 3, as DROP and
+PASS here have higher priority. The other two packets should generate alerts,
+since sid 2 isn't triggered for them.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
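Review bot: The `action-order` block is the variable under test in this commit, yet nothing in the file says so, and the two orderings used (drop/pass/reject/alert and drop/alert/reject/pass) differ only in where pass sits. A one-line comment above it, e.g. `# non-default order: drop takes precedence over pass (the default puts pass first)`, would tell a reader which expectation each test exercises. The same applies to each copy of suricata.yaml in this commit, with the wording adjusted for the drop/alert/reject/pass variant.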
--- /dev/null
+alert ip any any -> any any (msg:"sig 1"; sid:1;)
+pass ip 192.168.1.1 80 -> any any (msg:"sig 2"; sid:2;)
+drop ip any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+For the second packet, we don't expect alerts, since it will be flagged by the
+PASS sid (2). We expect alerts for sids 1 and 3 for the other two packets.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+alert ip any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass ip any any -> any any (msg:"sig 2"; content:"wo"; sid:2;)
+alert ip any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"wo!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+First and third sids will be triggered by all three packets. The second packet
+won't trigger sid 1, for the PASS rule will bypass that.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
--- /dev/null
+alert tcp any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"wo"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi \
+ all wo!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
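Review bot: The backslash line continuation inside pkt2's payload literal keeps the next line's leading indentation as part of the string, so the payload is `"Hi "` followed by whatever whitespace precedes `all wo!`, not `"Hi all wo!"`; the diff flattens indentation, but any indent at all means `content:"Hi all"` cannot match this packet. That would explain why the checks expect 2 alerts for sids 1 and 3 while the README says all three packets trigger them, i.e. the test may pass for an unintended reason. Write the payload on one line, `IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all wo!\r\n"`, or use adjacent literals `"Hi " "all wo!\r\n"` if the line must be split, and then re-check the expected counts against the README.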
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The PASS rule (sid 2) will make so that no alerts will be registered by Suri.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+alert ip any any -> any any (msg:"sig 1"; sid:1;)
+pass ip any any -> any any (msg:"Testing normal 2"; sid:2;)
+alert ip any any -> any any (msg:"sig 3"; sid:3;)
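Review bot: The pass rule's message `msg:"Testing normal 2"` breaks the `sig N` naming every other rule file in this commit uses and looks like a leftover from the original unit test; `pass ip any any -> any any (msg:"sig 2"; sid:2;)` keeps the files uniform. No check matches on the msg text, so the change is cosmetic.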
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The DROP rule (sid 3) will be triggered by all packets, and having the highest
+priority, will make so that no other alerts will be registered by Suri.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
--- /dev/null
+alert tcp any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP and ALERT
+have higher priority, only those two generate alerts, as the PASS rule won't
+take place.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
--- /dev/null
+alert tcp any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since with the
+default settings PASS has higher priority, the DROP and ALERT signatures won't
+generate alerts, as all packets trigger sid 2 (PASS).
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+alert tcp any any -> any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since with the
+default settings PASS has higher priority, the DROP and ALERT signatures won't
+generate alerts, as all packets trigger sid 2 (PASS).
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+drop tcp any any -> any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP and ALERT
+have higher priority, only those two generate alerts, as the PASS rule won't
+take place.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+pass tcp any any -> any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
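Review bot: The checks expect no alerts for any sid and `flow.action: pass`, which contradicts this test's README ("since DROP and ALERT have higher priority, only those two generate alerts"); no suricata.yaml is added for this test, so the default action order applies and pass wins, which is what the sibling `alert/pass/drop tcp` test without a custom config describes. The README text appears to have been copied from the drop/alert-first variant and should describe the default-order expectation instead.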
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP action has the higher priority, we expect that all packets generate
+alert for sid 3.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
--- /dev/null
+alert tcp any any -> any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP signature
+has higher priority, all packets are dropped before other alerts are generated.
+The packets are considered as being from a single flow, and with the first
+packet being dropped, the whole flow is dropped, generated a single alert for
+sid 1.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
--- /dev/null
+drop tcp any any -> any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP action has the higher priority, we expect that all packets generate
+alert for sid 2, and sid 2 only.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
--- /dev/null
+pass tcp any any -> any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect alerts for sids
+1 and 3.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
--- /dev/null
+alert tcp any any -> any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect that all packets generate
+alerts for sids 1 and 2.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
--- /dev/null
+drop tcp any any -> any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect that all packets generate
+alerts for sids 2 and 3.
+
+PCAP
+====
+pcap generated with scapy.
+
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
--- /dev/null
+pass tcp any any -> any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
--- /dev/null
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)