tests: add tests to check flow drops
authorVictor Julien <victor@inliniac.net>
Fri, 17 Jun 2022 14:38:09 +0000 (16:38 +0200)
committerVictor Julien <victor@inliniac.net>
Tue, 13 Sep 2022 10:00:57 +0000 (12:00 +0200)
tests/flow-drop-iponly-01/suricata.yaml [new file with mode: 0644]
tests/flow-drop-iponly-01/test-limit.pcap [new file with mode: 0644]
tests/flow-drop-iponly-01/test.rules [new file with mode: 0644]
tests/flow-drop-iponly-01/test.yaml [new file with mode: 0644]
tests/flow-drop-iponly-02/input.pcap [new file with mode: 0644]
tests/flow-drop-iponly-02/suricata.yaml [new file with mode: 0644]
tests/flow-drop-iponly-02/test.rules [new file with mode: 0644]
tests/flow-drop-iponly-02/test.yaml [new file with mode: 0644]

diff --git a/tests/flow-drop-iponly-01/suricata.yaml b/tests/flow-drop-iponly-01/suricata.yaml
new file mode 100644 (file)
index 0000000..ef50188
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        - tls:
+            extended: no     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: start     # start or all: 'start' logs only a single drop
+        - flow
diff --git a/tests/flow-drop-iponly-01/test-limit.pcap b/tests/flow-drop-iponly-01/test-limit.pcap
new file mode 100644 (file)
index 0000000..60fa36e
Binary files /dev/null and b/tests/flow-drop-iponly-01/test-limit.pcap differ
diff --git a/tests/flow-drop-iponly-01/test.rules b/tests/flow-drop-iponly-01/test.rules
new file mode 100644 (file)
index 0000000..86c438b
--- /dev/null
@@ -0,0 +1,2 @@
+drop ip 100.117.241.123 any -> any any (sid:1;)
+drop ip 100.64.4.146 any -> any any (sid:2;)
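Review bot: The second rule (`sid:2`) in this hunk has no corresponding assertion in the test's test.yaml, so the test cannot tell whether it fires, fails to fire, or blocks an unrelated packet; the same holds for `sid:2` in tests/flow-drop-iponly-02/test.rules. If it is expected to match nothing in the pcap, a `count: 0` filter on `alert.signature_id: 2` would pin that down; if it is expected to match, its alert/drop events should be checked like those of `sid:1`. Failing that, a one-line `# ...` comment above the rule stating why the second address is listed (for instance which endpoint of the traffic it covers) would let a reader judge the expected counts.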
diff --git a/tests/flow-drop-iponly-01/test.yaml b/tests/flow-drop-iponly-01/test.yaml
new file mode 100644 (file)
index 0000000..0679309
--- /dev/null
@@ -0,0 +1,35 @@
+requirements:
+  min-version: 6
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.action: blocked
+        pcap_cnt: 1
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        alert.signature_id: 1
+        alert.action: blocked
+        pcap_cnt: 1
+        drop.reason: rules
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 2
+        drop.reason: flow drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
+        tcp.state: syn_sent
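Review bot: `min-version: 6` at the top of this hunk looks too permissive for the fields the checks depend on: the `drop.reason` and `flow.action` keys were, as far as I can tell, added during the 7.0 development cycle, so a run against a 6.0.x build would fail on these filters rather than skip the test. If that is the case the requirement should read `min-version: 7`; the same applies to tests/flow-drop-iponly-02/test.yaml. The expected values `pcap_cnt: 2` for the flow drop and `tcp.state: syn_sent` for the flow record are also only understandable with the pcap in hand; a short comment above `checks:` naming what packets 1 and 2 are (e.g. the SYN that triggers `sid:1` and the first packet of the same flow after it is marked dropped) would make the assertions reviewable without opening the capture.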
diff --git a/tests/flow-drop-iponly-02/input.pcap b/tests/flow-drop-iponly-02/input.pcap
new file mode 100644 (file)
index 0000000..6e5b803
Binary files /dev/null and b/tests/flow-drop-iponly-02/input.pcap differ
diff --git a/tests/flow-drop-iponly-02/suricata.yaml b/tests/flow-drop-iponly-02/suricata.yaml
new file mode 100644 (file)
index 0000000..ef50188
--- /dev/null
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        - tls:
+            extended: no     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: start     # start or all: 'start' logs only a single drop
+        - flow
diff --git a/tests/flow-drop-iponly-02/test.rules b/tests/flow-drop-iponly-02/test.rules
new file mode 100644 (file)
index 0000000..5ea0d3f
--- /dev/null
@@ -0,0 +1,2 @@
+drop ip 192.168.10.31 any -> any any (sid:1;)
+drop ip 192.168.10.10 any -> any any (sid:2;)
diff --git a/tests/flow-drop-iponly-02/test.yaml b/tests/flow-drop-iponly-02/test.yaml
new file mode 100644 (file)
index 0000000..f79b567
--- /dev/null
@@ -0,0 +1,34 @@
+requirements:
+  min-version: 6
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.action: blocked
+        pcap_cnt: 1
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        alert.signature_id: 1
+        alert.action: blocked
+        pcap_cnt: 1
+        drop.reason: rules
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 4
+        drop.reason: flow drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
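Review bot: The final `flow` filter here omits the `tcp.state` key that the otherwise identical check in tests/flow-drop-iponly-01/test.yaml carries, and the flow drop is expected at `pcap_cnt: 4` instead of `pcap_cnt: 2`; neither difference is explained, so a reader cannot tell whether it is deliberate (different protocol, packets 2-3 belonging to other flows) or an oversight. A comment above `checks:` such as `# packets 2-3 are <describe>; packet 4 is the first packet of the dropped flow` would settle it, and if the traffic is TCP the flow check should probably match `tcp.state` as the first test does, since `count: 1` on `flow.action: drop` alone will also pass if a different flow than the intended one is the one being dropped.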