--- /dev/null
+Test that iprep can be used from a app hook. Iprep rule matches as the
+reputation of the dst addr > 0.
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/8285
--- /dev/null
+1,test,Testing
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+
+# default drop
+
+drop:flow http1:request_line any any -> any any (sid:999; alert; iprep:dst,test,>,0;)
+accept:flow http1:request_line any any -> any any (sid:998;)
--- /dev/null
+82.165.177.154,1,10
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
--- /dev/null
+requires:
+ min-version: 9
+
+args:
+ - --simulate-ips
+ - --set reputation-categories-file=${TEST_DIR}/categories.txt
+ - --set reputation-files.0=${TEST_DIR}/iprep.list
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+- filter:
+ count: 7
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_ip: 82.165.177.154
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.pre_flow_hook: 0
+ stats.ips.drop_reason.default_packet_policy: 0
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 1
+ stats.ips.drop_reason.flow_drop: 6
--- /dev/null
+Test that iprep can be used from a app hook. Iprep rule does not match due to it looking for > 0, triggering a default drop.
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/8285
--- /dev/null
+1,test,Testing
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+
+# default drop
+
+drop:flow http1:request_line any any -> any any (sid:999; alert; iprep:dst,test,>,0;)
--- /dev/null
+82.165.177.154,1,0
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
--- /dev/null
+requires:
+ min-version: 9
+
+pcap: ../ruletype-firewall-45-iprep-8285/input.pcap
+
+args:
+ - --simulate-ips
+ - --set reputation-categories-file=${TEST_DIR}/categories.txt
+ - --set reputation-files.0=${TEST_DIR}/iprep.list
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 7
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 4
+- filter:
+ count: 0
+ match:
+ event_type: tls
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_ip: 82.165.177.154
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 7
+ stats.ips.drop_reason.pre_flow_hook: 0
+ stats.ips.drop_reason.default_packet_policy: 0
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 6
--- /dev/null
+Test that iprep can be used from a app hook. Iprep rule does not match, and traffic is allowed by the next rule.
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/8285
--- /dev/null
+1,test,Testing
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+
+# default drop
+
+drop:flow http1:request_line any any -> any any (sid:999; alert; iprep:dst,test,>,0;)
+accept:flow http1:request_line any any -> any any (sid:998;)
--- /dev/null
+82.165.177.154,1,0
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - http
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
--- /dev/null
+requires:
+ min-version: 9
+
+pcap: ../ruletype-firewall-45-iprep-8285/input.pcap
+
+args:
+ - --simulate-ips
+ - --set reputation-categories-file=${TEST_DIR}/categories.txt
+ - --set reputation-files.0=${TEST_DIR}/iprep.list
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_ip: 82.165.177.154
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 10
+ stats.ips.blocked: 0
--- /dev/null
+Test that iprep can be used from a app hook. Iprep rule matches and accepts the traffic.
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/8285
--- /dev/null
+1,test,Testing
--- /dev/null
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+
+# default drop
+
+accept:flow http1:request_line any any -> any any (sid:999; alert; iprep:dst,test,>,0;)
--- /dev/null
+82.165.177.154,1,10
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - http
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
--- /dev/null
+requires:
+ min-version: 9
+
+pcap: ../ruletype-firewall-45-iprep-8285/input.pcap
+
+args:
+ - --simulate-ips
+ - --set reputation-categories-file=${TEST_DIR}/categories.txt
+ - --set reputation-files.0=${TEST_DIR}/iprep.list
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: http
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ dest_ip: 82.165.177.154
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 10
+ stats.ips.blocked: 0
projects / thirdparty / suricata-verify.git / commitdiff
