test/eps: Test updates/additions for 6.0.x 1391/head 1396/head
authorJeff Lucovsky <jlucovsky@oisf.net>
Tue, 19 Sep 2023 12:50:12 +0000 (08:50 -0400)
committerJeff Lucovsky <jlucovsky@oisf.net>
Tue, 19 Sep 2023 12:50:12 +0000 (08:50 -0400)
This commit adds support for 6.0.x eps stream reassembly testing
- Output logging of ips drop reasons is limited to 7 and above
- Create 6.0.x specific test cases for -01, -04, -05

Issue: 6364

15 files changed:
tests/exception-policy-stream-reassembly-memcap-01/test.yaml
tests/exception-policy-stream-reassembly-memcap-04/test.yaml
tests/exception-policy-stream-reassembly-memcap-05/test.yaml
tests/exception-policy-stream-reassembly-memcap-07/README.md [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-07/suricata.yaml [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-07/test.rules [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-07/test.yaml [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-08/README.md [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-08/suricata.yaml [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-08/test.rules [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-08/test.yaml [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-09/README.md [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-09/suricata.yaml [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-09/test.rules [new file with mode: 0644]
tests/exception-policy-stream-reassembly-memcap-09/test.yaml [new file with mode: 0644]

index f20281159430ffcfdcffa167409ee4ae778baeb8..6a4fac482ca842c22d053cc6d9d1014fde99aed2 100644 (file)
@@ -1,4 +1,5 @@
 requires:
+  min-version: 7
   features:
     - DEBUG
   files:
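Review bot: The added `min-version: 7` carries no in-file rationale, so a reader of this test.yaml cannot tell why 6.0.x is excluded; that knowledge currently lives only in the commit description (drop-reason output logging exists in 7 and above). The rest of this file is outside the hunk, so I am assuming its checks filter on `drop.reason`; if so, a comment above the new key, `# drop.reason output requires 7.x; see the lt-version: 7 counterpart of this test`, keeps the two versions of the test linked. The same applies to the two identical hunks that follow, which per the diffstat order belong to the -04 and -05 test.yaml files.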
index f20281159430ffcfdcffa167409ee4ae778baeb8..6a4fac482ca842c22d053cc6d9d1014fde99aed2 100644 (file)
@@ -1,4 +1,5 @@
 requires:
+  min-version: 7
   features:
     - DEBUG
   files:
index d19e9ad87479d39f0e7db260e07e3e78014dee23..6e7d457bcdbf914f4dbd4b71a5c3c5221390cac8 100644 (file)
@@ -1,4 +1,5 @@
 requires:
+  min-version: 7
   features:
     - DEBUG
   files:
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/README.md b/tests/exception-policy-stream-reassembly-memcap-07/README.md
new file mode 100644 (file)
index 0000000..88a687f
--- /dev/null
@@ -0,0 +1,5 @@
+# Description
+
+Test exception policy logic for stream reassembly.
+
+DEBUG is required to enable the "eps" logic.
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-07/suricata.yaml
new file mode 100644 (file)
index 0000000..3c973a2
--- /dev/null
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        - anomaly:
+            enabled: yes
+            types:
+              decode: no
+              stream: yes
+              applayer: yes
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+                             # per flow direction. All logs each dropped pkt.
+        - flow
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/test.rules b/tests/exception-policy-stream-reassembly-memcap-07/test.rules
new file mode 100644 (file)
index 0000000..da4a536
--- /dev/null
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/test.yaml b/tests/exception-policy-stream-reassembly-memcap-07/test.yaml
new file mode 100644 (file)
index 0000000..464e812
--- /dev/null
@@ -0,0 +1,51 @@
+requires:
+  lt-version: 7
+  features:
+    - DEBUG
+  files:
+    - src/util-exception-policy.c
+pcap: ../tls/tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+  - filter:
+      count: 29
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        drop.reason: "stream reassembly"
+  - filter:
+      count: 28
+      match:
+        event_type: drop
+        drop.reason: "flow drop"
+  - filter:
+      count: 0
+      match:
+        event_type: tls
+        tls.sni: example.com
+  - filter:
+      count: 0
+      match:
+        event_type: tls
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        app_proto: tls
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
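Review bot: `lt-version: 7` restricts this test to 6.0.x, yet the filters on `drop.reason: "stream reassembly"` (count 1) and `drop.reason: "flow drop"` (count 28) assume the drop reason is present in the eve drop record, which the commit description says is only logged by 7 and above. If the description is accurate, both filters match nothing on 6.0.x and the test fails on the very branch it was written for; if 6.0.x does emit the field, the description's first bullet and the `min-version: 7` added to -01/-04/-05 need a different justification. Either way the two statements cannot both stand as written, and the same `drop.reason` filters appear in the -08 and -09 test.yaml hunks. Independently, nothing in the file says which 7.x test this mirrors; a first-line comment such as `# 6.0.x variant of the drop-flow stream-reassembly memcap test; see its min-version: 7 counterpart` would make the pairing explicit for whoever updates one and not the other.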
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/README.md b/tests/exception-policy-stream-reassembly-memcap-08/README.md
new file mode 100644 (file)
index 0000000..88a687f
--- /dev/null
@@ -0,0 +1,5 @@
+# Description
+
+Test exception policy logic for stream reassembly.
+
+DEBUG is required to enable the "eps" logic.
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-08/suricata.yaml
new file mode 100644 (file)
index 0000000..aac4c60
--- /dev/null
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+                             # per flow direction. All logs each dropped pkt.
+        - flow
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/test.rules b/tests/exception-policy-stream-reassembly-memcap-08/test.rules
new file mode 100644 (file)
index 0000000..55923b2
--- /dev/null
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/test.yaml b/tests/exception-policy-stream-reassembly-memcap-08/test.yaml
new file mode 100644 (file)
index 0000000..464e812
--- /dev/null
@@ -0,0 +1,51 @@
+requires:
+  lt-version: 7
+  features:
+    - DEBUG
+  files:
+    - src/util-exception-policy.c
+pcap: ../tls/tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+  - filter:
+      count: 29
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        drop.reason: "stream reassembly"
+  - filter:
+      count: 28
+      match:
+        event_type: drop
+        drop.reason: "flow drop"
+  - filter:
+      count: 0
+      match:
+        event_type: tls
+        tls.sni: example.com
+  - filter:
+      count: 0
+      match:
+        event_type: tls
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        app_proto: tls
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/README.md b/tests/exception-policy-stream-reassembly-memcap-09/README.md
new file mode 100644 (file)
index 0000000..88a687f
--- /dev/null
@@ -0,0 +1,5 @@
+# Description
+
+Test exception policy logic for stream reassembly.
+
+DEBUG is required to enable the "eps" logic.
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-09/suricata.yaml
new file mode 100644 (file)
index 0000000..aac4c60
--- /dev/null
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop
+                             # per flow direction. All logs each dropped pkt.
+        - flow
+        - stats:
+            totals: yes       # stats for all threads merged together
+            threads: no       # per thread stats
+            deltas: no        # include delta values
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/test.rules b/tests/exception-policy-stream-reassembly-memcap-09/test.rules
new file mode 100644 (file)
index 0000000..55923b2
--- /dev/null
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/test.yaml b/tests/exception-policy-stream-reassembly-memcap-09/test.yaml
new file mode 100644 (file)
index 0000000..8e5057b
--- /dev/null
@@ -0,0 +1,52 @@
+requires:
+  lt-version: 7
+  features:
+    - DEBUG
+  files:
+    - src/util-exception-policy.c
+pcap: ../tls/tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-packet
+- --set app-layer.error-policy=ignore
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        drop.reason: "stream reassembly"
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+        drop.reason: "flow drop"
+  - filter:
+      count: 0
+      match:
+        event_type: tls
+        tls.sni: example.com
+  - filter:
+      count: 1
+      match:
+        event_type: tls
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        app_proto: tls
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        flow.action: drop