--- /dev/null
+Test
+====
+
+Check and capture the behavior when Suricata is run with `exception-policy:
+auto` set in IDS mode.
+
+Behavior
+========
+
+We expect the master switch for exception policy to be set to `ignore` in that
+case, as that's the default value in IDS.
+
+We also don't expect to see any Warning message in that case, as that's expected
+behavior.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: auto
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; priority:2; sid:2; rev:1;)
+# matches packet 4, but no match due to action order
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
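Review bot: The comment on sid 3 reads `no match due to action order`, but the rule itself does match packet 4; what is suppressed is its alert, because `pass` precedes `alert` in the configured action-order and the pass rule (sid 1) matches the same flow, so `# matches packet 4, but its alert is suppressed: pass (sid 1) wins under action-order` states the mechanism more precisely. Also sid 2 carries `rev:1` while sid 1 and sid 3 have no revision; add `rev:1;` to both so the file is consistent.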
--- /dev/null
+requires:
+ min-version: 7
+
+pcap: ../tls/tls-ja3s/input.pcap
+
+args:
+- -k none
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: Info
+ event_type: engine
+ engine.module: exception-policy
+ engine.message: "master exception-policy set to: ignore"
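Review bot: The first check asserts only `count: 1` on `event_type: alert` without tying the alert to a signature, so an alert from an unintended rule (e.g. sid 3, which the rules file says should be suppressed by action-order) would still satisfy it. Pin the origin with `alert.signature_id: 2` (presumably the `drop tls` rule firing as an alert in IDS mode — verify against the actual eve output) and, if the running version emits it, `alert.action: allowed` to show nothing was dropped. Note that, unlike the IPS variant, no app-layer error is simulated here, so the resolved `ignore` policy is confirmed only by the engine log line and never exercised against a real exception; a one-line comment above `args:` saying so would keep future readers from over-trusting this test.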
--- /dev/null
+Test
+====
+
+Check and capture the behavior when Suricata is run with `exception-policy:
+auto` set in IPS mode.
+
+Behavior
+========
+
+We expect the master switch for exception policy to be set to `drop-flow` in this
+case, as that's the default value in IPS.
+
+We also don't expect to see any Warning message in that case, as that's expected
+behavior. We will see an info log output, as that's the level specified for this
+test.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: auto
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
--- /dev/null
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; priority:2; sid:2; rev:1;)
+# matches packet 4, but no match due to action order
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
--- /dev/null
+requires:
+ features:
+ - DEBUG
+ min-version: 7
+
+pcap: ../tls/tls-ja3s/input.pcap
+
+args:
+- -k none
+- --simulate-applayer-error-at-offset-ts=0
+- --set app-layer.error-policy=auto
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: Info
+ event_type: engine
+ engine.module: exception-policy
+ engine.message: "master exception-policy set to: drop-flow"
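Review bot: The drop check at `count: 29` matches any `event_type: drop`, so it cannot distinguish flows dropped by the `drop-flow` exception policy from packets dropped by the `drop tls` rule (sid 2) under `--simulate-ips`; if the running version emits `drop.reason`, adding `drop.reason: "applayer error"` to the match makes the test prove the policy path rather than the rules path. The args also pass `--set app-layer.error-policy=auto`, which the IDS variant does not — either set it in both so the two runs differ only by `--simulate-ips` and the simulated error, or drop it here if the per-subsystem policy inherits the master `exception-policy: auto` from suricata.yaml (inferred; confirm). The hard-coded 29 is tied to the pcap; a comment explaining how it is derived (e.g. which packets are dropped once every flow hits the error at offset 0) would make a future pcap or counting change less surprising.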