--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``bypass``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+Flow will be bypassed.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
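Review bot: `sid:001` on the second rule uses leading zeros; Suricata reads the value as sid 1, so writing it as `sid:1` (or picking a value in a private range) avoids confusion when the signature id shows up in alert output and in the other rule files of this patch that reuse the same rule.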
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``drop-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the session won't be
+tracked. The flow should be dropped.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
--- /dev/null
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
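Review bot: the `args` list is missing `--simulate-ips`, while the README for this test says it is for IPS mode and every other test in the patch passes that flag; as written the `drop` event with `drop.reason: stream midstream` and the `flow.action: drop` check are asserted against an IDS-mode run. Add `- --simulate-ips` as the first arg so the test matches its README and its siblings.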
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``drop-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-packet`` isn't a valid
+exception policy value for the midstream exception policy.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=drop-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``ignore``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
--- /dev/null
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=ignore
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
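Review bot: the last check only asserts that one `flow` event exists, which would also pass if the engine had applied `bypass` or `pass-flow` instead of `ignore`; consider matching a distinguishing field on the flow record, as the sibling tests do with `flow.state: bypassed` and `flow.action: pass`, so a regression that applied the wrong midstream policy is still caught.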
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``pass-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``pass-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``pass-packet`` isn't a valid
+exception policy value.
+
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
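Review bot: the Behavior text says `pass-packet` "isn't a valid exception policy value", which is imprecise because `pass-packet` is accepted by other exception policy settings; the `drop-packet` README in this patch gets it right with "for the midstream exception policy", so use the same wording here. There is also a doubled blank line before `# Pcap`.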
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-packet
+
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
+
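Review bot: `--set stream.midstream=true` contradicts the README for this test, which says midstream pick-up sessions are disabled; with it, this directory is identical to the midstream-enabled `pass-packet` test further down in the patch (same suricata.yaml, same args, same checks), so the `stream.midstream=false` case is never exercised. Change it to `- --set stream.midstream=false`, as the other midstream-disabled tests do, or drop the duplicate. Minor: there is a doubled blank line before `checks:` and a trailing blank line at end of file.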
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``reject``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the session won't be
+tracked. We also expect to see ``drop`` events, as in IPS mode the flow is
+rejected and dropped.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
--- /dev/null
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=reject
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
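Review bot: the README for this test says `drop` events are expected, but no check asserts on `event_type: drop`; add a filter like the one in the `drop-flow` test (`event_type: drop` with whichever `drop.reason` the engine reports for the reject policy) so the rejected-and-dropped behavior is verified rather than only `flow.action: drop`.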
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``bypass``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``bypass`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
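Review bot: typo "picku-up" in the Behavior section should read "pick-up"; the same typo is in the READMEs of the midstream-enabled `drop-flow`, `drop-packet` and `reject` tests in this patch.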
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``drop-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-flow`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``drop-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-packet`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=drop-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``ignore``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see alerts and ``http`` events logged, as the flow will
+be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=ignore
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``pass-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts, since detection won't run due to ``pass-flow``, but
+to see ``http`` events logged, as the flow will be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``pass-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``pass-packet`` isn't a valid
+exception policy value.
+
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
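Review bot: as in the midstream-disabled variant, the Behavior text should say `pass-packet` is not valid "for the midstream exception policy" rather than "isn't a valid exception policy value", since `pass-packet` is accepted elsewhere; also drop the doubled blank line before `# Pcap`.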
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-packet
+
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
+
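Review bot: whitespace nit, there is a doubled blank line before `checks:` and a trailing blank line at end of file; the other test.yaml files in the patch use a single blank line between sections.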
--- /dev/null
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``reject``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``reject`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
--- /dev/null
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=reject
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error