--- /dev/null
+# Test Description
+
+Test that the engine doesn't access out of bounds elements when checking for
+the verdict of the last alert in the packet alert queue.
+
+## PCAP
+
+Shared by Jason Ish.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7630
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ verdict: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ verdict: yes
+ - flow
+ - stats
+
+packet-alert-max: 6
+
+action-order:
+ - alert
+ - pass
+ - drop
+ - reject
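Review bot: `packet-alert-max: 6` is the value this whole configuration exists for, yet nothing in the file says why it is 6; the rules file added in this commit carries seven rules, so the limit appears to sit one below the rule count so that the seventh match is what exercises the queue-overflow path. A comment above the key would keep that coupling visible to whoever next edits the rules file, e.g. `# one below the seven rules in test.rules, so the last match overflows the packet alert queue`. The second test's suricata.yaml, later in this commit, has the same `packet-alert-max: 6` and would benefit from the same comment.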
--- /dev/null
+alert tcp any any -> any any (msg:"issue8021 rule 1"; content:"PAYLOAD_TRIGGER"; sid:8002101; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 2"; content:"PAYLOAD_TRIGGER"; sid:8002102; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 3"; content:"PAYLOAD_TRIGGER"; sid:8002103; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 4"; content:"PAYLOAD_TRIGGER"; sid:8002104; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 5"; content:"PAYLOAD_TRIGGER"; sid:8002105; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 6"; content:"PAYLOAD_TRIGGER"; sid:8002106; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 7"; content:"PAYLOAD_TRIGGER"; sid:8002107; rev:1;)
--- /dev/null
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.severity: 3
+ alert.signature_id: 8002101
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002102
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002103
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002104
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002105
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002106
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002107
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 0
+ match:
+ event_type: stats
+ stats.detect.engines.rules_loaded: 7
+ stats.detect.engines.rules_failed: 0
+ stats.detect.engines.rules_skipped: 0
+ stats.detect.alert: 6
+ stats.detect.alert_queue_overflow: 1
+ stats.detect.alerts_suppressed: 0
+
+
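Review bot: The stats filter at the end of this hunk asserts nothing: it combines `count: 0` with paths such as `stats.detect.engines.rules_loaded`, while the second test in this commit spells the same fields as `stats.detect.engines[0].rules_loaded`; if `engines` is an array, as that path suggests, the match never fires and a count of zero is satisfied whether or not the overflow was actually counted. The expected values (`rules_loaded: 7`, `alert: 6`, `alert_queue_overflow: 1`) read as the positive assertion the test was meant to make, so the filter presumably wants `count: 1` and the indexed paths, as in the sibling test. The two blank lines at the end of the file are a small nit on the same hunk.
```yaml
- filter:
    count: 1
    match:
      event_type: stats
      stats.detect.engines[0].rules_loaded: 7
      stats.detect.engines[0].rules_failed: 0
      stats.detect.engines[0].rules_skipped: 0
      # … unchanged: stats.detect.alert, alert_queue_overflow, alerts_suppressed …
```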
--- /dev/null
+# Test Description
+
+Test that the engine doesn't access out of bounds elements when checking for
+the verdict of the last alert in the packet alert queue. And that it logs
+the `pass` verdic correctly, for an "PASS + ALERT" rule. (Sid 8002106).
+
+## PCAP
+
+Shared by Jason Ish. (Reused from bug-8021-alert-max-verdict-01).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7630
+https://redmine.openinfosecfoundation.org/issues/8021
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ verdict: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ verdict: yes
+ - flow
+ - stats
+
+packet-alert-max: 6
+
+action-order:
+ - pass
+ - alert
+ - drop
+ - reject
--- /dev/null
+alert tcp any any -> any any (msg:"issue8021 rule 1"; content:"PAYLOAD_TRIGGER"; sid:8002101; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 2"; content:"PAYLOAD_TRIGGER"; sid:8002102; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 3"; content:"PAYLOAD_TRIGGER"; sid:8002103; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 4"; content:"PAYLOAD_TRIGGER"; sid:8002104; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 5"; content:"PAYLOAD_TRIGGER"; sid:8002105; rev:1;)
+pass tcp any any -> any any (msg:"issue8021 rule 6"; alert; content:"PAYLOAD_TRIGGER"; sid:8002106; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 7"; content:"PAYLOAD_TRIGGER"; sid:8002107; rev:1;)
--- /dev/null
+pcap: ../bug-8021-alert-max-verdict-01/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.severity: 3
+ alert.signature_id: 8002101
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002102
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002103
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002104
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002105
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002106
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: pass
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002107
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.engines[0].rules_loaded: 7
+ stats.detect.engines[0].rules_failed: 0
+ stats.detect.engines[0].rules_skipped: 0
+ stats.detect.alert: 1
+ stats.detect.alert_queue_overflow: 0
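Review bot: The `count: 0` filter for sid 8002107 near the end of this hunk cannot fail: it also requires `verdict.action: alert`, but with `pass` first in action-order and the pass rule 8002106 matching the same packet, any alert that did get logged for 8002107 would presumably carry verdict `pass`, so the filter never matches and the zero count is satisfied even if the seventh rule leaks through. Dropping the `verdict.action: alert` line makes the check assert what the README states, that no alert is logged for sid 8002107 at all. The last test.yaml in this commit has the same shape: its `count: 0` filter for sid 2200005 is narrowed by `verdict.action: "pass"` although its README says no alert should be emitted at all, so that line should go too.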
--- /dev/null
+Test
+====
+
+Check that when there is only a pass rule, the verdict outputed is correct
+(pass, instead of alert).
+
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+Reused from test bug-7414-decoder-event-01/ip_secopt.pcap.
+
+Redmine ticket
+==============
+
+https://redmine.openinfosecfoundation.org/issues/7630
+
--- /dev/null
+pass pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; alert; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
--- /dev/null
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
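Review bot: Booleans are written two ways in this file, `enabled: yes` and `packet: yes` beside `ethernet: true` and `pcap-file: true`; under the declared `%YAML 1.1` both parse as booleans, but the mixed spelling reads as if the values differed in kind. Pick one form (the other configs in this commit use `yes`), and put a space after the hash in `filetype: regular #regular|syslog|unix_dgram|unix_stream|redis` so the trailing comment is styled like the one on `packet:`. The fourth test's suricata.yaml, the later hunk, has the same two nits.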
--- /dev/null
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "allowed"
+ packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+ verdict.action: "pass"
+ pcap_filename.__endswith: "ip_secopt.pcap"
--- /dev/null
+Test
+====
+
+Check that when there is only a pass rule without "alert", no verdict outputed.
+
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+Reused from test bug-7414-decoder-event-01/ip_secopt.pcap.
+
+Redmine ticket
+==============
+
+https://redmine.openinfosecfoundation.org/issues/7630
+
--- /dev/null
+pass pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
--- /dev/null
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
+ - anomaly:
+ types:
+ decode: yes
+ packethdr: yes
+ - flow
--- /dev/null
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ verdict.action: "pass"
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.type: decode
+ anomaly.event: decoder.ipv4.opt_pad_required
+ - filter:
+ count: 2
+ match:
+ event_type: anomaly
+ anomaly.type: decode
+ anomaly.event: decoder.ipv4.opt_invalid_len
+ - filter:
+ count: 1
+ match:
+ event_type: flow