This test indicated that there were FP drops for HTTP transactions,
leading the `http` events check to fail. This is no longer the case.
flow.action is still not set to drop for tls.
## Current Observations
-- HTTP response packets are being logged as dropped, however the transaction is
- logged suggesting the drop is only in logging only, but not actually
- occurring.
+- HTTP flows are logged as `passed`, as expected.
-- All the TLS packets apear to be getting dropped, but `flow.action` is never
- set to true.
+- All the TLS packets appear to be getting dropped, but `flow.action` is never
+ set to drop.
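Review bot: the TLS observation in this hunk ("all the TLS packets appear to be getting dropped, but `flow.action` is never set to drop") describes a discrepancy in prose only; nothing in the visible test changes below asserts on it, so a reader cannot tell whether the test is expected to fail on TLS or whether this is a known, tolerated gap. Suggest either adding a filter that checks the TLS drop/`flow.action` behaviour so the observation is enforced, or stating explicitly in the README that the TLS case is a known issue and which upstream issue tracks it (left as a placeholder if unknown). Also, the replaced HTTP line now says flows are logged as `passed` "as expected", which contradicts the older wording it replaces and the commit text above; a one-line note on what changed to fix the earlier false-positive drops would help the next person who touches this test.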
--- /dev/null
+%YAML 1.1
+---
+
+vars:
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ EXTERNAL_NET: "!$HOME_NET"
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - tls
+ - flow
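Review bot: the `drop` output is configured with `flows: all` and `alerts: true` but without a comment on why; since the test below asserts `count: 0` on `event_type: drop` for HTTP, it relies on every dropped packet producing a drop record rather than only the first per flow (`flows: start`), so this choice is load-bearing and worth a `#` comment next to `flows: all`. The added `- flow` output type is likewise required for the new `flow.action: pass` match to have anything to match against; a short comment tying the two together would make the config self-documenting. Indentation of the nested keys under `outputs:` and `address-groups:` reads as flattened here (all at one space); please confirm the committed file nests `eve-log`, `types`, and the `drop` sub-keys correctly, because a flattened `drop:` mapping would silently change what is logged.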
- filter:
# We should see 2 http transactions as the pass rule should allow http
# flows.
- #
- # This fails.
count: 2
match:
event_type: http
event_type: flow
app_proto: http
flow.alerted: false
+ flow.action: pass
- filter:
- # We should see NO drops (or alerts) for http
+ # We should see NO drops for http
count: 0
match:
- event_type: alert
+ event_type: drop
app_proto: http
- filter:
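Review bot: the first filter's `match` block carries both `event_type: http` and `event_type: flow` as keys of the same mapping (the two unchanged lines following `match:`); duplicate keys are either an error or last-one-wins depending on the YAML loader, so as written the filter counts `flow` events with `app_proto: http`, not HTTP transactions, and the comment "We should see 2 http transactions" no longer describes what is matched. Drop the stale `event_type: http` line (or the `flow` one, if transactions were intended) and reword the comment to say which event type and count is expected; with `event_type: flow` the expectation is two HTTP flows with `flow.alerted: false` and the newly added `flow.action: pass`. In the second filter, replacing `event_type: alert` with `event_type: drop` and trimming "(or alerts)" from the comment means HTTP alerts are no longer asserted at all; if the pass rule is meant to suppress alerts as well as drops, keep a separate `count: 0` filter on `event_type: alert` with `app_proto: http` rather than folding the two checks into one.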