--- /dev/null
+# Threshold.config with by_flow
+
+This test checks threshold.config file using by_flow tracking
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
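Review bot: The rule has no `msg` keyword, so the EVE `alert.signature` field will be empty (Suricata appears to accept a msg-less rule, since test.yaml expects alerts from it) and the checks can only key on `alert.signature_id`; a short message also tells a reader of eve.json what the signature is for: `drop tcp any any -> any any (msg:"by_flow rate_filter test: empty TCP payload"; dsize:0; sid:1000001; rev:1;)`. Because there is no `flow:` keyword, `dsize:0` matches every payload-less segment in either direction (handshake, pure ACKs, FIN), which is presumably what produces the 3 blocked + 16 allowed alerts test.yaml expects; that is worth stating in the README so the counts are not a mystery. The same applies to the identical `alert` rules in the three threshold tests (type both, limit and threshold) further down.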
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+pcap: ../../http-all-headers/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ alert.action: blocked
+ - filter:
+ count: 16
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ alert.action: allowed
+ - filter:
+ count: 3
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
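Review bot: The `event_type: drop` filter (count 3) does not constrain which signature caused the drop even though suricata.yaml enables `alerts: true` on the drop logger, so a drop attributed to anything else would still satisfy it; tightening it to `match: {event_type: drop, alert.signature_id: 1000001}` ties the three drops to the three `blocked` alerts (hedged: this assumes the drop record carries the `alert` object when `alerts: true` is set). The expected numbers also encode an unstated assumption about the capture — 19 payload-less segments matching sid 1000001, apparently on a single TCP flow (the http count of 1 suggests one transaction but does not prove one flow). A comment above `checks:` would make that reviewable: `# http-all-headers pcap: 19 empty-payload TCP segments match sid 1000001; rate_filter keeps drop for the first 3 per flow, then new_action alert for the remaining 16`. If all alerts are meant to belong to one flow, an additional filter matching on the common `flow_id` would pin the by_flow tracking that this test is named for.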
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_flow, count 3, seconds 60, new_action alert, timeout 1000
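Review bot: The rate_filter line gives no indication of the behaviour the test expects, and `timeout 1000` is a value the test only needs to be longer than the capture; a comment (threshold.config accepts `#` lines) makes the intent reviewable: `# per flow: the first 3 matches within 60 s keep the rule's drop action, then new_action alert applies for 1000 s (longer than the capture)`. The same applies to the single-line threshold.config files of the other three tests (type both, limit and threshold), whose count/seconds choices are what turn the capture's matching segments into the expected alert counts of 1, 1 and 3, and none of them say so.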
--- /dev/null
+# Threshold.config with by_flow
+
+This test checks threshold.config file using by_flow keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+pcap: ../../http-all-headers/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: http
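Review bot: `--simulate-ips` is carried over from the rate_filter test although this test's rule is `alert`-only and nothing here checks `event_type: drop`, so the flag looks like a copy-paste leftover; dropping the `- --simulate-ips` line (or adding a `count: 0` filter on `event_type: drop` if IPS mode is intended) would make the test's scope explicit. The expected `count: 1` for `type both, count 5, seconds 60` also holds only if all matching segments fall inside one 60 s window, and the capture's duration is not stated anywhere; a one-line comment such as `# capture is shorter than the 60 s threshold window, so 'both' fires exactly once` would document that. The same two points apply to the test.yaml files of the `type limit` and `type threshold` tests below.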
--- /dev/null
+threshold gen_id 1, sig_id 1000001, type both, track by_flow, count 5, seconds 60
--- /dev/null
+# Threshold.config with by_flow
+
+This test checks threshold.config file using by_flow keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+pcap: ../../http-all-headers/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+threshold gen_id 1, sig_id 1000001, type limit, track by_flow, count 1, seconds 60
--- /dev/null
+# Threshold.config with by_flow
+
+This test checks threshold.config file using by_flow keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+pcap: ../../http-all-headers/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+threshold gen_id 1, sig_id 1000001, type threshold, track by_flow, count 5, seconds 60