tests: add test for max alert default & noalerts

Since the default max alert value is 15 and we want to ensure that that
value is enforced if the configuration is set with something invalid,
this test has packet-max-alert set to 0 (which will fall back to 15,
the default). We have 15 'noalert' rules and 1 alert rule that gets
triggered.

Related to task #4942

diff --git a/tests/alert-max/alert-max-default/README.md b/tests/alert-max/alert-max-default/README.md
new file mode 100644 (file)
index 0000000..12aacbb
--- /dev/null
+++ b/tests/alert-max/alert-max-default/README.md
@@ -0,0 +1,8 @@
+Tests that even if we have higher priority rules, if they have the `noalert`
+keyword, a later triggered `alert` rule will be appended and generate an alert.
+
+The `noalert` rules show up in our stats log as `detect.alerts_suppressed`.
+The alert rule will be triggered.
+
+Also test that Suricata will fall back to default value if an invalid value
+(zero, in the test) is passed in the configuration file.

diff --git a/tests/alert-max/alert-max-default/input.pcap b/tests/alert-max/alert-max-default/input.pcap
new file mode 100644 (file)
index 0000000..baa322b
Binary files /dev/null and b/tests/alert-max/alert-max-default/input.pcap differ

diff --git a/tests/alert-max/alert-max-default/suricata.yaml b/tests/alert-max/alert-max-default/suricata.yaml
new file mode 100644 (file)
index 0000000..d2e40e4
--- /dev/null
+++ b/tests/alert-max/alert-max-default/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+        - stats:
+  - stats:
+      enabled: yes
+      filename: stats.log
+      append: yes       # append to file (yes) or overwrite it (no)
+      totals: yes       # stats for all threads merged together
+      threads: no       # per thread stats
+
+
+# This is a purposefully invalid config value, which will lead to the
+# engine falling back to 15, the default
+packet-alert-max: 0

diff --git a/tests/alert-max/alert-max-default/test.rules b/tests/alert-max/alert-max-default/test.rules
new file mode 100644 (file)
index 0000000..7c1a78f
--- /dev/null
+++ b/tests/alert-max/alert-max-default/test.rules
@@ -0,0 +1,16 @@
+alert tcp any any -> any any (msg:"Noalert rule 1"; noalert; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 2"; noalert; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 3"; noalert; sid:3; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 4"; noalert; sid:4; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 5"; noalert; sid:5; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 6"; noalert; sid:6; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 7"; noalert; sid:7; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 8"; noalert; sid:8; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 9"; noalert; sid:9; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 10"; noalert; sid:10; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 11"; noalert; sid:11; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 12"; noalert; sid:12; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 13"; noalert; sid:13; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 14"; noalert; sid:14; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 15"; noalert; sid:15; rev:1;)
+alert tcp any any -> any any (msg:"Alert rule"; sid:16; rev:1;)

diff --git a/tests/alert-max/alert-max-default/test.yaml b/tests/alert-max/alert-max-default/test.yaml
new file mode 100644 (file)
index 0000000..990950b
--- /dev/null
+++ b/tests/alert-max/alert-max-default/test.yaml
@@ -0,0 +1,9 @@
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 16

diff --git a/tests/alert-max/alert-max-default/writepcap.py b/tests/alert-max/alert-max-default/writepcap.py
new file mode 100755 (executable)
index 0000000..df22b22
--- /dev/null
+++ b/tests/alert-max/alert-max-default/writepcap.py
@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = list()
+pkts.append(IP()/TCP())
+
+wrpcap('input.pcap', pkts)