tests: add checks for hiding zero counter stats

author Juliana Fajardini <jufajardini@oisf.net>

Wed, 3 Apr 2024 23:13:18 +0000 (20:13 -0300)

committer Juliana Fajardini <jufajardini@oisf.net>

Thu, 11 Apr 2024 21:01:15 +0000 (18:01 -0300)
author Juliana Fajardini <jufajardini@oisf.net>
Wed, 3 Apr 2024 23:13:18 +0000 (20:13 -0300)
committer Juliana Fajardini <jufajardini@oisf.net>
Thu, 11 Apr 2024 21:01:15 +0000 (18:01 -0300)
diff --git a/tests/feature-5976-zero-stats-01/README.md b/tests/feature-5976-zero-stats-01/README.md

new file mode 100644 (file)

index 0000000..bbf7ea4
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Showcase engine behavior when stats counters that are zero are hidden from the
+eve log stats event.
+
+## PCAP
+
+Reused from `tls-certs-alert` test.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5976
diff --git a/tests/feature-5976-zero-stats-01/suricata.yaml b/tests/feature-5976-zero-stats-01/suricata.yaml

new file mode 100644 (file)

index 0000000..38d096d
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/suricata.yaml
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        - anomaly:
+            enabled: yes
+            types:
+              decode: no
+              stream: yes
+              applayer: yes
+        - tls:
+            extended: yes
+        - drop:
+            alerts: yes
+            flows: all
+        - stats:
+            totals: yes
+            threads: no
+            deltas: no
+            zero-valued-counters: false
+        - flow
+  - stats:
+      enabled: yes
+      filename: stats.log
+
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
diff --git a/tests/feature-5976-zero-stats-01/test.rules b/tests/feature-5976-zero-stats-01/test.rules

new file mode 100644 (file)

index 0000000..da4a536
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/feature-5976-zero-stats-01/test.yaml b/tests/feature-5976-zero-stats-01/test.yaml

new file mode 100644 (file)

index 0000000..a60c16d
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/test.yaml
@@ -0,0 +1,25 @@
+requires:
+  min-version: 8
+pcap: ../tls/tls-certs-alert/input.pcap
+args:
+- --simulate-ips
+- -k none
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.decoder.pkts
+        not-has-key: stats.decoder.invalid
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.ips.accepted
+        not-has-key: stats.ips.rejected
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.tcp.sessions
+        not-has-key: stats.tcp.active_sessions
diff --git a/tests/feature-5976-zero-stats-02/README.md b/tests/feature-5976-zero-stats-02/README.md

new file mode 100644 (file)

index 0000000..3f51df7
--- /dev/null
+++ b/tests/feature-5976-zero-stats-02/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Showcase engine behavior when stats counters that are zero are hidden from the
+eve log stats event.
+
+## PCAP
+
+Reused from `bug-3519` test.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5976
diff --git a/tests/feature-5976-zero-stats-02/suricata.yaml b/tests/feature-5976-zero-stats-02/suricata.yaml

new file mode 100644 (file)

index 0000000..b2b93b6
--- /dev/null
+++ b/tests/feature-5976-zero-stats-02/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - stats:
+            totals: yes
+            threads: no
+            deltas: no
+            zero-valued-counters: false
+        - flow
+  - stats:
+      enabled: yes
+      filename: stats.log
diff --git a/tests/feature-5976-zero-stats-02/test.yaml b/tests/feature-5976-zero-stats-02/test.yaml

new file mode 100644 (file)

index 0000000..51f2a94
--- /dev/null
+++ b/tests/feature-5976-zero-stats-02/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+pcap: ../bug-3519/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.decoder.ipv4
+        not-has-key: stats.decoder.ipv6
author	Juliana Fajardini <jufajardini@oisf.net>
	Wed, 3 Apr 2024 23:13:18 +0000 (20:13 -0300)
committer	Juliana Fajardini <jufajardini@oisf.net>
	Thu, 11 Apr 2024 21:01:15 +0000 (18:01 -0300)
tests/feature-5976-zero-stats-01/README.md	[new file with mode: 0644]	patch \| blob
tests/feature-5976-zero-stats-01/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/feature-5976-zero-stats-01/test.rules	[new file with mode: 0644]	patch \| blob
tests/feature-5976-zero-stats-01/test.yaml	[new file with mode: 0644]	patch \| blob
tests/feature-5976-zero-stats-02/README.md	[new file with mode: 0644]	patch \| blob
tests/feature-5976-zero-stats-02/suricata.yaml	[new file with mode: 0644]	patch \| blob
tests/feature-5976-zero-stats-02/test.yaml	[new file with mode: 0644]	patch \| blob