--- /dev/null
+## PCAP
+
+This PCAP contains 3 flows. 2 are http and one is TLS. The HTTP flows should
+be full passed with no alerts, while the TLS flow should be dropped.
+
+## Current Observations
+
+- HTTP response packets are being logged as dropped, however the transaction is
+ logged suggesting the drop is only in logging only, but not actually
+ occurring.
+
+- All the TLS packets apear to be getting dropped, but `flow.action` is never
+ set to true.
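Review bot: the second observation states that `flow.action` "is never set to true", but the test.yaml in this same change asserts on `flow.alerted: true` for the TLS flow and never checks `flow.action` at all, so the README and the checks disagree about which field is expected to record the drop; state the exact field and value the test expects (for example an action of `drop` versus `flow.alerted` being true) so the observation can be matched against a check. Minor wording: "logged suggesting the drop is only in logging only" repeats "only", and "apear" should read "appear".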
--- /dev/null
+pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;)
+drop ip any any -> any any (msg:"DROP ALL"; flow:stateless; sid:2;)
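Review bot: the expected behaviour in the README (HTTP responses fully passed, not just the requests) depends on the `pass` rule on line 1 marking the whole flow as pass even though it is written unidirectionally (`$HOME_NET any -> $EXTERNAL_NET 80`), while the `drop` rule on line 2 is bidirectional and `flow:stateless`; a comment in the rules file spelling out that the pass is expected to cover the server-to-client direction would make the intended interaction between sid 1 and sid 2 explicit and easier to review when the test fails. Style: the pass rule carries no `msg`, and neither rule has a `rev`, which makes them harder to identify in alert and rule-stats output.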
--- /dev/null
+requires:
+ min-version: 6
+
+args:
+- -k none --simulate-ips
+
+checks:
+- filter:
+ # We should see 2 http transactions as the pass rule should allow http
+ # flows.
+ #
+ # This fails.
+ count: 2
+ match:
+ event_type: http
+
+- filter:
+ # There should be no alerts for http.
+ count: 0
+ match:
+ event_type: alert
+ app_proto: http
+
+- filter:
+ # There should be 2 http flow events without alerts.
+ count: 2
+ match:
+ event_type: flow
+ app_proto: http
+ flow.alerted: false
+
+- filter:
+ # We should see NO drops (or alerts) for http
+ count: 0
+ match:
+ event_type: alert
+ app_proto: http
+
+- filter:
+ # There should be one tls flow that is alerted
+ count: 1
+ match:
+ event_type: flow
+ dest_port: 443
+ flow.alerted: true
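Review bot: the fourth check (`# We should see NO drops (or alerts) for http`) is byte-for-byte identical to the second check (`count: 0`, `event_type: alert`, `app_proto: http`), so despite its comment it does not verify that no HTTP packets were dropped; either drop the duplicate or change it to match on the drop event type so it actually covers the "HTTP response packets are being logged as dropped" observation from the README. Also, the first filter carries the comment `# This fails.`, which reads as a known failure being committed; the README should say explicitly that this test is a reproducer for that behaviour so a future reader does not take the failing check as a regression. Finally, the last check verifies the TLS flow only via `flow.alerted: true` and `dest_port: 443`, which is consistent with the drop rule having alerted but does not by itself show the flow was dropped; consider asserting on the field that records the drop action alongside `flow.alerted`.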