--- /dev/null
+This is a test for corner cases scenarios where we have a low packet_alert_max
+configuration, and we try to add a signature with an id which is lower than an
+existing queued signature.
+
+The expected behavior is as follows:
+- Rules with sid 1, 2, and 4 should not match (there to ensure we have the right
+scenario in terms of internal ids and signature ordering)
+- 1st rule triggered: sid 4 (internal id 3)
+- 2nd rule triggered: sid 6 (internal id 5)
+- 3rd rule triggered: sid 8 (internal id 7)
+- 4th rule triggered: sid 7 (internal id 6)
+
+In this scenario, packet_alert_max is set to 3, meaning that one of the rules
+should not generate an alert, at the end, due to being discarded from the Packet's
+alert queue.
+
+Expected final result:
+
+Alerts for sids 4, 6 and 7. Sid 8 should be discarded, as its higher id implies a
+lower priority rule - discarded.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes # append to file (yes) or overwrite it (no)
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - http
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 2
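Review bot: `packet-alert-max: 2` on the last line of this file disagrees with the README in the same commit, which states that packet_alert_max is set to 3 and expects three alerts (sids 4, 6 and 7) out of four matching rules; test.yaml likewise expects three `count: 1` results. Unless the alert queue's effective capacity is one more than the configured value (which I cannot confirm from this page), one of the two numbers is wrong, so either the README should say 2 and explain why three alerts survive, or the setting should read `packet-alert-max: 3`. The `stats` output block is also enabled although no check reads stats.log; dropping it, or adding a check that uses it, would keep the config aligned with what the test actually verifies.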
--- /dev/null
+# internal id 0 -- should not trigger
+alert http any any -> any any (msg:"No match rule 1"; http.request_line; bsize:<10; priority:1; sid:1;)
+# internal id 1 -- should not trigger
+alert http any any -> any any (msg:"No match rule 2"; http.request_line; bsize:>150; priority: 1; sid:2; rev:1;)
+# internal id 2 -- should not trigger
+alert tcp any any -> any any (msg:"No match rule 3"; dsize:>130; sid:3; rev:1;)
+# internal id 3
+alert tcp any any -> any any (msg:"Match rule - internal id 3"; dsize:<140; sid:4; rev:1;)
+# internal id 4 -- sould not trigger
+alert tcp any any -> any any (msg:"No match rule 4"; dsize:>140; sid:5; rev:1;)
+# internal id 5
+alert http any any -> any any (msg:"Match rule internal id 5"; uricontent:"/index.html"; sid:6; rev:1;)
+# internal id 6
+alert http any any -> any any (msg:"Match rule internal id 6"; http.request_line; bsize:10<>100; sid:7; rev:1;)
+# Internal id 7
+alert http any any -> any any (msg:"Match rule internal id 7"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:8;)
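Review bot: Sids 1 and 8 are the only rules without a `rev:` option while the other six carry `rev:1`; since the test depends on a precise internal id ordering, keeping every rule's option set uniform avoids a reader wondering whether the omission is part of the scenario, so add `rev:1;` to sids 1 and 8. The comment for internal id 4 reads `# internal id 4 -- sould not trigger` and should be `# internal id 4 -- should not trigger`. Sid 6 uses the legacy `uricontent` keyword where the rest of the file uses sticky buffers; `http.uri; content:"/index.html";` matches the style of the neighbouring rules. The `priority: 1` spacing in sid 2 also differs from `priority:1` in sid 1; one form throughout is easier to grep.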
--- /dev/null
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+
+checks:
+# Subtest 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+# Subtest 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+# Subtest 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+# Subtest 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+# Subtest 5
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+# Subtest 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+# Subtest 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+# Subtest 8
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 8
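Review bot: The checks pin each signature_id individually but nothing asserts the total number of alert events, which is the property the README describes (three alerts survive the queue); a ninth filter with `count: 3` and `match: event_type: alert` would catch a regression in which an extra or missing alert appears under a sid this list does not cover. The `# Subtest N` comments only restate the entry's position; something like `# sid 4 (internal id 3) must alert` / `# sid 8 (internal id 7) is discarded by packet-alert-max` would tie each check back to the scenario. I would also note in a comment why `--set stream.midstream=true` is needed, presumably because the pcap carries a single mid-stream segment with no handshake.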
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/"GET /index.html HTTP/1.0\r\nHost: www.openinfosecfoundation.org\r\nUser-Agent: This is a dummy message body\r\nContent-Type: text/html\r\n"
+
+wrpcap('input.pcap', pkts)
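Review bot: `flags='P''A'` on the TCP layer relies on implicit adjacent-string concatenation to produce the value 'PA'; writing `flags='PA'` says the same thing without the reader having to notice the doubled quotes. The script writes a single PSH/ACK segment with no preceding handshake, which appears to be why test.yaml passes `--set stream.midstream=true`; a one-line comment above `pkts +=` stating that the segment is deliberately mid-stream would make the dependency explicit. The HTTP payload ends after the `Content-Type` header without the blank line that terminates a request; if a complete request is intended, append `\r\n`, otherwise a comment should say the truncated request is intentional. The shebang `#!/usr/bin/env python` should be `#!/usr/bin/env python3`, since current scapy releases target Python 3.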