--- /dev/null
+# Test
+
+Check the expected default behavior for Exception Policies in IPS, in Suricata
+versions 6 and 7.
+
+# Behavior
+
+In 7, the auto behavior is to drop-packet and/or drop-flow in case of traffic
+exceptions, in IPS mode. In 6, the default behavior is to 'ignore'.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
- reject
- alert
-exception-policy: ignore
+ #exception-policy: ignore
args:
- --simulate-ips
- -k none
+
checks:
- filter:
count: 0
match:
event_type: alert
- filter:
+ lt-version: 7
count: 0
match:
event_type: drop
- filter:
+ min-version: 7
count: 1
+ match:
+ event_type: drop
+ - filter:
+ lt-version: 7
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ min-version: 7
+ count: 0
match:
event_type: tls
tls.sni: example.com
--- /dev/null
+# Test
+
+Check the expected default behavior, in versions 6 and 7 of Suricata, for IDS
+mode.
+
+# Behavior
+
+In both 6 and 7, the default behavior is to 'ignore' in case of traffic
+exceptions, in IDS mode.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+
+logging:
+ default-log-level: config
+ outputs:
+ - file:
+ enabled: yes
+ level: config
+ filename: suricata.json
+ type: json
--- /dev/null
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
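Review bot: `sid:001` is written with leading zeros, so it relies on the rule parser normalising it to sid 1, a value inside the low range conventionally occupied by shipped rulesets rather than local test rules; the other test.rules files in this commit use a plain decimal sid. Writing it as a plain integer from the local range, e.g. `sid:1000001;`, removes the leading-zero dependence and avoids a clash if this file is ever loaded next to a vendor ruleset.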
--- /dev/null
+pcap: ../exception-policy-midstream-03/input.pcap
+
+args:
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 6
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ lt-version: 7
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ lt-version: 7
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ lt-version: 7
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Config
+ engine.message: "exception-policy: ignore (defined via 'built-in default' for IDS-mode). Warning: this will change to drop-flow or drop-packet in Suricata 7."
+ - filter:
+ lt-version: 7
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Config
+ engine.message: "stream.midstream-policy: ignore (defined via 'built-in default' for IDS-mode). Warning: this will change to drop-flow or drop-packet in Suricata 7."
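Review bot: The README for this test says IDS mode defaults to 'ignore' on both 6 and 7, but the two filters for `event_type: drop` / `drop.reason: stream midstream` and `event_type: flow` / `flow.action: drop` carry `lt-version: 7`, so the absence of drops is never asserted on 7. Deleting the `lt-version: 7` line from those two filters makes them run on both versions; the two `engine.message` checks are rightly 6-only because their text names the 7 change. Separately, as far as the diff's whitespace can be trusted, the `args` sequence is flush with its key while the `checks` sequence is indented one level; the same mix appears in the `args`/`checks` of the IPS auto test.yaml, and the suricata.yaml files in this commit indent their sequences, so indenting `args` would match.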
--- /dev/null
+# Test
+
+Check the expected auto behavior for exception policies, in versions 6 and 7 of
+Suricata, in IPS mode.
+
+# Behavior
+
+In 7, the auto behavior is 'drop-packet' and/or 'drop-flow' in case of traffic
+exceptions, in IPS mode. In 6, the auto behavior is to 'ignore'.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+logging:
+ default-log-level: config
+ outputs:
+ - file:
+ enabled: yes
+ level: config
+ filename: suricata.json
+ type: json
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+args:
+- --simulate-ips
+- --set exception-policy=auto
+
+checks:
+ - filter:
+ min-version: 7
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ min-version: 7
+ count: 9
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ # checks for Suricata 6
+ - filter:
+ lt-version: 7
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ lt-version: 7
+ count: 2
+ match:
+ event_type: drop
+ drop.reason: stream error
+ - filter:
+ lt-version: 7
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ filename: suricata.json
+ lt-version: 7
+ count: 1
+ match:
+ log_level: Info
+ event_type: engine
+ engine.message: "master exception-policy set to: auto"
+ - filter:
+ filename: suricata.json
+ lt-version: 7
+ count: 1
+ match:
+ log_level: Config
+ event_type: engine
+ engine.message: "stream.midstream-policy: ignore (defined via 'exception-policy' master switch). Warning: this will change to drop-flow or drop-packet in Suricata 7."
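Review bot: This test enables the policy with `- --set exception-policy=auto` under `args`, while the IDS-mode sibling sets `exception-policy: auto` in its suricata.yaml and passes no args at all; using one mechanism for both makes the pair easier to compare, since they are otherwise meant to differ only in `--simulate-ips`. If the CLI form is kept deliberately, a comment above `args` such as `# exception-policy is set via --set here, not in suricata.yaml, to exercise the CLI override path` would record the reason for the next reader.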
--- /dev/null
+# Test
+
+Check the expected auto behavior for exception policies, in versions 6 and 7
+of Suricata, in IDS mode.
+
+# Behavior
+
+In IDS mode, the auto behavior for exception policies is 'ignore' for both 6 and 7.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+logging:
+ default-log-level: config
+ outputs:
+ - file:
+ enabled: yes
+ level: config
+ filename: suricata.json
+ type: json
+
+exception-policy: auto
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+checks:
+ - filter:
+ min-version: 7
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ min-version: 7
+ count: 9
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ # checks for Suricata 6
+ - filter:
+ lt-version: 7
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ lt-version: 7
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: stream error
+ - filter:
+ lt-version: 7
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ filename: suricata.json
+ lt-version: 7
+ count: 1
+ match:
+ log_level: Info
+ event_type: engine
+ engine.message: "master exception-policy set to: auto"
+ - filter:
+ filename: suricata.json
+ lt-version: 7
+ count: 1
+ match:
+ log_level: Config
+ event_type: engine
+ engine.message: "app-layer.error-policy: ignore (defined via 'exception-policy' master switch). Warning: this will change to drop-flow or drop-packet in Suricata 7."
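Review bot: The `min-version: 7` filters at the top of `checks` expect one `drop` with `drop.reason: stream midstream`, nine `drop` events in total and one `flow.action: drop`, yet this test runs without `--simulate-ips` and its README states that in IDS mode the auto policy is 'ignore' on both 6 and 7. These first six filters are identical to the first six of the IPS auto test.yaml, so they appear to have been carried over from that test rather than derived from an IDS run; if the 7 engine genuinely emits drop records here, the README's Behavior section should say so, otherwise the expected counts should be 0, matching the `lt-version: 7` branch below. The two 6-only checks already differ from the IPS variant (`stream error` count 0, the `app-layer.error-policy` message), which suggests the 7 block was not updated alongside them.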