--- /dev/null
+# Test
+
+Showcase exception policy stats counters for application layer protocol errors,
+showing only the summarized counters.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5816
+
%YAML 1.1
---
+stats:
+ enabled: yes
+ interval: 8
+
outputs:
- eve-log:
enabled: yes
stream: yes
applayer: yes
- tls:
- extended: yes # enable this for extended logging information
+ extended: yes
- drop:
- alerts: yes # log alerts that caused drops
- flows: all # start or all: 'start' logs only a single drop
- # per flow direction. All logs each dropped pkt.
+ alerts: yes
+ flows: all
+ - stats:
+ totals: yes
+ threads: no
+ deltas: no
- flow
- - stats
+ - stats:
+ enabled: yes
+ filename: stats.log
action-order:
- pass
match:
event_type: stats
stats.ips.drop_reason.applayer_error: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.error.exception_policy.drop_flow: 1
+ stats.app_layer.error.exception_policy.pass_flow: 0
--- /dev/null
+# Test
+
+Showcase exception policy stats counters for application layer protocol errors,
+including also indicating how it is possible to configure: exception policy
+stats to log counters per app-proto, instead of only a summary.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5816
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes
+ - drop:
+ alerts: yes
+ flows: all
+ - stats:
+ totals: yes
+ threads: no
+ deltas: no
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+stats:
+ enabled: yes
+ interval: 8
+ exception-policy:
+ per-app-proto-errors: true
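Review bot: `per-app-proto-errors: true` is the only boolean in this file written as `true`; every other switch (`enabled: yes`, `totals: yes`, `threads: no`, `deltas: no`) uses the yes/no form, so the new stanza reads as if pasted from elsewhere. Both spellings parse to the same boolean under YAML 1.1, which the `%YAML 1.1` directive pins, so this is style only; `per-app-proto-errors: yes` would match the rest of the file. The same mix appears in the second new suricata.yaml of this commit (the one that enables `bittorrent-dht`, ending on the same `per-app-proto-errors: true` line).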
--- /dev/null
+#pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+#drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
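Review bot: The comment above the sid:3 rule attributes the expected silence to a "memcap drop", but nothing in this test involves a memcap: its test.yaml drives Suricata with `--simulate-applayer-error-at-offset-ts=0` and `--set app-layer.error-policy=pass-packet`, and the alert check is simply `count: 0`. The wording looks carried over from one of the memcap tests; I would state the cause that applies here, e.g. `# matches packet 4, but should not alert: the simulated app-layer error triggers the pass-packet exception policy` — assuming that is indeed why detection skips the packet, which I infer from the arguments rather than from a visible line. The two commented-out pass/drop TLS rules are dead weight unless a comment says which variant of the test they document.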
--- /dev/null
+requires:
+ features:
+ - DEBUG
+pcap: ../tls/tls-certs-alert/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend pretend error in the first data
+- --simulate-applayer-error-at-offset-ts=0
+- --set app-layer.error-policy=pass-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.app_layer.error.tls.exception_policy.pass_packet: 1
+ stats.app_layer.error.tls.exception_policy.drop_packet: 0
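Review bot: The comment on the `--simulate-applayer-error-at-offset-ts=0` argument reads `# pretend pretend error in the first data`; the doubled word should go, e.g. `# simulate an app-layer error in the first to-server data`. The `drop.reason: "flow drop"` filter and the `tls.sni: example.com` filter are each strictly narrower than the `count: 0` filter for the same `event_type` that precedes them, so they can never fail independently; either drop them or give each a one-line comment saying what distinct case it documents. `min-version: 8` appears only on the final stats filter, while the sibling bittorrent-dht test puts it under `requires:`; if the simulate-error arguments themselves need that version (I cannot tell from here), the `requires` form rejects older builds up front rather than failing at argument parsing.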
--- /dev/null
+# Test
+
+Showcase exception policy stats counters for application layer protocol errors
+with a longer per-app-proto stats counter - in case, ``bittorrent-dht.pass-packet``.
+
+The result can be seen in the stats.log file in the output directory.
+
+## PCAP
+
+Reused from existing bittorrent-dht test.
+
+## Ticket
+
+Related to work for exception policy stats counters:
+https://redmine.openinfosecfoundation.org/issues/5816
--- /dev/null
+%YAML 1.1
+---
+
+app-layer:
+ protocols:
+ bittorrent-dht:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - bittorrent-dht
+ - drop:
+ alerts: yes
+ flows: all
+ - stats:
+ totals: yes
+ threads: no
+ deltas: no
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+stats:
+ enabled: yes
+ interval: 8
+ exception-policy:
+ per-app-proto-errors: true
--- /dev/null
+requires:
+ min-version: 8
+ features:
+ - DEBUG
+pcap: ../bittorrent-dht/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-applayer-error-at-offset-tc=3
+- --set app-layer.error-policy=pass-packet
+
+checks:
+- filter:
+ count: 1
+ match:
+ bittorrent_dht.request.id: 6162636465666768696a30313233343536373839
+ bittorrent_dht.request_type: ping
+ bittorrent_dht.transaction_id: '6161'
+ dest_ip: 190.0.0.3
+ dest_port: 30000
+ event_type: bittorrent_dht
+ pcap_cnt: 3
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.1
+ src_port: 20000
+- filter:
+ count: 1
+ match:
+ bittorrent_dht.request.id: 6162636465666768696a30313233343536373839
+ bittorrent_dht.request_type: ping
+ bittorrent_dht.transaction_id: '6161'
+ dest_ip: 190.0.0.2
+ dest_port: 50000
+ event_type: bittorrent_dht
+ pcap_cnt: 1
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.1
+ src_port: 40000
+- filter:
+ count: 1
+ match:
+ bittorrent_dht.error.msg: A Generic Error Ocurred
+ bittorrent_dht.error.num: 201
+ bittorrent_dht.transaction_id: '6161'
+ dest_ip: 190.0.0.1
+ dest_port: 20000
+ event_type: bittorrent_dht
+ pcap_cnt: 4
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.3
+ src_port: 30000
+- filter:
+ count: 1
+ match:
+ bittorrent_dht.response.id: 6d6e6f707172737475767778797a313233343536
+ bittorrent_dht.transaction_id: '6161'
+ dest_ip: 190.0.0.1
+ dest_port: 40000
+ event_type: bittorrent_dht
+ pcap_cnt: 2
+ pkt_src: wire/pcap
+ proto: UDP
+ src_ip: 190.0.0.2
+ src_port: 50000
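Review bot: None of the four checks asserts the per-app-proto exception-policy counter this test exists to showcase; they pin only the four bittorrent_dht events, so a regression in the `bittorrent-dht.pass-packet` counter named in the README would go unnoticed (unless check lines were lost from this hunk in the paste). The `requires: min-version: 8` and the eve `stats` output type enabled in the accompanying suricata.yaml suggest a stats filter was intended, mirroring the tls test's `stats.app_layer.error.tls.exception_policy.pass_packet: 1` check. I would add one; the key below is constructed by analogy with that tls check and should be confirmed against the stats.log this test writes.
```yaml
# … unchanged: the four bittorrent_dht event filters …
- filter:
    min-version: 8
    count: 1
    match:
      event_type: stats
      # key constructed by analogy with the tls test — confirm against stats.log
      stats.app_layer.error.bittorrent-dht.exception_policy.pass_packet: 1
```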
- drop:
alerts: yes # log alerts that caused drops
flows: all # start or all: 'start' logs only a single drop
- # per flow direction. All logs each dropped pkt.
+ - stats
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+
action-order:
- pass
- drop
- reject
- alert
- #exception-policy: ignore
+exception-policy: ignore
requires:
features:
- DEBUG
- files:
- - src/util-exception-policy.c
+
pcap: ../tls/tls-certs-alert/input.pcap
+
args:
- --simulate-ips
- -k none
requires:
features:
- DEBUG
- files:
- - src/util-exception-policy.c
args:
- --simulate-ips
- -k none
match:
event_type: stats
stats.ips.drop_reason.defrag_memcap: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.defrag.memcap_exception_policy.drop_packet: 1
+ stats.defrag.memcap_exception_policy.pass_packet: 0
+
%YAML 1.1
---
+stats:
+ enabled: yes
+
outputs:
- eve-log:
enabled: yes
- drop:
alerts: yes
flows: all
+ - stats
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+
+exception-policy: ignore
count: 0
match:
event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.midstream_exception_policy.pass_flow: 9
match:
event_type: stats
stats.ips.drop_reason.stream_midstream: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.midstream_exception_policy.drop_flow: 1
http: yes
- flow
- http
+ - stats
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
logging:
default-log-level: notice
- alert
- flow
- http
+ - stats
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
count: 0
match:
event_type: http
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.midstream_exception_policy.pass_flow: 2
deployment: reverse
header: X-Forwarded-For
- flow
+ - stats
- http
- drop:
alerts: yes
flows: all
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
count: 0
match:
event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.midstream_exception_policy.bypass: 1
- alert:
- flow
- http
+ - stats
- drop:
alerts: yes
flows: all
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
match:
event_type: flow
flow.action: drop
-
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.midstream_exception_policy.drop_flow: 1
%YAML 1.1
---
+stats:
+ enabled: yes
+
outputs:
- eve-log:
enabled: yes
match:
event_type: stats
stats.ips.drop_reason.flow_memcap: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.flow.memcap_exception_policy.drop_packet: 1
+ stats.flow.memcap_exception_policy.pass_packet: 0
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
- deltas: no # include delta values
+ deltas: no
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
+
action-order:
- pass
- drop
flows: all # start or all: 'start' logs only a single drop
# per flow direction. All logs each dropped pkt.
- flow
+ - stats
+
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes
match:
event_type: flow
flow.action: drop
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.reassembly_exception_policy.pass_packet: 1
match:
event_type: stats
stats.ips.drop_reason.stream_memcap: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.ssn_memcap_exception_policy.drop_flow: 1