]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6e0d1ce)
tests: add test for bug 5867 FP drop log events
authorJuliana Fajardini <jufajardini@oisf.net>
Thu, 16 Mar 2023 21:48:21 +0000 (18:48 -0300)
committerVictor Julien <victor@inliniac.net>
Tue, 18 Apr 2023 07:12:50 +0000 (09:12 +0200)
Bug #5867

tests/bug-5867-fp-drop-01/README.md [new file with mode: 0644] patch | blob
tests/bug-5867-fp-drop-01/input.pcap [new file with mode: 0644] patch | blob
tests/bug-5867-fp-drop-01/suricata.yaml [new file with mode: 0644] patch | blob
tests/bug-5867-fp-drop-01/test.rules [new file with mode: 0644] patch | blob
tests/bug-5867-fp-drop-01/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/bug-5867-fp-drop-01/README.md b/tests/bug-5867-fp-drop-01/README.md
new file mode 100644 (file)
index 0000000..94b2151
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/README.md
@@ -0,0 +1,18 @@
+# Test
+
+This test checks bug 5867 for false positive drop events in the eve logs,
+for packets that triggered higher priority PASS rules and DROP rules.
+
+Bug report: https://redmine.openinfosecfoundation.org/issues/5867
+
+# Behavior
+
+In the scenario shown in this test, `PASS` has a higher priority in the action
+order (as it's the default), so the packet should trigger the PASS rule first,
+so the DROP rule should have no effect.
+
+# Pcap
+
+Pcap comes from forum post where bug was reported the first time:
+https://forum.suricata.io/t/drop-log-false-positive-records-possible-since-6-0-6/3228
+
diff --git a/tests/bug-5867-fp-drop-01/input.pcap b/tests/bug-5867-fp-drop-01/input.pcap
new file mode 100644 (file)
index 0000000..0a56ee9
Binary files /dev/null and b/tests/bug-5867-fp-drop-01/input.pcap differ
diff --git a/tests/bug-5867-fp-drop-01/suricata.yaml b/tests/bug-5867-fp-drop-01/suricata.yaml
new file mode 100644 (file)
index 0000000..3bb23cb
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filename: eve.json
+      types:
+        - alert
+        - anomaly
+        - drop:
+            alerts: yes
+            flows: start
+        - flow
+        - smtp
+
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
+
+exception-policy: ignore
+
+
diff --git a/tests/bug-5867-fp-drop-01/test.rules b/tests/bug-5867-fp-drop-01/test.rules
new file mode 100644 (file)
index 0000000..b38b86a
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/test.rules
@@ -0,0 +1,2 @@
+pass tcp 172.17.1.0/24 any -> any 225 (msg:"PASS LOCAL NET Port 225::no flags::flow to_server::no thresholds"; flow:to_server; classtype:misc-activity; sid:1000100; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)
+drop tcp 172.17.1.0/24 any -> any 225 (msg:"DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds"; flow:to_server,established; classtype:misc-activity; sid:1000101; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)
diff --git a/tests/bug-5867-fp-drop-01/test.yaml b/tests/bug-5867-fp-drop-01/test.yaml
new file mode 100644 (file)
index 0000000..11bdb30
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/test.yaml
@@ -0,0 +1,18 @@
+requires:
+   min-version: 6
+args:
+- -k none
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      dest_ip: 172.17.1.105
+      dest_port: 225
+      event_type: smtp
+- filter:
+    count: 0
+    match:
+      event_type: drop
Mirror of https://github.com/OISF/suricata-verify.git