Add tests for the new master switch config for the Exception policies.
Added also a check in the exception-policy test that checks the default
behavior, to ensure that things work as expected with the master switch
disabled and the exception policies not set.
Task #5219
log_level: Info
event_type: engine
engine.module: exception-policy
- engine.message: "master exception-policy set to: ignore"
+ engine.message: "master exception-policy set to: auto"
log_level: Info
event_type: engine
engine.module: exception-policy
- engine.message: "master exception-policy set to: drop-flow"
+ engine.message: "master exception-policy set to: auto"
- drop
- reject
- alert
+
+exception-policy: ignore
--- /dev/null
+# Test
+
+Check the expected auto behavior, for the master switch for drop-packet and
+drop-flow in case of traffic exceptions, in IPS mode.
+
+# Behavior
+
+We expect to have no alerts, and see drop events, includding for the flow. Checks
+for the bypassed flow are left to highlight the fact that the indicated exception
+policy is overwritten by the master switch.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
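Review bot: typo in the Behavior paragraph, "includding" should be "including". The same paragraph says the indicated exception policy is overwritten by the master switch, but nothing in this README says which per-subsystem policy was indicated (for example the stream midstream policy) or where it is set; name the setting, or drop the sentence, so the reader knows what the bypassed-flow checks are proving.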
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
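Review bot: the alert output enables tls, ssh, smtp and an xff reverse-deployment X-Forwarded-For block for a pcap the README describes as http packets only, and none of the checks in this patch reference those fields; trim the eve-log block to alert, flow, http and drop so the test config shows only what the assertions depend on. The same block is copied verbatim into every new suricata.yaml in this patch, so one trimmed version could be reused.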
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set exception-policy=auto
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ count: 9
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ count: 0
+ match:
+ event_type: http
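Review bot: the master switch is set here through the test args (`--set exception-policy=auto`) while the other new tests in this patch set `exception-policy:` in their suricata.yaml; pick one place for consistency, preferably the yaml so the configuration under test is self-contained. Also, the drop checks assert `count: 9` for all drop events but only one of them with `drop.reason: stream midstream`, so the reason for the remaining eight drops is never checked; a filter on the reason expected for those (or a per-reason breakdown that sums to nine) would make a regression in the drop reason visible instead of only a change in the total.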
--- /dev/null
+# Test
+
+Check the bypass behavior for the Exception policies master switch in IPS
+mode in case of traffic exceptions.
+
+# Behavior
+
+We expect to have no alerts, nor drop events, only the flow in bypassed state.
+Checks are left to highlight the expected behavior in comparison to other
+possible behaviors, with different policies in place.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: bypass
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 0
+ match:
+ event_type: http
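Review bot: only eve.json is checked here, so the bypass result is inferred from the absence of drop and http events plus one bypassed flow. The `auto` test later in this patch logs to suricata.json and asserts on exception-policy engine messages, and the existing tests touched in the first hunks assert on "master exception-policy set to: ..."; add the same engine-log filter for "master exception-policy set to: bypass" so the test also proves the master switch value was applied.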
--- /dev/null
+# Test
+
+Check that the proper default exception policy is applied in case the master
+switch is disabled and there is no exception policy configured.
+stage.
+
+# Behavior
+
+We expect to have ``alert`` and ``http`` events logged, as the flow will
+be inspected still.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
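Review bot: stray line "stage." after the first paragraph of the Test section, apparently left over from the "SYNACK stage" wording used in the IDS bypass README; remove it. The paragraph also describes the setup as "master switch disabled and no exception policy configured"; state the exact master switch value the test uses so readers do not go looking for an unset key.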
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: ignore
+
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+# Test
+
+Check the expected overriding behavior, in IPS mode, if an Exception Policy is
+set, regardless of what is defined in the master switch.
+
+# Behavior
+
+We expect to see a flow event with the action set to pass, and the http
+protocol event, since a pass policy will still mean inspection, just no detection.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: auto
+
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+ - filter:
+ count: 1
+ match:
+ event_type: http
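Review bot: the README for this test says the configured policy wins "regardless of what is defined in the master switch", but the only master value exercised is `auto`, which is also the default; either run this override against an explicit non-default master value (for example drop-flow, which the first hunks show is a valid setting) or narrow the README claim to what is tested. The override itself is well asserted through `flow.action: pass` together with the count-0 alert and drop filters.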
--- /dev/null
+# Test
+
+Check that the Exception Policy is properly applied in case it's set to
+``bypass`` in IDS mode, when the engine firstly sees the stream during
+SYNACK stage.
+
+# Behavior
+
+We expect to have no events other than ``flow``, with an indication that it was
+bypassed.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: bypass
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 0
+ match:
+ event_type: http
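Review bot: missing a count-0 `event_type: drop` filter. No drops are expected in IDS mode, and the IPS variants in this patch all include that negative check; adding it here keeps the check sets parallel and catches the case where a bypass decision also emits drop records.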
--- /dev/null
+# Test
+
+Check that the Exception Policy is properly applied in case it's set to
+``auto`` in IPS mode, when the engine is set to midstream=true.
+
+# Behavior
+
+We expect the engine to define the exception policy for midstream as `ignore`,
+as that's the default configuration value when midstream flows are accepted.
+This means we should see ``alert`` and ``http`` events.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
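Review bot: inconsistent inline literal markup in the Behavior section, `ignore` is in single backticks while ``alert`` and ``http`` use the double backticks the rest of these READMEs use; make them all double backticks.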
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: auto
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: debug
+ filename: suricata.json
+ type: json
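Review bot: `level: debug` on the file output is broader than the checks need; the only assertion on suricata.json in this patch looks for Warning-level entries from the exception-policy module, and the startup "master exception-policy set to" message is logged at Info. `level: info` would capture both and keep the log file small.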
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 0
+ match:
+ event_type: engine
+ log_level: Warning
+ engine.module: exception-policy
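Review bot: the suricata.json check is negative only (count 0 Warning entries from the exception-policy module), which also passes when the file is missing, empty, or not named as configured. Add a positive filter on the Info-level "master exception-policy set to: auto" message, the one the first hunks of this patch assert on, so the test proves the log file is actually read and the master switch value was applied.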
--- /dev/null
+# Test
+
+Check that the Exception Policy is properly applied with default configuration
+in IPS mode, when the engine is set to midstream=true.
+
+# Behavior
+
+We expect the engine to define the exception policy for midstream as `ignore`,
+as that's the default configuration value when midstream flows are accepted.
+This means we should see ``alert`` and ``http`` events.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
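Review bot: the Behavior section is copied verbatim from the `auto` test README, so nothing in the prose says what this test does differently; since the difference is that no master switch is configured at all, say so in the Test section (no `exception-policy` key in suricata.yaml) so the two tests' purposes are distinguishable.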
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: debug
+ filename: suricata.json
+ type: json
--- /dev/null
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 0
+ match:
+ event_type: engine
+ log_level: Warning
+ engine.module: exception-policy
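Review bot: these checks are identical to the `auto` test's, so nothing here distinguishes "master switch left unset" from "master switch explicitly set to auto". Add a positive suricata.json filter on the engine message that reports the master exception-policy value at startup; that is both the distinguishing assertion and the proof the log file is read, since the count-0 Warning filter passes on an empty file.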