--- /dev/null
+# Test
+
+Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the
+engine will generate alerts properly.
+
+## PCAP
+
+Shared by reporter.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7725
--- /dev/null
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
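Review bot: `default-output-filter:` under `logging` is left without a value, which a YAML 1.1 loader reads as null rather than an empty string; either drop the key or write `default-output-filter: ""` so the intent is explicit. The inline comment on the eve-log `filetype` line has no space after `#`; the usual form is `filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis`. Indentation in this hunk looks flattened by the paste, so the nesting of `enabled` under `console` and of `stats` under `types` cannot be checked from here.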
--- /dev/null
+alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;)
+drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;)
--- /dev/null
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 60000000
+ pkt_src: wire/pcap
+ proto: IP-in-IP
+ src_ip: 10.0.0.94
+ dest_ip: 10.1.0.237
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 60000001
+ pkt_src: ipv4 tunnel
+ proto: ICMP
+ src_ip: 192.168.0.94
+ dest_ip: 192.168.0.237
+ tunnel.src_ip: 10.0.0.94
+ tunnel.dest_ip: 10.1.0.237
+ tunnel.proto: IP-in-IP
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 60000001
+ pkt_src: ipv4 tunnel
+ proto: ICMP
+ - filter:
+ count: 2
+ match:
+ event_type: drop
+ pkt_src: ipv4 tunnel
+ proto: ICMP
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IP-in-IP
+ src_ip: 10.0.0.94
+ dest_ip: 10.1.0.237
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: ICMP
+ src_ip: 192.168.0.94
+ dest_ip: 192.168.0.237
+ flow.alerted: true
+ flow.action: drop
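Review bot: The `args` list carries no comment saying why `--simulate-ips` and `stream.midstream=true` are needed, while the README describes the test only in terms of alerts even though three of the six checks assert `drop` events and `flow.action: drop`. A comment above `args` such as `# --simulate-ips: exercise the drop action of sid 60000001 on the inner (tunneled) layer; midstream=true because the reporter's PCAP presumably starts mid-flow - confirm` would make the intent reviewable. The `count: 2` drop filter constrains only `pkt_src` and `proto`; if the second drop is the flow-level drop of the reply direction it cannot be pinned by `src_ip`/`dest_ip`, but, provided drop events carry the same `tunnel.*` fields the inner alert check uses, adding `tunnel.proto: IP-in-IP` to both drop filters would tie them to the tunnel under test rather than to any tunneled ICMP in the capture.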