--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
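Review bot: The rule carries no `msg` or `rev`, unlike the pass-action variants in this same series which set `msg:"toto"`, so every alert for sid 1000001 in eve.json will have an empty signature text and the rev-less rule gives no handle for later edits. The parser evidently accepts the `sid: 1000001` spacing, since the test expects alerts, but the conventional form is `sid:1000001;`. Proposed line: `drop tcp any any -> any any (msg:"rate_filter by_dst test"; dsize:0; sid:1000001; rev:1;)`.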
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
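Review bot: `flows: all` is the setting the per-packet drop counts in this test's test.yaml depend on, and nothing in the file says so; someone tidying the config to the more common `start` mode would change the expected counts without touching the test. If `start` only logs the first dropped packet of a flow, as its name suggests, the expected "1 per direction" counts would silently collapse. Proposed comment above `flows: all`: `# log every dropped packet, not only the first per flow; the drop counts in test.yaml are per packet`.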
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 2 # 1 per direction
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
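Review bot: The checks count 19 alerts and 2 drops independently but never assert which alerts kept the rule's drop action and which were downgraded to alert by the rate_filter, so the action switch itself is not pinned. The EVE alert's `alert.action` field distinguishes the two, and the numbers already implied by the existing filters (2 blocked, one per destination, and 17 allowed) would make the test fail if the filter fired on every packet or never fired at all. The split below is inferred from the expected 2-drop / 19-alert totals and should be confirmed against the pcap before being committed.
```yaml
  - filter:
      count: 2  # first match per destination IP keeps the rule's drop action
      match:
        event_type: alert
        alert.signature_id: 1000001
        alert.action: blocked
  - filter:
      count: 17  # later matches within 60 s are downgraded to alert
      match:
        event_type: alert
        alert.signature_id: 1000001
        alert.action: allowed
```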
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action alert, timeout 1000
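Review bot: This test's README describes it as a `by_rule` test while the rate_filter line tracks `by_dst`; the README text was evidently copied from the by_rule variant and should name the keyword actually under test. threshold.config accepts `#` comments, so the expected behaviour can also be stated next to the line: `# count 1: the first match per destination IP keeps the rule's drop action; later matches within 60 s are switched to alert for 1000 s`. That reading is inferred from the 2-drop / 19-alert expectation in test.yaml rather than from this line alone, so confirm it before committing the comment.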
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 2 # 1 per direction
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action alert, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action alert, timeout 1000
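Review bot: This test's README describes it as a `by_rule` test while the line tracks `by_both`, and that is the one property that makes this variant different from the by_dst/by_src ones: test.yaml expects a single drop here instead of one per direction, which suggests `by_both` keys both directions of the conversation to one entry. A comment recording that would make the reduced count self-explanatory: `# by_both: one tracking entry per address pair, so only the very first match is dropped (test.yaml expects 1 drop, not 1 per direction)`. The keying claim is inferred from the expected count, not from this line, so confirm it.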
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action alert, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
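Review bot: The drop filter pins 29 drops but the alert filter only pins the total of 31, so the test does not assert that exactly the first match per destination was allowed before the rate_filter switched the rule to drop. `alert.action` lets the test say so directly, and the split follows from the counts already here (31 alerts minus 29 drops). The `drop.reason: threshold detection_filter` string is also worth a comment, since a reader looking for the word rate_filter will assume a mismatch: `# threshold-driven drops are logged with this reason even when they come from a rate_filter`.
```yaml
  - filter:
      count: 2  # first match per destination IP is still allowed
      match:
        event_type: alert
        alert.signature_id: 1000001
        alert.action: allowed
  - filter:
      count: 29  # matches after the threshold are blocked
      match:
        event_type: alert
        alert.signature_id: 1000001
        alert.action: blocked
```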
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action drop, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action drop, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action drop, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action drop, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 2 # once for each dir
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
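Review bot: With a single signature in the rule set this test cannot observe the part of `new_action pass` that matters operationally: whether other signatures are still evaluated on a packet once sid 1000001 has been switched to pass. Adding a second, unthresholded rule such as `alert http any any -> any any (msg:"control"; sid:1000002;)` and asserting its alert count would pin that down; if a thresholded pass behaves like a rule-level pass, sid 1000002 would stop alerting after the first request per destination, which is exactly the side effect an operator enabling this needs to know about. The expected count for the control rule can only be fixed once that behaviour is confirmed on the pcap, so this is a follow-up rather than a drop-in line.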
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action pass, timeout 1000
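Review bot: `new_action pass` turns a detection rule into a pass rule for `timeout 1000` seconds after its first match per destination, and with a rule as broad as `alert http any any -> any any` that presumably exempts all subsequent HTTP to that host from further inspection; nothing in the test says this is deliberate. Since threshold.config accepts `#` comments, state it on the line: `# new_action pass: after the first match per destination IP, sid 1000001 acts as a pass rule for 1000 s — if this behaves like a rule-level pass, later HTTP to that host skips other signatures`. The suppression of other signatures is inferred from the meaning of the pass action, not from anything this test checks, so keep the hedge until it is verified.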
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 2 # once for each dir
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action pass, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action pass, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action pass, timeout 1000
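Review bot: `by_rule` has no address key, so a single match from any host flips sid 1000001 to pass for every host for 1000 s; test.yaml's expectation of exactly one alert across the whole pcap is consistent with that. This is the broadest of the four pass variants and deserves a comment so the expected count is not mistaken for a bug: `# by_rule + pass: one match from any host silences sid 1000001 for all hosts for 1000 s (test.yaml expects a single alert)`. This test's README also describes the keyword under test correctly, unlike the by_dst/by_src/by_both siblings, so only the comment is missing here.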
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
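Review bot: These expectations are identical to the drop-variant's (31 alerts, 29 drops with the same `drop.reason`), so the test cannot tell whether the rate_filter applied reject or drop — a regression that mapped `new_action reject` to a plain drop would still pass. As far as eve.json shows under `--simulate-ips` with a pcap, the RST/ICMP that distinguishes reject is not observable, so at minimum the test should say what it does and does not verify; a comment above `checks:` such as `# reject is observed only through its drop side effect; the RST/ICMP it would send is not logged under --simulate-ips` sets that expectation. If a later EVE field records the reject, the test should pin it.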
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action reject, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action reject, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action reject, timeout 1000
--- /dev/null
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
--- /dev/null
+alert http any any -> any any (sid: 1000001;)
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
--- /dev/null
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action reject, timeout 1000