From: Victor Julien
Date: Fri, 3 Sep 2021 15:03:24 +0000 (+0200)
Subject: tests: add bug 4663 and 4670 tests
X-Git-Tag: suricata-6.0.4~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=013c389717a2d67de88ac57ac5fe11f089b32783;p=thirdparty%2Fsuricata-verify.git
tests: add bug 4663 and 4670 tests
---
diff --git a/tests/bug-4663-02/icmp.pcap b/tests/bug-4663-02/icmp.pcap
new file mode 100644
index 000000000..2a9e8496f
Binary files /dev/null and b/tests/bug-4663-02/icmp.pcap differ
diff --git a/tests/bug-4663-02/suricata.yaml b/tests/bug-4663-02/suricata.yaml
new file mode 100644
index 000000000..062b7227d
--- /dev/null
+++ b/tests/bug-4663-02/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - dns
+ - flow
diff --git a/tests/bug-4663-02/test.rules b/tests/bug-4663-02/test.rules
new file mode 100644
index 000000000..40a19b7cf
--- /dev/null
+++ b/tests/bug-4663-02/test.rules
@@ -0,0 +1,3 @@
+drop icmp any any -> 8.8.8.8 any (msg:"Drop ICMP"; sid:10002;)
+pass ip any any -> any any (msg:"Pass IP"; sid:1004;)
+pass tcp any any -> any 22 (sid:1;)
diff --git a/tests/bug-4663-02/test.yaml b/tests/bug-4663-02/test.yaml
new file mode 100644
index 000000000..ece851ad5
--- /dev/null
+++ b/tests/bug-4663-02/test.yaml
@@ -0,0 +1,31 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+ min-version: 7
+
+args:
+ - --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10002
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 1
+ alert.signature_id: 10002
+ - filter:
+ count: 10
+ match:
+ event_type: drop
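Review bot: bug-4663-02/test.yaml gives no hint of what its four checks prove, and the expectation only makes sense together with the action-order in suricata.yaml and the three rules in test.rules; a header comment would spare the next reader that cross-reference, e.g. `# action-order puts drop before pass: the ICMP drop (sid 10002) must win over the catch-all "pass ip" rule, be logged as an alert and as drop events, and leave the flow with action drop`. The same applies to bug-4663-03/test.yaml (pass ordered before drop, so the SSH flow is passed and nothing is dropped or alerted) and to bug-4663/test.yaml. Separately, `pass tcp any any -> any 22 (sid:1;)` in bug-4663-02/test.rules presumably never matches the ICMP-only capture the directory ships; if it is intentional filler it deserves a comment, otherwise it can go. The subject names bug 4670, but only bug-4663* directories appear in the visible diff; if the full commit carries no 4670 test the subject should be corrected.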
diff --git a/tests/bug-4663-03/icmp_and_ssh.pcap b/tests/bug-4663-03/icmp_and_ssh.pcap
new file mode 100644
index 000000000..7708ee481
Binary files /dev/null and b/tests/bug-4663-03/icmp_and_ssh.pcap differ
diff --git a/tests/bug-4663-03/suricata.yaml b/tests/bug-4663-03/suricata.yaml
new file mode 100644
index 000000000..bf8a47e9b
--- /dev/null
+++ b/tests/bug-4663-03/suricata.yaml
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
diff --git a/tests/bug-4663-03/test.rules b/tests/bug-4663-03/test.rules
new file mode 100644
index 000000000..d2d75a9f3
--- /dev/null
+++ b/tests/bug-4663-03/test.rules
@@ -0,0 +1,2 @@
+pass tcp any any -> any 22 (sid:2; gid:10000003; msg:"PASS SSH";)
+drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
diff --git a/tests/bug-4663-03/test.yaml b/tests/bug-4663-03/test.yaml
new file mode 100644
index 000000000..0c81522fc
--- /dev/null
+++ b/tests/bug-4663-03/test.yaml
@@ -0,0 +1,29 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+ min-version: 7
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
diff --git a/tests/bug-4663/README.md b/tests/bug-4663/README.md
new file mode 100644
index 000000000..3a7af36d8
--- /dev/null
+++ b/tests/bug-4663/README.md
@@ -0,0 +1,4 @@
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/14
diff --git a/tests/bug-4663/blacklist b/tests/bug-4663/blacklist
new file mode 100644
index 000000000..fd5bec0ab
--- /dev/null
+++ b/tests/bug-4663/blacklist
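Review bot: bug-4663-03/test.yaml is the only one of the three tests that passes `-k none`, and nothing says why checksum validation has to be off for icmp_and_ssh.pcap. If the capture carries offloaded (bad) checksums, a one-line comment next to the arg, `# capture has invalid checksums; keep checksum validation off`, would stop someone from "cleaning up" the flag later; if it is not actually needed, dropping it keeps the three tests consistent. The args list is fully inside the hunk.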
@@ -0,0 +1,5 @@
+cac5f74a1e146d6de26845e3e03732c01167e4bbb4333e76889b538c9bd30362
+537aea248165d3e82e48c4808b92e048bd1593ecbcb99d661c3c776204cd96a2
+be331893e44dcad93536b7b5cd3104abc9174ab66086ea5ad8bd4b2618222780
+3f6a4dffd4fd653b53b621349d5167d3cfa3cad926c166e7e24b88d3c9a06acf
+abe7c7b40883a7b59e6493d0f9a9b4b85035f22ee6195da2b188c2072279634f
diff --git a/tests/bug-4663/input.pcap b/tests/bug-4663/input.pcap
new file mode 100644
index 000000000..20a739378
Binary files /dev/null and b/tests/bug-4663/input.pcap differ
diff --git a/tests/bug-4663/suricata.yaml b/tests/bug-4663/suricata.yaml
new file mode 100644
index 000000000..eca382635
--- /dev/null
+++ b/tests/bug-4663/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: yes
+ - files
+ - http
+ - flow
diff --git a/tests/bug-4663/test.rules b/tests/bug-4663/test.rules
new file mode 100644
index 000000000..c974242c3
--- /dev/null
+++ b/tests/bug-4663/test.rules
@@ -0,0 +1,2 @@
+pass tcp any any -> any 22 (sid:2; gid:10000003;)
+drop tcp any any -> any any (noalert; sid:1; rev:1;)
diff --git a/tests/bug-4663/test.yaml b/tests/bug-4663/test.yaml
new file mode 100644
index 000000000..3b8730180
--- /dev/null
+++ b/tests/bug-4663/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ features:
+ - HAVE_LIBJANSSON
+ - HAVE_NSS
+ min-version: 7
+
+args:
+ - --simulate-ips
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 1
+ alert.signature_id: 1
+ - filter:
+ count: 969
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
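Review bot: tests/bug-4663/blacklist adds five SHA-256 values that nothing in the visible diff consumes: neither bug-4663/test.rules (one pass and one drop rule, no file-hash keyword) nor bug-4663/suricata.yaml references the file, and bug-4663/test.yaml does not mention it. If it is a leftover from reproducing the forum report it should be dropped so the test tree does not carry an opaque hash list; if a later commit or the capture setup needs it, a line in bug-4663/README.md saying what the hashes are and which rule loads them would make that explicit.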
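Review bot: `count: 969` in the third check of bug-4663/test.yaml is a bare number tied to input.pcap, and a reader cannot tell whether it is the total packet count, the count of TCP packets, or something else; record that in place, e.g. `# 969 = drop events for input.pcap, presumably every TCP packet not on port 22 (sid 1 drops, sid 2 passes); recount if the pcap is replaced`. The first check's `count: 0` for alerts on sid 1 together with the second check's drop event carrying `alert.signature_id: 1` is the interesting assertion here (the rule is `noalert`, yet the drop record names it); a comment stating that this is presumably the behaviour bug 4663 is about would keep a future cleanup from "fixing" it.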