From: Juliana Fajardini
Date: Mon, 24 Feb 2025 13:44:01 +0000 (-0300)
Subject: tests: check exception policies flow output
X-Git-Tag: suricata-7.0.10~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=068b31976afcd709ee23c10e44ae94e4466e5ba4;p=thirdparty%2Fsuricata-verify.git

tests: check exception policies flow output

Add checks for `flow.exception_policy` fields in the exception policies tests.

Related to
Task #6215
---

diff --git a/tests/exception-policy-applayer-01/test.yaml b/tests/exception-policy-applayer-01/test.yaml
index f7a5fdc7c..8569a2be2 100644
--- a/tests/exception-policy-applayer-01/test.yaml
+++ b/tests/exception-policy-applayer-01/test.yaml
@@ -59,3 +59,10 @@ checks:
 event_type: stats
 stats.app_layer.error.exception_policy.drop_flow: 1
 stats.app_layer.error.exception_policy.pass_flow: 0
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "app_layer_error"
+ flow.exception_policy[0].policy: "drop_flow"
diff --git a/tests/exception-policy-applayer-02/test.yaml b/tests/exception-policy-applayer-02/test.yaml
index c0e33bba5..a45b97e5a 100644
--- a/tests/exception-policy-applayer-02/test.yaml
+++ b/tests/exception-policy-applayer-02/test.yaml
@@ -48,3 +48,10 @@ checks:
 event_type: stats
 stats.app_layer.error.tls.exception_policy.pass_packet: 1
 stats.app_layer.error.tls.exception_policy.drop_packet: 0
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "app_layer_error"
+ flow.exception_policy[0].policy: "pass_packet"
diff --git a/tests/exception-policy-applayer-03/test.yaml b/tests/exception-policy-applayer-03/test.yaml
index 2eedb5230..c0189b0f8 100644
--- a/tests/exception-policy-applayer-03/test.yaml
+++ b/tests/exception-policy-applayer-03/test.yaml
@@ -71,3 +71,10 @@ checks:
 event_type: stats
 stats.app_layer.error.exception_policy.pass_packet: 1
 stats.app_layer.error.exception_policy.drop_packet: 0
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "app_layer_error"
+ flow.exception_policy[0].policy: "pass_packet"
diff --git a/tests/exception-policy-default-01/suricata.yaml b/tests/exception-policy-default-01/suricata.yaml
index 09637bdec..a84c70055 100644
--- a/tests/exception-policy-default-01/suricata.yaml
+++ b/tests/exception-policy-default-01/suricata.yaml
@@ -13,6 +13,7 @@ outputs:
 alerts: yes # log alerts that caused drops
 flows: all # start or all: 'start' logs only a single drop
 - stats
+ - flow
 - stats:
 enabled: yes
 filename: stats.log
diff --git a/tests/exception-policy-default-01/test.yaml b/tests/exception-policy-default-01/test.yaml
index 676b6c260..4391585ae 100644
--- a/tests/exception-policy-default-01/test.yaml
+++ b/tests/exception-policy-default-01/test.yaml
@@ -22,3 +22,10 @@ checks:
 match:
 event_type: tls
 tls.sni: example.com
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ not-has-key: flow.exception_policy[0].target
+ not-has-key: flow.exception_policy[0].policy
diff --git a/tests/exception-policy-default-02/test.yaml b/tests/exception-policy-default-02/test.yaml
index 8c0204504..738756b05 100644
--- a/tests/exception-policy-default-02/test.yaml
+++ b/tests/exception-policy-default-02/test.yaml
@@ -12,3 +12,10 @@ checks:
 count: 1
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "ignore"
diff --git a/tests/exception-policy-default-03/test.yaml b/tests/exception-policy-default-03/test.yaml
index 90a2f1859..c244dda35 100644
--- a/tests/exception-policy-default-03/test.yaml
+++ b/tests/exception-policy-default-03/test.yaml
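Review bot: In tests/exception-policy-default-01/test.yaml the added `match` block uses the mapping key `not-has-key` twice, so a loader that keeps the last duplicate (PyYAML's behaviour) silently discards the `.target` assertion and only the absence of `flow.exception_policy[0].policy` is checked. This is the check that guards the "no exception policy recorded" case, so a dropped assertion weakens it without any test failure. A single assertion on the parent key is valid YAML and stricter: `not-has-key: flow.exception_policy`. That assumes the harness resolves `not-has-key` on a dotted parent path the same way it does for leaf fields; worth confirming with one run against a build that emits the array.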
@@ -36,3 +36,10 @@ checks:
 count: 0
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "drop_flow"
diff --git a/tests/exception-policy-default-04/test.yaml b/tests/exception-policy-default-04/test.yaml
index f751f3d9d..88191d798 100644
--- a/tests/exception-policy-default-04/test.yaml
+++ b/tests/exception-policy-default-04/test.yaml
@@ -23,3 +23,10 @@ checks:
 count: 0
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "ignore"
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
index 7adfc8048..ff4fb586d 100644
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
@@ -35,3 +35,10 @@ checks:
 count: 0
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "drop_flow"
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
index 3cbb4658a..41369a3cd 100644
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
@@ -25,3 +25,10 @@ checks:
 count: 0
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "bypass"
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
index 562c31d4a..302d878f5 100644
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
@@ -25,3 +25,10 @@ checks:
 count: 1
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "ignore"
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
index e1c3d501e..eeb36937d 100644
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
@@ -26,3 +26,10 @@ checks:
 count: 1
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "pass_flow"
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
index e61f73090..e34973a03 100644
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
@@ -20,3 +20,10 @@ checks:
 count: 0
 match:
 event_type: http
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "bypass"
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
index c08352b49..756bfb638 100644
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
@@ -36,3 +36,10 @@ checks:
 event_type: engine
 log_level: Warning
 engine.module: exception-policy
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "ignore"
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
index c08352b49..756bfb638 100644
--- a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
@@ -36,3 +36,10 @@ checks:
 event_type: engine
 log_level: Warning
 engine.module: exception-policy
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "ignore"
diff --git a/tests/exception-policy-midstream-01/test.yaml b/tests/exception-policy-midstream-01/test.yaml
index 29fb09d8a..864d32564 100644
--- a/tests/exception-policy-midstream-01/test.yaml
+++ b/tests/exception-policy-midstream-01/test.yaml
@@ -24,3 +24,10 @@ checks:
 match:
 event_type: stats
 stats.tcp.midstream_exception_policy.pass_flow: 9
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "pass_flow"
diff --git a/tests/exception-policy-midstream-02/test.yaml b/tests/exception-policy-midstream-02/test.yaml
index 0db328543..b8f0b02ca 100644
--- a/tests/exception-policy-midstream-02/test.yaml
+++ b/tests/exception-policy-midstream-02/test.yaml
@@ -36,3 +36,10 @@ checks:
 match:
 event_type: stats
 stats.tcp.midstream_exception_policy.drop_flow: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: stream_midstream
+ flow.exception_policy[0].policy: drop_flow
diff --git a/tests/exception-policy-midstream-03/test.yaml b/tests/exception-policy-midstream-03/test.yaml
index 04233a600..3974e7dc3 100644
--- a/tests/exception-policy-midstream-03/test.yaml
+++ b/tests/exception-policy-midstream-03/test.yaml
@@ -24,3 +24,10 @@ checks:
 match:
 event_type: http
 dest_port: 80
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "ignore"
diff --git a/tests/exception-policy-midstream-04/test.yaml b/tests/exception-policy-midstream-04/test.yaml
index 10fb97e7e..263ac2efe 100644
--- a/tests/exception-policy-midstream-04/test.yaml
+++ b/tests/exception-policy-midstream-04/test.yaml
@@ -25,3 +25,10 @@ checks:
 match:
 event_type: stats
 stats.tcp.midstream_exception_policy.pass_flow: 2
+- filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "pass_flow"
diff --git a/tests/exception-policy-midstream-05/test.yaml b/tests/exception-policy-midstream-05/test.yaml
index 7c6db568a..5d90a9a66 100644
--- a/tests/exception-policy-midstream-05/test.yaml
+++ b/tests/exception-policy-midstream-05/test.yaml
@@ -24,3 +24,10 @@ checks:
 match:
 event_type: stats
 stats.tcp.midstream_exception_policy.bypass: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "bypass"
diff --git a/tests/exception-policy-midstream-06/test.yaml b/tests/exception-policy-midstream-06/test.yaml
index f4e4c44f3..3b6cf2b93 100644
--- a/tests/exception-policy-midstream-06/test.yaml
+++ b/tests/exception-policy-midstream-06/test.yaml
@@ -22,3 +22,10 @@ checks:
 match:
 event_type: stats
 stats.tcp.midstream_exception_policy.drop_flow: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "drop_flow"
diff --git a/tests/exception-policy-midstream-07/test.yaml b/tests/exception-policy-midstream-07/test.yaml
index 37430914a..644bb2125 100644
--- a/tests/exception-policy-midstream-07/test.yaml
+++ b/tests/exception-policy-midstream-07/test.yaml
@@ -18,3 +18,10 @@ checks:
 count: 0
 match:
 event_type: smb
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "bypass"
diff --git a/tests/exception-policy-reject-action-01/test.yaml b/tests/exception-policy-reject-action-01/test.yaml
index 4bea809b6..5809415d0 100644
--- a/tests/exception-policy-reject-action-01/test.yaml
+++ b/tests/exception-policy-reject-action-01/test.yaml
@@ -18,4 +18,10 @@ checks:
 match:
 event_type: flow
 flow.action: drop
-
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "reject"
diff --git a/tests/exception-policy-simulated-flow-memcap/test.yaml b/tests/exception-policy-simulated-flow-memcap/test.yaml
index c378a8e85..a79398b34 100644
--- a/tests/exception-policy-simulated-flow-memcap/test.yaml
+++ b/tests/exception-policy-simulated-flow-memcap/test.yaml
@@ -39,3 +39,10 @@ checks:
 event_type: stats
 stats.flow.memcap_exception_policy.drop_packet: 1
 stats.flow.memcap_exception_policy.pass_packet: 0
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_midstream"
+ flow.exception_policy[0].policy: "ignore"
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/test.yaml b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
index 28d053b8d..8e59d36b7 100644
--- a/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
@@ -52,3 +52,10 @@ checks:
 match:
 event_type: stats
 stats.ips.drop_reason.stream_reassembly: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_reassembly_memcap"
+ flow.exception_policy[0].policy: "drop_flow"
diff --git a/tests/exception-policy-stream-reassembly-memcap-02/test.yaml b/tests/exception-policy-stream-reassembly-memcap-02/test.yaml
index e25e98b3e..0a027ae19 100644
--- a/tests/exception-policy-stream-reassembly-memcap-02/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-02/test.yaml
@@ -32,3 +32,12 @@ checks:
 event_type: flow
 app_proto: tls
 flow.action: pass
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_reassembly_memcap"
+ flow.exception_policy[0].policy: "pass_flow"
+ flow.exception_policy[1].target: "app_layer_error"
+ flow.exception_policy[1].policy: "ignore"
diff --git a/tests/exception-policy-stream-reassembly-memcap-03/test.yaml b/tests/exception-policy-stream-reassembly-memcap-03/test.yaml
index 6a6fd8d8f..6756a2ee1 100644
--- a/tests/exception-policy-stream-reassembly-memcap-03/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-03/test.yaml
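Review bot: The filter added to tests/exception-policy-simulated-flow-memcap/test.yaml asserts `stream_midstream` / `ignore`, while the context lines of the same hunk show the test exercising `stats.flow.memcap_exception_policy.drop_packet`, so nothing in the new check ties a flow record to the flow-memcap policy the test is named for. If that is intentional (presumably a packet dropped at flow memcap has no flow record to carry the field), a comment above the filter would stop it reading as a copy of the midstream tests, e.g. `# flow-memcap drops leave no flow record; this pins the midstream entry on the flow that was logged`. If a flow-memcap entry can appear in `flow.exception_policy`, the check should match on that target instead.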
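Review bot: The two-entry check in tests/exception-policy-stream-reassembly-memcap-02/test.yaml pins `stream_reassembly_memcap` to index `[0]` and `app_layer_error` to `[1]`, so it passes only while the engine emits the array in exactly that order; the same pattern is repeated in the stream-reassembly-memcap-05 and -06 hunks. Nothing visible in this commit states that the order is part of the output contract. If it is, a short comment above these filters would record that, e.g. `# exception_policy entries are logged in a fixed target order`; if it is not, these three checks will fail on a harmless reordering and hide whether the policies themselves were applied.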
@@ -30,3 +30,10 @@ checks:
 match:
 event_type: flow
 flow.state: bypassed
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_reassembly_memcap"
+ flow.exception_policy[0].policy: "bypass"
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/test.yaml b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
index 28d053b8d..8e59d36b7 100644
--- a/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
@@ -52,3 +52,10 @@ checks:
 match:
 event_type: stats
 stats.ips.drop_reason.stream_reassembly: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_reassembly_memcap"
+ flow.exception_policy[0].policy: "drop_flow"
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/test.yaml b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
index b07cc3f5b..70a1e56fb 100644
--- a/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
@@ -53,3 +53,12 @@ checks:
 match:
 event_type: stats
 stats.ips.drop_reason.stream_reassembly: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_reassembly_memcap"
+ flow.exception_policy[0].policy: "drop_packet"
+ flow.exception_policy[1].target: "app_layer_error"
+ flow.exception_policy[1].policy: "ignore"
diff --git a/tests/exception-policy-stream-reassembly-memcap-06/test.yaml b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml
index 0f4b23899..4990a3735 100644
--- a/tests/exception-policy-stream-reassembly-memcap-06/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml
@@ -53,3 +53,12 @@ checks:
 match:
 event_type: stats
 stats.tcp.reassembly_exception_policy.pass_packet: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_reassembly_memcap"
+ flow.exception_policy[0].policy: "pass_packet"
+ flow.exception_policy[1].target: "app_layer_error"
+ flow.exception_policy[1].policy: "ignore"
diff --git a/tests/exception-policy-stream-ssn-memcap-01/test.yaml b/tests/exception-policy-stream-ssn-memcap-01/test.yaml
index 58f9fabef..93d3f7567 100644
--- a/tests/exception-policy-stream-ssn-memcap-01/test.yaml
+++ b/tests/exception-policy-stream-ssn-memcap-01/test.yaml
@@ -57,3 +57,10 @@ checks:
 match:
 event_type: stats
 stats.tcp.ssn_memcap_exception_policy.drop_flow: 1
+ - filter:
+ min-version: 8
+ count: 1
+ match:
+ event_type: flow
+ flow.exception_policy[0].target: "stream_memcap"
+ flow.exception_policy[0].policy: "drop_flow"