From: Victor Julien
Date: Fri, 11 Apr 2025 09:45:48 +0000 (+0200)
Subject: tests: more firewall tests
X-Git-Tag: suricata-7.0.11~92
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=098b31e3171151f5379fe2d688b60136dcb201f1;p=thirdparty%2Fsuricata-verify.git
tests: more firewall tests
---
diff --git a/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/firewall.rules b/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/firewall.rules
new file mode 100644
index 000000000..c2274da56
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/firewall.rules
@@ -0,0 +1,15 @@
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:101;)
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; alert; sid:1021;)
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:established; alert; sid:1022;)
+
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:102;)
+drop:flow tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+
+# Implicit drop all else
+drop:packet ip:all any any -> any any (msg:"policy drop"; sid:999;)
diff --git a/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/suricata.yaml b/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/suricata.yaml
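Review bot: The comment `# Implicit drop all else` above sid:999 mislabels the rule: it is an explicit catch-all `drop:packet ip:all any any -> any any`, and the expected counts in test.yaml depend on it being present, so `# Explicit catch-all drop for anything not accepted above` would describe it accurately. Separately, the `tls.sni` match in sid:104 is an unanchored `content:"www.google.com"`, so the accept also fires for any SNI that merely contains that string; if exact-host semantics are intended, anchoring it with `startswith; endswith;` narrows the accept, though the pcap's SNI would need to be confirmed so the flow and stats counts in test.yaml still hold. Rules 1021, 1022, 104 and 105 carry no `msg`, unlike the rest of the file; adding one per rule would make the alert log self-describing when the test fails.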
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/test.yaml b/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/test.yaml
new file mode 100644
index 000000000..ad2baaf9b
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-04-ruleset-vs-sni/test.yaml
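Review bot: The inline comment on the final `flows: all` line stops mid-sentence (`# start or all: 'start' logs only a single drop`), so a reader of this fixture cannot tell what distinguishes the two modes; completing it as `flows: all  # 'start' logs one drop per flow direction, 'all' logs every dropped packet` (wording to be checked against the stock suricata.yaml it was copied from) would make the fixture self-describing. The `yes` truthy values are consistent with the `%YAML 1.1` directive at the top of the hunk, so no change is needed there.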
@@ -0,0 +1,34 @@
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
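Review bot: The checks never confirm that the SNI rule (sid:104) is what accepted the flow: `flow.alerted: true` and `flow.action: "accept"` may also be satisfied if only the `accept:hook tcp:all` rules (sid:1021/1022, which also carry `alert`) fired, so a regression in the `tls.sni` path would likely go unnoticed by a test named ruleset-vs-sni. Adding an alert filter on `alert.signature_id: 104` pins that behavior; the count in the proposal is a placeholder to be confirmed against the pcap, since the `accept:flow` rule should fire once per flow but that is inferred rather than visible here. Minor style point: `args:` uses an indented sequence while `checks:` uses a flush one, so the file mixes both sequence styles.
```yaml
# … unchanged: existing alert/drop/flow/stats filters …
- filter:
    count: 1  # PLACEHOLDER: confirm against the pcap
    match:
      event_type: alert
      alert.signature_id: 104
```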