From: Shivani Bhardwaj
Date: Thu, 4 Dec 2025 06:41:44 +0000 (+0530)
Subject: flow: add test for elephant flow detection
X-Git-Tag: suricata-7.0.14~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e2bcdbdc46017cfccc8c0966a68ae334684812b;p=thirdparty%2Fsuricata-verify.git
flow: add test for elephant flow detection
Feature 7438
---
diff --git a/tests/elephant-flow-detection/README.md b/tests/elephant-flow-detection/README.md
new file mode 100644
index 000000000..c3ae77c90
--- /dev/null
+++ b/tests/elephant-flow-detection/README.md
@@ -0,0 +1,10 @@
+Test Description
+================
+
+Test to show the output and alert logged in case of elephant flow detected.
+
+Redmine Tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/5647
+https://redmine.openinfosecfoundation.org/issues/8117
diff --git a/tests/elephant-flow-detection/suricata.yaml b/tests/elephant-flow-detection/suricata.yaml
new file mode 100644
index 000000000..0b2e39d70
--- /dev/null
+++ b/tests/elephant-flow-detection/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+flow:
+ rate-tracking:
+ bytes: 10KiB
+ interval: 10
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - flow
+ - stats
+ - alert
diff --git a/tests/elephant-flow-detection/test.rules b/tests/elephant-flow-detection/test.rules
new file mode 100644
index 000000000..9becafbc4
--- /dev/null
+++ b/tests/elephant-flow-detection/test.rules
@@ -0,0 +1,7 @@
+#alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:1;)
+#alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:2;)
+alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; prefilter; sid:1;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; sid:2;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:both; sid:3;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:either; sid:4;)
+
diff --git a/tests/elephant-flow-detection/test.yaml b/tests/elephant-flow-detection/test.yaml
new file mode 100644
index 000000000..d3824a041
--- /dev/null
+++ b/tests/elephant-flow-detection/test.yaml
@@ -0,0 +1,52 @@
+pcap: ../tcp-urgp-09-oob-exceed-limit-inline/tcp-urgent-1byte-66k.pcap
+
+args:
+- --set stats.interval=3600
+
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ # toserver
+ count: 131711
+ match:
+ alert.signature_id: 1
+
+ - filter:
+ # toclient
+ count: 131702
+ match:
+ alert.signature_id: 2
+
+ - filter:
+ # both
+ count: 131702
+ match:
+ alert.signature_id: 3
+
+ - filter:
+ # either
+ count: 131711
+ match:
+ alert.signature_id: 4
+
+ - filter:
+ count: 1
+ match:
+ stats.flow.elephant_toserver: 1
+
+ - filter:
+ count: 1
+ match:
+ stats.flow.elephant_toclient: 1
+
+ - filter:
+ count: 1
+ match:
+ flow.elephant: true
+
+ - filter:
+ count: 1
+ match:
+ flow.elephant_direction: ["toserver", "toclient"]
diff --git a/tests/elephant-flow-engine-analysis/test.rules b/tests/elephant-flow-engine-analysis/test.rules
new file mode 100644
index 000000000..69b1c63e2
--- /dev/null
+++ b/tests/elephant-flow-engine-analysis/test.rules
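Review bot: The `msg` on sid 3 and sid 4 still reads "ToClient Elephant flow found!" although those rules exercise `flow.elephant:both` and `flow.elephant:either`; the test only asserts `alert.signature_id`, so it passes, but the alert text an analyst would see for those two rules is wrong. Suggest `msg:"Both Elephant flow found!"` for sid 3 and `msg:"Either Elephant flow found!"` for sid 4. The two commented-out `threshold: type backoff` variants of sids 1 and 2 are dead lines; either drop them or add a comment stating why they are kept. The same message mismatch and the same commented-out rules are repeated in tests/elephant-flow-engine-analysis/test.rules.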
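Review bot: The alert totals 131711 and 131702 and the `count: 1` on the stats checks are bare numbers with nothing explaining what they depend on; the stats checks in particular appear to hold only while `--set stats.interval=3600` keeps eve.json to a single stats record for this pcap (inferred from the args, not verified). Suggest a comment above `checks:` such as `# NOTE: alert totals presumably reflect one alert per packet once the flow is flagged (confirm); stats checks assume a single stats record (stats.interval=3600)`, and a note on why the toserver/either and toclient/both totals differ, if that is known. As a point of style, `args:` places its list item at column 0 (`- --set ...`) while `checks:` indents its items; one convention for both would read better.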
@@ -0,0 +1,7 @@
+#alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:1;)
+#alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; threshold: type backoff, track by_flow, count 1, multiplier 10000; sid:2;)
+alert tcp any any -> any any (msg:"ToServer Elephant flow found!"; flow.elephant:toserver; sid:1;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:toclient; sid:2;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:both; sid:3;)
+alert tcp any any -> any any (msg:"ToClient Elephant flow found!"; flow.elephant:either; sid:4;)
+
diff --git a/tests/elephant-flow-engine-analysis/test.yaml b/tests/elephant-flow-engine-analysis/test.yaml
new file mode 100644
index 000000000..727c68fc0
--- /dev/null
+++ b/tests/elephant-flow-engine-analysis/test.yaml
@@ -0,0 +1,33 @@
+requires:
+ min-version: 9
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "toserver"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "toclient"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "either"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ lists.packet.matches[0].name: "flow.elephant"
+ lists.packet.matches[0].flow_elephant.dir: "both"
+
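Review bot: Each of the four checks matches only `lists.packet.matches[0].name` and `.flow_elephant.dir`, so they confirm that every direction appears exactly once in rules.json but not which rule produced it; if rules.json exposes the signature id (it appears to, as `id`, but verify against the actual output), adding it to each `match:` would pin each direction to its sid. As a point of style, the `checks:` items here sit at column 0 (`- filter:`) while tests/elephant-flow-detection/test.yaml indents them (`  - filter:`); aligning the two new files would help. A one-line comment above `pcap: false`, such as `# engine analysis only, no traffic needed`, would also make the intent of the `requires:` block obvious.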