From: Victor Julien
Date: Wed, 7 Jan 2026 13:13:17 +0000 (+0100)
Subject: tests: add test for issue 8206
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f3ab53fb124682c8dc7a83ffb8374e2bcae6650;p=thirdparty%2Fsuricata-verify.git
tests: add test for issue 8206
---
diff --git a/tests/firewall/ruletype-firewall-44-yaml-config-only/README.md b/tests/firewall/ruletype-firewall-44-yaml-config-only/README.md
new file mode 100644
index 000000000..84f57b665
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-44-yaml-config-only/README.md
@@ -0,0 +1,7 @@
+Test to check if loading firewall mode and rules purely through the yaml works.
+
+Empty test.rules is needed to avoid SV adding `--disable-detection`.
+
+Firewall rules are in a subdir to avoid SV loading it as a regular rulefile.
+
+Ticket #8206 (https://redmine.openinfosecfoundation.org/issues/8206)
diff --git a/tests/firewall/ruletype-firewall-44-yaml-config-only/firewall/fw.rules b/tests/firewall/ruletype-firewall-44-yaml-config-only/firewall/fw.rules
new file mode 100644
index 000000000..63a5f0732
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-44-yaml-config-only/firewall/fw.rules
@@ -0,0 +1,9 @@
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:101;)
+
+drop:flow tls:client_hello_done $HOME_NET any -> 172.16.0.0/12 any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+
+# Implicit drop all else
diff --git a/tests/firewall/ruletype-firewall-44-yaml-config-only/suricata.yaml b/tests/firewall/ruletype-firewall-44-yaml-config-only/suricata.yaml
new file mode 100644
index 000000000..f3ee9167b
--- /dev/null
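Review bot: The `tls.sni; content:"www.google.com"` match in sid:104 is an unanchored substring match, so this accept rule would also fire for any SNI that merely contains that string rather than only the intended host; anchoring it, e.g. `tls.sni; content:"www.google.com"; endswith;` (or a `bsize` check), keeps the accept scoped. This does not change the outcome of the test, since the ICMP pcap never exercises the TLS rules, but the file reads as a reference firewall ruleset and is likely to be copied. Sids 102 and 103 also carry no `alert` keyword while 101 and 104 do; if the drops are meant to produce no alert records, a one-line comment saying so would make the intent clear, because test.yaml's `event_type: drop` count of 0 otherwise looks incidental.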
+++ b/tests/firewall/ruletype-firewall-44-yaml-config-only/suricata.yaml
@@ -0,0 +1,76 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+
+
+firewall:
+ # toggle to enable firewall mode
+ enabled: yes
+
+ # Firewall rule file are in their own path and are not managed
+ # by Suricata-Update.
+ rule-path: /etc/suricata/firewall/
+
+ # List of files with firewall rules. Order matters, files are loaded
+ # in order and rules are applied in that order (per state, see docs)
+ rule-files: 
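Review bot: `rule-files:` at the end of the `firewall:` block is left as a bare key (with a trailing space), which YAML reads as null rather than an empty list, so on its own this config loads no firewall rules; it only works because test.yaml in the same commit overrides it with `--set firewall.rule-files.0=fw.rules`. Given the README's stated goal of loading rules purely through the yaml, listing the file in the config itself, `rule-files:` followed by `  - fw.rules`, would make the fixture self-describing and should make that `--set` redundant. `rule-path: /etc/suricata/firewall/` is likewise an absolute system path that is only correct at test time through the `${TEST_DIR}` override; a comment above it such as `# overridden by test.yaml via --set firewall.rule-path` would save the next reader from looking for that directory.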
diff --git a/tests/firewall/ruletype-firewall-44-yaml-config-only/test.rules b/tests/firewall/ruletype-firewall-44-yaml-config-only/test.rules
new file mode 100644
index 000000000..636bc1a8a
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-44-yaml-config-only/test.rules
@@ -0,0 +1 @@
+# intentionally empty
diff --git a/tests/firewall/ruletype-firewall-44-yaml-config-only/test.yaml b/tests/firewall/ruletype-firewall-44-yaml-config-only/test.yaml
new file mode 100644
index 000000000..ccf7cee0f
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-44-yaml-config-only/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 9
+ features:
+ - HAVE_JA3
+
+pcap: ../../detect-itype-prefilter/icmpv4-ping.pcap
+
+args:
+ - --simulate-ips
+ - --set firewall.rule-path=${TEST_DIR}/firewall
+ - --set firewall.rule-files.0=fw.rules
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 75
+ flow.pkts_toclient: 75
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 150
+ stats.ips.blocked: 0
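Review bot: The `checks:` sequence is written flush with its parent key while the `features:` and `args:` sequences indent their items, so the file mixes both block-sequence styles; indenting the `- filter:` entries to match the rest would keep it consistent with what yamllint's indent-sequences rule expects. Quoting is mixed in the same way: `flow.state: "established"` and `flow.action: "accept"` are quoted while `event_type: alert` and the other string values are plain, and neither form is required here since none of these values is ambiguous to a YAML parser. Behaviour is identical either way, so this is purely about how the fixture reads.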