From: Juliana Fajardini Date: Thu, 30 Oct 2025 00:31:48 +0000 (-0700) Subject: tests: add 'drop and alert queue max' tests X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=101809e8194487f669fce4c1901dec4263d69e49;p=thirdparty%2Fsuricata-verify.git tests: add 'drop and alert queue max' tests Related to Bug #5180 --- diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/README.md b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/README.md new file mode 100644 index 000000000..ee51db3ce --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/README.md @@ -0,0 +1,24 @@ +# Test + +This is a test for a corner case scenario where the amount of alerts matching +against a single packet is bigger than ``packet_alert_max`` and the discarded +alert is for a rule with a ``drop`` action. + +Regardless of discarding the alert, Suricata must still enforce its ``drop`` +action, if that matched against the packet. + +This test is also particular as it only has one packet. + +Expected result: + +Alerts for sids 1, 2, 3 and 4. Alert for sid 5 should be discarded, but the `drop` +verdict should still be present. + +# PCAP + +Re-used from test alert-max-append-higher-priority's pcap script, to keep same +scenario. + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/5180 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/suricata.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/suricata.yaml new file mode 100644 index 000000000..520021553 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/suricata.yaml 
@@ -0,0 +1,33 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + verdict: true + payload-printable: yes + - http + - flow + - stats + - drop + - anomaly + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - alert + - drop + - pass + - reject + +stats: + enabled: yes + decoder-events: true + +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +packet-alert-max: 3 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.rules b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.rules new file mode 100644 index 000000000..903ae4916 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.rules @@ -0,0 +1,11 @@ +# Engine-analysis' Internal id: 1 +alert tcp any any -> any any (msg:"Match rule 1"; dsize:<140; sid:1; rev:1;) +# Engine-analysis' Internal id: 2 +alert http any any -> any any (msg:"Match rule 2"; uricontent:"/index.html"; sid:2; rev:1;) +# Engine-analysis' Internal id: 3 +alert http any any -> any any (msg:"Match rule 3"; alert; http.request_line; bsize:10<>100; sid:3; rev:1;) +# Engine-analysis' Internal id: 4 +alert http any any -> any any (msg:"Match rule 4"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:4;) +# this one should not show in alert due to alert queue overflow +# Engine-analysis' Internal id: 0 +drop http any any -> any any (msg:"Match and drop rule 5"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:5;) diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml new file mode 100644 index 000000000..14c229b08 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/test.yaml 
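Review bot: The `action-order` block inverts the default (`alert` listed above `drop`, and `pass` below both), but the only comment records the default order and not why this test departs from it. Given `packet-alert-max: 3` and a scenario built around a `drop` rule whose alert is evicted from the queue, the ordering presumably exists so the drop rule sorts as the lowest-priority match and is the one pushed out — that should be written down, e.g. `# Non-default on purpose: alert outranks drop so the drop rule (sid 5) is the lowest-priority match and is the one evicted from the 3-slot alert queue`. A second line such as `# Test-only ordering; as written drop is ranked above pass, so do not copy into production configs` would keep this file from being lifted as a template.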
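Review bot: Only sid 5 carries `# this one should not show in alert due to alert queue overflow`, yet with `packet-alert-max: 3` in the accompanying suricata.yaml two of the five matching rules must be evicted, and test.yaml expects `stats.detect.alert_queue_overflow: 2` on 9+ with sid 4 absent there. Add the same comment above sid 4, noting that which alerts survive is version dependent (per test.yaml, 7.0.x lacks sid 3 and 9+ lacks sid 4), so the README's "Alerts for sids 1, 2, 3 and 4" — four alerts from a three-slot queue — does not mislead the next reader. Minor: sid 2 uses the legacy `uricontent` modifier while the other HTTP rules use sticky buffers; `http.uri; content:"/index.html";` keeps the file uniform, and sids 4 and 5 lack the `rev:` the others have.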
@@ -0,0 +1,120 @@ +args: +- -k none +- --runmode=single +- --set stream.midstream=true +- --simulate-ips + +pcap: ../alert-max-append-higher-priority/input.pcap + +checks: +# Sub-test 1 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 1 + verdict.action: drop +# Sub-test 2 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 2 + verdict.action: drop +# Sub-test 3 +- filter: + # suricata 7 doesn't show this alert. + # if we don't drop the flow, it matches against the stream + # (pkt_srt: stream (flow timeout)) + min-version: 9 + count: 1 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 3 + verdict.action: drop +# Sub-test 4 +- filter: + # suricata 8 doesn't show this alert + lt-version: 8.0 + count: 1 + match: + event_type: alert + alert.signature_id: 4 +# Sub-test 5 +- filter: + # suricata 7 doesn't show this alert. 
+ # if we don't drop the flow, it matches against the stream + # (pkt_srt: stream (flow timeout)) + lt-version: 8.0 + count: 0 + match: + event_type: alert + pcap_cnt: 1 + pkt_src: "wire/pcap" + alert.signature_id: 3 + verdict.action: drop +# Sub-test 6 +- filter: + min-version: 9 + count: 0 + match: + event_type: alert + alert.signature_id: 4 +# Sub-test 7 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 5 +# Sub-test 8 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pkt_src: "wire/pcap" + pcap_cnt: 1 + drop.reason: rules +# Sub-test 9 +- filter: + count: 1 + match: + event_type: flow + flow.action: drop +# Sub-test 10 +- filter: + # as suricata 7 won't have a match for sid 3, + # the overflow check fails for 7 + min-version: 9 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 2 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1 +# Sub-test 11 +- filter: + lt-version: 8.0 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 1 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/writepcap.py b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/writepcap.py new file mode 100755 index 000000000..1399831c4 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-01/writepcap.py 
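Review bot: Sub-tests 1, 2 and 8 carry both `lt-version: 8.0.4` and `gt-version: 8.0.4`; if suricata-verify ANDs version filters these checks can never be evaluated, and the `verdict.action: drop` for sids 1 and 2 goes unverified while the test still passes. If the intent is "every version except 8.0.4", a comment such as `# skip 8.0.4 only: <reason>` is needed on each, and it is worth confirming with a deliberately wrong `count` that the checks actually run. Separately, sid 3 and sid 4 are asserted only under `lt-version: 8.0` and `min-version: 9`, so 8.0.x has no expectation for either; if that gap is deliberate (fix pending backport), say so in the filter comments. The `pcap:` also points at the sibling test's `input.pcap`, so a later change to that test silently changes this one.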
@@ -0,0 +1,10 @@ +#!/usr/bin/env python +from scapy.all import * + +pkts = [] + +pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/"GET /index.html HTTP/1.0\r\nHost: www.openinfosecfoundation.org\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\nContent-Type: text/html\r\n" + +wrpcap('input.pcap', pkts) diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/README.md b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/README.md new file mode 100644 index 000000000..a0572d5fd --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/README.md @@ -0,0 +1,27 @@ +# Test + +This is a test for a corner case scenario where the amount of alerts matching +against a single packet is higher than ``packet_alert_max`` and the discarded +alert is for a rule with a ``drop`` action. + +Regardless of discarding the alert, Suricata must still enforce its ``drop`` +action, if that matched against the packet. + +Expected result: + +We should see one discarded alert, as there isn't enough space in the alert queue +for the rule with the "drop" action, and Suricata should block the traffic from +the matched packet onwards. + +Currently: + +Suricata 7 will tag the flow for dropping from packet 1. We see alerts for +sids 2, 3, and 5, only for said packet. + +## Pcap + +A single HTTP flow extracted from existing test ``http-protocol-inspect-v2`` pcap + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/5180 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/http-extracted-01.pcap b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/http-extracted-01.pcap new file mode 100644 index 000000000..f213a3f1f Binary files /dev/null and b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/http-extracted-01.pcap differ 
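Review bot: This script writes `input.pcap` into the test directory, but test.yaml in the same commit reads `../alert-max-append-higher-priority/input.pcap`, so the output is never consumed. By my count the request assembled here carries roughly 172 bytes of payload, which would not satisfy sid 1's `dsize:<140` that sub-test 1 expects to fire, so the script may not even regenerate the pcap the test actually runs against — either point `pcap:` at a locally generated `input.pcap` or drop the script and keep the README's pointer to the sibling test. Minor: `flags='P''A'` relies on adjacent-literal concatenation, `flags='PA'` says the same thing more plainly, and `#!/usr/bin/env python3` avoids resolving to a Python 2 interpreter.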
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/suricata.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/suricata.yaml new file mode 100644 index 000000000..a7e59ea3e --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/suricata.yaml @@ -0,0 +1,35 @@ +%YAML 1.1 +--- + +outputs: + - stats: + enabled: yes + filename: stats.log + append: yes # append to file (yes) or overwrite it (no) + totals: yes # stats for all threads merged together + threads: no # per thread stats + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + verdict: true + payload-printable: yes + - http + - flow + - stats + - drop + + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - alert + - drop + - pass + - reject + +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +packet-alert-max: 3 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.rules b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.rules new file mode 100644 index 000000000..bc16c1009 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.rules 
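Review bot: This config diverges from the -01 and -03 configs without a stated reason: it adds a `stats` output to `stats.log` (`totals: yes`, `threads: no`) that no check in test.yaml reads, and omits the `anomaly` eve type and the `stats.decoder-events: true` the siblings enable. Unless stats.log is needed for debugging, dropping it and aligning the three yamls leaves the tests differing only in rules and pcap, which is what the scenario is about. The non-default `action-order` (alert above drop) deserves the same one-line rationale here, e.g. `# alert outranks drop on purpose so the drop rule is the lowest-priority match and is the one evicted from the 3-slot queue`.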
@@ -0,0 +1,16 @@
+# Engine-analysis' Internal id: 2
+# We don't expect this rule to match as the flow should be dropped before packets that
+match against it would be inspected
+alert tcp any any -> any any (msg:"No match rule 1"; dsize:<140; sid:1; rev:1;)
+# Engine-analysis' Internal id: 3
+alert http any any -> any any (msg:"Match rule 2"; uricontent:"/pagead"; sid:2; rev:1;)
+# Engine-analysis' Internal id: 1
+alert http any any -> any any (msg:"Match rule 3"; http.request_line; content:"GET /pagead"; flowbits:set,suspiciousad; sid:3;)
+# Engine-analysis' Internal id: 0
+drop http any any -> any any (msg:"Match rule 4"; http.request_line; content:"GET /pagead"; flowbits:isset,suspiciousad; sid:4;)
+# Engine-analysis' Internal id: 4
+alert tcp any any -> any any (msg:"Match rule 5"; dsize:>720; sid:5; rev:1;)
+# Engine-analysis' Internal id: 5
+# We don't expect this rule to match as the flow should be dropped before packets that
+match against it would be inspected
+alert tcp any any -> any any (msg:"No match rule 6"; tcp.flags:A; sid: 6; rev:1;)
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml
new file mode 100644
index 000000000..f8204218e
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-02/test.yaml
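Review bot: The two wrapped comment continuations `match against it would be inspected` (file lines 3 and 15, as rendered here) have no leading `#`, so Suricata will try to parse them as signatures. Depending on whether the harness runs with `--init-errors-fatal`, that either aborts rule loading or logs an invalid-signature error and carries on — and in the latter case the test passes while hiding a broken rules file, so prefix both with `# `. The rationale in that comment also only fits sid 6: packet 1 is the one inspected, and test.yaml's sub-test 5 expects sid 5's `dsize:>720` to match it, so sid 1's `dsize:<140` cannot match packet 1 regardless of the drop; `# packet 1 is >720 bytes (see sid 5); later packets are dropped by the flow before inspection` is more accurate. Minor: `sid: 6` has a stray space unlike every other `sid:` in the file.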
@@ -0,0 +1,106 @@ +args: +- -k none +- --runmode=single +- --set stream.midstream=true +- --simulate-ips + +checks: +# Subtest 1 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 0 + match: + event_type: alert + alert.signature_id: 1 +# Subtest 2 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + alert.signature_id: 2 + pcap_cnt: 1 + pkt_src: "wire/pcap" + verdict.action: drop +# Subtest 3 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + alert.signature_id: 3 + pcap_cnt: 1 + pkt_src: "wire/pcap" + verdict.action: drop +# Subtest 4 +# Matches, but not enough space in packet alert queue +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 0 + match: + event_type: alert + alert.signature_id: 4 +# Subtest 5 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + alert.signature_id: 5 + pcap_cnt: 1 + pkt_src: "wire/pcap" + verdict.action: drop +# Subtest 6 +# Matches, but not enough space in packet alert queue +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 0 + match: + event_type: alert + alert.signature_id: 6 +# Subtest 7 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pcap_cnt: 1 + drop.reason: rules +# Subtest 8 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pcap_cnt: 2 + drop.reason: "flow drop" +# Subtest 9 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: flow + flow.action: "drop" +# Subtest 10 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: stats + stats.decoder.pkts: 7 + stats.detect.alert_queue_overflow: 1 + stats.detect.alert: 3 + stats.ips.accepted: 0 + stats.ips.blocked: 7 + stats.ips.drop_reason.flow_drop: 6 + stats.ips.drop_reason.rules: 1 
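Review bot: Every one of the ten checks carries `lt-version: 8.0.4` together with `gt-version: 8.0.4`; if the harness ANDs version filters, nothing here is ever evaluated and the test passes with zero assertions — a vacuous pass is the worst outcome for a test whose purpose is to prove a `drop` is still enforced when its alert is evicted. If the intent is to exclude exactly 8.0.4, that belongs once at test level (a `requires`/`skip` stanza, if suricata-verify offers one for this) together with a comment naming why 8.0.4 is special, rather than repeated on each check. Either way, confirm the checks actually run by temporarily breaking one `count` and watching the test fail.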
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/README.md b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/README.md
new file mode 100644
index 000000000..f3abd7af4
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/README.md
@@ -0,0 +1,24 @@
+# Test
+
+This is a test for a corner case scenario where the amount of alerts matching
+against a single packet is bigger than ``packet_alert_max`` and the discarded
+alert is for a rule with a ``drop`` action.
+
+Regardless of discarding the alert, Suricata must still enforce its ``drop``
+action, if that matched against the packet.
+
+This test is also particular as it only has one packet.
+
+Expected result:
+
+Alerts for sids 1, 2 and 3. Alerts for sid 4 and 5 should be discarded, but the
+`drop` verdict should still be present.
+There should be 2 alerts discarded (alert_queue_overflow).
+
+## PCAP
+
+Single packet extracted from flow/pcap from test http-sticky-server's pcap.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/5180
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/extracted-packet-http-sticky-server.pcap b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/extracted-packet-http-sticky-server.pcap
new file mode 100644
index 000000000..de4891191
Binary files /dev/null and b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/extracted-packet-http-sticky-server.pcap differ
diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/suricata.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/suricata.yaml
new file mode 100644
index 000000000..520021553
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/suricata.yaml
@@ -0,0 +1,33 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + verdict: true + payload-printable: yes + - http + - flow + - stats + - drop + - anomaly + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - alert + - drop + - pass + - reject + +stats: + enabled: yes + decoder-events: true + +# Define maximum number of possible alerts that can be triggered for the same +# packet. Default is 15 +packet-alert-max: 3 diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.rules b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.rules new file mode 100644 index 000000000..1c1077231 --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.rules @@ -0,0 +1,11 @@ +# Engine-analysis' Internal id: 1 +alert tcp any any -> any any (msg:"Match rule 1"; dsize:>140; sid:1; rev:1;) +# Engine-analysis' Internal id: 2 +alert http any any -> any any (msg:"Match rule 2"; http.host; content:"clients1.google"; sid:2; rev:1;) +# Engine-analysis' Internal id: 3 +alert http any any -> any any (msg:"Match rule 3"; alert; http.method; bsize:3; sid:3; rev:1;) +# Engine-analysis' Internal id: 4 +alert http any any -> any any (msg:"Match rule 4"; http.method; content:"GET"; sid:4;) +# this one should not show in alert due to alert queue overflow +# Engine-analysis' Internal id: 0 +drop http any any -> any any (msg:"Match and drop rule 5"; http.request_line; content:"GET /complete/search"; sid:5;) diff --git a/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml new file mode 100644 index 000000000..16186c4be --- /dev/null +++ b/tests/alert-max/alert-max-append-higher-priority-drop-5180-03/test.yaml 
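Review bot: Only sid 5 carries `# this one should not show in alert due to alert queue overflow`, yet the README and test.yaml for this test expect two evictions (`stats.detect.alert_queue_overflow: 2`, and sid 4 asserted present only under `lt-version: 8.0`). Add the same comment above sid 4, noting the version dependence (7.0.x shows sid 4 and not sid 3, 9+ the reverse), so a reader of the rules file alone does not assume four alerts fit a three-slot queue. Minor: sids 4 and 5 lack the `rev:` present on sids 1-3.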
@@ -0,0 +1,90 @@ +args: +- -k none +- --runmode=single +- --set stream.midstream=true +- --simulate-ips + +checks: +# Sub-test 1 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pkt_src: "wire/pcap" + alert.signature_id: 1 + verdict.action: drop +# Sub-test 2 +- filter: + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: alert + pkt_src: "wire/pcap" + alert.signature_id: 2 + verdict.action: drop +# Sub-test 3 +- filter: + # as with drop-5180-01 test, 7.0.x doesn't show this alert + min-version: 9 + count: 1 + match: + event_type: alert + pkt_src: "wire/pcap" + alert.signature_id: 3 + verdict.action: drop +# Sub-test 4 +- filter: + # as with drop-5180-01 test, 7.0.x shows this alert + lt-version: 8.0 + count: 1 + match: + event_type: alert + alert.signature_id: 4 +# Sub-test 5 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 5 +# Sub-test 6 +- filter: + min-version: 9 + lt-version: 8.0.4 + gt-version: 8.0.4 + count: 1 + match: + event_type: drop + pkt_src: "wire/pcap" +# Sub-test 7 +- filter: + count: 1 + match: + event_type: flow + flow.action: drop +# Sub-test 8 +- filter: + min-version: 9 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 2 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1 +# Sub-test 9 +- filter: + lt-version: 8.0 + count: 1 + match: + event_type: stats + stats.detect.alert_queue_overflow: 1 + stats.detect.alert: 3 + stats.decoder.pkts: 1 + stats.ips.blocked: 1 + stats.ips.accepted: 0 + stats.ips.drop_reason.rules: 1
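Review bot: Sub-test 6 stacks `min-version: 9`, `lt-version: 8.0.4` and `gt-version: 8.0.4` on one filter; under AND semantics `min-version: 9` with `lt-version: 8.0.4` can never hold and the `event_type: drop` check is never evaluated, and under any other semantics two of the three are redundant. Keep one form — `min-version: 9` to match sub-tests 3 and 8, or the 8.0.4 pair to match 1 and 2 — and add a comment saying why 8.0.4 is excluded. Sid 4 is also asserted only for `lt-version: 8.0` (count 1) with no counterpart for 8.x/9, unlike -01 which has a `min-version: 9` count 0 check; adding it pins the README's "sid 4 and 5 should be discarded". Sub-test 6 further omits the `drop.reason: rules` match the -01 test uses; keeping it proves the drop came from the rule rather than from elsewhere.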