From: Victor Julien Date: Tue, 24 Sep 2024 13:20:09 +0000 (+0200) Subject: tests: add basic TCP tracking firewall rules X-Git-Tag: suricata-7.0.8~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c5dbdc3a23f6057a86f8da54ea9408ac6d11fbf;p=thirdparty%2Fsuricata-verify.git tests: add basic TCP tracking firewall rules
---
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/README.md b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/README.md
new file mode 100644
index 000000000..fb5fe55fd
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/README.md
@@ -0,0 +1,4 @@
+Firewall Tests
+==============
+
+Test 3whs state tracking using flowbits.
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/suricata.yaml b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/suricata.yaml
new file mode 100644
index 000000000..b67886b55
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/suricata.yaml
@@ -0,0 +1,101 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ 'drop' due to another alert. That's the engine's verdict)
+ # verdict: yes
+ - anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is enabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # also enabled.
+ enabled: yes
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
+ # custom controls which TLS fields that are included in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # EXPERIMENTAL per packet output giving TCP state tracking details
+ # including internal state, flags, etc.
+ # This output is experimental, meant for debugging and subject to
+ # change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.rules b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.rules
new file mode 100644
index 000000000..4bc3c6353
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.rules
@@ -0,0 +1,13 @@
+# allow tcp handshake
+
+pass tcp any any -> any 443 (flags:S; flow:not_established; flowbits:set,syn; sid:1;)
+pass tcp any 443 -> any any (flags:SA; flow:not_established; flowbits:isset,syn; flowbits:set,synack; sid:2;)
+pass tcp any any -> any 443 (flags:A; flow:not_established; flowbits:isset,synack; flowbits:unset,syn; flowbits:unset,synack; sid:3;)
+
+# allow established
+
+pass tcp any any <> any 443 (flow:established; sid:4;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:5;)
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
new file mode 100644
index 000000000..e6b9e7dac
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/README.md b/tests/firewall/firewall-02-tcp-pkt-state-flow/README.md
new file mode 100644
index 000000000..809e7b46f
--- /dev/null
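Review bot: The exact flag matches `flags:S;` in sid:1 and `flags:SA;` in sid:2 do not match a handshake that negotiates ECN, where the client SYN also carries CWR+ECE and the SYN/ACK carries ECE; such packets fall through to the `drop ip` rule (sid:5) and the connection is dropped before it can become established. If the ruleset is meant as a reusable 3whs tracker rather than a fixture tied to this one pcap, ignoring the two ECN bits with `flags:S,12;` and `flags:SA,12;` avoids that; either way a comment above sid:1 such as `# exact flag match: ECN-negotiating SYNs (CWR+ECE set) are not accepted` would document the choice. sid:3 (`flags:A;`) has the same exposure if a client piggy-backs its first data segment on the handshake ACK, which then carries PSH as well.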
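Review bot: The `count: 0` checks on `event_type: alert` and `event_type: drop` also hold if the rules fail to load or never match, so the only positive evidence that the pass rules carried the handshake is the single `tls` record. Unless the harness already fails on rule-parse errors, a check that the eve stats record reports no failed rules, or a positive check tied to the expected pass sid, would pin the behaviour rather than its absence. Separately, `tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS` is a plain scalar with commas and `=`; quoting it, `tls.subject: "C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS"`, keeps it robust to reformatting. The firewall-02 test.yaml added later in this commit is the same file and has the same two points.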
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/README.md
@@ -0,0 +1,4 @@
+Firewall Tests
+==============
+
+Test 3whs state tracking using flow state.
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/suricata.yaml b/tests/firewall/firewall-02-tcp-pkt-state-flow/suricata.yaml
new file mode 100644
index 000000000..b67886b55
--- /dev/null
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/suricata.yaml
@@ -0,0 +1,101 @@
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls the interval at
+ # which stats are updated in the log.
+ interval: 8
+ # Add decode events to stats.
+ #decoder-events: true
+ # Decoder event prefix in stats. Has been 'decoder' before, but that leads
+ # to missing events in the eve.stats records. See issue #2225.
+ #decoder-events-prefix: "decoder.event"
+ # Add stream events as stats.
+ #stream-events: false
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ # payload: yes # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ # packet: yes # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ # Enable logging the final action taken on a packet by the engine
+ # (e.g: the alert may have action 'allowed' but the verdict be
+ 'drop' due to another alert. That's the engine's verdict)
+ # verdict: yes
+ - anomaly:
+ # Anomaly log records describe unexpected conditions such
+ # as truncated packets, packets with invalid IP/UDP/TCP
+ # length values, and other events that render the packet
+ # invalid for further processing or describe unexpected
+ # behavior on an established stream. Networks which
+ # experience high occurrences of anomalies may experience
+ # packet processing degradation.
+ #
+ # Anomalies are reported for the following:
+ # 1. Decode: Values and conditions that are detected while
+ # decoding individual packets. This includes invalid or
+ # unexpected values for low-level protocol lengths as well
+ # as stream related events (TCP 3-way handshake issues,
+ # unexpected sequence number, etc).
+ # 2. Stream: This includes stream related events (TCP
+ # 3-way handshake issues, unexpected sequence number,
+ # etc).
+ # 3. Application layer: These denote application layer
+ # specific conditions that are unexpected, invalid or are
+ # unexpected given the application monitoring state.
+ #
+ # By default, anomaly logging is enabled. When anomaly
+ # logging is enabled, applayer anomaly reporting is
+ # also enabled.
+ enabled: yes
+ #
+ # Choose one or more types of anomaly logging and whether to enable
+ # logging of the packet header for packet anomalies.
+ types:
+ # decode: no
+ # stream: no
+ # applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ # output TLS transaction where the session is resumed using a
+ # session id
+ #session-resumption: no
+ # ja4 hashes in tls records will never be logged unless
+ # the following is set to on. (Default off)
+ # ja4: off
+ # custom controls which TLS fields that are included in eve-log
+ #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4]
+ - files:
+ force-magic: no # force logging magic on all logged files
+ # force logging of checksums, available hash functions are md5,
+ # sha1 and sha256
+ #force-hash: [md5]
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # EXPERIMENTAL per packet output giving TCP state tracking details
+ # including internal state, flags, etc.
+ # This output is experimental, meant for debugging and subject to
+ # change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.rules b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.rules
new file mode 100644
index 000000000..c536c3c8a
--- /dev/null
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.rules
@@ -0,0 +1,11 @@
+# allow tcp handshake
+
+pass tcp any any <> any 443 (flow:not_established; sid:1;)
+
+# allow established
+
+pass tcp any any <> any 443 (flow:established; sid:4;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:5;)
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
new file mode 100644
index 000000000..e6b9e7dac
--- /dev/null
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
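Review bot: sid:1 `pass tcp any any <> any 443 (flow:not_established; sid:1;)` passes every packet on a not-yet-established port-443 flow, not only the three handshake segments, so a bare ACK, RST, FIN or data segment that arrives without a preceding SYN is passed as well until the flow ages out; unlike the flowbits variant in firewall-01 this ruleset does not enforce handshake order, it only separates port 443 from everything else. Whether such a packet is tracked as a flow at all depends on the engine's stream/midstream defaults, which this test's suricata.yaml leaves unset. If that looser behaviour is the intended contrast with firewall-01, a comment above sid:1 should say so, e.g. `# passes ANY not_established packet to/from 443, not only the 3whs (compare firewall-01)`.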