From: Victor Julien
Date: Mon, 27 Feb 2023 20:42:17 +0000 (+0100)
Subject: tests: add tcp fast open tests
X-Git-Tag: suricata-6.0.12~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40756470deca888f4f5f23c62bc9eed541b9c8d0;p=thirdparty%2Fsuricata-verify.git
tests: add tcp fast open tests
---
diff --git a/tests/tcp-fastopen-10-syn-data-ignore/README.md b/tests/tcp-fastopen-10-syn-data-ignore/README.md
new file mode 100644
index 000000000..61158d643
--- /dev/null
+++ b/tests/tcp-fastopen-10-syn-data-ignore/README.md
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap by Victor Julien
+
diff --git a/tests/tcp-fastopen-10-syn-data-ignore/input.pcap b/tests/tcp-fastopen-10-syn-data-ignore/input.pcap
new file mode 100644
index 000000000..10350e610
Binary files /dev/null and b/tests/tcp-fastopen-10-syn-data-ignore/input.pcap differ
diff --git a/tests/tcp-fastopen-10-syn-data-ignore/suricata.yaml b/tests/tcp-fastopen-10-syn-data-ignore/suricata.yaml
new file mode 100644
index 000000000..efb769f9e
--- /dev/null
+++ b/tests/tcp-fastopen-10-syn-data-ignore/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stream:
+ all: true
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: yes
+ stream: yes
+ applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ - flow
diff --git a/tests/tcp-fastopen-10-syn-data-ignore/test.rules b/tests/tcp-fastopen-10-syn-data-ignore/test.rules
new file mode 100644
index 000000000..ba2a3590f
--- /dev/null
+++ b/tests/tcp-fastopen-10-syn-data-ignore/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN/ACK ignored TFO data"; stream-event:3whs_synack_tfo_data_ignored; classtype:protocol-command-decode; sid:2210064; rev:1;)
diff --git a/tests/tcp-fastopen-10-syn-data-ignore/test.yaml b/tests/tcp-fastopen-10-syn-data-ignore/test.yaml
new file mode 100644
index 000000000..1802b00ac
--- /dev/null
+++ b/tests/tcp-fastopen-10-syn-data-ignore/test.yaml
@@ -0,0 +1,56 @@
+requires:
+ files:
+ - src/output-eve-stream.c
+
+args:
+- --simulate-ips
+#- --set stream.midstream=true
+#- --set stream.midstream-policy=ignore
+- --runmode=single
+#- --set stats.stream-events=true
+- --set flow-timeouts.tcp.new=60
+- --set flow-timeouts.tcp.established=600
+# Long timeout to avoid midstream pickup at the end.
+- --set flow-timeouts.tcp.closed=60
+
+
+checks:
+ - filter:
+ count: 2
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 1
+ direction: "to_server"
+ stream_tcp.session.state: "syn_sent"
+ stream_tcp.packet.len: 585
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 2
+ direction: "to_client"
+ stream_tcp.session.state: "syn_recv"
+ stream_tcp.events[0]: "stream.3whs_synack_tfo_data_ignored"
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 3
+ direction: "to_server"
+ stream_tcp.session.state: "syn_sent"
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "icloud.com"
+ tls.version: "UNDETERMINED"
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "icloud.com"
+ tls.version: "TLS 1.3"
diff --git a/tests/tcp-fastopen-11-reject-syn-data/README.md b/tests/tcp-fastopen-11-reject-syn-data/README.md
new file mode 100644
index 000000000..61158d643
--- /dev/null
+++ b/tests/tcp-fastopen-11-reject-syn-data/README.md
@@ -0,0 +1,5 @@
+PCAP
+====
+
+Pcap by Victor Julien
+
diff --git a/tests/tcp-fastopen-11-reject-syn-data/suricata.yaml b/tests/tcp-fastopen-11-reject-syn-data/suricata.yaml
new file mode 100644
index 000000000..efb769f9e
--- /dev/null
+++ b/tests/tcp-fastopen-11-reject-syn-data/suricata.yaml
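Review bot: The stream-event rule added in test.rules (sid 2210064) is never asserted in test.yaml — there is no `event_type: alert` filter, so a regression in matching `3whs_synack_tfo_data_ignored` via the rule would go unnoticed while the `stream_tcp.events[0]` check on pcap_cnt 2 still passes. The same gap is in tests/tcp-fastopen-11-reject-syn-data/test.yaml. Since the stream_tcp check already expects that event on pcap_cnt 2, an alert check keyed on the same packet and sid should hold; the anomaly output enabled in suricata.yaml (`stream: yes`) is likewise unasserted and could get an `event_type: anomaly` filter. The commented-out `--set stream.midstream*` and `--set stats.stream-events=true` args read as leftovers and make it unclear whether midstream handling is in scope here; either drop them or add a one-line comment saying why they are kept.
```yaml
# … unchanged: existing checks …
  - filter:
      count: 1
      match:
        event_type: alert
        pcap_cnt: 2
        alert.signature_id: 2210064
```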
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stream:
+ all: true
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: yes
+ stream: yes
+ applayer: yes
+ #packethdr: no
+ - tls:
+ extended: yes # enable this for extended logging information
+ - flow
diff --git a/tests/tcp-fastopen-11-reject-syn-data/test.rules b/tests/tcp-fastopen-11-reject-syn-data/test.rules
new file mode 100644
index 000000000..ba2a3590f
--- /dev/null
+++ b/tests/tcp-fastopen-11-reject-syn-data/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"SURICATA STREAM 3way handshake SYN/ACK ignored TFO data"; stream-event:3whs_synack_tfo_data_ignored; classtype:protocol-command-decode; sid:2210064; rev:1;)
diff --git a/tests/tcp-fastopen-11-reject-syn-data/test.yaml b/tests/tcp-fastopen-11-reject-syn-data/test.yaml
new file mode 100644
index 000000000..d515ea246
--- /dev/null
+++ b/tests/tcp-fastopen-11-reject-syn-data/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ files:
+ - src/output-eve-stream.c
+
+args:
+- --simulate-ips
+- --runmode=single
+- --set flow-timeouts.tcp.new=60
+- --set flow-timeouts.tcp.established=600
+- --set flow-timeouts.tcp.closed=60
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 1
+ direction: "to_server"
+ stream_tcp.session.state: "syn_sent"
+ stream_tcp.packet.len: 585
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 2
+ direction: "to_client"
+ stream_tcp.session.state: "syn_recv"
+ stream_tcp.events[0]: "stream.3whs_synack_tfo_data_ignored"
+ - filter:
+ count: 1
+ match:
+ event_type: stream_tcp
+ pcap_cnt: 3
+ direction: "to_server"
+ stream_tcp.session.state: "established"
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: "icloud.com"
+ tls.version: "TLS 1.3"
diff --git a/tests/tcp-fastopen-11-reject-syn-data/tlpw-tcp-tfo-data-on-syn-nack.pcap b/tests/tcp-fastopen-11-reject-syn-data/tlpw-tcp-tfo-data-on-syn-nack.pcap
new file mode 100644
index 000000000..79ada5be9
Binary files /dev/null and b/tests/tcp-fastopen-11-reject-syn-data/tlpw-tcp-tfo-data-on-syn-nack.pcap differ