From: Juliana Fajardini
Date: Wed, 17 Aug 2022 15:18:13 +0000 (-0300)
Subject: tests: add ips midstream exception policy tests
X-Git-Tag: suricata-6.0.8~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=49b3772564c3e8cfa7878d6076d1ba282b57aa99;p=thirdparty%2Fsuricata-verify.git

tests: add ips midstream exception policy tests
---

diff --git a/tests/exception-policy-midstream-01/README.md b/tests/exception-policy-midstream-01/README.md
new file mode 100644
index 000000000..89bedd34d
--- /dev/null
+++ b/tests/exception-policy-midstream-01/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``pass-flow`` in IPS mode in a stream firstly seen by Suricata during SYNACK
+stage.
+
+# Behavior
+
+We expect to have zero alerts, but see ``http`` events logged, as the flow will
+still be inspected.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com
diff --git a/tests/exception-policy-midstream-01/input.pcap b/tests/exception-policy-midstream-01/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-midstream-01/input.pcap differ
diff --git a/tests/exception-policy-midstream-01/suricata.yaml b/tests/exception-policy-midstream-01/suricata.yaml
new file mode 100644
index 000000000..b22aeadcd
--- /dev/null
+++ b/tests/exception-policy-midstream-01/suricata.yaml
@@ -0,0 +1,28 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes
+            payload-buffer-size: 4kb
+            payload-printable: yes
+            packet: yes
+            http: yes
+            tls: yes
+            ssh: yes
+            smtp: yes
+            xff:
+              enabled: yes
+              mode: extra-data
+              deployment: reverse
+              header: X-Forwarded-For
+        - flow
+        - http
+        - drop:
+            alerts: yes
+            flows: all
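Review bot: The eve-log block in this suricata.yaml enables outputs the test never exercises (`tls`, `ssh`, `smtp`, the `xff` section, packet/payload logging) and a `drop` logger whose events no check in the matching test.yaml reads. The minimal `types: [alert, flow, http]` form used by tests/exception-policy-midstream-04/suricata.yaml covers everything the checks look at and makes the intent of the test easier to read. If the `drop` logger is kept on purpose, a `count: 0` check on `event_type: drop` in test.yaml would give it a job, since a pass-flow policy should produce no drops.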
diff --git a/tests/exception-policy-midstream-01/test.rules b/tests/exception-policy-midstream-01/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-midstream-01/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-midstream-01/test.yaml b/tests/exception-policy-midstream-01/test.yaml
new file mode 100644
index 000000000..77d4e07f8
--- /dev/null
+++ b/tests/exception-policy-midstream-01/test.yaml
@@ -0,0 +1,18 @@
+args:
+- --simulate-ips
+- --set stream.midstream-policy=pass-flow
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: pass
+  - filter:
+      count: 0
+      match:
+        event_type: http
diff --git a/tests/exception-policy-midstream-02/README.md b/tests/exception-policy-midstream-02/README.md
new file mode 100644
index 000000000..462889381
--- /dev/null
+++ b/tests/exception-policy-midstream-02/README.md
@@ -0,0 +1,18 @@
+# Test
+
+Check that the midstream-policy is properly set to fail closed when
+stream.midstream-policy=drop-flow in IPS mode in a stream first seen by Suricata
+in SYNACK stage.
+
+# Behavior
+
+Neither the alert or anomaly events that would be logged with default behavior
+will show, as the flow is being dropped.
+
+# Traffic Description
+
+TCP async traffic with only the server to client side of a IMAP session
+
+# Pcap
+
+Pcap from https://github.com/mtimebombm/suricata/blob/master/imap-server.pcap
diff --git a/tests/exception-policy-midstream-02/input.pcap b/tests/exception-policy-midstream-02/input.pcap
new file mode 100644
index 000000000..154af0820
Binary files /dev/null and b/tests/exception-policy-midstream-02/input.pcap differ
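Review bot: The last check in this test.yaml asserts `event_type: http` with `count: 0`, while the README added for the same test says ``http`` events are expected "as the flow will still be inspected", so the documentation and the check contradict each other. With a pass-flow policy the flow is passed rather than inspected further, so the `count: 0` looks like the intended behaviour and the README sentence is the one to fix, e.g. `We expect to have zero alerts and no ``http`` events, as the flow is passed without further inspection.` The same README/check mismatch is present in tests/exception-policy-midstream-04 and tests/exception-policy-midstream-05, whose test.yaml files also assert zero `http` events.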
diff --git a/tests/exception-policy-midstream-02/suricata.yaml b/tests/exception-policy-midstream-02/suricata.yaml
new file mode 100644
index 000000000..d4e75dae9
--- /dev/null
+++ b/tests/exception-policy-midstream-02/suricata.yaml
@@ -0,0 +1,19 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+        - anomaly:
+            enabled: yes
+            types:
+              decode: no
+              stream: yes
+              applayer: yes
+        - drop:
+            alerts: yes # log alerts that caused drops
+            flows: start # start or all: 'start' logs only a single drop
+                          # per flow direction. All logs each dropped pkt.
+        - flow
diff --git a/tests/exception-policy-midstream-02/test.rules b/tests/exception-policy-midstream-02/test.rules
new file mode 100644
index 000000000..6c37036b6
--- /dev/null
+++ b/tests/exception-policy-midstream-02/test.rules
@@ -0,0 +1,2 @@
+# look for a content match crossing packet payload boundaries
+alert tcp any 143 -> any any (content:"C6 OK ID completed|0d 0a|* 21 EXISTS|0d 0a|* 6 RECENT"; flow:to_client; sid:1;)
diff --git a/tests/exception-policy-midstream-02/test.yaml b/tests/exception-policy-midstream-02/test.yaml
new file mode 100644
index 000000000..46e4d1fc6
--- /dev/null
+++ b/tests/exception-policy-midstream-02/test.yaml
@@ -0,0 +1,24 @@
+args:
+- --simulate-ips
+- --set stream.async-oneside=true
+- --set stream.midstream-policy=drop-flow
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        drop.reason: stream midstream
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
+  - filter:
+      count: 0
+      match:
+        event_type: anomaly
diff --git a/tests/exception-policy-midstream-03/README.md b/tests/exception-policy-midstream-03/README.md
new file mode 100644
index 000000000..1c1f48d09
--- /dev/null
+++ b/tests/exception-policy-midstream-03/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that Suricata behaves as expected with no midstream-policy set (that is,
+with default behavior), in IPS mode, in a stream first seen by Suricata in
+SYNACK stage.
+
+# Behavior
+
+With midstream true but no exception policy for midstream set we expect to see
+alerts and ``http`` events logged, as the portion of the flow available will be
+inspected and no exception policy for midstream will be applied.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com
diff --git a/tests/exception-policy-midstream-03/input.pcap b/tests/exception-policy-midstream-03/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-midstream-03/input.pcap differ
diff --git a/tests/exception-policy-midstream-03/suricata.yaml b/tests/exception-policy-midstream-03/suricata.yaml
new file mode 100644
index 000000000..49d9203a7
--- /dev/null
+++ b/tests/exception-policy-midstream-03/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes
+            payload-buffer-size: 4kb
+            payload-printable: yes
+            packet: yes
+            http: yes
+        - flow
+        - http
diff --git a/tests/exception-policy-midstream-03/test.rules b/tests/exception-policy-midstream-03/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-midstream-03/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-midstream-03/test.yaml b/tests/exception-policy-midstream-03/test.yaml
new file mode 100644
index 000000000..f5a096317
--- /dev/null
+++ b/tests/exception-policy-midstream-03/test.yaml
@@ -0,0 +1,24 @@
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+
+  # Check that we only have one alert event type in eve.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        src_port: 80
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        dest_port: 80
+        flow.state: closed
+        flow.alerted: true
+  - filter:
+      count: 1
+      match:
+        event_type: http
+        dest_port: 80
diff --git a/tests/exception-policy-midstream-04/README.md b/tests/exception-policy-midstream-04/README.md
new file mode 100644
index 000000000..3beb9f187
--- /dev/null
+++ b/tests/exception-policy-midstream-04/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``pass-flow`` in IPS mode, when the stream is first seen by Suricata in ACK
+stage.
+
+# Behavior
+
+We expect to have no alerts, but to see ``http`` events logged, as the flow will
+be inspected still.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-midstream-04/input.pcap b/tests/exception-policy-midstream-04/input.pcap
new file mode 100644
index 000000000..c5b1c5155
Binary files /dev/null and b/tests/exception-policy-midstream-04/input.pcap differ
diff --git a/tests/exception-policy-midstream-04/suricata.yaml b/tests/exception-policy-midstream-04/suricata.yaml
new file mode 100644
index 000000000..e142e7086
--- /dev/null
+++ b/tests/exception-policy-midstream-04/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert
+        - flow
+        - http
diff --git a/tests/exception-policy-midstream-04/test.rules b/tests/exception-policy-midstream-04/test.rules
new file mode 100644
index 000000000..e6d1c657d
--- /dev/null
+++ b/tests/exception-policy-midstream-04/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (http_response_line; content:"200 OK"; sid:1;)
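Review bot: The comment `# Check that we only have one alert event type in eve.` promises more than the filter below it verifies: the match is scoped with `src_port: 80`, so an alert on any other port would not be counted and `count: 1` does not establish that there is exactly one alert overall. Either drop `src_port: 80` from the match, or make the comment describe the scoped check, e.g. `# Exactly one alert is expected for the server-to-client side (src_port 80).` The `flow` and `http` checks have the same port scoping, which is fine as long as the comment does not claim a global count.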
diff --git a/tests/exception-policy-midstream-04/test.yaml b/tests/exception-policy-midstream-04/test.yaml
new file mode 100644
index 000000000..e58e756aa
--- /dev/null
+++ b/tests/exception-policy-midstream-04/test.yaml
@@ -0,0 +1,19 @@
+args:
+- --simulate-ips
+- --set stream.midstream-policy=pass-flow
+
+checks:
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.action: pass
+- filter:
+    count: 0
+    match:
+      event_type: http
diff --git a/tests/exception-policy-midstream-05/README.md b/tests/exception-policy-midstream-05/README.md
new file mode 100644
index 000000000..0755cff3c
--- /dev/null
+++ b/tests/exception-policy-midstream-05/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``bypass`` in IPS mode, when the engine firstly sees the stream during SYNACK
+stage.
+
+# Behavior
+
+We expect to have no alerts, but to see ``http`` events logged, as the flow will
+be inspected still.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-midstream-05/input.pcap b/tests/exception-policy-midstream-05/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-midstream-05/input.pcap differ
diff --git a/tests/exception-policy-midstream-05/suricata.yaml b/tests/exception-policy-midstream-05/suricata.yaml
new file mode 100644
index 000000000..b22aeadcd
--- /dev/null
+++ b/tests/exception-policy-midstream-05/suricata.yaml
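Review bot: The `checks:` list items in this test.yaml sit at column 0 (`- filter:` with `count:` indented by four), while the six sibling test.yaml files in this commit indent the items by two spaces under `checks:`; both parse, but one layout across the series makes the files easier to compare. The alert check is also the only one in the series scoped by `alert.signature_id: 1`; with a single rule in test.rules the result is the same, but an unscoped `event_type: alert` with `count: 0` would match the other tests and would also catch any unexpected alert.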
@@ -0,0 +1,28 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            payload: yes
+            payload-buffer-size: 4kb
+            payload-printable: yes
+            packet: yes
+            http: yes
+            tls: yes
+            ssh: yes
+            smtp: yes
+            xff:
+              enabled: yes
+              mode: extra-data
+              deployment: reverse
+              header: X-Forwarded-For
+        - flow
+        - http
+        - drop:
+            alerts: yes
+            flows: all
diff --git a/tests/exception-policy-midstream-05/test.rules b/tests/exception-policy-midstream-05/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-midstream-05/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-midstream-05/test.yaml b/tests/exception-policy-midstream-05/test.yaml
new file mode 100644
index 000000000..3edf00e2e
--- /dev/null
+++ b/tests/exception-policy-midstream-05/test.yaml
@@ -0,0 +1,18 @@
+args:
+- --simulate-ips
+- --set stream.midstream-policy=bypass
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.state: bypassed
+  - filter:
+      count: 0
+      match:
+        event_type: http
diff --git a/tests/exception-policy-midstream-06/README.md b/tests/exception-policy-midstream-06/README.md
new file mode 100644
index 000000000..e49cc2aa7
--- /dev/null
+++ b/tests/exception-policy-midstream-06/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``drop-flow`` in IPS mode, when the stream is first seen by Suricata in ACK
+stage.
+
+# Behavior
+
+We expect to only see ``drop`` and ``flow`` events logged, as the flow will be
+droped.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
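Review bot: The README for this test says the pcap was cut down with Wireshark to the http packets only, but the input.pcap added for tests/exception-policy-midstream-05 is blob `7a89ef172`, the same full capture used by -01 and -03, whereas the http-only capture used by -04 is blob `c5b1c5155`; the README's "SYNACK stage" wording matches the full capture, so the Pcap paragraph appears to have been copied from -04 and is the part to correct. This matters for what the checks here mean: `flow.state: bypassed` on a flow first seen at SYN/ACK is a different case from the ACK-stage bypass in -07, and the README should describe the capture actually committed. Consider stating the first-seen stage in the Pcap paragraph, e.g. `Pcap is the result of a curl to www.testmyids.com; the stream is first seen at SYN/ACK.`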
diff --git a/tests/exception-policy-midstream-06/input-http-ACK.pcap b/tests/exception-policy-midstream-06/input-http-ACK.pcap
new file mode 100644
index 000000000..c5b1c5155
Binary files /dev/null and b/tests/exception-policy-midstream-06/input-http-ACK.pcap differ
diff --git a/tests/exception-policy-midstream-06/suricata.yaml b/tests/exception-policy-midstream-06/suricata.yaml
new file mode 100644
index 000000000..d672946e9
--- /dev/null
+++ b/tests/exception-policy-midstream-06/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+        - flow
+        - http
+        - drop:
+            alerts: yes
+            flows: all
diff --git a/tests/exception-policy-midstream-06/test.rules b/tests/exception-policy-midstream-06/test.rules
new file mode 100644
index 000000000..d0368df50
--- /dev/null
+++ b/tests/exception-policy-midstream-06/test.rules
@@ -0,0 +1 @@
+drop http any any -> any any (msg:"broad http rule"; sid:1;)
diff --git a/tests/exception-policy-midstream-06/test.yaml b/tests/exception-policy-midstream-06/test.yaml
new file mode 100644
index 000000000..67c8de631
--- /dev/null
+++ b/tests/exception-policy-midstream-06/test.yaml
@@ -0,0 +1,19 @@
+args:
+- --simulate-ips
+- --set stream.midstream-policy=drop-flow
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: http
+  - filter:
+      count: 2
+      match:
+        event_type: drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: drop
+
diff --git a/tests/exception-policy-midstream-07/README.md b/tests/exception-policy-midstream-07/README.md
new file mode 100644
index 000000000..85457e58c
--- /dev/null
+++ b/tests/exception-policy-midstream-07/README.md
@@ -0,0 +1,13 @@
+# Test
+
+Check that the midstream-policy is properly applied in case it's set to
+``bypass`` in IPS mode when the engine firstly sees the stream during ACK
+state.
+
+# Behavior
+
+We expect to only see a ``flow`` event logged, as the flow will be bypassed.
+
+# Pcap
+
+Pcap is borrowed from the smb3-01 SV test.
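Review bot: The `event_type: drop` check with `count: 2` does not constrain why the packets were dropped, so the test still passes if the drops come from the `drop http` rule in test.rules instead of from the midstream policy; adding `drop.reason: stream midstream` to that match, as tests/exception-policy-midstream-02/test.yaml does, pins the drops to the policy under test. A `count: 0` check on `event_type: alert` would additionally document that the rule never got to fire, which is the point of the fail-closed behaviour. The capture is committed as `input-http-ACK.pcap` while every other test in the series uses `input.pcap`; if the runner only picks up pcaps by glob this works, but naming it like the others (or pointing the test at it explicitly, if the runner supports that) avoids depending on that behaviour.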
diff --git a/tests/exception-policy-midstream-07/input.pcap b/tests/exception-policy-midstream-07/input.pcap
new file mode 100644
index 000000000..0adc7740e
Binary files /dev/null and b/tests/exception-policy-midstream-07/input.pcap differ
diff --git a/tests/exception-policy-midstream-07/suricata.yaml b/tests/exception-policy-midstream-07/suricata.yaml
new file mode 100644
index 000000000..67597409a
--- /dev/null
+++ b/tests/exception-policy-midstream-07/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - flow
+        - smb
+        - drop:
+            alerts: yes
+            flows: all
diff --git a/tests/exception-policy-midstream-07/test.rules b/tests/exception-policy-midstream-07/test.rules
new file mode 100644
index 000000000..db3bd63d1
--- /dev/null
+++ b/tests/exception-policy-midstream-07/test.rules
@@ -0,0 +1 @@
+alert smb any any -> any any (msg: "broad smb rule"; sid:1;)
diff --git a/tests/exception-policy-midstream-07/test.yaml b/tests/exception-policy-midstream-07/test.yaml
new file mode 100644
index 000000000..73e9d6671
--- /dev/null
+++ b/tests/exception-policy-midstream-07/test.yaml
@@ -0,0 +1,18 @@
+args:
+- --simulate-ips
+- --set stream.midstream-policy=bypass
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: pass
+  - filter:
+      count: 0
+      match:
+        event_type: smb
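Review bot: The flow check for this `bypass` test matches only `flow.action: pass`, which is the same value the pass-flow tests (-01 and -04) assert, so the test cannot distinguish a bypassed flow from a merely passed one. tests/exception-policy-midstream-05/test.yaml exercises the same policy and asserts `flow.state: bypassed`; adding that key to the match here (it can sit next to `flow.action: pass`) makes the two bypass tests agree and ties the check to the policy actually configured in args. The suricata.yaml for this test also enables the `drop` logger with `flows: all` although no check reads it; a `count: 0` on `event_type: drop` would confirm bypass produced no drops, or the logger can be left out as in -04.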