From: Victor Julien
Date: Mon, 31 Mar 2025 08:25:19 +0000 (+0200)
Subject: tests: firewall tests
X-Git-Tag: suricata-7.0.11~105
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=61d3d5cfa441b485e69d24af92231716a3880498;p=thirdparty%2Fsuricata-verify.git
tests: firewall tests
---
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
index e6b9e7dac..d1e6556ea 100644
--- a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../tls/tls-random/input.pcap
 args:
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
index e6b9e7dac..d1e6556ea 100644
--- a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../tls/tls-random/input.pcap
 args:
diff --git a/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml b/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
index e6b9e7dac..d1e6556ea 100644
--- a/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
+++ b/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../tls/tls-random/input.pcap
 args:
diff --git a/tests/firewall/firewall-04-tls-sni-enforce/test.yaml b/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
index e6f58dbac..7e204b71e 100644
--- a/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
+++ b/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../bug-2646-01/input.pcap
 args:
diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
index 4a1b7618c..5180be1a3 100644
--- a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
+++ b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../bug-2646-01/input.pcap
 args:
diff --git a/tests/firewall/ruletype-firewall-01-flow-start/firewall.rules b/tests/firewall/ruletype-firewall-01-flow-start/firewall.rules
new file mode 100644
index 000000000..53b88e7d1
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-01-flow-start/firewall.rules
@@ -0,0 +1,2 @@
+accept:flow tcp:flow_start any any -> any 443 (flow:to_server; sid:1;)
+drop:flow tcp:flow_start any any -> any any (sid:2;)
diff --git a/tests/firewall/ruletype-firewall-01-flow-start/suricata.yaml b/tests/firewall/ruletype-firewall-01-flow-start/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-01-flow-start/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-01-flow-start/test.yaml b/tests/firewall/ruletype-firewall-01-flow-start/test.yaml new file mode 100644 index 000000000..6f877f5bc --- /dev/null +++ b/tests/firewall/ruletype-firewall-01-flow-start/test.yaml 
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
diff --git a/tests/firewall/ruletype-firewall-02-flow-start/firewall.rules b/tests/firewall/ruletype-firewall-02-flow-start/firewall.rules
new file mode 100644
index 000000000..529b443a8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-02-flow-start/firewall.rules
@@ -0,0 +1,2 @@
+accept:flow tcp:flow_start any any -> any 80 (flow:to_server; alert; sid:1;)
+drop:flow tcp:flow_start any any -> any any (sid:2;)
diff --git a/tests/firewall/ruletype-firewall-02-flow-start/suricata.yaml b/tests/firewall/ruletype-firewall-02-flow-start/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-02-flow-start/suricata.yaml
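Review bot: The three checks in ruletype-firewall-01's test.yaml are satisfied equally well by a run in which the firewall ruleset never engages: sid 1 carries no `alert` keyword, so an accepted 443 flow produces no alert, and zero drops plus one `tls` record is also what plain processing of this pcap yields. Pin the accept explicitly, as ruletype-firewall-03 does, with a check like `event_type: flow` / `flow.action: accept` and a stats check that carries `stats.ips.blocked: 0` next to the accepted count. Whether the pcap holds any non-443 flow that sid 2 would drop is not visible here; if it does not, the `drop` count of 0 adds nothing.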
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-02-flow-start/test.yaml b/tests/firewall/ruletype-firewall-02-flow-start/test.yaml new file mode 100644 index 000000000..ee89e692d --- /dev/null +++ b/tests/firewall/ruletype-firewall-02-flow-start/test.yaml 
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.action: blocked
+- filter:
+ count: 13
+ match:
+ event_type: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
diff --git a/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/firewall.rules b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/firewall.rules
new file mode 100644
index 000000000..63a5f0732
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/firewall.rules
@@ -0,0 +1,9 @@
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:101;)
+
+drop:flow tls:client_hello_done $HOME_NET any -> 172.16.0.0/12 any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+
+# Implicit drop all else
diff --git a/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/suricata.yaml b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/suricata.yaml
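Review bot: The `alert.action: blocked` match in ruletype-firewall-02's test.yaml accepts any blocking alert, so it does not prove that the `drop:flow` rule is what fired; add `alert.signature_id: 2` to that filter. The 13 `drop` records are likewise not tied to a cause — add a stats check with `stats.ips.blocked: 13` and the applicable `stats.ips.drop_reason.*` counter, as ruletype-firewall-08 and -09 do (which counter a `drop:flow` at flow_start increments is not visible in this hunk, so take it from a run).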
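Review bot: sid 104 accepts the entire flow on an unanchored `tls.sni; content:"www.google.com"`, which also matches any SNI that merely contains that string, such as `www.google.com.attacker.example`; since the SNI is chosen by the client, an accept keyed on it should pin the full value, e.g. `tls.sni; content:"www.google.com"; startswith; endswith;` (or `bsize:14;`). sid 102 is also the only TLS rule in this commit aimed at `172.16.0.0/12`, a range inside `$HOME_NET`, whereas the same rule in the other rule files targets `$EXTERNAL_NET`; a comment should say whether that is deliberate. The pcap for this test is ICMP only, so none of the TLS rules can match; a header comment such as `# TLS rules below cannot match the ping pcap; they are here to exercise rule loading (hence requires HAVE_JA3)` would stop the next reader from looking for missing checks — presumably that is the intent.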
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/test.yaml b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/test.yaml new file mode 100644 index 000000000..1b8c585ef --- /dev/null +++ b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/test.yaml 
@@ -0,0 +1,35 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../detect-itype-prefilter/icmpv4-ping.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 75
+ flow.pkts_toclient: 75
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 150
+ stats.ips.blocked: 0
diff --git a/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/firewall.rules b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/firewall.rules
new file mode 100644
index 000000000..6fc79ac5e
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/firewall.rules
@@ -0,0 +1,29 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/suricata.yaml b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/suricata.yaml
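Review bot: sid 1021 uses a bidirectional header, so together with the implicit default drop it also accepts an unsolicited SYN arriving from `$EXTERNAL_NET` with source port 443 toward any port on `$HOME_NET`, not only the outbound handshake; if `<>` is there only so the SYN-ACK is admitted, split it into `$HOME_NET any -> $EXTERNAL_NET 443 (flow:to_server,not_established; ...)` and `$EXTERNAL_NET 443 -> $HOME_NET any (flow:to_client,not_established; ...)`, and the same for the copies of this rule in the other rule files. Separately, sid 104 (`accept:flow` at client_hello_done) is evaluated before sid 103 (`drop:flow` at server_hello_done); if `accept:flow` ends firewall evaluation for the flow, as the `flow.action: accept` expectations in the tests suggest, the TLS 1.0 drop can never apply to a flow whose SNI passed sid 104 — worth a comment next to sid 103 either way.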
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/test.yaml b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/test.yaml new file mode 100644 index 000000000..595ecea41 --- /dev/null +++ b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/test.yaml 
@@ -0,0 +1,71 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
diff --git a/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/firewall.rules b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/firewall.rules
new file mode 100644
index 000000000..bd3872956
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/firewall.rules
@@ -0,0 +1,9 @@
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow, packet by packet
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/suricata.yaml b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/test.yaml b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/test.yaml new file mode 100644 index 000000000..87c593247 --- /dev/null +++ b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/test.yaml 
@@ -0,0 +1,49 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 59
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
diff --git a/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/firewall.rules b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/firewall.rules
new file mode 100644
index 000000000..4041767d2
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/firewall.rules
@@ -0,0 +1,9 @@
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow. Bidir as we don't know which side will talk first.
+accept:flow tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/suricata.yaml b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/test.yaml b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/test.yaml new file mode 100644 index 000000000..45ea4fb35 --- /dev/null +++ b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/test.yaml 
@@ -0,0 +1,49 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: accept
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
diff --git a/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/firewall.rules b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/firewall.rules
new file mode 100644
index 000000000..52c1b1185
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/firewall.rules
@@ -0,0 +1,10 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/suricata.yaml b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/test.yaml b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/test.yaml new file mode 100644 index 000000000..f87a80081 --- /dev/null +++ b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/test.yaml 
@@ -0,0 +1,45 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 59
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed" # TODO due to no drop being applied to the flow, we only drop after stream/app-layer
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 3
+ stats.ips.blocked: 59
+ stats.ips.drop_reason.default_packet_policy: 59
diff --git a/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/firewall.rules b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/firewall.rules
new file mode 100644
index 000000000..034d6c654
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/firewall.rules
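Review bot: The `# TODO` trailing `flow.state: "closed"` is the only explanation of a counter-intuitive expectation — all 59 established packets are dropped by the default packet policy (`stats.ips.drop_reason.default_packet_policy: 59`) yet the flow still reaches `closed` — and it says neither what is wrong nor what should change. Reword it so it stands on its own, e.g. `# NOTE: packets dropped by the default packet policy still update stream state (the drop is applied after stream/app-layer), so the flow reaches closed; revisit once such drops stop feeding the stream engine`. Keeping the rationale next to the value that depends on it is right; it just needs to be a statement rather than an open TODO.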
@@ -0,0 +1,29 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+# should not match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.bing.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:packet tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/suricata.yaml b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/test.yaml b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/test.yaml new file mode 100644 index 000000000..decfaea2e --- /dev/null +++ b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/test.yaml 
@@ -0,0 +1,73 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 7
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 53
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 9
+ stats.ips.blocked: 53
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 52
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/firewall.rules b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/firewall.rules
new file mode 100644
index 000000000..034d6c654
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/firewall.rules
@@ -0,0 +1,29 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+# should not match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.bing.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:packet tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/td.rules b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/td.rules new file mode 100644 index 000000000..b9d167efe --- /dev/null +++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/td.rules @@ -0,0 +1 @@ +drop tcp any any -> any any (dsize:21; seq:538452275; sid:999;) 
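Review bot: sid 999 drops on a raw sequence number (`seq:538452275`) with no comment, so nothing in the file says which packet of dump_mtu300.pcap it is meant to hit or why; the test.yaml in this commit pins it to `pcap_cnt: 6` and expects `stats.ips.drop_reason.rules: 1`, with fw rule 1023 logged as `allowed` on the same packet. A header comment such as `# hits exactly packet 6 of the pcap: a td drop on a packet that fw accept:hook rule 1023 also accepts, to check that the packet is still blocked` would keep that intent with the rule. Matching on an absolute seq also presumably makes the fixture break if the pcap is ever regenerated — worth noting in the same comment.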
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml new file mode 100644 index 000000000..6fc663b02 --- /dev/null +++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml @@ -0,0 +1,93 @@ +requires: + min-version: 8 + features: + - HAVE_JA3 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 + alert.action: blocked + pcap_cnt: 6 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 6 +- filter: + count: 3 # 105 also matches here + match: + event_type: alert + pcap_cnt: 6 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 7 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 54 # 53 + 1 (drop sid 999) + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 8 + stats.ips.blocked: 54 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.rules: 1 + stats.ips.drop_reason.flow_drop: 52 
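Review bot: The first two checks carry the point of the test — on pcap_cnt 6 sid 999 is `blocked` while fw rule 1023 on the same packet is `allowed`, and the drop total goes up by one — but the only comment in the file is `# 105 also matches here`, so a reader has to diff against the sibling test to see what is being asserted. A comment above the first check, e.g. `# packet 6: td rule 999 blocks the packet although fw rule 1023 accepted it (drop_reason.rules: 1 below)`, would make the expectation self-explaining. The `count: 54 # 53 + 1 (drop sid 999)` comment refers to a number taken from another test's test.yaml without naming that test; naming it would let the next person re-derive the baseline.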
diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/firewall.rules b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/firewall.rules
new file mode 100644
index 000000000..af4ab86c1
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/firewall.rules
@@ -0,0 +1,22 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# should match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/suricata.yaml b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/td.rules b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/td.rules new file mode 100644 index 000000000..c69638197 --- /dev/null +++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/td.rules 
@@ -0,0 +1,4 @@
+# this pass should prevent match of 998, but it should not affect the fw rules
+pass:flow tcp any any -> any any (flags:S; sid:999; alert;)
+# would match if 999 didn't set a flow pass
+alert tls any any -> any any (tls.sni; content:"google"; sid:998;)
diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/test.yaml b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/test.yaml
new file mode 100644
index 000000000..f67b570b8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/test.yaml
@@ -0,0 +1,95 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 + pcap_cnt: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 998 + pcap_cnt: 1 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 6 +- filter: + count: 3 + match: + event_type: alert + pcap_cnt: 6 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + flow.action: "accept" +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 + stats.ips.drop_reason.default_app_policy: 0 + stats.ips.drop_reason.rules: 0 diff --git a/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/firewall.rules b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/firewall.rules new file mode 100644 index 000000000..9891fb9f9 --- /dev/null +++ b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/firewall.rules 
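Review bot: The `count: 0` checks for sids 1022, 102 and 103 assert nothing about this test — its firewall.rules defines only 1011, 1021, 1023, 104 and 105 (and td.rules 999/998), so these three are leftovers of the ruletype-firewall-10 check list and only guard against ids that no rule in this directory carries. Either drop them or mark them, e.g. `# 1022/102/103 are not defined in this ruleset; kept at 0 only to mirror the -10 layout`. The same three checks are carried into the ruletype-firewall-14 test.yaml hunk later in this chunk, whose firewall.rules is the identical blob (af4ab86c1). The `count: 3` check on pcap_cnt 6 also lost the `# 105 also matches here` comment its -10 twin carries.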
@@ -0,0 +1,11 @@
+# Packet rules
+
+accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; alert; sid:1010;)
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow to
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; flowbits:set,fw_flow_accept; alert; sid:1023;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/suricata.yaml b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/suricata.yaml
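Review bot: sid 1010 is the rule the whole test hinges on — `accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; ...)` accepts every later packet of a flow at packet level once 1023 has set the bit (the test.yaml expects 58 of its alerts and zero drops) — yet it is the only rule here without a comment, and the bit is set but never cleared, so nothing later in that flow can be refused at this hook; fine for a fixture, but it should be stated (whether the app-layer hooks are still consulted for such packets is not visible from these tests). Suggest `# once 1023 has set fw_flow_accept (never cleared), every further packet of the flow is accepted at the packet hook` above 1010, and mentioning `flowbits:set` in 1023's comment. The same pairing recurs in the ruletype-firewall-13 firewall.rules hunk, where the bit is set from the tls:client_hello_done hook instead.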
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/test.yaml b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/test.yaml new file mode 100644 index 000000000..7b1d61902 --- /dev/null +++ b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/test.yaml 
@@ -0,0 +1,46 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 4 +- filter: + count: 58 + match: + event_type: alert + alert.signature_id: 1010 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/firewall.rules b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/firewall.rules new file mode 100644 index 000000000..c97323b25 --- /dev/null +++ b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/firewall.rules @@ -0,0 +1,18 @@ +# Packet rules + +accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; alert; sid:1010;) + +# allow session setup +accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;) + +# allow rest of the flow +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;) + +# default drop + + + + +accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; flowbits:set,fw_flow_accept; sid:104; alert;) +accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;) +# default drop diff --git a/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/suricata.yaml b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null 
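Review bot: The flow check asserts `not-has-key: flow.action` and `flow.state: "closed"`, whereas the ruletype-firewall-11 and -14 tests on the same pcap assert `flow.action: "accept"`; the only difference I can see is that those two have an `accept:flow` rule (104) that matches, while this ruleset uses `accept:packet` only, but nothing in the file says so, and a reviewer cannot tell whether the missing key is asserted on purpose or merely observed. Suggest `# no accept:flow rule matched, so no flow.action is logged — confirm this is the intended contract` above that check. The 1023 check on `pcap_cnt: 4` would likewise read better with a comment naming it as the packet that sets fw_flow_accept, if that is what pcap_cnt 4 is (presumably the first established packet).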
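Review bot: The app-layer half of this file has no `# App-layer rules` header and sids 104/105 carry no comments, unlike the same rules in the ruletype-firewall-11 file (`# should match, pcap is to google`, `# allow tls before client hello is done.`); here 104 additionally sets `fw_flow_accept`, which is the one thing distinguishing this test from -12, and the rule does not say so. Suggest `# App-layer rules` before it and `# SNI match sets fw_flow_accept, after which packet rule 1010 accepts the rest of the flow` on 104. The four blank lines after `# default drop` presumably separate the packet and app-layer sections; a comment would carry that meaning better than whitespace.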
+++ b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/test.yaml b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/test.yaml new file mode 100644 index 000000000..370aa69c9 --- /dev/null +++ b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/test.yaml 
@@ -0,0 +1,54 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 56 + match: + event_type: alert + alert.signature_id: 1010 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/firewall.rules b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/firewall.rules new file mode 100644 index 000000000..af4ab86c1 --- /dev/null +++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/firewall.rules @@ -0,0 +1,22 @@ +# Packet rules + +# accept outgoing ping and the returning pongs +accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;) +# allow session setup +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;) +# allow rest of the flow to +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;) + +# default drop + + + + +# App-layer rules + +# should match, pcap is to google +accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;) +# allow tls before client hello is done. +accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;) + +# default drop 
diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/suricata.yaml b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/td.rules b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/td.rules new file mode 100644 index 000000000..6029bde37 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/td.rules
@@ -0,0 +1,4 @@
+# this pass should prevent match of 998, but it should not affect the fw rules
+pass:flow tls any any -> any any (flow:to_server; tls.version:1.0; sid:999; alert;)
+# would match if 999 didn't set a flow pass
+alert tls any any -> any any (tls.sni; content:"google"; sid:998;)
diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/test.yaml b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/test.yaml
new file mode 100644
index 000000000..778449f03
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/test.yaml
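Review bot: The header comment is copied verbatim from the ruletype-firewall-11 td.rules, so it does not say what this test adds: the two tests share a byte-identical firewall.rules (blob af4ab86c1 in both file headers) and differ only in that the pass here is keyed on an app-layer condition (`tls.version:1.0` at the tls hook, `flow:to_server`) rather than a packet-level SYN. Suggest `# app-layer pass (tls hook, to_server) instead of the SYN pass of -11; must still not affect the fw rules` as the first line. The test.yaml then expects the 999 alert on pcap_cnt 4 rather than 1, which follows from that difference and could be mentioned in the same comment.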
@@ -0,0 +1,94 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 + pcap_cnt: 4 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 998 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 6 +- filter: + count: 3 + match: + event_type: alert + pcap_cnt: 6 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + flow.action: "accept" +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 + stats.ips.drop_reason.default_app_policy: 0 + stats.ips.drop_reason.rules: 0 diff --git a/tests/firewall/ruletype-firewall-15-state-keyword/firewall.rules b/tests/firewall/ruletype-firewall-15-state-keyword/firewall.rules new file mode 100644 index 000000000..f71a8d048 --- /dev/null +++ b/tests/firewall/ruletype-firewall-15-state-keyword/firewall.rules 
@@ -0,0 +1,29 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:100;)
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:101; alert;)
+accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (alert; sid:102;)
+accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (alert; sid:103;)
+accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (alert; sid:104;)
+
+accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (alert; sid:200;)
+accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (alert; sid:201;)
+accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:202;)
+accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:203;)
+accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:204;)
+accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (alert; sid:205;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-15-state-keyword/suricata.yaml b/tests/firewall/ruletype-firewall-15-state-keyword/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-15-state-keyword/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-15-state-keyword/test.yaml b/tests/firewall/ruletype-firewall-15-state-keyword/test.yaml new file mode 100644 index 000000000..8139319b3 --- /dev/null +++ b/tests/firewall/ruletype-firewall-15-state-keyword/test.yaml 
@@ -0,0 +1,94 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 59 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 200 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 18 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-16-http-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-16-http-per-hook/firewall.rules new file mode 100644 index 000000000..7fde25449 --- /dev/null +++ b/tests/firewall/ruletype-firewall-16-http-per-hook/firewall.rules 
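Review bot: The check for sid 205 (`tls:server_finished`) is pinned at `count: 0` while every other hook in this file fires at least once, and nothing says whether 0 is the expected semantics of that hook for this pcap or a gap the test is merely recording; a later count change would then be accepted as "expected" either way. A comment on it, e.g. `# server_finished does not fire for this pcap — confirm this is expected and not a hook that never reaches the rule`, would make the assertion deliberate. The same applies to the counts that differ from their neighbours without explanation (201 at 2, 103 at 8, 204 at 18); the hooks themselves are defined in this test's firewall.rules hunk earlier in the chunk.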
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; bsize:4; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-16-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-16-http-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-16-http-per-hook/suricata.yaml
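Review bot: sid 100 is the only rule in this file without the `alert` keyword, and it is the rule that lets the TCP flow through at all; the test.yaml then checks it at `count: 0`, which is satisfied trivially if, as the other rules suggest, `alert` is what makes a firewall rule log. A comment `# no alert keyword: accepts silently, so test.yaml expects 0 alerts for sid 100 regardless of matching` would stop the 0 being read as "did not match". sid 102 deserves a comment too: `http.method; bsize:4` is the rule that intentionally fails to match (test.yaml expects 0 for it and one `default_app_policy` drop), e.g. `# deliberately does not match (method in the pcap is presumably not 4 bytes), so request_line has no accept and the default drop applies`.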
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-16-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-16-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-16-http-per-hook/test.yaml 
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/firewall.rules b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/firewall.rules new file mode 100644 index 000000000..86b6951af --- /dev/null 
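Review bot: The comment `# No match due to 102 dropping the prior hook`, repeated before the sid 103–106 checks, misstates the mechanism: sid:102 is an accept rule that simply does not match, and the drop comes from the default policy, which the final stats check itself confirms with `stats.ips.drop_reason.default_app_policy: 1`. Suggest `# no accept rule matched at request_line, so the default drop policy ended the flow; later hooks are never reached`. The same blob (index d3667bb69) is reused as the test.yaml of tests 18, 19 and 20 (hunks on L47, L50 and L53), where the sentence fits even less because test 18 has no sid 102 at all; if the four files are meant to stay identical, the comment should be phrased so it holds for all of them.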
+++ b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/firewall.rules
@@ -0,0 +1,25 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;)
+
+# default drop
+
+accept:hook http1:request_started any any -> any any (alert; sid:100;)
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; xbits:set,xxx,track tx; alert; sid:101;)
+accept:hook http1:request_headers any any -> any any (http.user_agent; content:"Windows NT"; xbits:isset,xxx,track tx; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (http.host; content:"msn"; xbits:isset,xxx,track tx; alert; sid:103;)
+
+accept:hook http1:request_body any any -> any any (xbits:isset,xxx,track tx; alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (xbits:isset,xxx,track tx; alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (xbits:isset,xxx,track tx; alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (xbits:isset,xxx,track tx; alert; sid:200;)
+accept:hook http1:response_line any any -> any any (http.stat_code; content:"200"; xbits:isset,xxx,track tx; alert; sid:201;)
+accept:hook http1:response_headers any any -> any any (xbits:isset,xxx,track tx; alert; sid:202;)
+accept:hook http1:response_body any any -> any any (xbits:isset,xxx,track tx; alert; sid:203;)
+accept:hook http1:response_trailer any any -> any any (xbits:isset,xxx,track tx; alert; sid:204;)
+accept:hook http1:response_complete any any -> any any (xbits:isset,xxx,track tx; alert; sid:205;)
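Review bot: The comment `# pass rest of the flow to` above sid:1023 is cut off mid-sentence; suggest `# accept the rest of the established flow at the packet layer and leave the decision to the HTTP hooks`. The same truncated comment is copied into the rules of tests 21 and 22 (L54 and L56). Sids 1021/1023 match on `$HOME_NET any <> $EXTERNAL_NET 80`, so the 3 and 24 alert counts the test expects depend on the pcap's client address falling inside the RFC1918 ranges the accompanying suricata.yaml assigns to HOME_NET; either `any any -> any 80` as in the other tests, or a comment stating that the variable resolution is part of what is tested, would make that explicit. The xbits name `xxx` could be descriptive (for instance `cgif_get`) so the request-to-response linkage that is the subject of this test is visible in the rules themselves.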
diff --git a/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/http-sticky-server-s8.pcap b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/http-sticky-server-s8.pcap
new file mode 100644
index 000000000..cfa60b817
Binary files /dev/null and b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/http-sticky-server-s8.pcap differ
diff --git a/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/test.yaml b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/test.yaml
new file mode 100644
index 000000000..d6065f4f6
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/test.yaml
@@ -0,0 +1,102 @@ +requires: + min-version: 8 + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 24 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 200 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 18 + flow.pkts_toclient: 9 + flow.state: "established" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 27 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-18-http-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-18-http-per-hook/firewall.rules new file mode 100644 index 000000000..7b8599924 --- /dev/null +++ b/tests/firewall/ruletype-firewall-18-http-per-hook/firewall.rules 
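Review bot: The `count: 0` expectation for sid 103 sits among eleven `count: 8` checks with nothing to say why, so a reader cannot tell a deliberate negative from a broken rule; in firewall.rules sid:103 is the second request_headers rule and matches `http.host; content:"msn"`, which presumably the Host header in http-sticky-server-s8.pcap does not contain. Suggest `# negative: the Host header does not contain "msn"; the hook is still accepted by 102` above that check. Because sid 102 on the same hook keeps the flow alive, a pcap change that made 103 fire instead of 102 would leave every other count untouched, so naming the actual Host value in the comment is what makes the negative meaningful.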
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+# No rule to accept the request_line
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-18-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-18-http-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-18-http-per-hook/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-18-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-18-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-18-http-per-hook/test.yaml 
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-19-http-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-19-http-per-hook/firewall.rules new file mode 100644 index 000000000..6bd9b71c8 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-19-http-per-hook/firewall.rules
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-19-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-19-http-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-19-http-per-hook/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-19-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-19-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-19-http-per-hook/test.yaml 
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-20-http-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-20-http-per-hook/firewall.rules new file mode 100644 index 000000000..86aaa8dc4 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-20-http-per-hook/firewall.rules
@@ -0,0 +1,17 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+# test that packet and flow is still dropped if last rule was accept but several states
+# have no rules
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-20-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-20-http-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-20-http-per-hook/suricata.yaml
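Review bot: The comment `# test that packet and flow is still dropped if last rule was accept but several states have no rules` describes a scenario this rule set does not appear to reach: sid:102 only accepts a POST request_line, and the test.yaml of this directory (the same blob as test 16, index d3667bb69, hunk on L53) expects sid 102 to fire zero times and sid 101 once, so the flow is dropped at request_line by the default policy before request_headers through request_complete, the hooks without rules, are evaluated at all. For the comment to hold, sid:102 would have to match the request actually carried by flowbit-oring/input.pcap (for instance `content:"GET"` if that is what it sends), and the expectations would then move to 102 firing once and the drop landing at request_headers. As written, test 20 is observationally identical to tests 16 and 19.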
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-20-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-20-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-20-http-per-hook/test.yaml 
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-21-http-accept-tx/firewall.rules b/tests/firewall/ruletype-firewall-21-http-accept-tx/firewall.rules new file mode 100644 index 000000000..7bc43939f --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-21-http-accept-tx/firewall.rules
@@ -0,0 +1,12 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;)
+
+# default drop
+
+accept:hook http1:request_started any any -> any any (alert; sid:100;)
+accept:tx http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; alert; sid:101;)
diff --git a/tests/firewall/ruletype-firewall-21-http-accept-tx/http-sticky-server-s8.pcap b/tests/firewall/ruletype-firewall-21-http-accept-tx/http-sticky-server-s8.pcap
new file mode 100644
index 000000000..cfa60b817
Binary files /dev/null and b/tests/firewall/ruletype-firewall-21-http-accept-tx/http-sticky-server-s8.pcap differ
diff --git a/tests/firewall/ruletype-firewall-21-http-accept-tx/suricata.yaml b/tests/firewall/ruletype-firewall-21-http-accept-tx/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-21-http-accept-tx/suricata.yaml
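Review bot: The `accept:tx` action in sid:101 is the behaviour this test introduces, and its consequence is visible only by cross-reading test.yaml (L56): there are no accept rules for request_headers through response_complete, yet zero drops and 27 accepted packets are expected. Suggest `# accept:tx accepts the whole transaction, so no per-hook rules are needed for the remaining request/response hooks` above sid:101. The same rules file is duplicated for test 22 (L56), so a comment added here should be carried over there.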
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-21-http-accept-tx/test.yaml b/tests/firewall/ruletype-firewall-21-http-accept-tx/test.yaml new file mode 100644 index 000000000..c53d1a06e --- /dev/null +++ b/tests/firewall/ruletype-firewall-21-http-accept-tx/test.yaml 
@@ -0,0 +1,47 @@ +requires: + min-version: 8 + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 24 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 18 + flow.pkts_toclient: 9 + flow.state: "established" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 27 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/firewall.rules b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/firewall.rules new file mode 100644 index 000000000..7bc43939f --- /dev/null +++ b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/firewall.rules @@ -0,0 +1,12 @@ +# Packet rules + +# allow session setup +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;) + +# pass rest of the flow to +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;) + +# default drop + +accept:hook http1:request_started any any -> any any (alert; sid:100;) +accept:tx http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; alert; sid:101;) diff --git a/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/http-sticky-server-s8.pcap b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/http-sticky-server-s8.pcap new file mode 100644 index 000000000..cfa60b817 Binary files /dev/null and b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/http-sticky-server-s8.pcap differ 
diff --git a/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/suricata.yaml b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/td.rules b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/td.rules new file mode 100644 index 000000000..ca0dee28c --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/td.rules @@ -0,0 +1,2 @@ +alert http any any -> any any (http.user_agent; content:"Mozilla"; sid:9998;) +alert http any any -> any any (http.stat_code; content:"200"; sid:9999;) diff --git a/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/test.yaml b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/test.yaml new file mode 100644 index 000000000..aa28596b9 --- /dev/null +++ b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/test.yaml @@ -0,0 +1,57 @@ +requires: + min-version: 8 + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 24 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 9998 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 9999 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 18 + flow.pkts_toclient: 9 + flow.state: "established" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 27 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-23-dns-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-23-dns-per-hook/firewall.rules new file mode 100644 index 000000000..2851034ee --- /dev/null +++ b/tests/firewall/ruletype-firewall-23-dns-per-hook/firewall.rules 
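Review bot: The expectation of 8 alerts each for sids 9998 and 9999 is what distinguishes test 22 from test 21 — plain `alert http` rules in td.rules still evaluate on a transaction the firewall accepted with `accept:tx` — but neither td.rules nor test.yaml says so, and the `-with-td` suffix of the directory is the only hint. Suggest a header comment in td.rules such as `# threat-detection rules: these must still fire on a tx accepted by accept:tx in firewall.rules`, and `# 9998/9999 prove detection rules still run after the firewall accept` above the two checks in test.yaml. Nothing in test.yaml shows how td.rules is loaded next to firewall.rules, so presumably the harness picks both up by convention; one line saying so in the td.rules header would spare the next reader the search.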
@@ -0,0 +1,11 @@
+# Packet rules
+
+accept:hook udp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook dns:request_started any any -> any any (alert; sid:101;)
+accept:hook dns:request_complete any any -> any any (dns.query; content:"dropbox"; alert; sid:102;)
+
+accept:hook dns:response_started any any -> any any (alert; sid:201;)
+accept:hook dns:response_complete any any -> any any (dns.response.rrname; content:"dropbox"; alert; sid:202;)
diff --git a/tests/firewall/ruletype-firewall-23-dns-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-23-dns-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-23-dns-per-hook/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-23-dns-per-hook/test.yaml b/tests/firewall/ruletype-firewall-23-dns-per-hook/test.yaml new file mode 100644 index 000000000..46c308772 --- /dev/null +++ b/tests/firewall/ruletype-firewall-23-dns-per-hook/test.yaml 
@@ -0,0 +1,63 @@ +requires: + min-version: 8 + +pcap: ../../dns/dns-eve/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 4 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 2 + match: + event_type: drop +- filter: + count: 3 + match: + event_type: flow + flow.pkts_toserver: 1 + flow.pkts_toclient: 1 + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 1 + flow.pkts_toclient: 1 + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 6 + stats.ips.blocked: 2 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 1 diff --git a/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/firewall.rules new file mode 100644 index 000000000..9cf74122e --- /dev/null +++ b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/firewall.rules @@ -0,0 +1,11 @@ +# Packet rules + +accept:hook tcp:all any any -> any any (sid:100;) +# default drop + + +accept:hook dns:request_started any any -> any any (alert; sid:101;) +accept:hook dns:request_complete any any -> any any (dns.query; content:"suricata.io"; alert; sid:102;) + +accept:hook dns:response_started any any -> any any (alert; sid:201;) +accept:hook dns:response_complete any any -> any any (dns.response.rrname; content:"suricata.io"; alert; sid:202;) diff --git a/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/test.yaml b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/test.yaml new file mode 100644 index 000000000..fddd1c74c --- /dev/null +++ b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/test.yaml 
@@ -0,0 +1,55 @@ +requires: + min-version: 8 + +pcap: ../../dns/dns-frames/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 2 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 10 + stats.ips.blocked: 2 + stats.ips.drop_reason.default_packet_policy: 2 + stats.ips.drop_reason.default_app_policy: 0 diff --git a/tests/firewall/ruletype-firewall-25-tcp-udp/firewall.rules b/tests/firewall/ruletype-firewall-25-tcp-udp/firewall.rules new file mode 100644 index 000000000..d48e4c59d --- /dev/null +++ b/tests/firewall/ruletype-firewall-25-tcp-udp/firewall.rules @@ -0,0 +1,2 @@ +accept:packet udp:all any any -> any any (sid:100;) +# default drop diff --git a/tests/firewall/ruletype-firewall-25-tcp-udp/suricata.yaml b/tests/firewall/ruletype-firewall-25-tcp-udp/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-25-tcp-udp/suricata.yaml 
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-25-tcp-udp/test.yaml b/tests/firewall/ruletype-firewall-25-tcp-udp/test.yaml new file mode 100644 index 000000000..d439cde63 --- /dev/null +++ b/tests/firewall/ruletype-firewall-25-tcp-udp/test.yaml 
@@ -0,0 +1,43 @@ +requires: + min-version: 8 + +pcap: ../../dns/dns-frames/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 10 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + proto: TCP + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: flow + proto: UDP + flow.pkts_toserver: 1 + flow.pkts_toclient: 1 + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 2 + stats.ips.blocked: 10 + stats.ips.drop_reason.default_packet_policy: 10 + stats.ips.drop_reason.default_app_policy: 0 diff --git a/tests/firewall/ruletype-firewall-26-drop-rule/firewall.rules b/tests/firewall/ruletype-firewall-26-drop-rule/firewall.rules new file mode 100644 index 000000000..e1b5ded1c --- /dev/null +++ b/tests/firewall/ruletype-firewall-26-drop-rule/firewall.rules @@ -0,0 +1,3 @@ +drop:packet tcp:all any any -> any any (sid:99;) +accept:flow tcp:flow_start any any -> any 443 (alert; flow:to_server; sid:1;) +drop:flow tcp:flow_start any any -> any any (sid:2;) diff --git a/tests/firewall/ruletype-firewall-26-drop-rule/suricata.yaml b/tests/firewall/ruletype-firewall-26-drop-rule/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-26-drop-rule/suricata.yaml 
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-26-drop-rule/test.yaml b/tests/firewall/ruletype-firewall-26-drop-rule/test.yaml new file mode 100644 index 000000000..7ae218f53 --- /dev/null +++ b/tests/firewall/ruletype-firewall-26-drop-rule/test.yaml 
@@ -0,0 +1,33 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-random/input.pcap + +args: + - --simulate-ips + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 13 + match: + event_type: alert + alert.signature_id: 99 +- filter: + count: 13 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: tls + tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS diff --git a/tests/firewall/ruletype-firewall-27-http-drop-rule/firewall.rules b/tests/firewall/ruletype-firewall-27-http-drop-rule/firewall.rules new file mode 100644 index 000000000..6e4e2ef9e --- /dev/null +++ b/tests/firewall/ruletype-firewall-27-http-drop-rule/firewall.rules @@ -0,0 +1,20 @@ +# Packet rules + +accept:hook tcp:all any any -> any any (sid:100;) +# default drop + + +accept:hook http1:request_started any any -> any any (alert; sid:101;) +drop:packet http1:request_line any any -> any any (sid:999; alert;) +accept:hook http1:request_line any any -> any any (http.method; content:"GET"; alert; sid:102;) +accept:hook http1:request_headers any any -> any any (alert; sid:103;) +accept:hook http1:request_body any any -> any any (alert; sid:104;) +accept:hook http1:request_trailer any any -> any any (alert; sid:105;) +accept:hook http1:request_complete any any -> any any (alert; sid:106;) + +accept:hook http1:response_started any any -> any any (alert; sid:201;) +accept:hook http1:response_line any any -> any any (alert; sid:202;) +accept:hook http1:response_headers any any -> any any (alert; sid:203;) +accept:hook http1:response_body any any -> any any (alert; sid:204;) +accept:hook http1:response_trailer any any -> any any (alert; sid:205;) +accept:hook http1:response_complete any any -> any any (alert; sid:206;) 
diff --git a/tests/firewall/ruletype-firewall-27-http-drop-rule/suricata.yaml b/tests/firewall/ruletype-firewall-27-http-drop-rule/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-27-http-drop-rule/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-27-http-drop-rule/test.yaml b/tests/firewall/ruletype-firewall-27-http-drop-rule/test.yaml new file mode 100644 index 000000000..d3b205969 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-27-http-drop-rule/test.yaml @@ -0,0 +1,96 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 1 + match: + event_type: drop + alert.signature_id: 999 +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 9 + stats.ips.blocked: 1 + stats.ips.drop_reason.rules: 1 diff --git a/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/firewall.rules b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/firewall.rules new file mode 100644 index 000000000..ffb869e15 --- /dev/null +++ b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/firewall.rules 
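Review bot: The checks pin sids 102 and 104–106 to `count: 0` but never mention sid 103 (the `http1:request_headers` accept rule), so the test does not record whether that hook still fires once `drop:packet` rule 999 matches at `request_line`; the ruletype-firewall-28 test.yaml hunk has the same omission. An explicit filter, `- filter:` / `count: <EXPECTED_COUNT>` / `match: {event_type: alert, alert.signature_id: 103}`, would pin the behaviour either way and make a later regression visible. A one-line comment above the 102 check saying why 102 is expected not to match (rule 999 precedes it on the same hook, if that is the intended reading) would also help readers of the rule file next door.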
@@ -0,0 +1,20 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+drop:flow http1:request_line any any -> any any (sid:999; alert;)
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/suricata.yaml b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/test.yaml b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/test.yaml new file mode 100644 index 000000000..f64962946 --- /dev/null +++ b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/test.yaml 
@@ -0,0 +1,103 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 1 + match: + event_type: drop + alert.signature_id: 999 + drop.reason: "rules" +- filter: + count: 6 + match: + event_type: drop + drop.reason: "flow drop" +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.rules: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/firewall.rules b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/firewall.rules new file mode 100644 index 000000000..fc8d3bd99 --- /dev/null +++ b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/firewall.rules 
@@ -0,0 +1 @@ +drop:flow tcp:flow_start any any -> any any (flags:S; sid:100;) diff --git a/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/suricata.yaml b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop 
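Review bot: The directory name `ruletype-firewall-29-http-drop-flow-rule` does not describe this rule set: the only rule is `drop:flow tcp:flow_start any any -> any any (flags:S; sid:100;)`, with no HTTP hooks at all, which looks carried over from the test-28 name. Either renaming the test to something like `ruletype-firewall-29-tcp-drop-flow-start` (constructed suggestion) or adding a first line `# drop every flow at its SYN; every later packet is expected as a "flow drop"` would make the intent findable. The matching test.yaml is in the next hunk.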
diff --git a/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/test.yaml b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/test.yaml new file mode 100644 index 000000000..5795a002c --- /dev/null +++ b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/test.yaml @@ -0,0 +1,43 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: drop + alert.signature_id: 100 + drop.reason: "rules" +- filter: + count: 9 + match: + event_type: drop + drop.reason: "flow drop" +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "new" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 0 + stats.ips.blocked: 10 + stats.ips.drop_reason.rules: 1 + stats.ips.drop_reason.flow_drop: 9 diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/firewall.rules b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/firewall.rules new file mode 100644 index 000000000..aefd2c38e --- /dev/null +++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/firewall.rules @@ -0,0 +1,20 @@ +# Packet rules + +# allow session setup +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;) +# allow rest of the flow to +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;) + +# default drop + + + + +# App-layer rules + +# should match, pcap is to google +accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;) +# allow tls before client hello is done. +accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;) + +# default drop 
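Review bot: The comment `# allow rest of the flow to` above the second packet rule stops mid-sentence. Given the rule it annotates (`flow:established` on port 443), something like `# allow the rest of the established flow to pass` completes it. The three `# default drop` markers separated by runs of blank lines are cosmetic, but one per section with a short note on which hook they apply to (packet vs app-layer) would read more clearly.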
diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/suricata.yaml b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/td.rules b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/td.rules new file mode 100644 index 000000000..3882c92e3 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/td.rules @@ -0,0 +1 @@ +drop:packet tcp-pkt any any -> any any (flow:to_server; content:"|16 03 01 02 00|"; startswith; sid:666;) diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml new file mode 100644 index 000000000..f7305b4d2 --- /dev/null +++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml @@ -0,0 +1,71 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 666 + pcap_cnt: 4 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 6 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 + pcap_cnt: 6 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 105 + pcap_cnt: 4 +- filter: + count: 1 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: drop + pcap_cnt: 4 +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + flow.action: "accept" +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 61 + stats.ips.blocked: 1 + stats.ips.drop_reason.default_app_policy: 0 + stats.ips.drop_reason.rules: 1 diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp b/tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp new file mode 100644 index 000000000..23c957ff3 Binary files /dev/null and b/tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp differ 
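Review bot: A vim swap file `.suricata.yaml.swp` is added as a binary blob under `tests/firewall/ruletype-firewall-31-retrans-of-drop/`; it is editor residue rather than a test fixture and should be removed from the commit (and `*.swp` kept out through a .gitignore entry if the repository has one). Separately, in the test-30 test.yaml above, `flow.action: "accept"` is quoted while every other new test writes `flow.action: drop` bare; both parse to the same string, so this is only a consistency nit.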
diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/firewall.rules b/tests/firewall/ruletype-firewall-31-retrans-of-drop/firewall.rules
new file mode 100644
index 000000000..6bd9b71c8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-31-retrans-of-drop/firewall.rules
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/input.pcap b/tests/firewall/ruletype-firewall-31-retrans-of-drop/input.pcap
new file mode 100644
index 000000000..d984ec180
Binary files /dev/null and b/tests/firewall/ruletype-firewall-31-retrans-of-drop/input.pcap differ
diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/suricata.yaml b/tests/firewall/ruletype-firewall-31-retrans-of-drop/suricata.yaml
new file mode 100644
index 000000000..b95e719f4
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-31-retrans-of-drop/suricata.yaml
@@ -0,0 +1,65 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + - stream: + all: true # log all TCP packets diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/test.yaml b/tests/firewall/ruletype-firewall-31-retrans-of-drop/test.yaml new file mode 100644 index 000000000..3bd0abaf1 --- /dev/null +++ b/tests/firewall/ruletype-firewall-31-retrans-of-drop/test.yaml 
@@ -0,0 +1,98 @@
+requires:
+ min-version: 8
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 104
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 105
+# No match due to 102 dropping the prior hook
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 106
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 201
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 202
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 203
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 204
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 205
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 206
+- filter:
+ count: 4
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 7
+ flow.pkts_toclient: 2
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 5
+ stats.ips.blocked: 4
+ stats.ips.drop_reason.default_app_policy: 1
+ stats.ips.drop_reason.flow_drop: 3
diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/writepcap.py b/tests/firewall/ruletype-firewall-31-retrans-of-drop/writepcap.py
new file mode 100755
index 000000000..81952ff74
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-31-retrans-of-drop/writepcap.py
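Review bot: The comment `# No match due to 102 dropping the prior hook`, repeated above the checks for sids 103–106, misstates the mechanism: sid 102 is an `accept` rule that requires `content:"POST"`, and the request written by writepcap.py is a `GET`, so 102 simply does not match and nothing accepts the `request_line` hook; the drop comes from that hook's default policy, which is what `stats.ips.drop_reason.default_app_policy: 1` at the end of the file counts. Suggested wording, once above the sid 103 check: `# 102 requires POST but the request is GET: nothing accepts request_line, the default policy drops, later hooks never run`. The `flow_drop: 3` line would read better with `# presumably the packets that follow in the already-dropped flow`, since the split between the two drop reasons is the point of the test and is otherwise left for the reader to reconstruct.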
@@ -0,0 +1,17 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='S',seq=1,options=[('WScale', 14)])
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='SA',seq=1000,ack=2,options=[('WScale', 14)],window=65535)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)
+
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=2,ack=1001,window=65535)/"GET / HTTP/1.0\r\n"
+#pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=18,ack=1001,window=65535)/"Cookie: abcdef\r\n"
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=34,ack=1001,window=65535)/"User-Agent: "
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(src='1.1.1.1', dst='2.2.2.2')/TCP(dport=8080,sport=12345,flags='A',seq=46,ack=1001,window=65535)/"Mozilla\r\n\r\n"
+
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/Dot1Q(vlan=6)/IP(dst='1.1.1.1', src='2.2.2.2')/TCP(sport=8080,dport=12345,flags='RA',seq=1001,ack=18,window=65535)
+
+wrpcap('input.pcap', pkts)
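Review bot: The script as committed does not appear to reproduce the checked-in input.pcap: it writes 5 to-server and 2 to-client packets, while test.yaml expects `flow.pkts_toserver: 7` and `flow.pkts_toclient: 2`, and the commented-out `Cookie` segment leaves a hole at sequence 18–34 ahead of the `User-Agent: ` segment at seq 34, so the remainder of the request presumably never reassembles. Either regenerate input.pcap from the script or add at the top `# NOTE: input.pcap was apparently produced by an earlier version of this script; see the packet counts in test.yaml`, so the next person does not overwrite the pcap the checks were tuned against. Style-wise, `from scapy.all import *` is a wildcard import and `#!/usr/bin/env python` may resolve to Python 2 on older hosts; `#!/usr/bin/env python3` with `from scapy.all import Ether, Dot1Q, IP, TCP, wrpcap` is the conventional form. A header comment naming the scenario, `# 3-way handshake, split GET request, then a server RST; exercises drop + retransmission handling in firewall mode`, would also explain the otherwise opaque seq/ack values.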
