From: Juliana Fajardini
Date: Tue, 6 Sep 2022 22:02:15 +0000 (-0300)
Subject: tests: add basic test for reject exception policy
X-Git-Tag: suricata-6.0.8~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64f691df3aa5a37ea021d0a93e5c4629a051f6c6;p=thirdparty%2Fsuricata-verify.git

tests: add basic test for reject exception policy

This test only ensures that Suricata does drop packet/flow after reaching an exception condition with a 'reject' policy.

Related to Task #5503
---
diff --git a/tests/exception-policy-reject-action-01/README.md b/tests/exception-policy-reject-action-01/README.md
new file mode 100644
index 000000000..717dfb5fc
--- /dev/null
+++ b/tests/exception-policy-reject-action-01/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the reject action for the exception policies is minimally functional.
+We don't check that the reject packet was created and sent, just that the
+packet/flow is dropped.
+
+# Behavior
+
+We expect to only see ``drop`` and ``flow`` events logged, as the flow will be
+droped.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-reject-action-01/input-http-ACK.pcap b/tests/exception-policy-reject-action-01/input-http-ACK.pcap
new file mode 100644
index 000000000..c5b1c5155
Binary files /dev/null and b/tests/exception-policy-reject-action-01/input-http-ACK.pcap differ
diff --git a/tests/exception-policy-reject-action-01/suricata.yaml b/tests/exception-policy-reject-action-01/suricata.yaml
new file mode 100644
index 000000000..d672946e9
--- /dev/null
+++ b/tests/exception-policy-reject-action-01/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
diff --git a/tests/exception-policy-reject-action-01/test.rules b/tests/exception-policy-reject-action-01/test.rules
new file mode 100644
index 000000000..d0368df50
--- /dev/null
+++ b/tests/exception-policy-reject-action-01/test.rules
@@ -0,0 +1 @@
+drop http any any -> any any (msg:"broad http rule"; sid:1;)
diff --git a/tests/exception-policy-reject-action-01/test.yaml b/tests/exception-policy-reject-action-01/test.yaml
new file mode 100644
index 000000000..c4d32d5fd
--- /dev/null
+++ b/tests/exception-policy-reject-action-01/test.yaml
@@ -0,0 +1,19 @@
+args:
+- --simulate-ips
+- --set stream.midstream-policy=reject
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 2
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+
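Review bot: The `event_type: drop` check with `count: 2` in test.yaml does not establish that the drops were produced by the midstream exception policy rather than by the `drop http` signature (sid 1) in test.rules, even though suricata.yaml enables `alerts: yes` on the drop log and an `alert` eve type that no check looks at. If the expectation is that the signature never fires because the flow is rejected before HTTP is parsed, add a filter with `count: 0` and `match: event_type: alert` so a drop that came from the rule fails the test instead of satisfying it. The `count: 2` value presumably reflects the packet count of input-http-ACK.pcap, which is not visible here; a one-line comment in test.yaml naming the two packets expected to be dropped would make that number checkable. Unrelated but in the same commit, README.md spells `droped`; it should be `dropped`.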