From: Victor Julien Date: Mon, 13 Jun 2022 06:08:25 +0000 (+0200) Subject: tests: flowbit prefilter tests X-Git-Tag: suricata-7.0.11~121 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ba98d438eeebe56e4289a7d55e867cb0f20bea4;p=thirdparty%2Fsuricata-verify.git tests: flowbit prefilter tests
---
diff --git a/tests/flowbits-prefilter-01/flowbit-prefilter.rules b/tests/flowbits-prefilter-01/flowbit-prefilter.rules
new file mode 100644
index 000000000..ac7f95b2c
--- /dev/null
+++ b/tests/flowbits-prefilter-01/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,common1; flowbits:set,common2; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:set,common2; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common2; prefilter; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,common1; prefilter; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,common1; prefilter; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-01/test.yaml b/tests/flowbits-prefilter-01/test.yaml
new file mode 100644
index 000000000..5e035b078
--- /dev/null
+++ b/tests/flowbits-prefilter-01/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
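Review bot: The intent behind the bit names is not recorded in the rules file: `never` is set by sid 12 on any 10-byte payload, so sids 21 and 23 stay silent only if this pcap carries no such packet, which a reader cannot tell from the rules alone. The 06-opdir rules file in this commit annotates each rule with the packet it targets (`# packet 6 to client`); the same convention here would make the expectations reviewable, e.g. `# never: must not be set by ../flowbit-oring/input.pcap, so sids 21/23 must not alert`. The same documentation gap applies to the other .rules files in this commit except 06-opdir.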
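Review bot: The checks only assert that sids 11 and 22 alert once on packet 6; nothing asserts that the rules gated on the `never` bit (21, 23) and the `common1`-gated prefilter rules (24, 25) stay silent, or that the ungated `priority:10` rules 31-33 still alert. A regression in which a flowbit-gated prefilter rule alerts before its bit is set would therefore pass this test. The 08-tx-opdir test.yaml in this commit shows the shape to copy: a `count: 0` filter on `event_type: alert` plus `alert.signature_id` with no `pcap_cnt` constraint, so the assertion covers the whole pcap. The same positive-only pattern appears in every other test.yaml in this commit except 08-tx-opdir.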
diff --git a/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..453ac9be9
--- /dev/null
+++ b/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-02-auto/test.yaml b/tests/flowbits-prefilter-02-auto/test.yaml
new file mode 100644
index 000000000..d85993366
--- /dev/null
+++ b/tests/flowbits-prefilter-02-auto/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+ - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 25
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 33
diff --git a/tests/flowbits-prefilter-03/flowbit-prefilter.rules b/tests/flowbits-prefilter-03/flowbit-prefilter.rules
new file mode 100644
index 000000000..241295bd3
--- /dev/null
+++ b/tests/flowbits-prefilter-03/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server; content:"GET"; flowbits:set,abc; sid:1;)
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:isset,abc; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-03/test.yaml b/tests/flowbits-prefilter-03/test.yaml
new file mode 100644
index 000000000..eff05ff86
--- /dev/null
+++ b/tests/flowbits-prefilter-03/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules b/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules
new file mode 100644
index 000000000..288d27264
--- /dev/null
+++ b/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (dsize:81; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-04-pkt-auto/test.yaml b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
new file mode 100644
index 000000000..f7cbee51a
--- /dev/null
+++ b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+ - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules b/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules
new file mode 100644
index 000000000..baaef1daa
--- /dev/null
+++ b/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:set,size; sid:1;)
+alert tcp any any -> any any (flowbits:isset,size; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-05-onedir/test.yaml b/tests/flowbits-prefilter-05-onedir/test.yaml
new file mode 100644
index 000000000..21f1557e3
--- /dev/null
+++ b/tests/flowbits-prefilter-05-onedir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules b/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules
new file mode 100644
index 000000000..38e0fde89
--- /dev/null
+++ b/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules
@@ -0,0 +1,4 @@
+# packet 6 to client
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:set,size; sid:1;)
+# packet 7 to server
+alert tcp any any -> any any (flow:to_server; tcp.flags:A; tcp.ack:2548486954; flowbits:isset,size; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-06-opdir/test.yaml b/tests/flowbits-prefilter-06-opdir/test.yaml
new file mode 100644
index 000000000..1109bdf79
--- /dev/null
+++ b/tests/flowbits-prefilter-06-opdir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..2580f754e
--- /dev/null
+++ b/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-07-tx-onedir/test.yaml b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
new file mode 100644
index 000000000..c9ee3b5c3
--- /dev/null
+++ b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 25
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 33
diff --git a/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..322f3627c
--- /dev/null
+++ b/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (http.request_line; content:"HTTP"; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,rare; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-08-tx-opdir/test.yaml b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
new file mode 100644
index 000000000..ef603c8d2
--- /dev/null
+++ b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
@@ -0,0 +1,32 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 4
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 23
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 25
diff --git a/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules b/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules
new file mode 100644
index 000000000..ff690dd26
--- /dev/null
+++ b/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp 82.165.177.154 any -> any any (flowbits:set,set_by_iponly; sid:1;)
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:isset,set_by_iponly; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-09-iponly-onedir/test.yaml b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
new file mode 100644
index 000000000..424e9ff36
--- /dev/null
+++ b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 2
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules b/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules
new file mode 100644
index 000000000..f48f021f5
--- /dev/null
+++ b/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> 82.165.177.154 any (flowbits:set,set_by_iponly; sid:1;)
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:isset,set_by_iponly; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-10-iponly-opdir/test.yaml b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
new file mode 100644
index 000000000..a48b42a5a
--- /dev/null
+++ b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 1
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules b/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules
new file mode 100644
index 000000000..652560ebd
--- /dev/null
+++ b/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-11-pkt-auto/test.yaml b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
new file mode 100644
index 000000000..f7cbee51a
--- /dev/null
+++ b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+ - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules b/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules
new file mode 100644
index 000000000..72692c0c1
--- /dev/null
+++ b/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-12-toggle/test.yaml b/tests/flowbits-prefilter-12-toggle/test.yaml
new file mode 100644
index 000000000..5e035b078
--- /dev/null
+++ b/tests/flowbits-prefilter-12-toggle/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules
new file mode 100644
index 000000000..8308e548e
--- /dev/null
+++ b/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules
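Review bot: With `flowbits:toggle` in sids 11 and 12 the state of `common` at packet 6 depends on the parity of earlier matches, not merely on whether a match occurred, so the expectation for sid 22 holds only if sids 11 and 12 together toggle `common` an odd number of times before that packet. Both checks filter on `pcap_cnt: 6`, so an extra toggle on some other packet would only surface indirectly, when sid 22 happens to miss. Pin the precondition with an unfiltered `count: 1` check on `alert.signature_id: 11` and, if the pcap carries no 10-byte payload (to be confirmed against the capture), an unfiltered `count: 0` check on sid 12. The same applies to the 13-tx-onedir-toggle test.yaml, whose sid 12 also toggles `common`.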
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:toggle,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200"; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202"; sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201"; sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200"; sid:33;)
diff --git a/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
new file mode 100644
index 000000000..c9ee3b5c3
--- /dev/null
+++ b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+ - -k none
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 22
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 25
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 6
+ alert.signature_id: 33