From: Victor Julien
Date: Fri, 11 Apr 2025 07:14:10 +0000 (+0200)
Subject: tests: drop/pass deconfliction updates
X-Git-Tag: suricata-7.0.11~93
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=789c50c3a4e371f8e1aa38f6e80e68558e2aca9c;p=thirdparty%2Fsuricata-verify.git
tests: drop/pass deconfliction updates
---
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
index 6fc663b02..b2ed858a9 100644
--- a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml
@@ -25,7 +25,7 @@ checks:
 alert.action: allowed
 pcap_cnt: 6
 - filter:
- count: 3 # 105 also matches here
+ count: 2
 match:
 event_type: alert
 pcap_cnt: 6
@@ -65,7 +65,7 @@ checks:
 event_type: alert
 alert.signature_id: 104
 - filter:
- count: 2
+ count: 1
 match:
 event_type: alert
 alert.signature_id: 105
diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml
index f7305b4d2..ada6819d1 100644
--- a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml
+++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml
@@ -37,8 +37,9 @@ checks:
 event_type: alert
 alert.signature_id: 104
 pcap_cnt: 6
+# packet:td drop sid 666 takes precedence
 - filter:
- count: 1
+ count: 0
 match:
 event_type: alert
 alert.signature_id: 105
diff --git a/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules b/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules
index f697f217d..4ef95fc01 100644
--- a/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules
+++ b/tests/issue-5466-alert-then-pass-03-drop-pass/test.rules
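Review bot: In hunk `@@ -25,7 +25,7 @@` of tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml the expected alert count for `pcap_cnt: 6` drops from 3 to 2 and the explanatory comment is removed with it, so the new number is unexplained. Hunk `@@ -65,7 +65,7 @@` lowers the sid 105 total from 2 to 1, which suggests sid 105 is the alert that no longer fires on this packet. If that reading is right, `count: 2 # 105 no longer alerts on this packet` would record it, in the same way the ruletype-firewall-30 hunk documents its change. Both check entries continue outside their hunks.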
@@ -1,2 +1,2 @@
 pass tcp any any -> any 22 (alert; sid:2; gid:10000003; msg:"PASS SSH";)
-drop tcp any any -> any any (noalert; sid:1; rev:1; msg:"DROP all TCP";)
+drop tcp any any -> any any (sid:1; rev:1; msg:"DROP all TCP";)
diff --git a/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml b/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml
index 11e15ef91..ab264ebf9 100644
--- a/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml
+++ b/tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml
@@ -9,7 +9,7 @@ pcap: ../issue-5466-alert-then-pass-01/icmp_and_ssh.pcap
 checks:
 - filter:
- count: 0
+ count: 1
 match:
 event_type: alert
 alert.signature_id: 1
@@ -18,7 +18,6 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 2
- alert.signature: "PASS SSH"
 - filter:
 count: 322
 match:
diff --git a/tests/util-action-tests/util-action-13/test.yaml b/tests/util-action-tests/util-action-13/test.yaml
index ede2edcbc..422ab2753 100644
--- a/tests/util-action-tests/util-action-13/test.yaml
+++ b/tests/util-action-tests/util-action-13/test.yaml
@@ -4,7 +4,7 @@ args:
 checks:
 - filter:
- min-version: 7
+ lt-version: 8
 count: 1
 match:
 event_type: flow
@@ -21,6 +21,13 @@ checks:
 event_type: alert
 alert.signature_id: 1
 - filter:
+ min-version: 8
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ lt-version: 8
 count: 1
 match:
 event_type: alert
diff --git a/tests/util-action-tests/util-action-16/test.yaml b/tests/util-action-tests/util-action-16/test.yaml
index 370cacafd..29b73f9e5 100644
--- a/tests/util-action-tests/util-action-16/test.yaml
+++ b/tests/util-action-tests/util-action-16/test.yaml
@@ -6,7 +6,7 @@ args:
 checks:
 - filter:
- min-version: 7
+ lt-version: 8
 count: 1
 match:
 event_type: flow
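Review bot: The sid 1 check in hunk `@@ -9,7 +9,7 @@` of tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml now expects one alert, but it matches only on `event_type` and `alert.signature_id`, so it does not show whether the packet was actually dropped. Since the test exercises drop versus pass precedence, adding `alert.action: blocked` to the `match:` block would pin the verdict as well as the alert. This assumes the test runs in IPS mode; the run arguments are outside the hunk.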
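Review bot: Removing `alert.signature: "PASS SSH"` in hunk `@@ -18,7 +18,6 @@` of tests/issue-5466-alert-then-pass-03-drop-pass/test.yaml leaves the check matching on `alert.signature_id: 2` alone, while test.rules defines that rule with `gid:10000003`. Signature ids are only unique within a generator id, so adding `alert.gid: 10000003` to the `match:` block would keep the check tied to the pass rule without depending on the message text. The check's `- filter:` and `count:` lines are outside the hunk.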
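Review bot: Replacing `min-version: 7` with `lt-version: 8` in hunk `@@ -4,7 +4,7 @@` of tests/util-action-tests/util-action-13/test.yaml means the flow check is skipped on 8 and later, and no `min-version: 8` flow check is added in the visible hunks. The same change is made in hunk `@@ -6,7 +6,7 @@` of util-action-16/test.yaml. If a flow event is still expected on 8, a second entry with `min-version: 8` and the new expected values would keep that coverage. The edit also drops the lower bound, which is safe only if a file-level `requires:` still limits the test to 7 and later. The rest of each check is outside its hunk.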
@@ -23,11 +23,26 @@ checks:
 event_type: alert
 alert.signature_id: 1
 - filter:
+ min-version: 8
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 2
+# IP-only, so max 2.
+- filter:
+ min-version: 8
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ lt-version: 8
 count: 1
 match:
 event_type: alert
 alert.signature_id: 2
 - filter:
+ lt-version: 8
 count: 1
 match:
 event_type: alert