From: Victor Julien
Date: Fri, 17 Jun 2022 14:38:09 +0000 (+0200)
Subject: tests: add tests to check flow drops
X-Git-Tag: suricata-6.0.8~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f646eeaaa1a11f52e5b579ff7085eb8f237c4a4;p=thirdparty%2Fsuricata-verify.git

tests: add tests to check flow drops
---
diff --git a/tests/flow-drop-iponly-01/suricata.yaml b/tests/flow-drop-iponly-01/suricata.yaml
new file mode 100644
index 000000000..ef50188a2
--- /dev/null
+++ b/tests/flow-drop-iponly-01/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: no # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ - flow
diff --git a/tests/flow-drop-iponly-01/test-limit.pcap b/tests/flow-drop-iponly-01/test-limit.pcap
new file mode 100644
index 000000000..60fa36e76
Binary files /dev/null and b/tests/flow-drop-iponly-01/test-limit.pcap differ
diff --git a/tests/flow-drop-iponly-01/test.rules b/tests/flow-drop-iponly-01/test.rules
new file mode 100644
index 000000000..86c438bb6
--- /dev/null
+++ b/tests/flow-drop-iponly-01/test.rules
@@ -0,0 +1,2 @@
+drop ip 100.117.241.123 any -> any any (sid:1;)
+drop ip 100.64.4.146 any -> any any (sid:2;)
diff --git a/tests/flow-drop-iponly-01/test.yaml b/tests/flow-drop-iponly-01/test.yaml
new file mode 100644
index 000000000..0679309c3
--- /dev/null
+++ b/tests/flow-drop-iponly-01/test.yaml
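Review bot: The trailing comment on `flows: start` ("'start' logs only a single drop") contradicts what the accompanying test.yaml asserts, which is two `event_type: drop` events on the same flow (pcap_cnt 1 with reason `rules`, pcap_cnt 2 with reason `flow drop`); presumably `start` means one drop record per direction rather than one per flow, but the comment as copied does not say so and will mislead the next reader of this fixture. Replacing it with a comment that states what the test relies on, e.g. `flows: start # one drop event per direction is asserted in test.yaml`, would make the dependency explicit — confirm the exact semantics against the drop logger before wording it. Separately, the `tls:` type with `extended: no` and `tagged-packets: yes` are not exercised by any check here, so the `types:` list could be trimmed to `alert`, `drop` and `flow`. The same two points apply verbatim to tests/flow-drop-iponly-02/suricata.yaml, which has the identical content (same blob ef50188a2).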
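Review bot: Neither rule carries a `msg` or a comment saying what the two addresses are or why two drop rules are needed for a flow-drop test, so the reader has to reverse the intent from the checks in test.yaml. A one-line header such as `# one drop rule per endpoint of the flow in test-limit.pcap: sid:1 is expected to fire, sid:2 is expected to be pre-empted by the flow-level drop` would document the fixture — the second half is my reading of the checks (only sid:1 is ever asserted), so confirm it matches the intent. The same applies to tests/flow-drop-iponly-02/test.rules, where the addresses differ but the structure is identical.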
@@ -0,0 +1,35 @@
+requirements:
+ min-version: 6
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.action: blocked
+ pcap_cnt: 1
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 1
+ alert.action: blocked
+ pcap_cnt: 1
+ drop.reason: rules
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 2
+ drop.reason: flow drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+ tcp.state: syn_sent
diff --git a/tests/flow-drop-iponly-02/input.pcap b/tests/flow-drop-iponly-02/input.pcap
new file mode 100644
index 000000000..6e5b80363
Binary files /dev/null and b/tests/flow-drop-iponly-02/input.pcap differ
diff --git a/tests/flow-drop-iponly-02/suricata.yaml b/tests/flow-drop-iponly-02/suricata.yaml
new file mode 100644
index 000000000..ef50188a2
--- /dev/null
+++ b/tests/flow-drop-iponly-02/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: no # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ - flow
diff --git a/tests/flow-drop-iponly-02/test.rules b/tests/flow-drop-iponly-02/test.rules
new file mode 100644
index 000000000..5ea0d3fd7
--- /dev/null
+++ b/tests/flow-drop-iponly-02/test.rules
@@ -0,0 +1,2 @@
+drop ip 192.168.10.31 any -> any any (sid:1;)
+drop ip 192.168.10.10 any -> any any (sid:2;)
diff --git a/tests/flow-drop-iponly-02/test.yaml b/tests/flow-drop-iponly-02/test.yaml
new file mode 100644
index 000000000..f79b5674c
--- /dev/null
+++ b/tests/flow-drop-iponly-02/test.yaml
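Review bot: The checks never establish that sid:2 did not also produce a rule-based drop: the only `drop.reason: rules` filter is pinned to `alert.signature_id: 1` and the only `alert` filter likewise, so a second `rules` drop or alert from sid:2 on a later packet would go unnoticed and the test would still pass. If the point of the fixture is that the flow-level drop pre-empts the second rule, add a filter with `count: 1` matching `event_type: drop` and `drop.reason: rules` with no signature constraint (and, by the same reasoning, an unconstrained `event_type: alert` count), so the absence of a sid:2 rule drop is asserted rather than assumed. The `flow drop` filter at pcap_cnt 2 is also unconstrained by address, which is fine for a single-flow pcap but worth a comment above `checks:` stating that assumption. The same gap exists in tests/flow-drop-iponly-02/test.yaml, whose checks are identical apart from `pcap_cnt: 4` and the missing `tcp.state` assertion.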
@@ -0,0 +1,34 @@
+requirements:
+ min-version: 6
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.action: blocked
+ pcap_cnt: 1
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 1
+ alert.action: blocked
+ pcap_cnt: 1
+ drop.reason: rules
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 4
+ drop.reason: flow drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop