From: Juliana Fajardini
Date: Wed, 14 Jun 2023 22:56:11 +0000 (-0300)
Subject: tests: add check for bug 6149
X-Git-Tag: suricata-6.0.13~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab8efce8aaf8809d85ed388ca353a3baa1d471e8;p=thirdparty%2Fsuricata-verify.git

tests: add check for bug 6149

Related to Bug #6149
---
diff --git a/tests/bug-6149-exception-policy-auto-ids/README.md b/tests/bug-6149-exception-policy-auto-ids/README.md
new file mode 100644
index 000000000..64e9265de
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ids/README.md
@@ -0,0 +1,14 @@
+Test
+====
+
+Check and capture the behavior when Suricata is run with `exception-policy:
+auto` set in IDS mode.
+
+Behavior
+========
+
+We expect the master switch for exception policy to be set to `ignore` in that
+case, as that's the default value in IDS.
+
+We also don't expect to see any Warning message in that case, as that's expected
+behavior.
diff --git a/tests/bug-6149-exception-policy-auto-ids/suricata.yaml b/tests/bug-6149-exception-policy-auto-ids/suricata.yaml
new file mode 100644
index 000000000..8c0b99e6a
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ids/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: auto
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-6149-exception-policy-auto-ids/test.rules b/tests/bug-6149-exception-policy-auto-ids/test.rules
new file mode 100644
index 000000000..c47db71d7
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ids/test.rules
@@ -0,0 +1,4 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; priority:2; sid:2; rev:1;)
+# matches packet 4, but no match due to action order
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/bug-6149-exception-policy-auto-ids/test.yaml b/tests/bug-6149-exception-policy-auto-ids/test.yaml
new file mode 100644
index 000000000..4f52c44f9
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ids/test.yaml
@@ -0,0 +1,33 @@
+requires:
+ min-version: 7
+
+pcap: ../tls/tls-ja3s/input.pcap
+
+args:
+- -k none
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: Info
+ event_type: engine
+ engine.module: exception-policy
+ engine.message: "master exception-policy set to: ignore"
diff --git a/tests/bug-6149-exception-policy-auto-ips/README.md b/tests/bug-6149-exception-policy-auto-ips/README.md
new file mode 100644
index 000000000..948f5c2f9
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ips/README.md
@@ -0,0 +1,15 @@
+Test
+====
+
+Check and capture the behavior when Suricata is run with `exception-policy:
+auto` set in IPS mode.
+
+Behavior
+========
+
+We expect the master switch for exception policy to be set to `drop-flow` in this
+case, as that's the default value in IPS.
+
+We also don't expect to see any Warning message in that case, as that's expected
+behavior. We will see an info log output, as that's the level specified for this
+test.
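Review bot: The IDS test.yaml asserts only that the `master exception-policy set to: ignore` Info line is present, while the README in the same directory states that no Warning is expected; nothing in the checks enforces that, so a regression that emits a warning next to the info line would still pass. The same gap exists in tests/bug-6149-exception-policy-auto-ips/test.yaml, whose README makes the same promise about Warning messages. A `count: 0` filter on suricata.json for `log_level: Warning`, scoped to `engine.module: exception-policy`, would pin the documented behavior in both files; dropping the module key would turn it into the blanket "no warnings" assertion the README literally describes, if the rest of the run is warning-free.
```yaml
checks:
  # … unchanged: eve.json alert/drop/tls filters and the Info-line filter …
  - filter:
      filename: suricata.json
      count: 0
      match:
        log_level: Warning
        engine.module: exception-policy
```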
diff --git a/tests/bug-6149-exception-policy-auto-ips/suricata.yaml b/tests/bug-6149-exception-policy-auto-ips/suricata.yaml
new file mode 100644
index 000000000..8c0b99e6a
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ips/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: auto
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-6149-exception-policy-auto-ips/test.rules b/tests/bug-6149-exception-policy-auto-ips/test.rules
new file mode 100644
index 000000000..c47db71d7
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ips/test.rules
@@ -0,0 +1,4 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; priority:2; sid:2; rev:1;)
+# matches packet 4, but no match due to action order
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/bug-6149-exception-policy-auto-ips/test.yaml b/tests/bug-6149-exception-policy-auto-ips/test.yaml
new file mode 100644
index 000000000..587a8b8b2
--- /dev/null
+++ b/tests/bug-6149-exception-policy-auto-ips/test.yaml
@@ -0,0 +1,32 @@
+requires:
+ features:
+ - DEBUG
+ min-version: 7
+
+pcap: ../tls/tls-ja3s/input.pcap
+
+args:
+- -k none
+- --simulate-applayer-error-at-offset-ts=0
+- --set app-layer.error-policy=auto
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ log_level: Info
+ event_type: engine
+ engine.module: exception-policy
+ engine.message: "master exception-policy set to: drop-flow"
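Review bot: `count: 29` on the drop filter is a bare number with nothing in the file tying it to its origin; it presumably reflects how many packets of the flow in ../tls/tls-ja3s/input.pcap are dropped once the app-layer error is simulated at offset 0 under drop-flow, but a reader has to recount the pcap to confirm that. A comment on that line such as `# drop count pinned to ../tls/tls-ja3s/input.pcap with the app-layer error simulated at offset 0` would record where the number comes from. The `features: - DEBUG` requirement likewise deserves a one-line comment stating why the test is debug-only, if the reason is that the `--simulate-*` arguments it gates are unavailable in release builds.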