From: Juliana Fajardini
Date: Wed, 24 May 2023 20:26:30 +0000 (-0300)
Subject: tests: add bug-5825 tests for ips mode
X-Git-Tag: suricata-6.0.13~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6e08a60506f25bc5dc9bdeecc1a3dcf28df3b7d;p=thirdparty%2Fsuricata-verify.git
tests: add bug-5825 tests for ips mode
Related to Bug #5825
---
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/README.md
new file mode 100644
index 000000000..a5d51f3ff
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``bypass``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+Flow will be bypassed.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/test.rules
new file mode 100644
index 000000000..4f5ef27c4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/test.yaml
new file mode 100644
index 000000000..b2bfbde77
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-bypass/test.yaml
@@ -0,0 +1,24 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
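Review bot: The second rule in the disabled-bypass test.rules carries `sid:001`; sid is a numeric option, so this is sid 1 and the leading zeros only hint at a zero-padded numbering scheme that the file does not otherwise follow. Writing it as `sid:1` states the value plainly. The same rule line is repeated in the test.rules of the disabled-drop-flow, disabled-ignore, disabled-pass-flow, disabled-reject and enabled-pass-flow tests in this commit.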
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/README.md
new file mode 100644
index 000000000..68d3f3c84
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``drop-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the session won't be
+tracked. The flow should be dropped.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/test.rules
new file mode 100644
index 000000000..3b7d12406
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/test.yaml
new file mode 100644
index 000000000..0e33c641e
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-flow/test.yaml
@@ -0,0 +1,28 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/README.md
new file mode 100644
index 000000000..dead8e80a
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/README.md
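Review bot: The args list of the disabled-drop-flow test.yaml has no `--simulate-ips`, although its README calls this an IPS-mode test and every other test.yaml in this commit passes that flag; as written, the `event_type: drop` and `flow.action: drop` checks are asserted against an IDS-mode run. Presumably the intended list starts with `- --simulate-ips`, as in the disabled-bypass test above. If the checks are known to pass without the flag, the README should say that the drop records then come from the IDS-mode simulation rather than from an IPS drop, so the test does not quietly stop covering the IPS path.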
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``drop-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-packet`` isn't a valid
+exception policy value for the midstream exception policy.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/suricata.yaml
new file mode 100644
index 000000000..f49b207f4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/test.yaml
new file mode 100644
index 000000000..37021b1da
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-drop-packet/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=drop-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
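Review bot: The only check in the disabled-drop-packet test.yaml is a single `engine` record at `log_level: Error`, which any startup failure satisfies — a mistyped key in suricata.yaml or a missing pcap path would make the test pass for the wrong reason, and `exit-code: 1` does not narrow it either. Matching the error text too, presumably via `engine.message: <expected error text copied from a real run>` under `match:`, pins the failure to the invalid midstream-policy value the README describes. The same loose check is used by the exit-code tests for disabled-pass-packet, enabled-bypass, enabled-drop-flow and enabled-drop-packet in this commit.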
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/README.md
new file mode 100644
index 000000000..bdfc0fd63
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``ignore``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/test.rules
new file mode 100644
index 000000000..3b7d12406
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/test.yaml
new file mode 100644
index 000000000..33442223d
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-ignore/test.yaml
@@ -0,0 +1,23 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=ignore
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/README.md
new file mode 100644
index 000000000..a99bf856c
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``pass-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/test.rules
new file mode 100644
index 000000000..4f5ef27c4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/test.yaml
new file mode 100644
index 000000000..6fce0d234
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-flow/test.yaml
@@ -0,0 +1,24 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/README.md
new file mode 100644
index 000000000..fc8f19521
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/README.md
@@ -0,0 +1,16 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``pass-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``pass-packet`` isn't a valid
+exception policy value.
+
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/suricata.yaml
new file mode 100644
index 000000000..c4e941bc9
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/test.yaml
new file mode 100644
index 000000000..10d3b5e40
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-pass-packet/test.yaml
@@ -0,0 +1,21 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-packet
+
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
+
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/README.md
new file mode 100644
index 000000000..6b4fb2681
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/README.md
@@ -0,0 +1,16 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``reject``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the session won't be
+tracked. We also expect to see ``drop`` events, as in IPS mode the flow is
+rejected and dropped.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
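Review bot: The disabled-pass-packet test.yaml passes `--set stream.midstream=true`, so it exercises the midstream-enabled case even though its directory name and README describe midstream pick-up as disabled; its blob index `10d3b5e40` is also the one the enabled-pass-packet test.yaml later in this commit gets, so the two files are byte-identical and the "disabled" variant adds no coverage. For the disabled case the second arg should read `- --set stream.midstream=false`, as the disabled-drop-packet test above does. Whether pass-packet is rejected at startup independently of the midstream setting, as the README implies, is not something the hunk shows, so the two tests are still worth keeping distinct.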
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/test.rules
new file mode 100644
index 000000000..3b7d12406
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/test.yaml
new file mode 100644
index 000000000..f46f801dc
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-disabled-reject/test.yaml
@@ -0,0 +1,24 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=false
+- --set stream.midstream-policy=reject
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
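Review bot: The disabled-reject README promises ``drop`` events in IPS mode, but the test.yaml checks only assert `flow.action: drop` on the flow record and never that an `event_type: drop` record exists, so a run that marks the flow dropped without emitting any drop event still passes. Adding `- filter: {count: 1, match: {event_type: drop}}` under `checks:` (with a `drop.reason` value once confirmed against an actual run, as the disabled-drop-flow test does with `stream midstream`) would make the checks match the README. The eve `drop` output is already enabled in this test's suricata.yaml, so the records would be available to check.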
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/README.md
new file mode 100644
index 000000000..69e8049a1
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``bypass``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``bypass`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/suricata.yaml
new file mode 100644
index 000000000..f49b207f4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/test.yaml
new file mode 100644
index 000000000..81eb36200
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-bypass/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/README.md
new file mode 100644
index 000000000..5d53a2a45
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``drop-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-flow`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/suricata.yaml
new file mode 100644
index 000000000..f49b207f4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/test.yaml
new file mode 100644
index 000000000..00b13a25e
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-flow/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/README.md
new file mode 100644
index 000000000..19cc6bc05
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``drop-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-packet`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/suricata.yaml
new file mode 100644
index 000000000..f49b207f4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/test.yaml
new file mode 100644
index 000000000..6263617cc
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-drop-packet/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=drop-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/README.md
new file mode 100644
index 000000000..72d59fc1c
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``ignore``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see alerts and ``http`` events logged, as the flow will
+be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/test.yaml
new file mode 100644
index 000000000..982079983
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-ignore/test.yaml
@@ -0,0 +1,23 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=ignore
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/README.md
new file mode 100644
index 000000000..8415af9c5
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``pass-flow``. This test is for IPS mode.
+
+# Behavior
+
+We expect to see no alerts, since detection won't run due to ``pass-flow``, but
+to see ``http`` events logged, as the flow will be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/test.rules
new file mode 100644
index 000000000..4f5ef27c4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/test.yaml
new file mode 100644
index 000000000..a7d7ac238
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-flow/test.yaml
@@ -0,0 +1,24 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
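Review bot: The checks in the pass-flow test.yaml never assert on `drop` events even though the accompanying suricata.yaml enables the `drop` log with `flows: all`, so a flow that was inspected yet wrongly dropped under `--simulate-ips` could still pass as long as a `flow.action: pass` record appeared. Adding a negative check, `- filter: {count: 0, match: {event_type: drop}}` (written in block style to match the file), pins the IPS verdict directly. The same negative check would fit the other IPS-mode tests in this series whose eve config logs drop events.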
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/README.md
new file mode 100644
index 000000000..0249bb5f8
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/README.md
@@ -0,0 +1,16 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``pass-packet``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``pass-packet`` isn't a valid
+exception policy value.
+
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/suricata.yaml
new file mode 100644
index 000000000..c4e941bc9
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/test.yaml
new file mode 100644
index 000000000..10d3b5e40
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-pass-packet/test.yaml
@@ -0,0 +1,21 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-packet
+
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
+
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/README.md
new file mode 100644
index 000000000..20bb610d2
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/README.md
@@ -0,0 +1,16 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``reject``. This test is for IPS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``reject`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/suricata.yaml
new file mode 100644
index 000000000..f49b207f4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/suricata.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
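Review bot: The single check in the pass-packet test.yaml accepts any Error-level engine record in suricata.json, so Suricata failing to start for an unrelated reason (a rule or config problem) satisfies `exit-code: 1` and `count: 1` just as well as the intended rejection of `stream.midstream-policy=pass-packet`. Pinning the engine record's `message` field to the text Suricata logs for this case, e.g. `message: "<exact midstream-policy error text — placeholder>"`, makes the test fail if the startup error changes or moves, which is what a negative-config test is meant to catch. The reject test.yaml hunk at the end of this diff has the same shape and would benefit from the same constraint.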
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/test.yaml
new file mode 100644
index 000000000..e11a0b537
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ips-midstream-enabled-reject/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=reject
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error