From: Juliana Fajardini Date: Sat, 1 Nov 2025 02:31:20 +0000 (-0700) Subject: tests: add more tests for bug 8021 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bc9459f67417186cd905b5158ce66b6334215260;p=thirdparty%2Fsuricata-verify.git tests: add more tests for bug 8021 Related to Bug #8021 Bug #7630
---
diff --git a/tests/bug-8021-alert-max-verdict-01/README.md b/tests/bug-8021-alert-max-verdict-01/README.md
new file mode 100644
index 000000000..e54c34579
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-01/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test that the engine doesn't access out of bounds elements when checking for
+the verdict of the last alert in the packet alert queue.
+
+## PCAP
+
+Shared by Jason Ish.
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7630
diff --git a/tests/bug-8021-alert-max-verdict-01/input.pcap b/tests/bug-8021-alert-max-verdict-01/input.pcap
new file mode 100644
index 000000000..9165d9840
Binary files /dev/null and b/tests/bug-8021-alert-max-verdict-01/input.pcap differ
diff --git a/tests/bug-8021-alert-max-verdict-01/suricata.yaml b/tests/bug-8021-alert-max-verdict-01/suricata.yaml
new file mode 100644
index 000000000..eb26e884f
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-01/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ verdict: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ verdict: yes
+ - flow
+ - stats
+
+packet-alert-max: 6
+
+action-order:
+ - alert
+ - pass
+ - drop
+ - reject
diff --git a/tests/bug-8021-alert-max-verdict-01/test.rules b/tests/bug-8021-alert-max-verdict-01/test.rules
new file mode 100644
index 000000000..7b244b81a
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-01/test.rules
@@ -0,0 +1,7 @@
+alert tcp any any -> any any (msg:"issue8021 rule 1"; content:"PAYLOAD_TRIGGER"; sid:8002101; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 2"; content:"PAYLOAD_TRIGGER"; sid:8002102; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 3"; content:"PAYLOAD_TRIGGER"; sid:8002103; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 4"; content:"PAYLOAD_TRIGGER"; sid:8002104; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 5"; content:"PAYLOAD_TRIGGER"; sid:8002105; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 6"; content:"PAYLOAD_TRIGGER"; sid:8002106; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 7"; content:"PAYLOAD_TRIGGER"; sid:8002107; rev:1;)
diff --git a/tests/bug-8021-alert-max-verdict-01/test.yaml b/tests/bug-8021-alert-max-verdict-01/test.yaml
new file mode 100644
index 000000000..5f4e82922
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-01/test.yaml
@@ -0,0 +1,73 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.severity: 3
+ alert.signature_id: 8002101
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002102
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002103
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002104
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002105
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002106
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002107
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 0
+ match:
+ event_type: stats
+ stats.detect.engines.rules_loaded: 7
+ stats.detect.engines.rules_failed: 0
+ stats.detect.engines.rules_skipped: 0
+ stats.detect.alert: 6
+ stats.detect.alert_queue_overflow: 1
+ stats.detect.alerts_suppressed: 0
+
+
diff --git a/tests/bug-8021-alert-max-verdict-02/README.md b/tests/bug-8021-alert-max-verdict-02/README.md
new file mode 100644
index 000000000..a497fe7a7
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-02/README.md
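Review bot: The stats check at the end of this hunk appears to be vacuous: it is a `count: 0` filter whose key paths `stats.detect.engines.rules_loaded` (and the two sibling keys) omit the array index, so the filter presumably never matches a stats record and the assertion passes no matter how many alerts fired or overflowed. The sibling test in bug-8021-alert-max-verdict-02/test.yaml shows the intended form; change the filter to `count: 1` and index the engines array, `stats.detect.engines[0].rules_loaded: 7` (likewise for `rules_failed` and `rules_skipped`), so that `stats.detect.alert: 6` and `stats.detect.alert_queue_overflow: 1` are actually enforced. The count-0 filter for sid 8002107 also carries `verdict.action: alert` and `alert.action: allowed`, so it would still pass if the seventh alert were logged with some other verdict or action; keeping only `event_type: alert` and `alert.signature_id: 8002107` in that filter makes it assert that the overflowed alert is not logged at all.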
@@ -0,0 +1,14 @@
+# Test Description
+
+Test that the engine doesn't access out of bounds elements when checking for
+the verdict of the last alert in the packet alert queue. And that it logs
+the `pass` verdic correctly, for an "PASS + ALERT" rule. (Sid 8002106).
+
+## PCAP
+
+Shared by Jason Ish. (Reused from bug-8021-alert-max-verdict-01).
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/7630
+https://redmine.openinfosecfoundation.org/issues/8021
diff --git a/tests/bug-8021-alert-max-verdict-02/suricata.yaml b/tests/bug-8021-alert-max-verdict-02/suricata.yaml
new file mode 100644
index 000000000..99e71ca0e
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-02/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ verdict: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ verdict: yes
+ - flow
+ - stats
+
+packet-alert-max: 6
+
+action-order:
+ - pass
+ - alert
+ - drop
+ - reject
diff --git a/tests/bug-8021-alert-max-verdict-02/test.rules b/tests/bug-8021-alert-max-verdict-02/test.rules
new file mode 100644
index 000000000..5c731bb2a
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-02/test.rules
@@ -0,0 +1,7 @@
+alert tcp any any -> any any (msg:"issue8021 rule 1"; content:"PAYLOAD_TRIGGER"; sid:8002101; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 2"; content:"PAYLOAD_TRIGGER"; sid:8002102; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 3"; content:"PAYLOAD_TRIGGER"; sid:8002103; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 4"; content:"PAYLOAD_TRIGGER"; sid:8002104; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 5"; content:"PAYLOAD_TRIGGER"; sid:8002105; rev:1;)
+pass tcp any any -> any any (msg:"issue8021 rule 6"; alert; content:"PAYLOAD_TRIGGER"; sid:8002106; rev:1;)
+alert tcp any any -> any any (msg:"issue8021 rule 7"; content:"PAYLOAD_TRIGGER"; sid:8002107; rev:1;)
diff --git a/tests/bug-8021-alert-max-verdict-02/test.yaml b/tests/bug-8021-alert-max-verdict-02/test.yaml
new file mode 100644
index 000000000..8e21a6b2a
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-02/test.yaml
@@ -0,0 +1,67 @@
+pcap: ../bug-8021-alert-max-verdict-01/input.pcap
+
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.severity: 3
+ alert.signature_id: 8002101
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002102
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002103
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002104
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002105
+ event_type: alert
+ pcap_cnt: 1
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002106
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: pass
+- filter:
+ count: 0
+ match:
+ alert.action: allowed
+ alert.signature_id: 8002107
+ event_type: alert
+ pcap_cnt: 1
+ verdict.action: alert
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.engines[0].rules_loaded: 7
+ stats.detect.engines[0].rules_failed: 0
+ stats.detect.engines[0].rules_skipped: 0
+ stats.detect.alert: 1
+ stats.detect.alert_queue_overflow: 0
diff --git a/tests/bug-8021-alert-max-verdict-ips-03/README.md b/tests/bug-8021-alert-max-verdict-ips-03/README.md
new file mode 100644
index 000000000..cc7a959cb
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-ips-03/README.md
@@ -0,0 +1,17 @@
+Test
+====
+
+Check that when there is only a pass rule, the verdict outputed is correct
+(pass, instead of alert).
+
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+Reused from test bug-7414-decoder-event-01/ip_secopt.pcap.
+
+Redmine ticket
+==============
+
+https://redmine.openinfosecfoundation.org/issues/7630
+
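Review bot: The count-0 filters for sids 8002101 through 8002105 match on `alert.action: allowed` and `pcap_cnt: 1` (the first one on `alert.severity: 3` as well) in addition to the signature id, so each of them still passes if the alert is logged with a different action, severity or packet number; a count-0 filter only asserts absence of the exact key combination. Reducing those filters to `event_type: alert` plus `alert.signature_id` makes the "pass rule wins over the alert rules" expectation strict. The same applies to the 8002107 filter, which additionally carries `verdict.action: alert`, and the stats filter could also assert `stats.detect.alerts_suppressed` as the 01 test does, so the two tests check the same counters.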
diff --git a/tests/bug-8021-alert-max-verdict-ips-03/decoder-event.rules b/tests/bug-8021-alert-max-verdict-ips-03/decoder-event.rules
new file mode 100644
index 000000000..4ee260c3d
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-ips-03/decoder-event.rules
@@ -0,0 +1 @@
+pass pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; alert; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
diff --git a/tests/bug-8021-alert-max-verdict-ips-03/suricata.yaml b/tests/bug-8021-alert-max-verdict-ips-03/suricata.yaml
new file mode 100644
index 000000000..195d999d9
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-ips-03/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
diff --git a/tests/bug-8021-alert-max-verdict-ips-03/test.yaml b/tests/bug-8021-alert-max-verdict-ips-03/test.yaml
new file mode 100644
index 000000000..a575a5837
--- /dev/null
+++ b/tests/bug-8021-alert-max-verdict-ips-03/test.yaml
@@ -0,0 +1,16 @@
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ pcap_cnt: 3
+ pkt_src: "wire/pcap"
+ ether.src_mac: "f6:3a:04:28:26:77"
+ ether.dest_mac: "fe:2d:cf:ad:28:54"
+ alert.action: "allowed"
+ packet: "/i3PrShU9joEKCZ3CABIAABoAAEAAEARWEoeHh4eFBQUFIIC8TUAAN6tvu+qABPEE8QASB76g3Jy/3MMn6/gl+2PaHNYfvkOoBoRYsUb5ZV3mCocwk9Xbm1VI6ZMlgQ+xZbugYD/RB0xtXrOiZQ43SvBfdo36g=="
+ verdict.action: "pass"
+ pcap_filename.__endswith: "ip_secopt.pcap"
diff --git a/tests/bug-8021-ips-pass-verdict-04/README.md b/tests/bug-8021-ips-pass-verdict-04/README.md
new file mode 100644
index 000000000..6ce5170b4
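Review bot: This test.yaml passes no `args:`, so Suricata reads the pcap in its default IDS mode even though the directory is named `-ips-03`; the same holds for bug-8021-ips-pass-verdict-04/test.yaml. If the intent is to exercise the IPS verdict path, add `args:` with `- --simulate-ips`; if IDS mode is what the bug reproduces, the `ips` in the directory names overstates what is covered and a sentence in the README saying so would avoid confusion. The README for this test only describes the pass-versus-alert verdict and never mentions IPS, so this looks like a naming slip rather than a missing argument, but the author should confirm. Matching the full `packet:` base64 and both MAC addresses pins the check to this exact capture, which is acceptable for a regression test but will need updating if the shared pcap is ever regenerated.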
--- /dev/null
+++ b/tests/bug-8021-ips-pass-verdict-04/README.md
@@ -0,0 +1,16 @@
+Test
+====
+
+Check that when there is only a pass rule without "alert", no verdict outputed.
+
+PCAP
+====
+
+Pcap from https://redmine.openinfosecfoundation.org/issues/7414
+Reused from test bug-7414-decoder-event-01/ip_secopt.pcap.
+
+Redmine ticket
+==============
+
+https://redmine.openinfosecfoundation.org/issues/7630
+
diff --git a/tests/bug-8021-ips-pass-verdict-04/decoder-event.rules b/tests/bug-8021-ips-pass-verdict-04/decoder-event.rules
new file mode 100644
index 000000000..9ec66c358
--- /dev/null
+++ b/tests/bug-8021-ips-pass-verdict-04/decoder-event.rules
@@ -0,0 +1 @@
+pass pkthdr any any -> any any (msg:"SURICATA IPv4 invalid option length"; decode-event:ipv4.opt_invalid_len; classtype:protocol-command-decode; sid:2200005; rev:2;)
diff --git a/tests/bug-8021-ips-pass-verdict-04/suricata.yaml b/tests/bug-8021-ips-pass-verdict-04/suricata.yaml
new file mode 100644
index 000000000..ff4ee8b47
--- /dev/null
+++ b/tests/bug-8021-ips-pass-verdict-04/suricata.yaml
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ ethernet: true
+ pcap-file: true
+
+ types:
+ - alert:
+ packet: yes # enable dumping of packet (without stream segments)
+ verdict: yes
+ - anomaly:
+ types:
+ decode: yes
+ packethdr: yes
+ - flow
diff --git a/tests/bug-8021-ips-pass-verdict-04/test.yaml b/tests/bug-8021-ips-pass-verdict-04/test.yaml
new file mode 100644
index 000000000..02405b03d
--- /dev/null
+++ b/tests/bug-8021-ips-pass-verdict-04/test.yaml
@@ -0,0 +1,25 @@
+pcap: ../bug-7414-decoder-event-01/ip_secopt.pcap
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2200005
+ verdict.action: "pass"
+ - filter:
+ count: 1
+ match:
+ event_type: anomaly
+ anomaly.type: decode
+ anomaly.event: decoder.ipv4.opt_pad_required
+ - filter:
+ count: 2
+ match:
+ event_type: anomaly
+ anomaly.type: decode
+ anomaly.event: decoder.ipv4.opt_invalid_len
+ - filter:
+ count: 1
+ match:
+ event_type: flow
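Review bot: The first filter asserts `count: 0` on the combination of `event_type: alert`, `alert.signature_id: 2200005` and `verdict.action: "pass"`, so it also passes when an alert for 2200005 is logged with `verdict.action: alert` or with no verdict field at all, which is the wrong-verdict case the sibling ips-03 test guards against. The README says a pass rule without `alert` should produce no alert event, so the stronger check is to drop `verdict.action: "pass"` from that filter and let the count-0 cover any alert record for the sid. The anomaly and flow checks are fine as written; the README's "no verdict outputed" wording could mention that no alert event is expected either, since that is what the filter would then enforce.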