From: Victor Julien
Date: Sun, 18 May 2025 08:42:10 +0000 (+0200)
Subject: tests: add pre_stream tests
X-Git-Tag: suricata-7.0.11~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be09f84cee3af47c8c55cdaaf1cc868a16388774;p=thirdparty%2Fsuricata-verify.git

tests: add pre_stream tests
---
diff --git a/tests/firewall/ruletype-firewall-39-pre-stream/firewall.rules b/tests/firewall/ruletype-firewall-39-pre-stream/firewall.rules
new file mode 100644
index 000000000..6eebc5e03
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-39-pre-stream/firewall.rules
@@ -0,0 +1,2 @@
+accept:packet tcp:all any any <> any 443 (sid:1;)
+drop:packet tcp:pre_stream any any -> any 443 (flow:to_server; tcp.flags:S; alert; sid:2;)
diff --git a/tests/firewall/ruletype-firewall-39-pre-stream/suricata.yaml b/tests/firewall/ruletype-firewall-39-pre-stream/suricata.yaml
new file mode 100644
index 000000000..21b31afba
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-39-pre-stream/suricata.yaml
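Review bot: The pre_stream rule on sid 2 has no comment saying which packet it is meant to catch, and `tcp.flags:S` is easy to misread as "any packet with SYN set" when, as in Snort, a bare S appears to match only when SYN is the sole flag set. Suggest a header comment above sid 2: `# pre_stream hook runs before the stream engine; match only the client SYN (flags exactly S, to_server) so later packets are dropped by the flow/midstream logic rather than by this rule`. Per the sibling test.yaml the accept rule on sid 1 is expected never to fire (sid 1 alert count 0), which is worth stating in the file so a reader does not assume the bidirectional accept covers the SYN.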
@@ -0,0 +1,65 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
diff --git a/tests/firewall/ruletype-firewall-39-pre-stream/test.yaml b/tests/firewall/ruletype-firewall-39-pre-stream/test.yaml
new file mode 100644
index 000000000..51293fc1a
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-39-pre-stream/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ verdict.action: drop
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 13
+ match:
+ event_type: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: new
+ tcp.tcp_flags: "00"
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 0
+ stats.ips.blocked: 13
+ stats.ips.drop_reason.pre_stream_hook: 1
+ stats.ips.drop_reason.default_packet_policy: 0
+ stats.ips.drop_reason.flow_drop: 11
+ stats.ips.drop_reason.stream_midstream: 1
diff --git a/tests/firewall/ruletype-firewall-40-pre-stream-wscale/firewall.rules b/tests/firewall/ruletype-firewall-40-pre-stream-wscale/firewall.rules
new file mode 100644
index 000000000..e1e077155
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-40-pre-stream-wscale/firewall.rules
@@ -0,0 +1,2 @@
+accept:packet tcp:all any any <> any 443 (sid:1;)
+drop:packet tcp:pre_stream any any -> any 443 (flow:to_server; tcp.wscale:>5; alert; sid:2;)
diff --git a/tests/firewall/ruletype-firewall-40-pre-stream-wscale/suricata.yaml b/tests/firewall/ruletype-firewall-40-pre-stream-wscale/suricata.yaml
new file mode 100644
index 000000000..21b31afba
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-40-pre-stream-wscale/suricata.yaml
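Review bot: The flow check asserts `tcp.tcp_flags: "00"` and `flow.state: new` on a flow that also has `flow.alerted: true`, which reads as a contradiction without context: the SYN that alerted is the only client packet, yet the flow record shows no TCP flags at all. If that is the intended consequence of dropping at the pre_stream hook (the packet never reaches the stream engine, so the flow's flag bitmask is never updated), a comment above that filter stops the next person from "fixing" the expectation: `# SYN dropped at pre_stream never reaches the stream engine, so the flow logs no tcp flags even though it alerted`. I am inferring the cause from the expected stats counters, not from engine code, so verify the wording against the actual behaviour before committing it.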
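Review bot: `tcp.wscale:>5` on the sid 2 pre_stream rule is only meaningful on packets that carry the window-scale option, i.e. SYN and SYN/ACK, and it is `flow:to_server` alone that narrows the match to the client SYN; nothing in the file says so. Suggest `# wscale option is only present on SYN/SYN-ACK; flow:to_server limits this to the client SYN` above sid 2. Since the expected counters in the sibling test.yaml are identical to the tcp.flags:S variant, also noting that the pcap's client SYN is assumed to advertise a window scale above 5 would document what this test actually depends on.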
@@ -0,0 +1,65 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
diff --git a/tests/firewall/ruletype-firewall-40-pre-stream-wscale/test.yaml b/tests/firewall/ruletype-firewall-40-pre-stream-wscale/test.yaml
new file mode 100644
index 000000000..51293fc1a
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-40-pre-stream-wscale/test.yaml
@@ -0,0 +1,45 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ verdict.action: drop
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 13
+ match:
+ event_type: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: new
+ tcp.tcp_flags: "00"
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 0
+ stats.ips.blocked: 13
+ stats.ips.drop_reason.pre_stream_hook: 1
+ stats.ips.drop_reason.default_packet_policy: 0
+ stats.ips.drop_reason.flow_drop: 11
+ stats.ips.drop_reason.stream_midstream: 1
diff --git a/tests/firewall/ruletype-firewall-41-pre-flow/firewall.rules b/tests/firewall/ruletype-firewall-41-pre-flow/firewall.rules
new file mode 100644
index 000000000..ad56b24c9
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-41-pre-flow/firewall.rules
@@ -0,0 +1,2 @@
+accept:packet tcp:all any any <> any 443 (sid:1;)
+drop:packet tcp:pre_flow any any <> any 443 (alert; sid:2;)
diff --git a/tests/firewall/ruletype-firewall-41-pre-flow/suricata.yaml b/tests/firewall/ruletype-firewall-41-pre-flow/suricata.yaml
new file mode 100644
index 000000000..21b31afba
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-41-pre-flow/suricata.yaml
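Review bot: sid 2 at the pre_flow hook drops every port 443 packet in either direction before any flow lookup, so the bidirectional accept on sid 1 never gets a chance to run, and the file should say that this is deliberate; an operator reading it would otherwise expect the accept to win for at least one direction. Suggest `# pre_flow runs before flow lookup: every 443 packet is dropped here and sid 1 is never evaluated` above sid 2. The sibling test.yaml expects no flow event at all, which, if confirmed by the engine, is the property that makes pre_flow drops attractive for flood filtering (nothing is allocated for a dropped packet) and is worth a second comment line.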
@@ -0,0 +1,65 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
diff --git a/tests/firewall/ruletype-firewall-41-pre-flow/test.yaml b/tests/firewall/ruletype-firewall-41-pre-flow/test.yaml
new file mode 100644
index 000000000..b259d0944
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-41-pre-flow/test.yaml
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 13
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ verdict.action: drop
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 13
+ match:
+ event_type: drop
+ alert.signature_id: 2
+ verdict.action: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
+- filter:
+ count: 0
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 0
+ stats.ips.blocked: 13
+ stats.ips.drop_reason.pre_flow_hook: 13
+ stats.ips.drop_reason.default_packet_policy: 0
diff --git a/tests/firewall/ruletype-firewall-42-pre-flow-notrack/firewall.rules b/tests/firewall/ruletype-firewall-42-pre-flow-notrack/firewall.rules
new file mode 100644
index 000000000..396792943
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-42-pre-flow-notrack/firewall.rules
@@ -0,0 +1,2 @@
+accept:packet tcp:all any any <> any 443 (sid:1;)
+config:packet ip:pre_flow any any <> any 443 (config: tracking disable, type flow, scope packet; sid:2;)
diff --git a/tests/firewall/ruletype-firewall-42-pre-flow-notrack/suricata.yaml b/tests/firewall/ruletype-firewall-42-pre-flow-notrack/suricata.yaml
new file mode 100644
index 000000000..21b31afba
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-42-pre-flow-notrack/suricata.yaml
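Review bot: The `event_type: flow` count of 0 is the most security-relevant assertion in this file, since it shows a pre_flow drop leaves no flow record behind, yet it is the one check with no surrounding explanation. Suggest `# pre_flow drop happens before flow lookup: no flow is ever created, so no flow event is logged` above that filter, hedged until the engine behaviour is confirmed rather than inferred from the counters. The drop filter above it matches `alert.signature_id: 2` inside a drop record, which only works because the sibling suricata.yaml sets `drop.alerts: yes`; a one-line comment pointing at that setting keeps the test self-explaining when the config is next trimmed.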
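Review bot: The `config: tracking disable` rule on sid 2 neither accepts nor drops; it removes the port 443 packets from flow tracking, and per the sibling test.yaml that leaves all 13 packets accepted with sid 1 never evaluated and `default_packet_policy: 0`, i.e. untracked packets bypass the packet-hook rules instead of falling through to the default policy. That is a footgun if this file is ever copied as an example, so it deserves a comment: `# disabling flow tracking at pre_flow bypasses the flow/packet hook rules: sid 1 never runs and the packets are passed without hitting the default packet policy`. I am reading the bypass from the expected counters rather than from engine code, so confirm the wording before committing it.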
@@ -0,0 +1,65 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert:
+ verdict: true
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ verdict: true
diff --git a/tests/firewall/ruletype-firewall-42-pre-flow-notrack/test.yaml b/tests/firewall/ruletype-firewall-42-pre-flow-notrack/test.yaml
new file mode 100644
index 000000000..8fa8d9c0e
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-42-pre-flow-notrack/test.yaml
@@ -0,0 +1,38 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
+- filter:
+ count: 0
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 13
+ stats.ips.blocked: 0
+ stats.ips.drop_reason.pre_flow_hook: 0
+ stats.ips.drop_reason.default_packet_policy: 0
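Review bot: The second filter (`event_type: alert` with `alert.signature_id: 1`, count 0) is subsumed by the first, which already asserts zero alerts of any kind, so it adds no coverage and should be dropped or given a reason to exist, for instance a comment `# config rules never alert and sid 1 is never reached once tracking is disabled` if the intent is to document why sid 1 is silent. With every event count at 0, the only evidence the pcap was processed at all is `stats.ips.accepted: 13`, so a short comment above the stats filter saying `# no flow is created, so only the packet counters can show the pcap was actually processed` makes that dependency explicit. Whether untracked packets are counted as accepted rather than hitting the default packet policy is something I am reading off the expected counters, not engine code; confirm before wording a comment as fact.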