From: Juliana Fajardini
Date: Wed, 19 Apr 2023 18:25:25 +0000 (-0300)
Subject: tests: add exception policy tests for midstream ids
X-Git-Tag: suricata-6.0.13~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c31ca5528ffe35a173495a299329f12c9fc3f5d6;p=thirdparty%2Fsuricata-verify.git
tests: add exception policy tests for midstream ids
Related to Bug #5825
---
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/README.md
new file mode 100644
index 000000000..e5b9ef229
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``bypass``. This test is for IDS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/test.rules
new file mode 100644
index 000000000..4f5ef27c4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/test.yaml
new file mode 100644
index 000000000..b04b4b0b0
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-bypass/test.yaml
@@ -0,0 +1,23 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/README.md
new file mode 100644
index 000000000..ee05dc57e
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``drop-flow``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-flow`` isn't a valid
+exception policy value for the midstream exception policy.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/suricata.yaml
new file mode 100644
index 000000000..4a2487ef6
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/suricata.yaml
@@ -0,0 +1,38 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/test.yaml
new file mode 100644
index 000000000..adf2cc2dd
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-flow/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/README.md
new file mode 100644
index 000000000..0b3064bce
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``drop-packet``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-packet`` isn't a valid
+exception policy value for the midstream exception policy.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/suricata.yaml
new file mode 100644
index 000000000..4a2487ef6
--- /dev/null
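Review bot: The `checks` block of the drop-flow test.yaml only requires one `engine` event at `log_level: Error` in suricata.json, so together with `exit-code: 1` it is satisfied by any startup failure, not specifically by the rejected `stream.midstream-policy=drop-flow` value; a wrong `pcap` path or a rules-loading error would make the test pass as well. The same check shape is used by the drop-packet, pass-packet, enabled-bypass, enabled-drop-flow, enabled-drop-packet, enabled-pass-packet and enabled-reject test.yaml files in this commit. If the harness can match on the engine event's message text, pin the filter to the policy-validation message Suricata emits; otherwise a one-line remark in each README that the test only asserts that startup failed would document the limitation.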
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/suricata.yaml
@@ -0,0 +1,38 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/test.yaml
new file mode 100644
index 000000000..9d6f2a791
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-drop-packet/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=drop-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/README.md
new file mode 100644
index 000000000..7d095f1df
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``ignore``. This test is for IDS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/test.rules
new file mode 100644
index 000000000..3b7d12406
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/test.yaml
new file mode 100644
index 000000000..9a2ca1b92
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-ignore/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=ignore
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/README.md
new file mode 100644
index 000000000..2f4b00371
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``pass-flow``. This test is for IDS mode.
+
+# Behavior
+
+We expect to see no alerts nor ``http`` events logged, as the flow won't be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/suricata.yaml
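Review bot: The `checks` in the disabled-ignore test.yaml are purely negative (`count: 0` for `event_type: alert` and `event_type: http`), so the test also passes when Suricata processed nothing at all, for example if `../../exception-policy-midstream-03/input.pcap` were missing or empty. The sibling bypass and pass-flow tests add a positive `count: 1` filter on `event_type: flow`; adding the same here would confirm the flow was actually seen and only left uninspected by the `ignore` policy, assuming a flow record is still emitted under `ignore` as it is under `bypass`.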
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/test.rules
new file mode 100644
index 000000000..4f5ef27c4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/test.yaml
new file mode 100644
index 000000000..1612ed04f
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-flow/test.yaml
@@ -0,0 +1,23 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/README.md
new file mode 100644
index 000000000..5787fb557
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions disabled. In this test the exception policy
+for midstream sessions is set to ``pass-packet``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``pass-packet`` isn't a valid
+exception policy value for the midstream exception policy.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/suricata.yaml
new file mode 100644
index 000000000..4a2487ef6
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/suricata.yaml
@@ -0,0 +1,38 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/test.yaml
new file mode 100644
index 000000000..c4b553551
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-disabled-pass-packet/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=false
+- --set stream.midstream-policy=pass-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/README.md
new file mode 100644
index 000000000..d529c4fd5
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``bypass``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``bypass`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/suricata.yaml
new file mode 100644
index 000000000..647cd05bf
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/suricata.yaml
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/test.yaml
new file mode 100644
index 000000000..f50b4003d
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-bypass/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=true
+- --set stream.midstream-policy=bypass
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
</gr_insert_placeholder_never_emitted>
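Review bot: The eve-log `types` list in the enabled-bypass suricata.yaml ends with `- stats` listed twice; the same duplicate is in the enabled-reject suricata.yaml in the last hunk of this commit (both carry blob index 647cd05bf). Whether Suricata registers the stats logger twice or merely warns is not visible here, but either way it is noise in a test whose only assertion is "exactly one Error-level engine event", where an unrelated config complaint could mask or collide with the policy-validation error the test is meant to catch. Remove the second `- stats` line so the config matches the other suricata.yaml files in the series.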
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/README.md
new file mode 100644
index 000000000..a8ee89490
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``drop-flow``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-flow`` isn't a valid
+exception policy value.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/suricata.yaml
new file mode 100644
index 000000000..e9c4ad590
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/suricata.yaml
@@ -0,0 +1,38 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+
+logging:
+ default-log-level: Config
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
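Review bot: `default-log-level: Config` in the logging section of the enabled-drop-flow suricata.yaml is inconsistent with every other config in this commit, which uses `notice`, and with this file's own file output `level: notice`; the enabled-drop-packet suricata.yaml in the next file section has the same value (both carry blob index e9c4ad590). It reads like a leftover from local debugging, since the test only asserts an Error-level engine event and a more verbose default level does not change that. If `notice` is meant, align it with the others: `default-log-level: notice`; if the more verbose level is intentional, it would be worth a short comment saying why, and the lowercase spelling used elsewhere would keep the style consistent, assuming the level name is parsed case-insensitively, which I have not verified here.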
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/test.yaml
new file mode 100644
index 000000000..4ab9a2726
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-flow/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=true
+- --set stream.midstream-policy=drop-flow
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/README.md
new file mode 100644
index 000000000..a1cb018e6
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``drop-packet``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``drop-packet`` isn't a valid
+exception policy value.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/suricata.yaml
new file mode 100644
index 000000000..e9c4ad590
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/suricata.yaml
@@ -0,0 +1,38 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+
+logging:
+ default-log-level: Config
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/test.yaml
new file mode 100644
index 000000000..670960a48
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-drop-packet/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=true
+- --set stream.midstream-policy=drop-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/README.md
new file mode 100644
index 000000000..1fc93e140
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``ignore``. This test is for IDS mode.
+
+# Behavior
+
+We expect to see alerts and ``http`` events logged, as the flow will
+be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/test.yaml
new file mode 100644
index 000000000..4b4873515
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-ignore/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --set stream.midstream-policy=ignore
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/README.md
new file mode 100644
index 000000000..1da1a6716
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``pass-flow``. This test is for IDS mode.
+
+# Behavior
+
+We expect to see no alerts, since detection won't run due to ``pass-flow``, but
+to see ``http`` events logged, as the flow will be inspected.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/suricata.yaml
new file mode 100644
index 000000000..66af8ebe3
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/test.rules b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/test.rules
new file mode 100644
index 000000000..4f5ef27c4
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
+alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;)
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/test.yaml
new file mode 100644
index 000000000..8eb1790aa
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-flow/test.yaml
@@ -0,0 +1,23 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/README.md
new file mode 100644
index 000000000..d44dcf04b
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test, the exception policy
+for midstream sessions is set to ``pass-packet``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``pass-packet`` isn't a valid
+exception policy value for the midstream exception policy.
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/suricata.yaml
new file mode 100644
index 000000000..4a2487ef6
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/suricata.yaml
@@ -0,0 +1,38 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/test.yaml
new file mode 100644
index 000000000..81d2df9f0
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-pass-packet/test.yaml
@@ -0,0 +1,18 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-packet
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/README.md b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/README.md
new file mode 100644
index 000000000..b117570af
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/README.md
@@ -0,0 +1,16 @@
+# Test
+
+Check that the midstream exception policy is properly applied in case Suricata
+has stream midstream pick-up sessions enabled. In this test the exception policy
+for midstream sessions is set to ``reject``. This test is for IDS mode.
+
+# Behavior
+
+We expect Suri to error out without starting as ``reject`` isn't a valid
+exception policy value when midstream picku-up sessions are enabled.
+
+
+# Pcap
+
+Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/suricata.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/suricata.yaml
new file mode 100644
index 000000000..647cd05bf
--- /dev/null
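Review bot: The check in the pass-packet test.yaml only asserts that exactly one Error-level `engine` event reached suricata.json, so any start-up failure — a mistyped `--set` key, a missing pcap, a broken suricata.yaml — satisfies it just as well as the rejection of `pass-packet` for `stream.midstream-policy` that the README says is under test. Pinning the message narrows that to the intended failure: under `match:` add `engine.message: <REJECTION_MESSAGE_FROM_A_REAL_RUN>` (placeholder; copy the string Suricata 7 actually logs, and confirm the field path against the JSON log layout of the version the test targets). The reject test.yaml later in this series has the identical check and would take the same match with its own message.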
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/suricata.yaml
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+ - stats
+ - stats
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: notice
+ filename: suricata.json
+ type: json
diff --git a/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/test.yaml b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/test.yaml
new file mode 100644
index 000000000..5135d8238
--- /dev/null
+++ b/tests/bug-5825-midstream-exception-policy/exception-policy-ids-midstream-enabled-reject/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../exception-policy-midstream-03/input.pcap
+
+requires:
+ min-version: 7
+
+exit-code: 1
+
+args:
+- --set stream.midstream=true
+- --set stream.midstream-policy=reject
+
+
+checks:
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ log_level: Error
+
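Review bot: `- stats` is listed twice in the eve-log `types` of the reject suricata.yaml; the hunk is 39 lines where the otherwise identical pass-packet copy is 38, and the extra entry is the whole difference. A duplicated output type is at best redundant and, depending on how the eve loader handles repeated entries, may register the stats logger twice or emit an extra engine message at start-up, which is noise in a test whose only assertion is a count of Error-level engine events. Drop the second `+ - stats` line so this config matches the other tests in the series.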
