From: Juliana Fajardini Date: Fri, 2 Jun 2023 00:42:21 +0000 (-0300) Subject: test: add test for bug 6109 X-Git-Tag: suricata-6.0.13~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d68157862c049c3d71c15cb7667159d3bb7c7c92;p=thirdparty%2Fsuricata-verify.git test: add test for bug 6109 In IDS mode, with midstream disabled, it seems that the exception policy 'reject' is applying actions that should only be taken in IPS mode. This leads to the flow being dropped (or logged as such?) in IDS mode. This test showcases this. Bug #6109 --- diff --git a/tests/bug-6109-reject-policy-ids/README.md b/tests/bug-6109-reject-policy-ids/README.md new file mode 100644 index 000000000..69cd44108 --- /dev/null +++ b/tests/bug-6109-reject-policy-ids/README.md @@ -0,0 +1,20 @@ +# Test + +Check that the midstream exception policy is properly applied in case Suricata +has stream midstream pick-up sessions disabled. In this test the exception policy +for midstream sessions is set to ``reject``. This test is for IDS mode. + +# Behavior + +We expect to see no alerts nor ``http`` events logged, as the session won't be +tracked. The flow should be rejected, but not dropped, as in IDS mode there's no +drop. + +# Pcap + +Pcap comes from the test ``exception-policy-midstream-03`` and is the result of a +curl to www.testmyids.com. + +# Note + +This test triggers Bug 6109 - exception/policy: reject changes flow action in IDS mode diff --git a/tests/bug-6109-reject-policy-ids/suricata.yaml b/tests/bug-6109-reject-policy-ids/suricata.yaml new file mode 100644 index 000000000..66af8ebe3 --- /dev/null +++ b/tests/bug-6109-reject-policy-ids/suricata.yaml 
@@ -0,0 +1,29 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + payload: yes + payload-buffer-size: 4kb + payload-printable: yes + packet: yes + http: yes + tls: yes + ssh: yes + smtp: yes + xff: + enabled: yes + mode: extra-data + deployment: reverse + header: X-Forwarded-For + - flow + - http + - drop: + alerts: yes + flows: all + - stats diff --git a/tests/bug-6109-reject-policy-ids/test.rules b/tests/bug-6109-reject-policy-ids/test.rules new file mode 100644 index 000000000..3b7d12406 --- /dev/null +++ b/tests/bug-6109-reject-policy-ids/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;) diff --git a/tests/bug-6109-reject-policy-ids/test.yaml b/tests/bug-6109-reject-policy-ids/test.yaml new file mode 100644 index 000000000..52f392e5b --- /dev/null +++ b/tests/bug-6109-reject-policy-ids/test.yaml @@ -0,0 +1,20 @@ +pcap: ../exception-policy-midstream-03/input.pcap + +args: +- --set stream.midstream=false +- --set stream.midstream-policy=reject + +checks: + - filter: + count: 0 + match: + event_type: alert + - filter: + count: 0 + match: + event_type: http + - filter: + count: 0 + match: + event_type: flow + flow.action: drop
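Review bot: in the README hunk, the Behavior section says the flow "should be rejected, but not dropped" without saying how that is observable in the output; since the checks key on the `flow.action` field of the flow event, state that here (e.g. "the flow event must not carry `flow.action: drop`") so a reader of the README knows what a failure looks like. Minor: the final line under "# Note" has no terminating full stop and runs the bug title straight after the dash, so consider "This test triggers Bug 6109 (exception/policy: reject changes flow action in IDS mode)."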
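Review bot: in the suricata.yaml hunk, the `alert` output enables `payload`, `packet`, `xff` extra-data and the `tls`/`ssh`/`smtp` metadata for a test whose checks expect zero alerts; none of those settings can influence the outcome, so the fixture would be easier to read trimmed to plain `- alert`, `- flow`, `- http` and `- drop`. The `drop` block with `alerts: yes` and `flows: all` is the part worth keeping, because a `drop` event is exactly what would show up if the reject policy wrongly applied IPS behaviour in IDS mode.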
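Review bot: in the test.rules hunk, `sid:001` is accepted but leading zeros are not conventional for signature ids and the value is stored as the integer 1 anyway, so `sid:1` makes the rule read like the rest of the suite and matches what appears in any logged `alert.signature_id`.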
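Review bot: in the test.yaml hunk, every check asserts `count: 0`, so the test also passes if the pcap path is wrong or Suricata produces no EVE output at all. Add a positive check, for example a `count: 1` filter on `event_type: flow` (the README describes the pcap as a single curl session), so that the absence of `flow.action: drop` is verified against a flow that was actually logged. Since `drop` logging is enabled in suricata.yaml, a `count: 0` filter on `event_type: drop` would also pin down the bug's symptom directly rather than only through the flow record.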