From: Jason Ish Date: Mon, 9 May 2022 15:37:32 +0000 (-0600) Subject: ips-state: test flow pass for ip-only rule with negation X-Git-Tag: suricata-5.0.10~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e28f67ea6f2a4b17643b176486975b71468fb2fc;p=thirdparty%2Fsuricata-verify.git ips-state: test flow pass for ip-only rule with negation Ticket: #5361 --- diff --git a/tests/ips-state-1/README.md b/tests/ips-state-1/README.md new file mode 100644 index 000000000..61eb27126 --- /dev/null +++ b/tests/ips-state-1/README.md @@ -0,0 +1,13 @@ +## PCAP + +This PCAP contains 3 flows. 2 are http and one is TLS. The HTTP flows should +be full passed with no alerts, while the TLS flow should be dropped. + +## Current Observations + +- HTTP response packets are being logged as dropped, however the transaction is + logged suggesting the drop is only in logging only, but not actually + occurring. + +- All the TLS packets apear to be getting dropped, but `flow.action` is never + set to true. diff --git a/tests/ips-state-1/input.pcap b/tests/ips-state-1/input.pcap new file mode 100644 index 000000000..90f36100b Binary files /dev/null and b/tests/ips-state-1/input.pcap differ diff --git a/tests/ips-state-1/test.rules b/tests/ips-state-1/test.rules new file mode 100644 index 000000000..1812fb124 --- /dev/null +++ b/tests/ips-state-1/test.rules @@ -0,0 +1,2 @@ +pass tcp $HOME_NET any -> $EXTERNAL_NET 80 (sid:1;) +drop ip any any -> any any (msg:"DROP ALL"; flow:stateless; sid:2;) diff --git a/tests/ips-state-1/test.yaml b/tests/ips-state-1/test.yaml new file mode 100644 index 000000000..7dce2b00e --- /dev/null +++ b/tests/ips-state-1/test.yaml 
@@ -0,0 +1,45 @@ +requires: + min-version: 6 + +args: +- -k none --simulate-ips + +checks: +- filter: + # We should see 2 http transactions as the pass rule should allow http + # flows. + # + # This fails. + count: 2 + match: + event_type: http + +- filter: + # There should be no alerts for http. + count: 0 + match: + event_type: alert + app_proto: http + +- filter: + # There should be 2 http flow events without alerts. + count: 2 + match: + event_type: flow + app_proto: http + flow.alerted: false + +- filter: + # We should see NO drops (or alerts) for http + count: 0 + match: + event_type: alert + app_proto: http + +- filter: + # There should be one tls flow that is alerted + count: 1 + match: + event_type: flow + dest_port: 443 + flow.alerted: true
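Review bot: the fourth check in tests/ips-state-1/test.yaml is a verbatim duplicate of the second (both expect `count: 0` for `event_type: alert` with `app_proto: http`), yet its comment says it checks for "NO drops (or alerts) for http", so the drop half of that comment is never tested. Either match `event_type: drop` with `app_proto: http` in that check, which would also exercise the README's observation that HTTP responses were being logged as dropped, or delete the duplicate. Along the same lines, the README notes that `flow.action` is never set for the TLS flow, but the last check only asserts `flow.alerted: true` on the `dest_port: 443` flow; a check on the TLS drop events would tie the test to the ticket more directly. The `# This fails.` comment on the first check should be dropped or rewritten to reference ticket #5361, since a committed check is expected to pass. Finally, `min-version: 6` skips this test on 5.0.x, which looks inconsistent with the commit landing at `suricata-5.0.10~1`; if the fix is backported to 5.0.10, the requirement should allow it.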
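Review bot: in the tests/ips-state-1/test.rules hunk neither rule contains an explicit negation even though the subject says "ip-only rule with negation". If the negation is meant to come from `$EXTERNAL_NET` being defined as the complement of `$HOME_NET` in the test's suricata.yaml, the test silently depends on that variable definition; state it in the README or write the negation into the pass rule's destination address so the test is self-describing. It would also help to say in the README that sid 1 is intended to match as IP-only (no payload or flow keywords), since that is the code path the ticket is about.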
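Review bot: the "Current Observations" section in tests/ips-state-1/README.md describes the buggy behaviour rather than the expected behaviour and does not mention ticket #5361, so once the fix lands a reader will not know whether those observations are still supposed to hold; add the ticket reference and mark the section as the pre-fix state. Two wording fixes in the same hunk: "apear" should be "appear", and "the drop is only in logging only" should read "the drop is happening only in logging".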