From: Victor Julien Date: Fri, 4 Feb 2022 15:05:26 +0000 (+0100) Subject: tests: tests for iponly issue 5066 X-Git-Tag: suricata-5.0.10~51 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e356ec881654f5f17982ca657eb592983509c36f;p=thirdparty%2Fsuricata-verify.git tests: tests for iponly issue 5066
---
diff --git a/tests/bug-5066-iponly-cidr-ordering-01/suricata.yaml b/tests/bug-5066-iponly-cidr-ordering-01/suricata.yaml
new file mode 100644
index 000000000..d07252b6d
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-01/suricata.yaml
@@ -0,0 +1,22 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: no # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ - flow
+
+action-order:
+- pass
+- drop
+- reject
+- alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-01/test-limit.pcap b/tests/bug-5066-iponly-cidr-ordering-01/test-limit.pcap
new file mode 100644
index 000000000..60fa36e76
Binary files /dev/null and b/tests/bug-5066-iponly-cidr-ordering-01/test-limit.pcap differ
diff --git a/tests/bug-5066-iponly-cidr-ordering-01/test.rules b/tests/bug-5066-iponly-cidr-ordering-01/test.rules
new file mode 100644
index 000000000..e4058934e
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-01/test.rules
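Review bot: This suricata.yaml is the odd one out of the five: its `action-order` list is written flush (`- pass`) while the `outputs` sequences are indented, and the copies in 02, 03, 04 and 05 (all index f2f2a29e1) indent `action-order` and carry a fuller eve-log alert stanza (`payload`, `packet`, `http-body`). Since the five cases appear to differ only in rule ordering, making 01's config byte-identical to the others would ensure a failure in one case cannot be traced to a config difference rather than to the ordering under test. Either trim 02-05 down to this minimal config or copy theirs here, and use one sequence-indentation style within the file. The `yes`/`no` booleans are Suricata's own YAML 1.1 convention and are fine as they are.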
@@ -0,0 +1,3 @@
+pass tcp [100.117.241.128/27,100.117.241.0/26,100.117.241.64/26] any -> 100.64.4.0/23 443 (msg:"Will allow connect to shared endpoints"; sid:221001; rev:1;)
+pass IP [100.117.241.0/25,100.117.241.128/27] any -> [10.68.242.211,10.68.242.242] [4433,8143] (msg:"c5b0ff9d-defb-4f60-a02e-64974161076d"; ip_proto:6; sid:2410020; rev:1;)
+drop tcp [100.117.241.0/26,100.117.241.128/27,100.117.241.64/26] any -> any any (msg:"Will drop established tcp-flow ACK from client to server if it turns out to be non HTTP/TLS or not in the allowed Domains or not allowed by some other TCP rule."; flow: from_client, established; sid:261000; rev:1;)
diff --git a/tests/bug-5066-iponly-cidr-ordering-01/test.yaml b/tests/bug-5066-iponly-cidr-ordering-01/test.yaml
new file mode 100644
index 000000000..10ee7458f
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-01/test.yaml
@@ -0,0 +1,11 @@
+requirements:
+ min-version: 5
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-02/suricata.yaml b/tests/bug-5066-iponly-cidr-ordering-02/suricata.yaml
new file mode 100644
index 000000000..f2f2a29e1
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-02/suricata.yaml
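Review bot: test.rules carries no comment saying which address-list ordering this case exercises, so a reader has to diff the five rules files against each other to find the variable that changes between cases. A header line such as `# bug 5066 case 01: sid 221001 source order .128/27,.0/26,.64/26; sid 2410020 source order .0/25,.128/27; pass rules must win over drop sid 261000, expect no alert` (Suricata accepts `#` comments in rules files, as case 02's file already relies on) would make each case self-describing. The same applies to the rules files in 02, 03, 04 and 05, each with its own ordering spelled out.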
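Review bot: The only check in test.yaml is `count: 0` on `event_type: alert`, which is satisfied equally by a correct pass-before-drop evaluation and by no rule matching at all (for instance if the pcap stopped carrying the expected flows, or if the drop rule's `flow` conditions ever stopped matching), so the test cannot tell a fix from a no-op. The config enables the `flow` eve output, so a positive filter pinning the number of flow records test-limit.pcap produces would confirm the traffic was actually inspected. The same applies to the test.yaml in 02, 03, 04 and 05, which are identical (index 10ee7458f). Minor: `args` uses a flush list while `checks` indents its items; pick one style for the file.

```yaml
checks:
  - filter:
      count: 0
      match:
        event_type: alert
  - filter:
      count: FLOWS_IN_PCAP  # placeholder: number of flow records test-limit.pcap yields
      match:
        event_type: flow
```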
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ payload: no # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: no # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ http-body: no # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - tls:
+ extended: no # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-02/test-limit.pcap b/tests/bug-5066-iponly-cidr-ordering-02/test-limit.pcap
new file mode 100644
index 000000000..60fa36e76
Binary files /dev/null and b/tests/bug-5066-iponly-cidr-ordering-02/test-limit.pcap differ
diff --git a/tests/bug-5066-iponly-cidr-ordering-02/test.rules b/tests/bug-5066-iponly-cidr-ordering-02/test.rules
new file mode 100644
index 000000000..f11e43388
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-02/test.rules
@@ -0,0 +1,4 @@
+pass tcp [100.117.241.128/27,100.117.241.64/26,100.117.241.0/26] any -> 100.64.4.0/23 443 (msg:"Will allow connect to shared endpoints"; sid:221001; rev:1;)
+#pass tcp [100.117.241.128/27,100.117.241.0/26,100.117.241.64/26] any -> 100.64.4.0/23 443 (msg:"Will allow connect to shared endpoints"; sid:221001; rev:1;)
+pass IP [100.117.241.0/25,100.117.241.128/27] any -> [10.68.242.211,10.68.242.242] [4433,8143] (msg:"c5b0ff9d-defb-4f60-a02e-64974161076d"; ip_proto:6; sid:2410020; rev:1;)
+drop tcp [100.117.241.0/26,100.117.241.128/27,100.117.241.64/26] any -> any any (msg:"Will drop established tcp-flow ACK from client to server if it turns out to be non HTTP/TLS or not in the allowed Domains or not allowed by some other TCP rule."; flow: from_client, established; sid:261000; rev:1;)
diff --git a/tests/bug-5066-iponly-cidr-ordering-02/test.yaml b/tests/bug-5066-iponly-cidr-ordering-02/test.yaml
new file mode 100644
index 000000000..10ee7458f
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-02/test.yaml
@@ -0,0 +1,11 @@
+requirements:
+ min-version: 5
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-03/suricata.yaml b/tests/bug-5066-iponly-cidr-ordering-03/suricata.yaml
new file mode 100644
index 000000000..f2f2a29e1
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-03/suricata.yaml
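Review bot: The second line of test.rules is a commented-out copy of sid 221001 with the source order case 01 uses; as a leftover it leaves a reader unsure whether it is meant to be toggled, while keeping it changes nothing about what this case runs. Replace it with a comment stating the intent, e.g. `# case 02: same rules as 01, sid 221001 source list reordered to .128/27,.64/26,.0/26`, or drop it. In case 05's rules the `#pass IP` line is instead the variable under test (sid 2410020 is withheld), which deserves a comment saying so rather than a bare commented rule.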
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ payload: no # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: no # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ http-body: no # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - tls:
+ extended: no # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-03/test-limit.pcap b/tests/bug-5066-iponly-cidr-ordering-03/test-limit.pcap
new file mode 100644
index 000000000..60fa36e76
Binary files /dev/null and b/tests/bug-5066-iponly-cidr-ordering-03/test-limit.pcap differ
diff --git a/tests/bug-5066-iponly-cidr-ordering-03/test.rules b/tests/bug-5066-iponly-cidr-ordering-03/test.rules
new file mode 100644
index 000000000..bb678da82
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-03/test.rules
@@ -0,0 +1,3 @@
+pass tcp [100.117.241.128/27,100.117.241.0/26,100.117.241.64/26] any -> 100.64.4.0/23 443 (msg:"Will allow connect to shared endpoints"; sid:221001; rev:1;)
+pass IP [100.117.241.128/27,100.117.241.0/25] any -> [10.68.242.211,10.68.242.242] [4433,8143] (msg:"c5b0ff9d-defb-4f60-a02e-64974161076d"; ip_proto:6; sid:2410020; rev:1;)
+drop tcp [100.117.241.0/26,100.117.241.128/27,100.117.241.64/26] any -> any any (msg:"Will drop established tcp-flow ACK from client to server if it turns out to be non HTTP/TLS or not in the allowed Domains or not allowed by some other TCP rule."; flow: from_client, established; sid:261000; rev:1;)
diff --git a/tests/bug-5066-iponly-cidr-ordering-03/test.yaml b/tests/bug-5066-iponly-cidr-ordering-03/test.yaml
new file mode 100644
index 000000000..10ee7458f
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-03/test.yaml
@@ -0,0 +1,11 @@
+requirements:
+ min-version: 5
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-04/suricata.yaml b/tests/bug-5066-iponly-cidr-ordering-04/suricata.yaml
new file mode 100644
index 000000000..f2f2a29e1
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-04/suricata.yaml
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ payload: no # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: no # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ http-body: no # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - tls:
+ extended: no # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-04/test-limit.pcap b/tests/bug-5066-iponly-cidr-ordering-04/test-limit.pcap
new file mode 100644
index 000000000..60fa36e76
Binary files /dev/null and b/tests/bug-5066-iponly-cidr-ordering-04/test-limit.pcap differ
diff --git a/tests/bug-5066-iponly-cidr-ordering-04/test.rules b/tests/bug-5066-iponly-cidr-ordering-04/test.rules
new file mode 100644
index 000000000..0567358e5
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-04/test.rules
@@ -0,0 +1,3 @@
+pass tcp [100.117.241.128/27,100.117.241.64/26,100.117.241.0/26] any -> 100.64.4.0/23 443 (msg:"Will allow connect to shared endpoints"; sid:221001; rev:1;)
+pass IP [100.117.241.128/27,100.117.241.0/25] any -> [10.68.242.211,10.68.242.242] [4433,8143] (msg:"c5b0ff9d-defb-4f60-a02e-64974161076d"; ip_proto:6; sid:2410020; rev:1;)
+drop tcp [100.117.241.0/26,100.117.241.128/27,100.117.241.64/26] any -> any any (msg:"Will drop established tcp-flow ACK from client to server if it turns out to be non HTTP/TLS or not in the allowed Domains or not allowed by some other TCP rule."; flow: from_client, established; sid:261000; rev:1;)
diff --git a/tests/bug-5066-iponly-cidr-ordering-04/test.yaml b/tests/bug-5066-iponly-cidr-ordering-04/test.yaml
new file mode 100644
index 000000000..10ee7458f
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-04/test.yaml
@@ -0,0 +1,11 @@
+requirements:
+ min-version: 5
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-05/suricata.yaml b/tests/bug-5066-iponly-cidr-ordering-05/suricata.yaml
new file mode 100644
index 000000000..f2f2a29e1
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-05/suricata.yaml
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ payload: no # enable dumping payload in Base64
+ # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
+ # payload-printable: yes # enable dumping payload in printable (lossy) format
+ packet: no # enable dumping of packet (without stream segments)
+ # metadata: no # enable inclusion of app layer metadata with alert. Default yes
+ http-body: no # Requires metadata; enable dumping of HTTP body in Base64
+ # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format
+
+ # Enable the logging of tagged packets for rules using the
+ # "tag" keyword.
+ tagged-packets: yes
+ - tls:
+ extended: no # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: start # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/bug-5066-iponly-cidr-ordering-05/test-limit.pcap b/tests/bug-5066-iponly-cidr-ordering-05/test-limit.pcap
new file mode 100644
index 000000000..60fa36e76
Binary files /dev/null and b/tests/bug-5066-iponly-cidr-ordering-05/test-limit.pcap differ
diff --git a/tests/bug-5066-iponly-cidr-ordering-05/test.rules b/tests/bug-5066-iponly-cidr-ordering-05/test.rules
new file mode 100644
index 000000000..0907946c7
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-05/test.rules
@@ -0,0 +1,3 @@
+pass tcp [100.117.241.128/27,100.117.241.0/26,100.117.241.64/26] any -> 100.64.4.0/23 443 (msg:"Will allow connect to shared endpoints"; sid:221001; rev:1;)
+#pass IP [100.117.241.0/25,100.117.241.128/27] any -> [10.68.242.211,10.68.242.242] [4433,8143] (msg:"c5b0ff9d-defb-4f60-a02e-64974161076d"; ip_proto:6; sid:2410020; rev:1;)
+drop tcp [100.117.241.0/26,100.117.241.128/27,100.117.241.64/26] any -> any any (msg:"Will drop established tcp-flow ACK from client to server if it turns out to be non HTTP/TLS or not in the allowed Domains or not allowed by some other TCP rule."; flow: from_client, established; sid:261000; rev:1;)
diff --git a/tests/bug-5066-iponly-cidr-ordering-05/test.yaml b/tests/bug-5066-iponly-cidr-ordering-05/test.yaml
new file mode 100644
index 000000000..10ee7458f
--- /dev/null
+++ b/tests/bug-5066-iponly-cidr-ordering-05/test.yaml
@@ -0,0 +1,11 @@
+requirements:
+ min-version: 5
+
+args:
+- -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert