From: Juliana Fajardini Date: Mon, 10 Jul 2023 17:35:51 +0000 (-0300) Subject: exception/default: test for behavior in 6 and 7 X-Git-Tag: suricata-6.0.14~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eefba1cf9152a0ec5dc1d1a498b9dd61dcb915b5;p=thirdparty%2Fsuricata-verify.git exception/default: test for behavior in 6 and 7 --- diff --git a/tests/exception-policy-default-01/README.md b/tests/exception-policy-default-01/README.md new file mode 100644 index 000000000..26df61a51 --- /dev/null +++ b/tests/exception-policy-default-01/README.md @@ -0,0 +1,14 @@ +# Test + +Check the expected default behavior for Exception Policies in IPS, in Suricata +versions 6 and 7. + +# Behavior + +In 7, the auto behavior is to drop-packet and/or drop-flow in case of traffic +exceptions, in IPS mode. In 6, the default behavior is to 'ignore'. + +# Pcap + +Pcap is the result of a curl to www.testmyids.com, later extracted with +Wireshark to keep the ``http`` packets only. diff --git a/tests/exception-policy-default-01/suricata.yaml b/tests/exception-policy-default-01/suricata.yaml index a22e556bf..8e0bca080 100644 --- a/tests/exception-policy-default-01/suricata.yaml +++ b/tests/exception-policy-default-01/suricata.yaml @@ -19,4 +19,4 @@ action-order: - reject - alert -exception-policy: ignore + #exception-policy: ignore diff --git a/tests/exception-policy-default-01/test.yaml b/tests/exception-policy-default-01/test.yaml index ab14d2470..a84a6ac82 100644 --- a/tests/exception-policy-default-01/test.yaml +++ b/tests/exception-policy-default-01/test.yaml 
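Review bot: The new line in the default-01 suricata.yaml hunk leaves a commented-out `#exception-policy: ignore` without saying why the key was removed, so a later reader may take it for an accidental disable and re-enable it, which would silently turn this back into a fixed-policy test instead of a built-in-default test. A comment stating the intent would be clearer, e.g. `# exception-policy intentionally unset: this test checks the built-in default (ignore in 6; drop-packet/drop-flow in IPS mode in 7)`. The `- reject`/`- alert` entries above it are context only.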
@@ -7,17 +7,31 @@ pcap: ../tls/tls-ja3s/input.pcap args: - --simulate-ips - -k none + checks: - filter: count: 0 match: event_type: alert - filter: + lt-version: 7 count: 0 match: event_type: drop - filter: + min-version: 7 count: 1 + match: + event_type: drop + - filter: + lt-version: 7 + count: 1 + match: + event_type: tls + tls.sni: example.com + - filter: + min-version: 7 + count: 0 match: event_type: tls tls.sni: example.com diff --git a/tests/exception-policy-default-02/README.md b/tests/exception-policy-default-02/README.md new file mode 100644 index 000000000..696df9c90 --- /dev/null +++ b/tests/exception-policy-default-02/README.md @@ -0,0 +1,14 @@ +# Test + +Check the expected default behavior, in versions 6 and 7 of Suricata, for IDS +mode. + +# Behavior + +In both 6 and 7, the default behavior is to 'ignore' in case of traffic +exceptions, in IDS mode. + +# Pcap + +Pcap is the result of a curl to www.testmyids.com, later extracted with +Wireshark to keep the ``http`` packets only. diff --git a/tests/exception-policy-default-02/suricata.yaml b/tests/exception-policy-default-02/suricata.yaml new file mode 100644 index 000000000..bceace8ff --- /dev/null +++ b/tests/exception-policy-default-02/suricata.yaml @@ -0,0 +1,38 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + payload: yes + payload-buffer-size: 4kb + payload-printable: yes + packet: yes + http: yes + tls: yes + ssh: yes + smtp: yes + xff: + enabled: yes + mode: extra-data + deployment: reverse + header: X-Forwarded-For + - flow + - http + - drop: + alerts: yes + flows: all + - stats + +logging: + default-log-level: config + outputs: + - file: + enabled: yes + level: config + filename: suricata.json + type: json diff --git a/tests/exception-policy-default-02/test.rules b/tests/exception-policy-default-02/test.rules new file mode 100644 index 000000000..3b7d12406 --- /dev/null 
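Review bot: The added drop checks in the default-01 test.yaml hunk (`lt-version: 7` with `count: 0` and `min-version: 7` with `count: 1` on `event_type: drop`) match any drop event, so on Suricata 7 a drop emitted for an unrelated reason would still satisfy the assertion; adding a `drop.reason:` line under that match, as the default-02 and default-03 tests in this commit do, would pin the drop to the exception policy (the exact reason string for this pcap is not visible here). The README added in the same commit describes the pcap as an HTTP capture from www.testmyids.com, yet the hunk header's context shows `pcap: ../tls/tls-ja3s/input.pcap` and the new filters assert on `tls.sni: example.com`, so one of the two should be corrected. The `pcap:` and `args:` entries precede the hunk and are shown only as context.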
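Review bot: The eve-log `types` list in the default-02 suricata.yaml hunk ends with `- stats`, which the default-03 fixture in the same commit, otherwise identical, omits, and nothing in default-02's test.yaml asserts on stats events. If the entry is not needed, removing it keeps the fixtures identical and avoids stats records in eve.json that no check reads; if it is needed, a short comment next to it such as `- stats  # needed because ...` would explain the difference.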
+++ b/tests/exception-policy-default-02/test.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"HTTP traffic"; sid:001; rev:1;) diff --git a/tests/exception-policy-default-02/test.yaml b/tests/exception-policy-default-02/test.yaml new file mode 100644 index 000000000..64fc4c670 --- /dev/null +++ b/tests/exception-policy-default-02/test.yaml @@ -0,0 +1,42 @@ +pcap: ../exception-policy-midstream-03/input.pcap + +args: +- --set stream.midstream=true + +checks: + - filter: + count: 6 + match: + event_type: alert + - filter: + count: 1 + match: + event_type: http + - filter: + lt-version: 7 + count: 0 + match: + event_type: drop + drop.reason: stream midstream + - filter: + lt-version: 7 + count: 0 + match: + event_type: flow + flow.action: drop + - filter: + lt-version: 7 + filename: suricata.json + count: 1 + match: + event_type: engine + log_level: Config + engine.message: "exception-policy: ignore (defined via 'built-in default' for IDS-mode). Warning: this will change to drop-flow or drop-packet in Suricata 7." + - filter: + lt-version: 7 + filename: suricata.json + count: 1 + match: + event_type: engine + log_level: Config + engine.message: "stream.midstream-policy: ignore (defined via 'built-in default' for IDS-mode). Warning: this will change to drop-flow or drop-packet in Suricata 7." diff --git a/tests/exception-policy-default-03/README.md b/tests/exception-policy-default-03/README.md new file mode 100644 index 000000000..d29f5911f --- /dev/null +++ b/tests/exception-policy-default-03/README.md @@ -0,0 +1,14 @@ +# Test + +Check the expected auto behavior for exception policies, in versions 6 and 7 of +Suricata, in IPS mode. + +# Behavior + +In 7, the auto behavior is 'drop-packet' and/or 'drop-flow' in case of traffic +exceptions, in IPS mode. In 6, the auto behavior is to 'ignore'. + +# Pcap + +Pcap is the result of a curl to www.testmyids.com, later extracted with +Wireshark to keep the ``http`` packets only. 
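Review bot: The default-02 test.yaml hunk asserts zero `event_type: drop` and zero `flow.action: drop` only under `lt-version: 7`, although the README added alongside states that IDS mode ignores traffic exceptions in both 6 and 7; on Suricata 7 only the alert and http counts apply, so the test would pass even if the midstream flow were dropped. Removing the `lt-version: 7` line from those two filters, and keeping the version gate only on the two `engine.message` checks whose text is 6-specific, would make the test cover the behavior the README claims. The README also describes the pcap as an HTTP capture from www.testmyids.com while the test reads `../exception-policy-midstream-03/input.pcap`; worth reconciling if that is not the same capture.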
diff --git a/tests/exception-policy-default-03/input.pcap b/tests/exception-policy-default-03/input.pcap new file mode 100644 index 000000000..7a89ef172 Binary files /dev/null and b/tests/exception-policy-default-03/input.pcap differ diff --git a/tests/exception-policy-default-03/suricata.yaml b/tests/exception-policy-default-03/suricata.yaml new file mode 100644 index 000000000..1c39e6c37 --- /dev/null +++ b/tests/exception-policy-default-03/suricata.yaml @@ -0,0 +1,37 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + payload: yes + payload-buffer-size: 4kb + payload-printable: yes + packet: yes + http: yes + tls: yes + ssh: yes + smtp: yes + xff: + enabled: yes + mode: extra-data + deployment: reverse + header: X-Forwarded-For + - flow + - http + - drop: + alerts: yes + flows: all + +logging: + default-log-level: config + outputs: + - file: + enabled: yes + level: config + filename: suricata.json + type: json diff --git a/tests/exception-policy-default-03/test.rules b/tests/exception-policy-default-03/test.rules new file mode 100644 index 000000000..9f1307bdb --- /dev/null +++ b/tests/exception-policy-default-03/test.rules @@ -0,0 +1 @@ +alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;) diff --git a/tests/exception-policy-default-03/test.yaml b/tests/exception-policy-default-03/test.yaml new file mode 100644 index 000000000..e25b741a7 --- /dev/null +++ b/tests/exception-policy-default-03/test.yaml 
@@ -0,0 +1,70 @@ +args: +- --simulate-ips +- --set exception-policy=auto + +checks: + - filter: + min-version: 7 + count: 0 + match: + event_type: alert + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + drop.reason: stream midstream + - filter: + min-version: 7 + count: 9 + match: + event_type: drop + - filter: + count: 0 + match: + event_type: flow + flow.state: bypassed + - filter: + min-version: 7 + count: 1 + match: + event_type: flow + flow.action: drop + - filter: + count: 0 + match: + event_type: http + # checks for Suricata 6 + - filter: + lt-version: 7 + count: 1 + match: + event_type: alert + - filter: + lt-version: 7 + count: 2 + match: + event_type: drop + drop.reason: stream error + - filter: + lt-version: 7 + count: 0 + match: + event_type: flow + flow.action: drop + - filter: + filename: suricata.json + lt-version: 7 + count: 1 + match: + log_level: Info + event_type: engine + engine.message: "master exception-policy set to: auto" + - filter: + filename: suricata.json + lt-version: 7 + count: 1 + match: + log_level: Config + event_type: engine + engine.message: "stream.midstream-policy: ignore (defined via 'exception-policy' master switch). Warning: this will change to drop-flow or drop-packet in Suricata 7." diff --git a/tests/exception-policy-default-04/README.md b/tests/exception-policy-default-04/README.md new file mode 100644 index 000000000..9cd1781c3 --- /dev/null +++ b/tests/exception-policy-default-04/README.md @@ -0,0 +1,13 @@ +# Test + +Check the expected auto behavior for exception policies, in versions 6 and 7 +of Suricata, in IDS mode. + +# Behavior + +In IDS mode, the auto behavior for exception policies is 'ignore' for both 6 and 7. + +# Pcap + +Pcap is the result of a curl to www.testmyids.com, later extracted with +Wireshark to keep the ``http`` packets only. 
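Review bot: The default-03 test.yaml hunk labels the second half with `# checks for Suricata 6` but gives no matching header for the version-7 filters that open the file, and the `count: 9` on the unqualified `event_type: drop` filter has no comment saying where 9 comes from (presumably the number of packets in the capture after the first drop, but that is not visible here). Adding `# checks for Suricata 7` above the first filter and a short comment on the `count: 9` line would make the expectations reviewable without re-running the test. The policy is also set here via `--set exception-policy=auto` in `args` while the default-04 fixture sets `exception-policy: auto` in its suricata.yaml; using the same mechanism in both would make the two tests easier to compare.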
diff --git a/tests/exception-policy-default-04/input.pcap b/tests/exception-policy-default-04/input.pcap new file mode 100644 index 000000000..7a89ef172 Binary files /dev/null and b/tests/exception-policy-default-04/input.pcap differ diff --git a/tests/exception-policy-default-04/suricata.yaml b/tests/exception-policy-default-04/suricata.yaml new file mode 100644 index 000000000..727e94710 --- /dev/null +++ b/tests/exception-policy-default-04/suricata.yaml @@ -0,0 +1,39 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + payload: yes + payload-buffer-size: 4kb + payload-printable: yes + packet: yes + http: yes + tls: yes + ssh: yes + smtp: yes + xff: + enabled: yes + mode: extra-data + deployment: reverse + header: X-Forwarded-For + - flow + - http + - drop: + alerts: yes + flows: all + +logging: + default-log-level: config + outputs: + - file: + enabled: yes + level: config + filename: suricata.json + type: json + +exception-policy: auto diff --git a/tests/exception-policy-default-04/test.rules b/tests/exception-policy-default-04/test.rules new file mode 100644 index 000000000..9f1307bdb --- /dev/null +++ b/tests/exception-policy-default-04/test.rules @@ -0,0 +1 @@ +alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;) diff --git a/tests/exception-policy-default-04/test.yaml b/tests/exception-policy-default-04/test.yaml new file mode 100644 index 000000000..71655caed --- /dev/null +++ b/tests/exception-policy-default-04/test.yaml 
@@ -0,0 +1,66 @@ +checks: + - filter: + min-version: 7 + count: 0 + match: + event_type: alert + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + drop.reason: stream midstream + - filter: + min-version: 7 + count: 9 + match: + event_type: drop + - filter: + count: 0 + match: + event_type: flow + flow.state: bypassed + - filter: + min-version: 7 + count: 1 + match: + event_type: flow + flow.action: drop + - filter: + count: 0 + match: + event_type: http + # checks for Suricata 6 + - filter: + lt-version: 7 + count: 1 + match: + event_type: alert + - filter: + lt-version: 7 + count: 0 + match: + event_type: drop + drop.reason: stream error + - filter: + lt-version: 7 + count: 0 + match: + event_type: flow + flow.action: drop + - filter: + filename: suricata.json + lt-version: 7 + count: 1 + match: + log_level: Info + event_type: engine + engine.message: "master exception-policy set to: auto" + - filter: + filename: suricata.json + lt-version: 7 + count: 1 + match: + log_level: Config + event_type: engine + engine.message: "app-layer.error-policy: ignore (defined via 'exception-policy' master switch). Warning: this will change to drop-flow or drop-packet in Suricata 7."
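Review bot: The `min-version: 7` filters in the default-04 test.yaml hunk expect 9 `drop` events, one with `drop.reason: stream midstream`, and a flow with `flow.action: drop`, identical to the IPS-mode expectations in default-03, while the README added for this test states that in IDS mode the auto behavior is 'ignore' for both 6 and 7. If Suricata 7 logs drop records in IDS mode for packets and flows that would have been dropped, a comment next to the first filter saying so, e.g. `# in IDS mode Suricata 7 still logs would-be drops under 'auto'`, would keep the README and the checks from reading as contradictory; otherwise one of them needs correcting. As in default-03, a `# checks for Suricata 7` header above the first filter would mirror the existing `# checks for Suricata 6` comment.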