From: Juliana Fajardini
Date: Thu, 16 Mar 2023 21:48:21 +0000 (-0300)
Subject: tests: add test for bug 5867 FP drop log events
X-Git-Tag: suricata-6.0.12~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7e8e902bd7eca93f95dd4366c254472a7a2da12;p=thirdparty%2Fsuricata-verify.git

tests: add test for bug 5867 FP drop log events

Bug #5867
---

diff --git a/tests/bug-5867-fp-drop-01/README.md b/tests/bug-5867-fp-drop-01/README.md
new file mode 100644
index 000000000..94b2151f6
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/README.md
@@ -0,0 +1,18 @@
+# Test
+
+This test checks bug 5867 for false positive drop events in the eve logs,
+for packets that triggered higher priority PASS rules and DROP rules.
+
+Bug report: https://redmine.openinfosecfoundation.org/issues/5867
+
+# Behavior
+
+In the scenario shown in this test, `PASS` has a higher priority in the action
+order (as it's the default), so the packet should trigger the PASS rule first,
+so the DROP rule should have no effect.
+
+# Pcap
+
+Pcap comes from forum post where bug was reported the first time:
+https://forum.suricata.io/t/drop-log-false-positive-records-possible-since-6-0-6/3228
+
diff --git a/tests/bug-5867-fp-drop-01/input.pcap b/tests/bug-5867-fp-drop-01/input.pcap
new file mode 100644
index 000000000..0a56ee9a7
Binary files /dev/null and b/tests/bug-5867-fp-drop-01/input.pcap differ
diff --git a/tests/bug-5867-fp-drop-01/suricata.yaml b/tests/bug-5867-fp-drop-01/suricata.yaml
new file mode 100644
index 000000000..3bb23cb89
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/suricata.yaml
@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filename: eve.json
+ types:
+ - alert
+ - anomaly
+ - drop:
+ alerts: yes
+ flows: start
+ - flow
+ - smtp
+
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
+
+exception-policy: ignore
+
+
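Review bot: The `action-order` block in suricata.yaml is the setting the whole test hinges on, yet nothing in the file says why it is spelled out when it duplicates Suricata's default ordering, so someone trimming the config could drop or reorder it without noticing that the expected results change. A one-line comment above it, `# default order, pinned here because the checks assume pass wins over drop`, would keep that intent next to the setting rather than only in the README.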
diff --git a/tests/bug-5867-fp-drop-01/test.rules b/tests/bug-5867-fp-drop-01/test.rules
new file mode 100644
index 000000000..b38b86aa5
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/test.rules
@@ -0,0 +1,2 @@
+pass tcp 172.17.1.0/24 any -> any 225 (msg:"PASS LOCAL NET Port 225::no flags::flow to_server::no thresholds"; flow:to_server; classtype:misc-activity; sid:1000100; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)
+drop tcp 172.17.1.0/24 any -> any 225 (msg:"DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds"; flow:to_server,established; classtype:misc-activity; sid:1000101; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;)
diff --git a/tests/bug-5867-fp-drop-01/test.yaml b/tests/bug-5867-fp-drop-01/test.yaml
new file mode 100644
index 000000000..11bdb3011
--- /dev/null
+++ b/tests/bug-5867-fp-drop-01/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 6
+args:
+- -k none
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ dest_ip: 172.17.1.105
+ dest_port: 225
+ event_type: smtp
+- filter:
+ count: 0
+ match:
+ event_type: drop
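Review bot: The checks in test.yaml only assert that no `drop` event is logged, but the drop rule (sid 1000101) could also surface as an `alert` event carrying action `blocked`, which is the same false positive seen from the alert log's side and which the `count: 0` on `event_type: drop` does not catch. Since a matching pass rule ends rule evaluation for the packet, the expected state is that sid 1000101 never fires at all, so an additional filter pinning that makes the regression test stricter without changing what it already verifies. The filter below is constructed for this test; the key `alert.signature_id` is the eve field the existing `alert` output type produces.
```yaml
checks:
# … unchanged: smtp count:1 filter and drop count:0 filter …
- filter:
    count: 0
    match:
      event_type: alert
      alert.signature_id: 1000101
```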