From: Juliana Fajardini
Date: Thu, 1 Dec 2022 15:10:10 +0000 (-0300)
Subject: tests: add tests for exception policy master switch
X-Git-Tag: suricata-7.0.0~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1286%2Fhead;p=thirdparty%2Fsuricata-verify.git

tests: add tests for exception policy master switch

Add tests for the new master switch config for the Exception policies. Added also a check in the exception-policy test that checks the default behavior, to ensure that things work as expected with the master switch disabled and the exception policies not set.

Task #5219
---
diff --git a/tests/bug-6149-exception-policy-auto-ids/test.yaml b/tests/bug-6149-exception-policy-auto-ids/test.yaml
index 4f52c44f9..77f2756b2 100644
--- a/tests/bug-6149-exception-policy-auto-ids/test.yaml
+++ b/tests/bug-6149-exception-policy-auto-ids/test.yaml
@@ -30,4 +30,4 @@ checks: log_level: Info event_type: engine engine.module: exception-policy
- engine.message: "master exception-policy set to: ignore"
+ engine.message: "master exception-policy set to: auto"
diff --git a/tests/bug-6149-exception-policy-auto-ips/test.yaml b/tests/bug-6149-exception-policy-auto-ips/test.yaml
index 587a8b8b2..b35b50d2d 100644
--- a/tests/bug-6149-exception-policy-auto-ips/test.yaml
+++ b/tests/bug-6149-exception-policy-auto-ips/test.yaml
@@ -29,4 +29,4 @@ checks: log_level: Info event_type: engine engine.module: exception-policy
- engine.message: "master exception-policy set to: drop-flow"
+ engine.message: "master exception-policy set to: auto"
diff --git a/tests/exception-policy-default-01/suricata.yaml b/tests/exception-policy-default-01/suricata.yaml
index b1a0e258c..a22e556bf 100644
--- a/tests/exception-policy-default-01/suricata.yaml
+++ b/tests/exception-policy-default-01/suricata.yaml
@@ -18,3 +18,5 @@ action-order: - drop - reject - alert
+
+exception-policy: ignore
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-01/README.md
new file mode 100644
index 000000000..48a0ee0fe
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check the expected auto behavior, for the master switch for drop-packet and
+drop-flow in case of traffic exceptions, in IPS mode.
+
+# Behavior
+
+We expect to have no alerts, and see drop events, includding for the flow. Checks
+for the bypassed flow are left to highlight the fact that the indicated exception
+policy is overwritten by the master switch.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-01/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-master-switch/exception-policy-master-switch-01/input.pcap differ
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-01/suricata.yaml
new file mode 100644
index 000000000..510b047e9
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
new file mode 100644
index 000000000..1d4f2b8a6
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set exception-policy=auto
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ count: 9
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ count: 0
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-02/README.md
new file mode 100644
index 000000000..290c37b4c
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/README.md
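Review bot: The README for this test says the bypassed-flow checks show that "the indicated exception policy is overwritten by the master switch", but the args in this hunk set only `--simulate-ips` and `--set exception-policy=auto` and the test's suricata.yaml sets no per-subsystem policy, so there is no indicated policy for the master switch to override and the `flow.state: bypassed` count-0 filter only confirms the default. Test 04's README states the opposite precedence (an explicitly set policy wins over the master switch), so the intended rule should be settled first; if the master switch is meant to win, adding `- --set stream.midstream-policy=bypass` to the args would make this check meaningful, otherwise the README sentence should be dropped. The `count: 9` total for `event_type: drop` is pcap-dependent, which is acceptable here but worth a one-line `#` comment naming which packets make up the nine.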
@@ -0,0 +1,15 @@
+# Test
+
+Check the bypass behavior for the Exception policies master switch in IPS
+mode in case of traffic exceptions.
+
+# Behavior
+
+We expect to have no alerts, nor drop events, only the flow in bypassed state.
+Checks are left to highlight the expected behavior in comparison to other
+possible behaviors, with different policies in place.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-02/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-master-switch/exception-policy-master-switch-02/input.pcap differ
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-02/suricata.yaml
new file mode 100644
index 000000000..e9d7d7df5
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/suricata.yaml
@@ -0,0 +1,30 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: bypass
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
new file mode 100644
index 000000000..dd2a2d565
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 0
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-03/README.md
new file mode 100644
index 000000000..2a46cee1f
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the proper default exception policy is applied in case the master
+switch is disabled and there is no exception policy configured.
+stage.
+
+# Behavior
+
+We expect to have ``alert`` and ``http`` events logged, as the flow will
+be inspected still.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-03/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-master-switch/exception-policy-master-switch-03/input.pcap differ
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-03/suricata.yaml
new file mode 100644
index 000000000..b0edf36d6
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: ignore
+
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
new file mode 100644
index 000000000..efcc37494
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-04/README.md
new file mode 100644
index 000000000..a7e990822
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check the expected overriding behavior, in IPS mode, if an Exception Policy is
+set, regardless of what is defined in the master switch.
+
+# Behavior
+
+We expect to see a flow event with the action set to pass, and the http
+protocol event, since a pass policy will still mean inspection, just no detection.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-04/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-master-switch/exception-policy-master-switch-04/input.pcap differ
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-04/suricata.yaml
new file mode 100644
index 000000000..1f3898223
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: auto
+
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
new file mode 100644
index 000000000..ef36588fd
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
@@ -0,0 +1,26 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-05/README.md
new file mode 100644
index 000000000..c6c06c975
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the Exception Policy is properly applied in case it's set to
+``bypass`` in IDS mode, when the engine firstly sees the stream during
+SYNACK stage.
+
+# Behavior
+
+We expect to have no events other than ``flow``, with an indication that it was
+bypassed.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-05/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-master-switch/exception-policy-master-switch-05/input.pcap differ
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-05/suricata.yaml
new file mode 100644
index 000000000..e9d7d7df5
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/suricata.yaml
@@ -0,0 +1,30 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: bypass
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
new file mode 100644
index 000000000..54c74b354
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 0
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-06/README.md
new file mode 100644
index 000000000..7df989699
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the Exception Policy is properly applied in case it's set to
+``auto`` in IPS mode, when the engine is set to midstream=true.
+
+# Behavior
+
+We expect the engine to define the exception policy for midstream as `ignore`,
+as that's the default configuration value when midstream flows are accepted.
+This means we should see ``alert`` and ``http`` events.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-06/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-master-switch/exception-policy-master-switch-06/input.pcap differ
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-06/suricata.yaml
new file mode 100644
index 000000000..17e07b85a
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/suricata.yaml
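Review bot: Unlike the test.yaml files for tests 02, 03 and 04, this hunk has no filter asserting that `event_type: drop` stays at zero, even though the test's suricata.yaml enables the drop log with `flows: all`. In IDS mode a logged drop event would indicate that a drop policy was applied instead of the configured `exception-policy: bypass`, so without the filter that regression would pass unnoticed. Adding the same count-0 drop filter the sibling tests use closes the gap.
```yaml
  - filter:
      count: 0
      match:
        event_type: drop
```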
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: auto
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: debug
+ filename: suricata.json
+ type: json
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
new file mode 100644
index 000000000..e861245cd
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
@@ -0,0 +1,36 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 0
+ match:
+ event_type: engine
+ log_level: Warning
+ engine.module: exception-policy
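Review bot: The `suricata.json` filter at the end of this hunk only asserts that no `log_level: Warning` line from `engine.module: exception-policy` is present, which also holds when that module logs nothing at all (for instance if the `logging` section in suricata.yaml were not picked up), so the test cannot distinguish "master switch applied without warning" from "master switch never evaluated". The bug-6149 tests touched earlier in this commit already check the positive Info line `engine.message: "master exception-policy set to: auto"`; adding a count-1 filter for it here ties the observed alert and http events to the configured `exception-policy: auto`. The byte-identical test.yaml for test 07 (same blob, later in the patch) has the same gap, though the message it should expect for the default configuration is not shown on this page and would have to be confirmed against the engine's output.
```yaml
  - filter:
      filename: suricata.json
      count: 1
      match:
        event_type: engine
        log_level: Info
        engine.module: exception-policy
        engine.message: "master exception-policy set to: auto"
```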
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-07/README.md
new file mode 100644
index 000000000..6da9817a9
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the Exception Policy is properly applied with default configuration
+in IPS mode, when the engine is set to midstream=true.
+
+# Behavior
+
+We expect the engine to define the exception policy for midstream as `ignore`,
+as that's the default configuration value when midstream flows are accepted.
+This means we should see ``alert`` and ``http`` events.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-07/input.pcap
new file mode 100644
index 000000000..7a89ef172
Binary files /dev/null and b/tests/exception-policy-master-switch/exception-policy-master-switch-07/input.pcap differ
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-07/suricata.yaml
new file mode 100644
index 000000000..bd9e2147b
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/suricata.yaml
@@ -0,0 +1,37 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: debug
+ filename: suricata.json
+ type: json
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
new file mode 100644
index 000000000..e861245cd
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
@@ -0,0 +1,36 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 0
+ match:
+ event_type: engine
+ log_level: Warning
+ engine.module: exception-policy