From: Jeff Lucovsky Date: Tue, 19 Sep 2023 12:50:12 +0000 (-0400) Subject: test/eps: Test updates/additions for 6.0.x X-Git-Tag: suricata-6.0.15~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1391%2Fhead;p=thirdparty%2Fsuricata-verify.git test/eps: Test updates/additions for 6.0.x This commit adds support for 6.0.x eps stream reassembly testing - Output logging of ips drop reasons is limited to 7 and above - Create 6.0.x specific test cases for -01, -04, -05 Issue: 6364
---
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/test.yaml b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
index f20281159..6a4fac482 100644
--- a/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
@@ -1,4 +1,5 @@
 requires:
+ min-version: 7
 features:
 - DEBUG
 files:
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/test.yaml b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
index f20281159..6a4fac482 100644
--- a/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
@@ -1,4 +1,5 @@
 requires:
+ min-version: 7
 features:
 - DEBUG
 files:
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/test.yaml b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
index d19e9ad87..6e7d457bc 100644
--- a/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
+++ b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
@@ -1,4 +1,5 @@
 requires:
+ min-version: 7
 features:
 - DEBUG
 files:
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/README.md b/tests/exception-policy-stream-reassembly-memcap-07/README.md
new file mode 100644
index 000000000..88a687fc3
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-07/README.md
@@ -0,0 +1,5 @@
+# Description
+
+Test exception policy logic for stream reassembly.
+
+DEBUG is required to enable the "eps" logic.
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-07/suricata.yaml
new file mode 100644
index 000000000..3c973a2be
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-07/suricata.yaml
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/test.rules b/tests/exception-policy-stream-reassembly-memcap-07/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-07/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-07/test.yaml b/tests/exception-policy-stream-reassembly-memcap-07/test.yaml
new file mode 100644
index 000000000..464e812ea
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-07/test.yaml
@@ -0,0 +1,51 @@
+requires:
+ lt-version: 7
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls/tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream reassembly"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/README.md b/tests/exception-policy-stream-reassembly-memcap-08/README.md
new file mode 100644
index 000000000..88a687fc3
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-08/README.md
@@ -0,0 +1,5 @@
+# Description
+
+Test exception policy logic for stream reassembly.
+
+DEBUG is required to enable the "eps" logic.
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-08/suricata.yaml
new file mode 100644
index 000000000..aac4c605a
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-08/suricata.yaml
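Review bot: The 6.0.x variant in tests/exception-policy-stream-reassembly-memcap-07/test.yaml (`lt-version: 7`) still filters on `drop.reason: "stream reassembly"` and `drop.reason: "flow drop"` with counts 1 and 28, although the commit message states that drop-reason output exists only in 7 and above and gives that as the reason -01/-04/-05 now carry `min-version: 7`. If 6.0.x does not emit `drop.reason`, both filters match nothing and the test fails on the very release it was written for; either the commit message overstates the gap or those two filters should go, since the plain `event_type: drop` count of 29 already pins the drop volume. The same two filters appear in the -08 and -09 test.yaml hunks. A one-line header would also help readers relate this file to its 7.x counterpart, e.g. `# 6.0.x version of exception-policy-stream-reassembly-memcap-01; kept separate because drop logging differs between the releases` — confirm which 7.x test it mirrors, the commit message only lists -01, -04, -05.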
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/test.rules b/tests/exception-policy-stream-reassembly-memcap-08/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-08/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-08/test.yaml b/tests/exception-policy-stream-reassembly-memcap-08/test.yaml
new file mode 100644
index 000000000..464e812ea
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-08/test.yaml
@@ -0,0 +1,51 @@
+requires:
+ lt-version: 7
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls/tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream reassembly"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/README.md b/tests/exception-policy-stream-reassembly-memcap-09/README.md
new file mode 100644
index 000000000..88a687fc3
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-09/README.md
@@ -0,0 +1,5 @@
+# Description
+
+Test exception policy logic for stream reassembly.
+
+DEBUG is required to enable the "eps" logic.
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-09/suricata.yaml
new file mode 100644
index 000000000..aac4c605a
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-09/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+ - stats:
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ deltas: no # include delta values
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/test.rules b/tests/exception-policy-stream-reassembly-memcap-09/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-09/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-09/test.yaml b/tests/exception-policy-stream-reassembly-memcap-09/test.yaml
new file mode 100644
index 000000000..8e5057b08
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-09/test.yaml
@@ -0,0 +1,52 @@
+requires:
+ lt-version: 7
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls/tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-packet
+- --set app-layer.error-policy=ignore
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream reassembly"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
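Review bot: The `--set app-layer.error-policy=ignore` argument in tests/exception-policy-stream-reassembly-memcap-09/test.yaml is, apart from the `drop-packet` policy, the only argument that differs from the -07 and -08 variants, and it carries no comment while the memcap line just above it does. Its purpose is presumably to keep the app-layer exception policy from contributing drops so that the single `event_type: drop` the checks expect comes from the simulated reassembly memcap alone — confirm against the 7.x test this mirrors. I would add above it `# app-layer error policy is not under test here; neutralize it so only the reassembly-memcap drop of packet 4 is counted`. The `drop.reason` filters in this file raise the same 6.0.x question as in -07 and -08: the commit message says drop reasons are logged only on 7 and above, so a `count: 1` on `drop.reason: "stream reassembly"` cannot hold on a release without that field.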