From: Juliana Fajardini Date: Fri, 17 Feb 2023 20:28:02 +0000 (-0300) Subject: tests: check exception policy stats counters X-Git-Tag: suricata-6.0.19~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1752%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: check exception policy stats counters Edit the existing exception policy tests to check for the new exception policy stats counters. Add two more tests, to showcase behavior for exception policy stats counters when set up to log counters for each app-proto error and zero-valued counters are enabled (default behavior). Ticket #5816 --- diff --git a/tests/exception-policy-applayer-01/README.md b/tests/exception-policy-applayer-01/README.md new file mode 100644 index 000000000..76e7e19be --- /dev/null +++ b/tests/exception-policy-applayer-01/README.md @@ -0,0 +1,9 @@ +# Test + +Showcase exception policy stats counters for application layer protocol errors, +showing only the summarized counters. + +## Ticket + +https://redmine.openinfosecfoundation.org/issues/5816 + diff --git a/tests/exception-policy-applayer-01/suricata.yaml b/tests/exception-policy-applayer-01/suricata.yaml index aa46e9763..f78de69fe 100644 --- a/tests/exception-policy-applayer-01/suricata.yaml +++ b/tests/exception-policy-applayer-01/suricata.yaml @@ -1,6 +1,10 @@ %YAML 1.1 --- +stats: + enabled: yes + interval: 8 + outputs: - eve-log: enabled: yes @@ -14,13 +18,18 @@ outputs: stream: yes applayer: yes - tls: - extended: yes # enable this for extended logging information + extended: yes - drop: - alerts: yes # log alerts that caused drops - flows: all # start or all: 'start' logs only a single drop - # per flow direction. All logs each dropped pkt. + alerts: yes + flows: all + - stats: + totals: yes + threads: no + deltas: no - flow - - stats + - stats: + enabled: yes + filename: stats.log action-order: - pass 
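Review bot: The second hunk of exception-policy-applayer-01/suricata.yaml also strips the explanatory comments from `extended: yes`, `alerts: yes` and `flows: all`, which has nothing to do with the stats counters and widens the diff for no gain; the same unrelated comment removal happens on `deltas: no` in the exception-policy-stream-reassembly-memcap-01/suricata.yaml hunk further down. Keeping those comments, or moving the cleanup into its own commit, would keep this change focused on the counters. The new file-backed `- stats:` output here also omits the `append: yes` that the other edited suricata.yaml files set on the same block; making the stats.log output uniform avoids one test writing its stats file differently for no stated reason.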
diff --git a/tests/exception-policy-applayer-01/test.yaml b/tests/exception-policy-applayer-01/test.yaml index d4d09ebaf..1d8e1d88b 100644 --- a/tests/exception-policy-applayer-01/test.yaml +++ b/tests/exception-policy-applayer-01/test.yaml @@ -54,3 +54,10 @@ checks: match: event_type: stats stats.ips.drop_reason.applayer_error: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.error.exception_policy.drop_flow: 1 + stats.app_layer.error.exception_policy.pass_flow: 0 diff --git a/tests/exception-policy-applayer-02/README.md b/tests/exception-policy-applayer-02/README.md new file mode 100644 index 000000000..1582fb85a --- /dev/null +++ b/tests/exception-policy-applayer-02/README.md @@ -0,0 +1,9 @@ +# Test + +Showcase exception policy stats counters for application layer protocol errors, +including also indicating how it is possible to configure: exception policy +stats to log counters per app-proto, instead of only a summary. + +## Ticket + +https://redmine.openinfosecfoundation.org/issues/5816 diff --git a/tests/exception-policy-applayer-02/suricata.yaml b/tests/exception-policy-applayer-02/suricata.yaml new file mode 100644 index 000000000..aedf26e36 --- /dev/null +++ b/tests/exception-policy-applayer-02/suricata.yaml @@ -0,0 +1,40 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + types: + - alert: + tagged-packets: yes + - anomaly: + enabled: yes + types: + decode: no + stream: yes + applayer: yes + - tls: + extended: yes + - drop: + alerts: yes + flows: all + - stats: + totals: yes + threads: no + deltas: no + - flow + - stats: + enabled: yes + filename: stats.log + +action-order: + - pass + - drop + - reject + - alert + +stats: + enabled: yes + interval: 8 + exception-policy: + per-app-proto-errors: true diff --git a/tests/exception-policy-applayer-02/test.rules b/tests/exception-policy-applayer-02/test.rules new file mode 100644 index 000000000..3d147afdc --- /dev/null 
+++ b/tests/exception-policy-applayer-02/test.rules @@ -0,0 +1,5 @@ +#pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;) +#drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;) + +# matches packet 4, but should not alert due to memcap drop +alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;) diff --git a/tests/exception-policy-applayer-02/test.yaml b/tests/exception-policy-applayer-02/test.yaml new file mode 100644 index 000000000..c0e33bba5 --- /dev/null +++ b/tests/exception-policy-applayer-02/test.yaml @@ -0,0 +1,50 @@ +requires: + features: + - DEBUG +pcap: ../tls/tls-certs-alert/input.pcap +args: +- --simulate-ips +- -k none +# pretend pretend error in the first data +- --simulate-applayer-error-at-offset-ts=0 +- --set app-layer.error-policy=pass-packet +checks: + - filter: + count: 0 + match: + event_type: alert + - filter: + count: 0 + match: + event_type: drop + - filter: + count: 0 + match: + event_type: drop + drop.reason: "flow drop" + - filter: + count: 0 + match: + event_type: tls + tls.sni: example.com + - filter: + count: 0 + match: + event_type: tls + - filter: + count: 1 + match: + event_type: flow + app_proto: tls + - filter: + count: 0 + match: + event_type: flow + flow.action: drop + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.app_layer.error.tls.exception_policy.pass_packet: 1 + stats.app_layer.error.tls.exception_policy.drop_packet: 0 diff --git a/tests/exception-policy-applayer-03/README.md b/tests/exception-policy-applayer-03/README.md new file mode 100644 index 000000000..9bcd057d8 --- /dev/null +++ b/tests/exception-policy-applayer-03/README.md 
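Review bot: The comment `# matches packet 4, but should not alert due to memcap drop` in the new exception-policy-applayer-02/test.rules does not describe this test, which simulates an app-layer error with `app-layer.error-policy=pass-packet` and configures no memcap; it reads as copied from a memcap test. The zero-alert expectation in test.yaml presumably comes from the pass-packet policy skipping detection on the affected packet, so the comment should say that, e.g. `# matches packet 4, but should not alert: the simulated app-layer error is handled by the pass-packet policy`. The two commented-out `pass`/`drop` TLS rules above it add nothing to the test and could be dropped if they are not meant to be enabled.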
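Review bot: The args comment `# pretend pretend error in the first data` in the new exception-policy-applayer-02/test.yaml repeats a word and should read `# simulate an app-layer error at offset 0 of the to-server data`. Two checks are redundant: `count: 0` on `event_type: drop` already implies zero events with `drop.reason: "flow drop"`, and `count: 0` on `event_type: tls` already covers `tls.sni: example.com`, so each pair can keep only the broader check without losing coverage. The stats check is guarded with `min-version: 8` while the test itself declares no `min-version`, so on older builds the test runs but the counter it exists to showcase is never asserted; if the test is only meaningful with the counters, a top-level `min-version: 8` as in exception-policy-applayer-03/test.yaml states that directly.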
@@ -0,0 +1,15 @@ +# Test + +Showcase exception policy stats counters for application layer protocol errors +with a longer per-app-proto stats counter - in case, ``bittorrent-dht.pass-packet``. + +The result can be seen in the stats.log file in the output directory. + +## PCAP + +Reused from existing bittorrent-dht test. + +## Ticket + +Related to work for exception policy stats counters: +https://redmine.openinfosecfoundation.org/issues/5816 diff --git a/tests/exception-policy-applayer-03/suricata.yaml b/tests/exception-policy-applayer-03/suricata.yaml new file mode 100644 index 000000000..2f6b63692 --- /dev/null +++ b/tests/exception-policy-applayer-03/suricata.yaml @@ -0,0 +1,44 @@ +%YAML 1.1 +--- + +app-layer: + protocols: + bittorrent-dht: + enabled: yes + +outputs: + - eve-log: + enabled: yes + types: + - alert: + tagged-packets: yes + - anomaly: + enabled: yes + types: + decode: no + stream: yes + applayer: yes + - bittorrent-dht + - drop: + alerts: yes + flows: all + - stats: + totals: yes + threads: no + deltas: no + - flow + - stats: + enabled: yes + filename: stats.log + +action-order: + - pass + - drop + - reject + - alert + +stats: + enabled: yes + interval: 8 + exception-policy: + per-app-proto-errors: true diff --git a/tests/exception-policy-applayer-03/test.yaml b/tests/exception-policy-applayer-03/test.yaml new file mode 100644 index 000000000..3884db377 --- /dev/null +++ b/tests/exception-policy-applayer-03/test.yaml 
@@ -0,0 +1,67 @@ +requires: + min-version: 8 + features: + - DEBUG +pcap: ../bittorrent-dht/input.pcap +args: +- --simulate-ips +- -k none +- --simulate-applayer-error-at-offset-tc=3 +- --set app-layer.error-policy=pass-packet + +checks: +- filter: + count: 1 + match: + bittorrent_dht.request.id: 6162636465666768696a30313233343536373839 + bittorrent_dht.request_type: ping + bittorrent_dht.transaction_id: '6161' + dest_ip: 190.0.0.3 + dest_port: 30000 + event_type: bittorrent_dht + pcap_cnt: 3 + pkt_src: wire/pcap + proto: UDP + src_ip: 190.0.0.1 + src_port: 20000 +- filter: + count: 1 + match: + bittorrent_dht.request.id: 6162636465666768696a30313233343536373839 + bittorrent_dht.request_type: ping + bittorrent_dht.transaction_id: '6161' + dest_ip: 190.0.0.2 + dest_port: 50000 + event_type: bittorrent_dht + pcap_cnt: 1 + pkt_src: wire/pcap + proto: UDP + src_ip: 190.0.0.1 + src_port: 40000 +- filter: + count: 1 + match: + bittorrent_dht.error.msg: A Generic Error Ocurred + bittorrent_dht.error.num: 201 + bittorrent_dht.transaction_id: '6161' + dest_ip: 190.0.0.1 + dest_port: 20000 + event_type: bittorrent_dht + pcap_cnt: 4 + pkt_src: wire/pcap + proto: UDP + src_ip: 190.0.0.3 + src_port: 30000 +- filter: + count: 1 + match: + bittorrent_dht.response.id: 6d6e6f707172737475767778797a313233343536 + bittorrent_dht.transaction_id: '6161' + dest_ip: 190.0.0.1 + dest_port: 40000 + event_type: bittorrent_dht + pcap_cnt: 2 + pkt_src: wire/pcap + proto: UDP + src_ip: 190.0.0.2 + src_port: 50000 diff --git a/tests/exception-policy-default-01/suricata.yaml b/tests/exception-policy-default-01/suricata.yaml index 8e0bca080..09637bdec 100644 --- a/tests/exception-policy-default-01/suricata.yaml +++ b/tests/exception-policy-default-01/suricata.yaml 
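Review bot: The new exception-policy-applayer-03/test.yaml asserts the four bittorrent_dht events but nothing about the `bittorrent-dht.pass-packet` counter the README says this test showcases, so a regression in the long per-app-proto counter name would pass unnoticed; the README only points the reader at stats.log. A stats check in the shape used by exception-policy-applayer-02/test.yaml, `stats.app_layer.error.<proto>.exception_policy.pass_packet: 1` with the bittorrent-dht protocol token as it appears in the eve stats output, would make the expectation explicit and machine-checked. The four event checks appear to be copied from the bittorrent-dht test the pcap is reused from, which is fine, but a one-line comment saying so would spare the next reader from diffing the two files.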
@@ -12,11 +12,16 @@ outputs: - drop: alerts: yes # log alerts that caused drops flows: all # start or all: 'start' logs only a single drop - # per flow direction. All logs each dropped pkt. + - stats + - stats: + enabled: yes + filename: stats.log + append: yes + action-order: - pass - drop - reject - alert - #exception-policy: ignore +exception-policy: ignore diff --git a/tests/exception-policy-default-01/test.yaml b/tests/exception-policy-default-01/test.yaml index c3821598c..676b6c260 100644 --- a/tests/exception-policy-default-01/test.yaml +++ b/tests/exception-policy-default-01/test.yaml @@ -1,9 +1,9 @@ requires: features: - DEBUG - files: - - src/util-exception-policy.c + pcap: ../tls/tls-certs-alert/input.pcap + args: - --simulate-ips - -k none diff --git a/tests/exception-policy-defrag-01/test.yaml b/tests/exception-policy-defrag-01/test.yaml index 9daab6297..3f00f7808 100644 --- a/tests/exception-policy-defrag-01/test.yaml +++ b/tests/exception-policy-defrag-01/test.yaml @@ -1,8 +1,6 @@ requires: features: - DEBUG - files: - - src/util-exception-policy.c args: - --simulate-ips - -k none @@ -40,3 +38,11 @@ checks: match: event_type: stats stats.ips.drop_reason.defrag_memcap: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.defrag.memcap_exception_policy.drop_packet: 1 + stats.defrag.memcap_exception_policy.pass_packet: 0 + diff --git a/tests/exception-policy-midstream-01/suricata.yaml b/tests/exception-policy-midstream-01/suricata.yaml index b22aeadcd..6ffa252bb 100644 --- a/tests/exception-policy-midstream-01/suricata.yaml +++ b/tests/exception-policy-midstream-01/suricata.yaml @@ -1,6 +1,9 @@ %YAML 1.1 --- +stats: + enabled: yes + outputs: - eve-log: enabled: yes @@ -26,3 +29,10 @@ outputs: - drop: alerts: yes flows: all + - stats + - stats: + enabled: yes + filename: stats.log + append: yes + +exception-policy: ignore 
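Review bot: Uncommenting `exception-policy: ignore` in exception-policy-default-01/suricata.yaml means the test named "default" no longer exercises the built-in default but an explicitly configured `ignore`; the same explicit `exception-policy: ignore` is appended in the exception-policy-midstream-01/suricata.yaml hunk on this line. If that is intended, for instance so the counters do not depend on a version-specific default, a one-line comment above the key such as `# set explicitly so the stats counters do not depend on the version default` would record it; otherwise the line should stay commented. Unlike applayer-01, midstream-01 and simulated-flow-memcap, this file adds no top-level `stats:` block, so the new stats.log output relies on the global stats setting defaulting to enabled — worth making explicit so all the edited tests configure stats the same way. The `outputs` block this hunk edits starts above the hunk.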
diff --git a/tests/exception-policy-midstream-01/test.yaml b/tests/exception-policy-midstream-01/test.yaml index 8cf3deb07..29fb09d8a 100644 --- a/tests/exception-policy-midstream-01/test.yaml +++ b/tests/exception-policy-midstream-01/test.yaml @@ -18,3 +18,9 @@ checks: count: 0 match: event_type: http + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.tcp.midstream_exception_policy.pass_flow: 9 diff --git a/tests/exception-policy-midstream-02/test.yaml b/tests/exception-policy-midstream-02/test.yaml index 83a2f4671..0db328543 100644 --- a/tests/exception-policy-midstream-02/test.yaml +++ b/tests/exception-policy-midstream-02/test.yaml @@ -30,3 +30,9 @@ checks: match: event_type: stats stats.ips.drop_reason.stream_midstream: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.tcp.midstream_exception_policy.drop_flow: 1 diff --git a/tests/exception-policy-midstream-03/suricata.yaml b/tests/exception-policy-midstream-03/suricata.yaml index 1d909b80a..32f0f4aa2 100644 --- a/tests/exception-policy-midstream-03/suricata.yaml +++ b/tests/exception-policy-midstream-03/suricata.yaml @@ -15,6 +15,11 @@ outputs: http: yes - flow - http + - stats + - stats: + enabled: yes + filename: stats.log + append: yes logging: default-log-level: notice diff --git a/tests/exception-policy-midstream-04/suricata.yaml b/tests/exception-policy-midstream-04/suricata.yaml index e142e7086..e318821f8 100644 --- a/tests/exception-policy-midstream-04/suricata.yaml +++ b/tests/exception-policy-midstream-04/suricata.yaml @@ -8,3 +8,8 @@ outputs: - alert - flow - http + - stats + - stats: + enabled: yes + filename: stats.log + append: yes diff --git a/tests/exception-policy-midstream-04/test.yaml b/tests/exception-policy-midstream-04/test.yaml index b57a41465..10fb97e7e 100644 --- a/tests/exception-policy-midstream-04/test.yaml +++ b/tests/exception-policy-midstream-04/test.yaml 
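Review bot: exception-policy-midstream-03/suricata.yaml gains the eve `- stats` type and the stats.log output, but unlike midstream-01, -02, -04, -05 and -06 this commit adds no `stats.tcp.midstream_exception_policy.*` check to its test.yaml, so the new output is produced and never asserted. If the -03 scenario has no non-zero counter to expect, a check pinning the value that should hold there would still guard the behaviour; otherwise the output change is dead weight in that test. The `types` list this hunk extends starts above the hunk.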
@@ -19,3 +19,9 @@ checks: count: 0 match: event_type: http +- filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.tcp.midstream_exception_policy.pass_flow: 2 diff --git a/tests/exception-policy-midstream-05/suricata.yaml b/tests/exception-policy-midstream-05/suricata.yaml index b22aeadcd..64b32f334 100644 --- a/tests/exception-policy-midstream-05/suricata.yaml +++ b/tests/exception-policy-midstream-05/suricata.yaml @@ -22,7 +22,12 @@ outputs: deployment: reverse header: X-Forwarded-For - flow + - stats - http - drop: alerts: yes flows: all + - stats: + enabled: yes + filename: stats.log + append: yes diff --git a/tests/exception-policy-midstream-05/test.yaml b/tests/exception-policy-midstream-05/test.yaml index bd54da62c..7c6db568a 100644 --- a/tests/exception-policy-midstream-05/test.yaml +++ b/tests/exception-policy-midstream-05/test.yaml @@ -18,3 +18,9 @@ checks: count: 0 match: event_type: http + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.tcp.midstream_exception_policy.bypass: 1 diff --git a/tests/exception-policy-midstream-06/suricata.yaml b/tests/exception-policy-midstream-06/suricata.yaml index d672946e9..ca0134c6b 100644 --- a/tests/exception-policy-midstream-06/suricata.yaml +++ b/tests/exception-policy-midstream-06/suricata.yaml @@ -8,6 +8,11 @@ outputs: - alert: - flow - http + - stats - drop: alerts: yes flows: all + - stats: + enabled: yes + filename: stats.log + append: yes diff --git a/tests/exception-policy-midstream-06/test.yaml b/tests/exception-policy-midstream-06/test.yaml index 67c8de631..f4e4c44f3 100644 --- a/tests/exception-policy-midstream-06/test.yaml +++ b/tests/exception-policy-midstream-06/test.yaml @@ -16,4 +16,9 @@ checks: match: event_type: flow flow.action: drop - + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.tcp.midstream_exception_policy.drop_flow: 1 
diff --git a/tests/exception-policy-simulated-flow-memcap/suricata.yaml b/tests/exception-policy-simulated-flow-memcap/suricata.yaml index 20dcc8e0c..6baf208c7 100644 --- a/tests/exception-policy-simulated-flow-memcap/suricata.yaml +++ b/tests/exception-policy-simulated-flow-memcap/suricata.yaml @@ -1,6 +1,9 @@ %YAML 1.1 --- +stats: + enabled: yes + outputs: - eve-log: enabled: yes diff --git a/tests/exception-policy-simulated-flow-memcap/test.yaml b/tests/exception-policy-simulated-flow-memcap/test.yaml index afa5f294f..c378a8e85 100644 --- a/tests/exception-policy-simulated-flow-memcap/test.yaml +++ b/tests/exception-policy-simulated-flow-memcap/test.yaml @@ -32,3 +32,10 @@ checks: match: event_type: stats stats.ips.drop_reason.flow_memcap: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.flow.memcap_exception_policy.drop_packet: 1 + stats.flow.memcap_exception_policy.pass_packet: 0 diff --git a/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml index 3c973a2be..1c09123ac 100644 --- a/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml +++ b/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml @@ -26,7 +26,12 @@ outputs: - stats: totals: yes # stats for all threads merged together threads: no # per thread stats - deltas: no # include delta values + deltas: no + - stats: + enabled: yes + filename: stats.log + append: yes + action-order: - pass - drop diff --git a/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml index 758f72085..8894da2d2 100644 --- a/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml +++ b/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml 
@@ -14,3 +14,9 @@ outputs: flows: all # start or all: 'start' logs only a single drop # per flow direction. All logs each dropped pkt. - flow + - stats + + - stats: + enabled: yes + filename: stats.log + append: yes diff --git a/tests/exception-policy-stream-reassembly-memcap-06/test.yaml b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml index d5c95b8b4..c43424241 100644 --- a/tests/exception-policy-stream-reassembly-memcap-06/test.yaml +++ b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml @@ -49,3 +49,9 @@ checks: match: event_type: flow flow.action: drop + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.tcp.reassembly_exception_policy.pass_packet: 1 diff --git a/tests/exception-policy-stream-ssn-memcap-01/test.yaml b/tests/exception-policy-stream-ssn-memcap-01/test.yaml index 88576cade..c5f85bd3f 100644 --- a/tests/exception-policy-stream-ssn-memcap-01/test.yaml +++ b/tests/exception-policy-stream-ssn-memcap-01/test.yaml @@ -53,3 +53,9 @@ checks: match: event_type: stats stats.ips.drop_reason.stream_memcap: 1 + - filter: + min-version: 8 + count: 1 + match: + event_type: stats + stats.tcp.ssn_memcap_exception_policy.drop_flow: 1
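Review bot: The added blank `+` line between `- stats` and `- stats:` in exception-policy-stream-reassembly-memcap-06/suricata.yaml separates two entries of the same list, and none of the other edited suricata.yaml files do that, so dropping it keeps the files uniform. With indentation lost in this view I cannot confirm whether the file-backed `- stats:` entry lands under the eve-log `types` list or at the `outputs` level; the placement matters, because a `filename` entry inside the eve types list would be in the wrong block, so it is worth a second look in the rendered diff.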