From: Lukas Sismis
Date: Thu, 19 Sep 2024 08:47:15 +0000 (+0200)
Subject: bypass: verify bypass behavior
X-Git-Tag: suricata-7.0.11~110
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2424%2Fhead;p=thirdparty%2Fsuricata-verify.git

bypass: verify bypass behavior

Ticket: 6788
---

diff --git a/tests/bypass-depth-disabled/README.md b/tests/bypass-depth-disabled/README.md
new file mode 100644
index 000000000..3d4977267
--- /dev/null
+++ b/tests/bypass-depth-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed even with minimal reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-disabled/input.pcap b/tests/bypass-depth-disabled/input.pcap
new file mode 100644
index 000000000..2791053c4
Binary files /dev/null and b/tests/bypass-depth-disabled/input.pcap differ
diff --git a/tests/bypass-depth-disabled/test.yaml b/tests/bypass-depth-disabled/test.yaml
new file mode 100644
index 000000000..b2d87263e
--- /dev/null
+++ b/tests/bypass-depth-disabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=false
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ - stats:
+ flow_bypassed.local_pkts: 0
+ flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-depth-enabled/README.md b/tests/bypass-depth-enabled/README.md
new file mode 100644
index 000000000..b052a679a
--- /dev/null
+++ b/tests/bypass-depth-enabled/README.md
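Review bot: The zero assertions in tests/bypass-depth-disabled/test.yaml (`flow_bypassed.local_pkts: 0` and `flow_bypassed.local_bytes: 0`) also hold when the capture is not decoded at all or yields no TCP streams, so on their own they cannot tell "bypass correctly disabled" from "nothing was processed". Pairing the stats check with a counter that proves the traffic reached the engine, for example the total packet counter `decoder.pkts: <packet count of input.pcap, taken from a run>`, would give the zero its meaning. The same applies to tests/bypass-tls-disabled/test.yaml later in this patch, which reuses the same pcap and the same two zero checks.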
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that traffic is bypassed after reaching the reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-enabled/test.yaml b/tests/bypass-depth-enabled/test.yaml
new file mode 100644
index 000000000..619d18728
--- /dev/null
+++ b/tests/bypass-depth-enabled/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../bypass-depth-disabled/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ - stats:
+ flow_bypassed.local_pkts: 11
+ flow_bypassed.local_bytes: 6126
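Review bot: The reason for `--set stream.reassembly.depth=1` in tests/bypass-depth-enabled/test.yaml is not recorded in the file, and next to the `1MB` used by the sibling tests it reads like a typo rather than a deliberate 1-byte depth that presumably any first payload segment exceeds. A comment above the args would pin the intent, e.g. `# 1-byte reassembly depth: streams exceed it immediately, so any bypass here is driven by stream.bypass=true, not by the (full) encryption handling`. It would also help to note that `11` / `6126` are counters specific to the shared input.pcap and must be re-derived if that capture is replaced.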
@@ -0,0 +1,18 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=bypass
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ - stats:
+ flow_bypassed.local_pkts: 45
+ flow_bypassed.local_bytes: 3972
diff --git a/tests/bypass-tls-disabled/README.md b/tests/bypass-tls-disabled/README.md
new file mode 100644
index 000000000..7dfb0901f
--- /dev/null
+++ b/tests/bypass-tls-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed with disabled bypass settings
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-disabled/test.yaml b/tests/bypass-tls-disabled/test.yaml
new file mode 100644
index 000000000..09236fa18
--- /dev/null
+++ b/tests/bypass-tls-disabled/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../bypass-depth-disabled/input.pcap
+
+requires:
+ min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ - stats:
+ flow_bypassed.local_pkts: 0
+ flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-tls-enabled/README.md b/tests/bypass-tls-enabled/README.md
new file mode 100644
index 000000000..79f3461c5
--- /dev/null
+++ b/tests/bypass-tls-enabled/README.md
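Review bot: tests/bypass-ssh-enabled/test.yaml has no disabled counterpart, unlike the depth and TLS cases in this patch which come as bypass-*-disabled / bypass-*-enabled pairs; with only the positive case, a regression in which SSH streams are bypassed regardless of `app-layer.protocols.ssh.encryption-handling` would still produce `45` / `3972` and pass. A `bypass-ssh-disabled` test on the same ssh-server-client capture, differing only in `--set app-layer.protocols.ssh.encryption-handling=full` and with both counters pinned to 0, would close that gap; the capture can be shared with `pcap: ../bypass-ssh-enabled/input.pcap` the way the TLS tests reuse the depth-disabled pcap. Separately, `min-version: 8` means this test is skipped on the 7.0.x line the commit is tagged against (X-Git-Tag suricata-7.0.11); if the SSH side of the decoupling was backported too, the floor may be stricter than needed.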
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-enabled/test.yaml b/tests/bypass-tls-enabled/test.yaml
new file mode 100644
index 000000000..bcfbbe06c
--- /dev/null
+++ b/tests/bypass-tls-enabled/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../bypass-depth-disabled/input.pcap
+
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=bypass
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ - stats:
+ flow_bypassed.local_pkts: 4
+ flow_bypassed.local_bytes: 275
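Review bot: tests/bypass-tls-enabled/test.yaml is the test that exercises the decoupling named in the commit message (TLS encryption bypass taking effect while `stream.bypass=false`), yet nothing in the file says so; a reader sees only a different `encryption-handling` value and a different `min-version` compared with bypass-tls-disabled. A comment above the args such as `# stream.bypass=false on purpose: the 4 bypassed packets must come from tls.encryption-handling=bypass alone (ticket 6788), which is why min-version is 8 here` would document both the expectation and the version floor. The README only repeats the generic ticket sentence shared by all five tests and does not cover this either.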