From: Juliana Fajardini
Date: Wed, 4 Jun 2025 18:03:25 +0000 (-0300)
Subject: tests: add test for bug 7725
X-Git-Tag: suricata-7.0.11~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2543%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add test for bug 7725
---
diff --git a/tests/bug-7725/README.md b/tests/bug-7725/README.md
new file mode 100644
index 000000000..362b8b5ad
--- /dev/null
+++ b/tests/bug-7725/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the
+engine will generate alerts properly.
+
+## PCAP
+
+Shared by reporter.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7725
diff --git a/tests/bug-7725/ip_in_ip.pcap b/tests/bug-7725/ip_in_ip.pcap
new file mode 100644
index 000000000..7d07a7ed2
Binary files /dev/null and b/tests/bug-7725/ip_in_ip.pcap differ
diff --git a/tests/bug-7725/suricata.yaml b/tests/bug-7725/suricata.yaml
new file mode 100644
index 000000000..94adab15f
--- /dev/null
+++ b/tests/bug-7725/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+stats:
+ enabled: yes
+ interval: 8
+
+logging:
+ default-log-level: notice
+ default-output-filter:
+ outputs:
+ - console:
+ enabled: yes
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ alerts: yes
+ - flow
+ - stats:
+ enabled: yes
+ filename: stats.log
diff --git a/tests/bug-7725/test.rules b/tests/bug-7725/test.rules
new file mode 100644
index 000000000..d2ba77930
--- /dev/null
+++ b/tests/bug-7725/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;)
+drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;)
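Review bot: Neither rule in test.rules actually pins a layer — `ip any any -> CIDR any` matches on addresses alone, so sid 60000001 lands on the inner packet only because this pcap's outer header is 10.0.0.94 -> 10.1.0.237 and the inner ICMP is 192.168.0.94 -> 192.168.0.237 (the addresses test.yaml asserts), not because of anything in the rule text. The "outer layer"/"inner layer" wording in the msg fields reads as if the rules were layer-aware, which could mislead whoever swaps the pcap later. A header comment stating the dependency would keep that explicit, e.g. `# outer (tunnel) header: 10.0.0.94 -> 10.1.0.237, inner ICMP: 192.168.0.94 -> 192.168.0.237; only the destination CIDRs below select the layer`. Both rules are complete within the hunk.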
diff --git a/tests/bug-7725/test.yaml b/tests/bug-7725/test.yaml
new file mode 100644
index 000000000..10c3fccb4
--- /dev/null
+++ b/tests/bug-7725/test.yaml
@@ -0,0 +1,60 @@
+requires:
+ min-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 60000000
+ pkt_src: wire/pcap
+ proto: IP-in-IP
+ src_ip: 10.0.0.94
+ dest_ip: 10.1.0.237
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 60000001
+ pkt_src: ipv4 tunnel
+ proto: ICMP
+ src_ip: 192.168.0.94
+ dest_ip: 192.168.0.237
+ tunnel.src_ip: 10.0.0.94
+ tunnel.dest_ip: 10.1.0.237
+ tunnel.proto: IP-in-IP
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 60000001
+ pkt_src: ipv4 tunnel
+ proto: ICMP
+ - filter:
+ count: 2
+ match:
+ event_type: drop
+ pkt_src: ipv4 tunnel
+ proto: ICMP
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: IP-in-IP
+ src_ip: 10.0.0.94
+ dest_ip: 10.1.0.237
+ flow.alerted: true
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: ICMP
+ src_ip: 192.168.0.94
+ dest_ip: 192.168.0.237
+ flow.alerted: true
+ flow.action: drop
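Review bot: The fourth filter asserts two tunnel-side drop events but only the third pins one of them to sid 60000001, so the second drop event is unconstrained — it is presumably the ICMP reply dropped by the flow action (the last filter's `flow.action: drop` points that way), but the test passes whichever packet it is. Pinning it would make the regression check meaningful: a filter for that event with its direction (e.g. `src_ip: 192.168.0.237` / `dest_ip: 192.168.0.94` if it is indeed the reply) plus a `count: 0` filter on `event_type: drop` with `pkt_src: wire/pcap`, so that a build which drops the outer tunnel packet for an inner-layer rule fails the test instead of still producing two drops. Separately, `min-version: 8` means this test is skipped on the 7.0.x branch the X-Git-Tag refers to; if the 7725 fix was backported, a line in the README explaining that the `pkt_src`/`tunnel.*` fields require 8 (assuming that is the reason) would save the next reader from wondering whether 7.0.x is covered.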