From: Juliana Fajardini
Date: Thu, 26 May 2022 21:35:55 +0000 (-0300)
Subject: tests: add tests for rule's actions
X-Git-Tag: suricata-5.0.10~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F832%2Fhead;p=thirdparty%2Fsuricata-verify.git

tests: add tests for rule's actions

These were converted from unittests present in `util-action`.

Task #5371
---
diff --git a/tests/util-action-tests/util-action-01/README.md b/tests/util-action-tests/util-action-01/README.md
new file mode 100644
index 000000000..ef81fe3e8
--- /dev/null
+++ b/tests/util-action-tests/util-action-01/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The second packet should match rule sid 2 first, meaning no alerts are generated for it.
+Sids 1 and 3 should generate alerts for the other packets.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-01/input.pcap b/tests/util-action-tests/util-action-01/input.pcap
new file mode 100644
index 000000000..95dd0d89a
Binary files /dev/null and b/tests/util-action-tests/util-action-01/input.pcap differ
diff --git a/tests/util-action-tests/util-action-01/test.rules b/tests/util-action-tests/util-action-01/test.rules
new file mode 100644
index 000000000..21d1aacf4
--- /dev/null
+++ b/tests/util-action-tests/util-action-01/test.rules
@@ -0,0 +1,3 @@
+alert ip any any -> any any (msg:"sig 1"; sid:1;)
+pass ip 192.168.1.1 80 -> any any (msg:"sig 2"; sid:2;)
+alert ip any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-01/test.yaml b/tests/util-action-tests/util-action-01/test.yaml
new file mode 100644
index 000000000..7fcc2044d
--- /dev/null
+++ b/tests/util-action-tests/util-action-01/test.yaml
@@ -0,0 +1,30 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-01/writepcap.py b/tests/util-action-tests/util-action-01/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-01/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-02/README.md b/tests/util-action-tests/util-action-02/README.md
new file mode 100644
index 000000000..c5c873438
--- /dev/null
+++ b/tests/util-action-tests/util-action-02/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+For the second packet, we expect to only see an alert for sid 3, as DROP and
+PASS here have higher priority. The other two packets should generate alerts,
+since sid 2 isn't triggered for them.
+
+PCAP
+====
+pcap generated with scapy.
+
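Review bot: The expected counts of 1 for sid 1 and 1 for sid 3 cannot be derived from this directory's README, which says sids 1 and 3 alert "for the other packets" — both pkt1 and pkt3 match those two rules and only pkt2 matches the pass rule, so one alert apiece only holds if the pass match on pkt2 takes the rest of the flow out of inspection (the `flow.action: pass` check suggests that is the intent, and the util-action-12 README describes the drop analogue). A comment above the sid checks, e.g. `# pkt3 is never inspected: the header-only pass on pkt2 is applied to the whole flow`, would make the numbers reviewable, or the README should be corrected. Separately, the ordering under test is the default one, yet no suricata.yaml is added for this directory, so the test silently depends on the harness default; pinning `action-order: [pass, drop, reject, alert]` in a per-test suricata.yaml, as util-action-02 does for the reversed order, would make the order under test explicit.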
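Review bot: `pkts += pkt1` (and the two lines after it) extends the list by iterating a scapy Packet, which relies on Packet being iterable over its field combinations rather than saying what is meant; `pkts = [pkt1, pkt2, pkt3]` is the obvious form. `flags='P''A'` is implicit concatenation of two string literals and reads like a typo — write `flags='PA'`. This same script (blob cb0cf5c13) is copied into util-action-02 and -05 through -12, yet the committed input.pcap blobs differ between those directories (95dd0d89a in 01/02/11, ea228e7b0 in 05, 554cb6361 in 06, f50dc35ef in 07/09/10, 00bc1102b in 08, 0e8cec4ae in 12), presumably because wrpcap stamps each packet with the current time; pinning the timestamps before writing (e.g. `for i, p in enumerate(pkts): p.time = 1.0 + i`) would let a reviewer regenerate the committed pcap byte-for-byte. The shebang should also name `python3` so the generator does not depend on a legacy interpreter.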
diff --git a/tests/util-action-tests/util-action-02/input.pcap b/tests/util-action-tests/util-action-02/input.pcap
new file mode 100644
index 000000000..95dd0d89a
Binary files /dev/null and b/tests/util-action-tests/util-action-02/input.pcap differ
diff --git a/tests/util-action-tests/util-action-02/suricata.yaml b/tests/util-action-tests/util-action-02/suricata.yaml
new file mode 100644
index 000000000..d210eab85
--- /dev/null
+++ b/tests/util-action-tests/util-action-02/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
diff --git a/tests/util-action-tests/util-action-02/test.rules b/tests/util-action-tests/util-action-02/test.rules
new file mode 100644
index 000000000..b722f4e2e
--- /dev/null
+++ b/tests/util-action-tests/util-action-02/test.rules
@@ -0,0 +1,3 @@
+alert ip any any -> any any (msg:"sig 1"; sid:1;)
+pass ip 192.168.1.1 80 -> any any (msg:"sig 2"; sid:2;)
+drop ip any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-02/test.yaml b/tests/util-action-tests/util-action-02/test.yaml
new file mode 100644
index 000000000..dcdfdf0ea
--- /dev/null
+++ b/tests/util-action-tests/util-action-02/test.yaml
@@ -0,0 +1,26 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-02/writepcap.py b/tests/util-action-tests/util-action-02/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-02/writepcap.py
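Review bot: `action-order` here moves `drop` ahead of `pass`, the opposite of the stock pass-first order that the util-action-08 README relies on, but nothing in this file says the inversion is the point of the test. A one-line YAML comment above the list, `# deliberately non-default: drop must beat pass for sid 3 to alert on pkt1`, would keep the next reader from "fixing" it back to the default. The same blob (d210eab85) is duplicated into util-action-04, -06, -11 and -12, so the comment should go into each copy.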
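Review bot: sid 1 and sid 3 are each expected exactly once, but all three packets match `drop ip any any -> any any` and the README in this directory says the two non-pass packets both generate alerts, so the README and the checks disagree. A count of 1 is consistent with the drop on pkt1 putting the whole flow into drop so pkt2 and pkt3 are never inspected (which is how the util-action-12 README explains its own single alert), but that reasoning should sit next to the counts, e.g. `# only pkt1 reaches detection; the header-only drop is applied to the rest of the flow`, or the README should be corrected. Note also that, unlike util-action-01, an `event_type: stats` check is not possible here because the per-test suricata.yaml lists only the `alert` and `flow` eve types.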
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-03/README.md b/tests/util-action-tests/util-action-03/README.md
new file mode 100644
index 000000000..693d73fbc
--- /dev/null
+++ b/tests/util-action-tests/util-action-03/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+For the second packet, we don't expect alerts, since it will be flagged by the
+PASS sid (2). We expect alerts for sids 1 and 3 for the other two packets.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-03/input.pcap b/tests/util-action-tests/util-action-03/input.pcap
new file mode 100644
index 000000000..a239a52d0
Binary files /dev/null and b/tests/util-action-tests/util-action-03/input.pcap differ
diff --git a/tests/util-action-tests/util-action-03/test.rules b/tests/util-action-tests/util-action-03/test.rules
new file mode 100644
index 000000000..ea21d79c1
--- /dev/null
+++ b/tests/util-action-tests/util-action-03/test.rules
@@ -0,0 +1,3 @@
+alert ip any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass ip any any -> any any (msg:"sig 2"; content:"wo"; sid:2;)
+alert ip any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
diff --git a/tests/util-action-tests/util-action-03/test.yaml b/tests/util-action-tests/util-action-03/test.yaml
new file mode 100644
index 000000000..cfbd9fc2b
--- /dev/null
+++ b/tests/util-action-tests/util-action-03/test.yaml
@@ -0,0 +1,29 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-03/writepcap.py b/tests/util-action-tests/util-action-03/writepcap.py
new file mode 100644
index 000000000..bb1f9b717
--- /dev/null
+++ b/tests/util-action-tests/util-action-03/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"wo!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-04/README.md b/tests/util-action-tests/util-action-04/README.md
new file mode 100644
index 000000000..9a89ff9e6
--- /dev/null
+++ b/tests/util-action-tests/util-action-04/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+First and third sids will be triggered by all three packets. The second packet
+won't trigger sid 1, for the PASS rule will bypass that.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-04/input.pcap b/tests/util-action-tests/util-action-04/input.pcap
new file mode 100644
index 000000000..48574c87c
Binary files /dev/null and b/tests/util-action-tests/util-action-04/input.pcap differ
diff --git a/tests/util-action-tests/util-action-04/suricata.yaml b/tests/util-action-tests/util-action-04/suricata.yaml
new file mode 100644
index 000000000..d210eab85
--- /dev/null
+++ b/tests/util-action-tests/util-action-04/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
diff --git a/tests/util-action-tests/util-action-04/test.rules b/tests/util-action-tests/util-action-04/test.rules
new file mode 100644
index 000000000..9cd96f15f
--- /dev/null
+++ b/tests/util-action-tests/util-action-04/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"wo"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
diff --git a/tests/util-action-tests/util-action-04/test.yaml b/tests/util-action-tests/util-action-04/test.yaml
new file mode 100644
index 000000000..f4c2d6a31
--- /dev/null
+++ b/tests/util-action-tests/util-action-04/test.yaml
@@ -0,0 +1,25 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-04/writepcap.py b/tests/util-action-tests/util-action-04/writepcap.py
new file mode 100644
index 000000000..d27e53db1
--- /dev/null
+++ b/tests/util-action-tests/util-action-04/writepcap.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi \
+ all wo!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-05/README.md b/tests/util-action-tests/util-action-05/README.md
new file mode 100644
index 000000000..4c0a7d49b
--- /dev/null
+++ b/tests/util-action-tests/util-action-05/README.md
@@ -0,0 +1,11 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The PASS rule (sid 2) will make so that no alerts will be registered by Suri.
+
+PCAP
+====
+pcap generated with scapy.
+
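Review bot: The pkt2 payload literal is split with a backslash-newline inside the quotes (`"Hi \` continued by ` all wo!\r\n"`), and in Python that keeps the continuation line's leading whitespace inside the string, so the payload most likely reads `Hi <several spaces>all wo!` and no longer contains `Hi all`. That fits this directory's test.yaml (2 alerts each for sids 1 and 3, i.e. pkt2 never matches the `content:"Hi all"` rules) but contradicts the README, which says all three packets trigger the first and third sids and that pkt2 is the one the pass rule suppresses. Write it as `"Hi all wo!\r\n"` on one line, regenerate input.pcap, and re-derive the expected counts — with `drop` ordered before `pass` in this directory's suricata.yaml, pkt2 should then add a sid 3 alert while sid 1 stays suppressed. If the extra whitespace was intentional, a comment saying so and a matching README fix are needed instead.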
diff --git a/tests/util-action-tests/util-action-05/input.pcap b/tests/util-action-tests/util-action-05/input.pcap
new file mode 100644
index 000000000..ea228e7b0
Binary files /dev/null and b/tests/util-action-tests/util-action-05/input.pcap differ
diff --git a/tests/util-action-tests/util-action-05/test.rules b/tests/util-action-tests/util-action-05/test.rules
new file mode 100644
index 000000000..545fc0ca4
--- /dev/null
+++ b/tests/util-action-tests/util-action-05/test.rules
@@ -0,0 +1,3 @@
+alert ip any any -> any any (msg:"sig 1"; sid:1;)
+pass ip any any -> any any (msg:"Testing normal 2"; sid:2;)
+alert ip any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-05/test.yaml b/tests/util-action-tests/util-action-05/test.yaml
new file mode 100644
index 000000000..9c534f5cf
--- /dev/null
+++ b/tests/util-action-tests/util-action-05/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-05/writepcap.py b/tests/util-action-tests/util-action-05/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-05/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-06/README.md b/tests/util-action-tests/util-action-06/README.md
new file mode 100644
index 000000000..d79db8423
--- /dev/null
+++ b/tests/util-action-tests/util-action-06/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The DROP rule (sid 3) will be triggered by all packets, and having the highest
+priority, will make so that no other alerts will be registered by Suri.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-06/input.pcap b/tests/util-action-tests/util-action-06/input.pcap
new file mode 100644
index 000000000..554cb6361
Binary files /dev/null and b/tests/util-action-tests/util-action-06/input.pcap differ
diff --git a/tests/util-action-tests/util-action-06/suricata.yaml b/tests/util-action-tests/util-action-06/suricata.yaml
new file mode 100644
index 000000000..d210eab85
--- /dev/null
+++ b/tests/util-action-tests/util-action-06/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
diff --git a/tests/util-action-tests/util-action-06/test.rules b/tests/util-action-tests/util-action-06/test.rules
new file mode 100644
index 000000000..99941ba82
--- /dev/null
+++ b/tests/util-action-tests/util-action-06/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
diff --git a/tests/util-action-tests/util-action-06/test.yaml b/tests/util-action-tests/util-action-06/test.yaml
new file mode 100644
index 000000000..722e5cde0
--- /dev/null
+++ b/tests/util-action-tests/util-action-06/test.yaml
@@ -0,0 +1,25 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-06/writepcap.py b/tests/util-action-tests/util-action-06/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-06/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-07/README.md b/tests/util-action-tests/util-action-07/README.md
new file mode 100644
index 000000000..5b762c2df
--- /dev/null
+++ b/tests/util-action-tests/util-action-07/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP and ALERT
+have higher priority, only those two generate alerts, as the PASS rule won't
+take place.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-07/input.pcap b/tests/util-action-tests/util-action-07/input.pcap
new file mode 100644
index 000000000..f50dc35ef
Binary files /dev/null and b/tests/util-action-tests/util-action-07/input.pcap differ
diff --git a/tests/util-action-tests/util-action-07/suricata.yaml b/tests/util-action-tests/util-action-07/suricata.yaml
new file mode 100644
index 000000000..6882c7c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-07/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
diff --git a/tests/util-action-tests/util-action-07/test.rules b/tests/util-action-tests/util-action-07/test.rules
new file mode 100644
index 000000000..99941ba82
--- /dev/null
+++ b/tests/util-action-tests/util-action-07/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;)
diff --git a/tests/util-action-tests/util-action-07/test.yaml b/tests/util-action-tests/util-action-07/test.yaml
new file mode 100644
index 000000000..6e260b4c6
--- /dev/null
+++ b/tests/util-action-tests/util-action-07/test.yaml
@@ -0,0 +1,25 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-07/writepcap.py b/tests/util-action-tests/util-action-07/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-07/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-08/README.md b/tests/util-action-tests/util-action-08/README.md
new file mode 100644
index 000000000..150dee78f
--- /dev/null
+++ b/tests/util-action-tests/util-action-08/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since with the
+default settings PASS has higher priority, the DROP and ALERT signatures won't
+generate alerts, as all packets trigger sid 2 (PASS).
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-08/input.pcap b/tests/util-action-tests/util-action-08/input.pcap
new file mode 100644
index 000000000..00bc1102b
Binary files /dev/null and b/tests/util-action-tests/util-action-08/input.pcap differ
diff --git a/tests/util-action-tests/util-action-08/test.rules b/tests/util-action-tests/util-action-08/test.rules
new file mode 100644
index 000000000..ff9b156f3
--- /dev/null
+++ b/tests/util-action-tests/util-action-08/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-08/test.yaml b/tests/util-action-tests/util-action-08/test.yaml
new file mode 100644
index 000000000..950d3c70c
--- /dev/null
+++ b/tests/util-action-tests/util-action-08/test.yaml
@@ -0,0 +1,29 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-08/writepcap.py b/tests/util-action-tests/util-action-08/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-08/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-09/README.md b/tests/util-action-tests/util-action-09/README.md
new file mode 100644
index 000000000..150dee78f
--- /dev/null
+++ b/tests/util-action-tests/util-action-09/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since with the
+default settings PASS has higher priority, the DROP and ALERT signatures won't
+generate alerts, as all packets trigger sid 2 (PASS).
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-09/input.pcap b/tests/util-action-tests/util-action-09/input.pcap
new file mode 100644
index 000000000..f50dc35ef
Binary files /dev/null and b/tests/util-action-tests/util-action-09/input.pcap differ
diff --git a/tests/util-action-tests/util-action-09/test.rules b/tests/util-action-tests/util-action-09/test.rules
new file mode 100644
index 000000000..31ef99b39
--- /dev/null
+++ b/tests/util-action-tests/util-action-09/test.rules
@@ -0,0 +1,3 @@
+drop tcp any any -> any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
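Review bot: Here the drop rule is sid 1, the content alert is sid 2 and the pass rule is sid 3, but this directory's README is the same blob as util-action-08's (150dee78f) and describes sid 2 as the PASS rule that suppresses everything. The test.yaml expectations for this directory (no alerts, `flow.action: pass`) agree with these rules, so the README is the stale copy; at minimum its last clause should read `as all packets trigger sid 3 (PASS)`. The rules also carry no `rev:` keyword; adding `rev:1;` to each is the conventional Suricata form and makes later edits to the test rules traceable.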
diff --git a/tests/util-action-tests/util-action-09/test.yaml b/tests/util-action-tests/util-action-09/test.yaml
new file mode 100644
index 000000000..9c534f5cf
--- /dev/null
+++ b/tests/util-action-tests/util-action-09/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-09/writepcap.py b/tests/util-action-tests/util-action-09/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-09/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-10/README.md b/tests/util-action-tests/util-action-10/README.md
new file mode 100644
index 000000000..5b762c2df
--- /dev/null
+++ b/tests/util-action-tests/util-action-10/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP and ALERT
+have higher priority, only those two generate alerts, as the PASS rule won't
+take place.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-10/input.pcap b/tests/util-action-tests/util-action-10/input.pcap
new file mode 100644
index 000000000..f50dc35ef
Binary files /dev/null and b/tests/util-action-tests/util-action-10/input.pcap differ
diff --git a/tests/util-action-tests/util-action-10/test.rules b/tests/util-action-tests/util-action-10/test.rules
new file mode 100644
index 000000000..b7321fc48
--- /dev/null
+++ b/tests/util-action-tests/util-action-10/test.rules
@@ -0,0 +1,3 @@
+pass tcp any any -> any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-10/test.yaml b/tests/util-action-tests/util-action-10/test.yaml
new file mode 100644
index 000000000..9c534f5cf
--- /dev/null
+++ b/tests/util-action-tests/util-action-10/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-10/writepcap.py b/tests/util-action-tests/util-action-10/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-10/writepcap.py
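Review bot: These checks expect zero alerts and a flow in `pass`, which is what the default pass-first order gives since no suricata.yaml is added for this directory, but the README committed alongside is the util-action-07 blob (5b762c2df) and claims DROP and ALERT "generate alerts, as the PASS rule won't take place" — the opposite of what is asserted here. Fix the README to describe the default-order outcome (pass sid 1 matches every packet and suppresses sids 2 and 3), and consider making the order explicit with a per-test suricata.yaml carrying `action-order: [pass, drop, reject, alert]` so the test keeps its meaning if the harness default ever changes. This test.yaml is also the same blob as util-action-05 and -09 (9c534f5cf), so any comment added to explain the expectations should go into all three copies.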
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-11/README.md b/tests/util-action-tests/util-action-11/README.md
new file mode 100644
index 000000000..b0a1cb2eb
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP action has the higher priority, we expect that all packets generate
+alert for sid 3.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-11/input.pcap b/tests/util-action-tests/util-action-11/input.pcap
new file mode 100644
index 000000000..95dd0d89a
Binary files /dev/null and b/tests/util-action-tests/util-action-11/input.pcap differ
diff --git a/tests/util-action-tests/util-action-11/suricata.yaml b/tests/util-action-tests/util-action-11/suricata.yaml
new file mode 100644
index 000000000..d210eab85
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
diff --git a/tests/util-action-tests/util-action-11/test.rules b/tests/util-action-tests/util-action-11/test.rules
new file mode 100644
index 000000000..ff9b156f3
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-11/test.yaml b/tests/util-action-tests/util-action-11/test.yaml
new file mode 100644
index 000000000..e99b42b83
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-11/writepcap.py b/tests/util-action-tests/util-action-11/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/writepcap.py
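Review bot: sid 3 is expected exactly once and the flow is expected in `drop`, yet `drop tcp any any -> any any (sid:3)` matches all three packets and this directory's README says all packets generate an alert for sid 3. A single alert is consistent with the drop on pkt1 being applied to the remainder of the flow, which is how the util-action-12 README explains the identical situation, so either borrow that explanation into this README or put it next to the count: `# header-only drop on pkt1 drops the flow; pkt2/pkt3 are not inspected`. Without it the contrast with util-action-06, where a content-based drop is expected to alert on all three packets, reads like a mistake in the expectations rather than intended behaviour.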
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-12/README.md b/tests/util-action-tests/util-action-12/README.md
new file mode 100644
index 000000000..3aa7a5662
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/README.md
@@ -0,0 +1,15 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP signature
+has higher priority, all packets are dropped before other alerts are generated.
+The packets are considered as being from a single flow, and with the first
+packet being dropped, the whole flow is dropped, generated a single alert for
+sid 1.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-12/input.pcap b/tests/util-action-tests/util-action-12/input.pcap
new file mode 100644
index 000000000..0e8cec4ae
Binary files /dev/null and b/tests/util-action-tests/util-action-12/input.pcap differ
diff --git a/tests/util-action-tests/util-action-12/suricata.yaml b/tests/util-action-tests/util-action-12/suricata.yaml
new file mode 100644
index 000000000..d210eab85
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
diff --git a/tests/util-action-tests/util-action-12/test.rules b/tests/util-action-tests/util-action-12/test.rules
new file mode 100644
index 000000000..31ef99b39
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/test.rules
@@ -0,0 +1,3 @@
+drop tcp any any -> any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-12/test.yaml b/tests/util-action-tests/util-action-12/test.yaml
new file mode 100644
index 000000000..3c00d2a42
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-12/writepcap.py b/tests/util-action-tests/util-action-12/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-13/README.md b/tests/util-action-tests/util-action-13/README.md
new file mode 100644
index 000000000..80005e0b0
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP action has the higher priority, we expect that all packets generate
+alert for sid 2, and sid 2 only.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-13/input.pcap b/tests/util-action-tests/util-action-13/input.pcap
new file mode 100644
index 000000000..95dd0d89a
Binary files /dev/null and b/tests/util-action-tests/util-action-13/input.pcap differ
diff --git a/tests/util-action-tests/util-action-13/suricata.yaml b/tests/util-action-tests/util-action-13/suricata.yaml
new file mode 100644
index 000000000..d210eab85
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
diff --git a/tests/util-action-tests/util-action-13/test.rules b/tests/util-action-tests/util-action-13/test.rules
new file mode 100644
index 000000000..b7321fc48
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/test.rules
@@ -0,0 +1,3 @@
+pass tcp any any -> any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-13/test.yaml b/tests/util-action-tests/util-action-13/test.yaml
new file mode 100644
index 000000000..ede2edcbc
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-13/writepcap.py b/tests/util-action-tests/util-action-13/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-14/README.md b/tests/util-action-tests/util-action-14/README.md
new file mode 100644
index 000000000..29f3f8fcd
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect alerts for sids
+1 and 3.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-14/input.pcap b/tests/util-action-tests/util-action-14/input.pcap
new file mode 100644
index 000000000..95dd0d89a
Binary files /dev/null and b/tests/util-action-tests/util-action-14/input.pcap differ
diff --git a/tests/util-action-tests/util-action-14/suricata.yaml b/tests/util-action-tests/util-action-14/suricata.yaml
new file mode 100644
index 000000000..6882c7c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
diff --git a/tests/util-action-tests/util-action-14/test.rules b/tests/util-action-tests/util-action-14/test.rules
new file mode 100644
index 000000000..ff9b156f3
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-14/test.yaml b/tests/util-action-tests/util-action-14/test.yaml
new file mode 100644
index 000000000..a25c45036
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-14/writepcap.py b/tests/util-action-tests/util-action-14/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-15/README.md b/tests/util-action-tests/util-action-15/README.md
new file mode 100644
index 000000000..98d0af00a
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect that all packets generate
+alerts for sids 1 and 2.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-15/input.pcap b/tests/util-action-tests/util-action-15/input.pcap
new file mode 100644
index 000000000..95dd0d89a
Binary files /dev/null and b/tests/util-action-tests/util-action-15/input.pcap differ
diff --git a/tests/util-action-tests/util-action-15/suricata.yaml b/tests/util-action-tests/util-action-15/suricata.yaml
new file mode 100644
index 000000000..6882c7c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
diff --git a/tests/util-action-tests/util-action-15/test.rules b/tests/util-action-tests/util-action-15/test.rules
new file mode 100644
index 000000000..31ef99b39
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/test.rules
@@ -0,0 +1,3 @@
+drop tcp any any -> any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-15/test.yaml b/tests/util-action-tests/util-action-15/test.yaml
new file mode 100644
index 000000000..0df9caec5
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-15/writepcap.py b/tests/util-action-tests/util-action-15/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-16/README.md b/tests/util-action-tests/util-action-16/README.md
new file mode 100644
index 000000000..76f16abbc
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect that all packets generate
+alerts for sids 2 and 3.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-16/input.pcap b/tests/util-action-tests/util-action-16/input.pcap
new file mode 100644
index 000000000..95dd0d89a
Binary files /dev/null and b/tests/util-action-tests/util-action-16/input.pcap differ
diff --git a/tests/util-action-tests/util-action-16/suricata.yaml b/tests/util-action-tests/util-action-16/suricata.yaml
new file mode 100644
index 000000000..6882c7c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - alert
+ - reject
+ - pass
diff --git a/tests/util-action-tests/util-action-16/test.rules b/tests/util-action-tests/util-action-16/test.rules
new file mode 100644
index 000000000..b7321fc48
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/test.rules
@@ -0,0 +1,3 @@
+pass tcp any any -> any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-16/test.yaml b/tests/util-action-tests/util-action-16/test.yaml
new file mode 100644
index 000000000..a012c193b
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-16/writepcap.py b/tests/util-action-tests/util-action-16/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)