From: Victor Julien Date: Mon, 21 Mar 2022 21:03:13 +0000 (+0100) Subject: tests: ips exception handling tests X-Git-Tag: suricata-5.0.10~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F846%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: ips exception handling tests
---
diff --git a/tests/exception-policy-applayer-01/suricata.yaml b/tests/exception-policy-applayer-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-applayer-01/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-applayer-01/test.rules b/tests/exception-policy-applayer-01/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/exception-policy-applayer-01/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-applayer-01/test.yaml b/tests/exception-policy-applayer-01/test.yaml
new file mode 100644
index 000000000..a1727f50e
--- /dev/null
+++ b/tests/exception-policy-applayer-01/test.yaml
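Review bot: The comment above sid:3 in tests/exception-policy-applayer-01/test.rules attributes the suppressed alert to a "memcap drop", but this test simulates an app-layer parser error (`--simulate-applayer-error-at-offset-ts=0` with `app-layer.error-policy=drop-flow`, and the expected `drop.reason` is "applayer error"); the wording appears copied from the stream-memcap tests. Suggest `# matches packet 4, but should not alert: the app-layer error policy drops the flow first`. Note the same blob (da4a536f4) is reused by exception-policy-stream-reassembly-memcap-01 and exception-policy-stream-ssn-memcap-01, where "memcap drop" is accurate, so the applayer test would need its own rules file for the corrected comment.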
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend pretend error in the first data
+- --simulate-applayer-error-at-offset-ts=0
+- --set app-layer.error-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "applayer error"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-default-01/suricata.yaml b/tests/exception-policy-default-01/suricata.yaml
new file mode 100644
index 000000000..b1a0e258c
--- /dev/null
+++ b/tests/exception-policy-default-01/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-default-01/test.rules b/tests/exception-policy-default-01/test.rules
new file mode 100644
index 000000000..c47db71d7
--- /dev/null
+++ b/tests/exception-policy-default-01/test.rules
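Review bot: The args comment `# pretend pretend error in the first data` in tests/exception-policy-applayer-01/test.yaml has a duplicated word and does not name the error being simulated; suggest `# simulate an app-layer parser error in the first to-server data`. tests/exception-policy-defrag-01/test.yaml carries the same duplicated word. A one-line comment at `checks:` would also make the intent of the zero counts explicit: the `tls`/`tls.sni` counts of 0 and the 28 "flow drop" events show the drop-flow policy overrides the sid:1 pass rule for example.com, presumably because the SNI is never parsed once the flow is dropped, so an allowlist by SNI offers no relief from this exception policy.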
@@ -0,0 +1,4 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; priority:2; sid:2; rev:1;)
+# matches packet 4, but no match due to action order
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-default-01/test.yaml b/tests/exception-policy-default-01/test.yaml
new file mode 100644
index 000000000..3c7a8d03c
--- /dev/null
+++ b/tests/exception-policy-default-01/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: example.com
diff --git a/tests/exception-policy-defrag-01/README.md b/tests/exception-policy-defrag-01/README.md
new file mode 100644
index 000000000..de98e6b68
--- /dev/null
+++ b/tests/exception-policy-defrag-01/README.md
@@ -0,0 +1 @@
+pcap from https://wiki.wireshark.org/SampleCaptures
diff --git a/tests/exception-policy-defrag-01/ipv4frags.pcap b/tests/exception-policy-defrag-01/ipv4frags.pcap
new file mode 100644
index 000000000..5a6e4d20a
Binary files /dev/null and b/tests/exception-policy-defrag-01/ipv4frags.pcap differ
diff --git a/tests/exception-policy-defrag-01/suricata.yaml b/tests/exception-policy-defrag-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-defrag-01/suricata.yaml
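Review bot: The comment `# matches packet 4, but no match due to action order` in tests/exception-policy-default-01/test.rules leaves out the detail that makes this test meaningful: sid:3 carries `priority:1` while the pass rule sid:1 has `priority:2`, and the expected alert count is still 0. Suggest `# matches packet 4 (presumably the same packet sid:1 passes on), but action-order puts pass before alert regardless of priority`. Spelling that out guards the test against a future "fix" that lets priority override action-order.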
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-defrag-01/test.rules b/tests/exception-policy-defrag-01/test.rules
new file mode 100644
index 000000000..c0f94ab54
--- /dev/null
+++ b/tests/exception-policy-defrag-01/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (itype:8; sid:1;)
diff --git a/tests/exception-policy-defrag-01/test.yaml b/tests/exception-policy-defrag-01/test.yaml
new file mode 100644
index 000000000..02a87c3a8
--- /dev/null
+++ b/tests/exception-policy-defrag-01/test.yaml
@@ -0,0 +1,36 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+args:
+- --simulate-ips
+- -k none
+# pretend pretend error in the first fragment
+- --simulate-packet-defrag-memcap=1
+- --set defrag.memcap-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "defrag memcap"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: ICMP
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
+ proto: ICMP
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml
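Review bot: The args comment in tests/exception-policy-defrag-01/test.yaml describes the simulation as an "error in the first fragment", but the flag is `--simulate-packet-defrag-memcap=1` and the expected `drop.reason` is "defrag memcap", so it is a memcap hit, not a parse error. Suggest `# simulate the defrag memcap being hit on the first fragment; drop-packet should drop only that packet`. That also documents why the totals are one `drop` event and zero flows with `flow.action: drop`, which is the property worth protecting here.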
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/test.rules b/tests/exception-policy-stream-reassembly-memcap-01/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-01/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/test.yaml b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
new file mode 100644
index 000000000..81c72f685
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-02/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-02/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-02/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-02/test.rules b/tests/exception-policy-stream-reassembly-memcap-02/test.rules
new file mode 100644
index 000000000..4d794bf0b
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-02/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap pass
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-02/test.yaml b/tests/exception-policy-stream-reassembly-memcap-02/test.yaml
new file mode 100644
index 000000000..4ddaf4cf3
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-02/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=pass-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ flow.action: pass
diff --git a/tests/exception-policy-stream-reassembly-memcap-03/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-03/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-03/suricata.yaml
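Review bot: The `--simulate-packet-tcp-reassembly-memcap=4` arg in tests/exception-policy-stream-reassembly-memcap-02/test.yaml has no explanatory comment, unlike the drop-flow variant in memcap-01 which says `# pretend tcp memcap was hit in packet 4, the client hello containing the sni`. Suggest carrying the same comment here, plus one line on the expected outcome, e.g. `# pass-flow: the flow is passed without the SNI ever being parsed, so neither the pass nor the drop rule can match`; that is what the `tls.sni` count of 0, `tls` count of 1 and `flow.action: pass` check together assert. The same missing comment applies to tests/exception-policy-stream-reassembly-memcap-03/test.yaml (`bypass`) and tests/exception-policy-stream-ssn-memcap-01/test.yaml (`--simulate-packet-tcp-ssn-memcap=1`).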
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-03/test.rules b/tests/exception-policy-stream-reassembly-memcap-03/test.rules
new file mode 100644
index 000000000..080a424ce
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-03/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap bypass
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-03/test.yaml b/tests/exception-policy-stream-reassembly-memcap-03/test.yaml
new file mode 100644
index 000000000..5a7db9f7e
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-03/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=bypass
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-04/suricata.yaml
new file mode 100644
index 000000000..758f72085
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-04/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/test.rules b/tests/exception-policy-stream-reassembly-memcap-04/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-04/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/test.yaml b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
new file mode 100644
index 000000000..81c72f685
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml
new file mode 100644
index 000000000..758f72085
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/test.rules b/tests/exception-policy-stream-reassembly-memcap-05/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-05/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/test.yaml b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
new file mode 100644
index 000000000..24e399ac9
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml
new file mode 100644
index 000000000..758f72085
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
diff --git a/tests/exception-policy-stream-reassembly-memcap-06/test.rules b/tests/exception-policy-stream-reassembly-memcap-06/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-06/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-06/test.yaml b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml
new file mode 100644
index 000000000..e742f8e4c
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml
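Review bot: The comment `# matches packet 4, but no match due to memcap drop` in tests/exception-policy-stream-reassembly-memcap-06/test.rules does not describe this test: its test.yaml sets `stream.reassembly.memcap-policy=pass-packet` and expects zero `drop` events, so nothing is dropped here. The rules blob (55923b296) is shared with memcap-04 (drop-flow) and memcap-05 (drop-packet), where the wording fits; either give memcap-06 its own rules file or make the comment policy-neutral, e.g. `# matches packet 4, the packet the simulated memcap hit is applied to; no alert is expected under the configured memcap-policy`.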
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=pass-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-ssn-memcap-01/suricata.yaml b/tests/exception-policy-stream-ssn-memcap-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-ssn-memcap-01/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-ssn-memcap-01/test.rules b/tests/exception-policy-stream-ssn-memcap-01/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/exception-policy-stream-ssn-memcap-01/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-ssn-memcap-01/test.yaml b/tests/exception-policy-stream-ssn-memcap-01/test.yaml
new file mode 100644
index 000000000..1e59743e1
--- /dev/null
+++ b/tests/exception-policy-stream-ssn-memcap-01/test.yaml
@@ -0,0 +1,49 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-ssn-memcap=1
+- --set stream.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 32
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 31
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop