From: Victor Julien
Date: Sat, 15 Oct 2022 06:07:10 +0000 (+0200)
Subject: tests: add rate_filter tests
X-Git-Tag: suricata-6.0.9~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F960%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: add rate_filter tests
---
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostdst/README.md b/tests/threshold/threshold-config-rate-filter-alert-hostdst/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostdst/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostdst/input.pcap b/tests/threshold/threshold-config-rate-filter-alert-hostdst/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-alert-hostdst/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostdst/input.rules b/tests/threshold/threshold-config-rate-filter-alert-hostdst/input.rules
new file mode 100644
index 000000000..7cb862d41
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostdst/input.rules
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostdst/suricata.yaml b/tests/threshold/threshold-config-rate-filter-alert-hostdst/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostdst/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-alert-hostdst/test.yaml
new file mode 100644
index 000000000..91a0d1564
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostdst/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 2 # 1 per direction
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostdst/threshold.config b/tests/threshold/threshold-config-rate-filter-alert-hostdst/threshold.config
new file mode 100644
index 000000000..3aec47b64
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostdst/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action alert, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostsrc/README.md b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostsrc/input.pcap b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/input.pcap differ
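Review bot: The `event_type: drop` check (`count: 2 # 1 per direction`) counts every drop record without tying it to sid 1000001, unlike the drop-* tests in this same commit, which narrow their drop match with `drop.reason`. Since the accompanying suricata.yaml enables `alerts: true` under the drop output, the drop records should carry the alert fields, so the match could read `event_type: drop` together with `alert.signature_id: 1000001` to keep the count robust against unrelated drops; confirm the field name against the produced eve.json first. The same applies to the alert-hostsrc, alert-pair and alert-rule test.yaml hunks, where the drop check is likewise unqualified.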
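Review bot: The README added for this directory describes the test as exercising the `by_rule` keyword, but the rate_filter entry here tracks `by_dst` with `new_action alert`; the identical README text is copied into the hostsrc, pair, rule, drop-*, pass-* and reject-hostdst directories, so none of them documents its own track key or new_action. A heading such as `# Threshold.config rate_filter: track by_dst, new_action alert` and a sentence like `This test checks a rate_filter entry in threshold.config that tracks by_dst and applies new_action alert to the drop rule once count 1 is reached within 60 seconds.` would make each directory self-describing, with the sibling READMEs carrying their own track/new_action pair. The pcap provenance line can stay as written.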
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostsrc/input.rules b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/input.rules
new file mode 100644
index 000000000..7cb862d41
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/input.rules
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostsrc/suricata.yaml b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostsrc/test.yaml b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/test.yaml
new file mode 100644
index 000000000..91a0d1564
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 2 # 1 per direction
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-alert-hostsrc/threshold.config b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/threshold.config
new file mode 100644
index 000000000..060c8a967
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-hostsrc/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action alert, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-alert-pair/README.md b/tests/threshold/threshold-config-rate-filter-alert-pair/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-pair/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-alert-pair/input.pcap b/tests/threshold/threshold-config-rate-filter-alert-pair/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-alert-pair/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-alert-pair/input.rules b/tests/threshold/threshold-config-rate-filter-alert-pair/input.rules
new file mode 100644
index 000000000..7cb862d41
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-pair/input.rules
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-alert-pair/suricata.yaml b/tests/threshold/threshold-config-rate-filter-alert-pair/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-pair/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-alert-pair/test.yaml b/tests/threshold/threshold-config-rate-filter-alert-pair/test.yaml
new file mode 100644
index 000000000..bbc6465b9
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-pair/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-alert-pair/threshold.config b/tests/threshold/threshold-config-rate-filter-alert-pair/threshold.config
new file mode 100644
index 000000000..bb7dcc06c
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-pair/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action alert, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-alert-rule/README.md b/tests/threshold/threshold-config-rate-filter-alert-rule/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-rule/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-alert-rule/input.pcap b/tests/threshold/threshold-config-rate-filter-alert-rule/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-alert-rule/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-alert-rule/input.rules b/tests/threshold/threshold-config-rate-filter-alert-rule/input.rules
new file mode 100644
index 000000000..7cb862d41
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-rule/input.rules
@@ -0,0 +1 @@
+drop tcp any any -> any any (dsize:0; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-alert-rule/suricata.yaml b/tests/threshold/threshold-config-rate-filter-alert-rule/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-rule/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-alert-rule/test.yaml b/tests/threshold/threshold-config-rate-filter-alert-rule/test.yaml
new file mode 100644
index 000000000..bbc6465b9
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-rule/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 19
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-alert-rule/threshold.config b/tests/threshold/threshold-config-rate-filter-alert-rule/threshold.config
new file mode 100644
index 000000000..4a00ba5bb
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-alert-rule/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action alert, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/README.md b/tests/threshold/threshold-config-rate-filter-drop-hostdst/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/input.pcap b/tests/threshold/threshold-config-rate-filter-drop-hostdst/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-drop-hostdst/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/input.rules b/tests/threshold/threshold-config-rate-filter-drop-hostdst/input.rules
new file mode 100644
index 000000000..d3721f4f5
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/suricata.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostdst/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml
new file mode 100644
index 000000000..1b351c028
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/threshold.config b/tests/threshold/threshold-config-rate-filter-drop-hostdst/threshold.config
new file mode 100644
index 000000000..68f21e691
--- /dev/null
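Review bot: This test.yaml asserts alert and drop counts but, unlike the alert-* and pass-* variants in the same commit, has no `event_type: http` check, so whether the HTTP transaction is still logged once rate_filter switches the rule to drop under `--simulate-ips` is left unpinned. A third filter with `match: event_type: http` and the count the current eve.json produces would document that behaviour and catch regressions in it. The gap between `count: 31` alerts and `count: 29` drops is also unexplained; if it is the first packet per direction alerting before the filter flips to drop, as the `# 1 per direction` comment in the alert-* tests suggests, a comment to that effect next to `count: 29` would help, but that is inferred from the numbers and should be verified first. The same missing http check applies to the drop-hostsrc, drop-ippair and drop-rule test.yaml hunks.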
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action drop, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/README.md b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/input.pcap b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/input.rules b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/input.rules
new file mode 100644
index 000000000..d3721f4f5
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/suricata.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/test.yaml
new file mode 100644
index 000000000..1b351c028
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/threshold.config b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/threshold.config
new file mode 100644
index 000000000..c05fe0a18
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action drop, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-drop-ippair/README.md b/tests/threshold/threshold-config-rate-filter-drop-ippair/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-ippair/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-drop-ippair/input.pcap b/tests/threshold/threshold-config-rate-filter-drop-ippair/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-drop-ippair/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-drop-ippair/input.rules b/tests/threshold/threshold-config-rate-filter-drop-ippair/input.rules
new file mode 100644
index 000000000..d3721f4f5
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-ippair/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-drop-ippair/suricata.yaml b/tests/threshold/threshold-config-rate-filter-drop-ippair/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-ippair/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-drop-ippair/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-ippair/test.yaml
new file mode 100644
index 000000000..fea44cfe4
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-ippair/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
diff --git a/tests/threshold/threshold-config-rate-filter-drop-ippair/threshold.config b/tests/threshold/threshold-config-rate-filter-drop-ippair/threshold.config
new file mode 100644
index 000000000..c9231bd5e
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-ippair/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action drop, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-drop-rule/README.md b/tests/threshold/threshold-config-rate-filter-drop-rule/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-rule/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-drop-rule/input.pcap b/tests/threshold/threshold-config-rate-filter-drop-rule/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-drop-rule/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-drop-rule/input.rules b/tests/threshold/threshold-config-rate-filter-drop-rule/input.rules
new file mode 100644
index 000000000..d3721f4f5
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-rule/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-drop-rule/suricata.yaml b/tests/threshold/threshold-config-rate-filter-drop-rule/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-rule/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-drop-rule/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-rule/test.yaml
new file mode 100644
index 000000000..fea44cfe4
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-rule/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
diff --git a/tests/threshold/threshold-config-rate-filter-drop-rule/threshold.config b/tests/threshold/threshold-config-rate-filter-drop-rule/threshold.config
new file mode 100644
index 000000000..f10e122e0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-drop-rule/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action drop, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostdst/README.md b/tests/threshold/threshold-config-rate-filter-pass-hostdst/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostdst/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostdst/input.pcap b/tests/threshold/threshold-config-rate-filter-pass-hostdst/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-pass-hostdst/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostdst/input.rules b/tests/threshold/threshold-config-rate-filter-pass-hostdst/input.rules
new file mode 100644
index 000000000..4b313e20b
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostdst/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostdst/suricata.yaml b/tests/threshold/threshold-config-rate-filter-pass-hostdst/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostdst/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-pass-hostdst/test.yaml
new file mode 100644
index 000000000..7619df6be
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostdst/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 2 # once for each dir
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostdst/threshold.config b/tests/threshold/threshold-config-rate-filter-pass-hostdst/threshold.config
new file mode 100644
index 000000000..8bd3f6c08
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostdst/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action pass, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostsrc/README.md b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostsrc/input.pcap b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostsrc/input.rules b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/input.rules
new file mode 100644
index 000000000..4b313e20b
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostsrc/suricata.yaml b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostsrc/test.yaml b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/test.yaml
new file mode 100644
index 000000000..7619df6be
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 2 # once for each dir
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-pass-hostsrc/threshold.config b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/threshold.config
new file mode 100644
index 000000000..b2145ce51
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-hostsrc/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action pass, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-pass-pair/README.md b/tests/threshold/threshold-config-rate-filter-pass-pair/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-pair/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-pass-pair/input.pcap b/tests/threshold/threshold-config-rate-filter-pass-pair/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-pass-pair/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-pass-pair/input.rules b/tests/threshold/threshold-config-rate-filter-pass-pair/input.rules
new file mode 100644
index 000000000..4b313e20b
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-pair/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-pass-pair/suricata.yaml b/tests/threshold/threshold-config-rate-filter-pass-pair/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-pair/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-pass-pair/test.yaml b/tests/threshold/threshold-config-rate-filter-pass-pair/test.yaml
new file mode 100644
index 000000000..9ae94185e
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-pair/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-pass-pair/threshold.config b/tests/threshold/threshold-config-rate-filter-pass-pair/threshold.config
new file mode 100644
index 000000000..7c36d963f
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-pair/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action pass, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-pass-rule/README.md b/tests/threshold/threshold-config-rate-filter-pass-rule/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-rule/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-pass-rule/input.pcap b/tests/threshold/threshold-config-rate-filter-pass-rule/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-pass-rule/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-pass-rule/input.rules b/tests/threshold/threshold-config-rate-filter-pass-rule/input.rules
new file mode 100644
index 000000000..4b313e20b
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-rule/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg:"toto"; sid: 1000001;)
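Review bot: The pass-pair test.yaml asserts `count: 1` for the sid 1000001 alerts with no explanation, while the sibling pass-hostsrc test annotates its `count: 2` with `# once for each dir`; the difference between the two is the whole point of this test and deserves the same treatment. Given the threshold.config on this hunk uses `track by_both, count 1`, presumably a single tracker covers the src/dst pair so only the first hit alerts before the rule is switched to pass; a comment such as `count: 1 # by_both: one tracker for the address pair, only the first hit alerts` would record that expectation. The drop filter's `count: 0` is fine as the negative check, but it does not distinguish "rule switched to pass" from "rule stopped matching", so the alert count is carrying all the weight here.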
diff --git a/tests/threshold/threshold-config-rate-filter-pass-rule/suricata.yaml b/tests/threshold/threshold-config-rate-filter-pass-rule/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-rule/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-pass-rule/test.yaml b/tests/threshold/threshold-config-rate-filter-pass-rule/test.yaml
new file mode 100644
index 000000000..9ae94185e
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-rule/test.yaml
@@ -0,0 +1,21 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/threshold/threshold-config-rate-filter-pass-rule/threshold.config b/tests/threshold/threshold-config-rate-filter-pass-rule/threshold.config
new file mode 100644
index 000000000..e9f85ecbd
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-pass-rule/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action pass, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostdst/README.md b/tests/threshold/threshold-config-rate-filter-reject-hostdst/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostdst/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostdst/input.pcap b/tests/threshold/threshold-config-rate-filter-reject-hostdst/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-reject-hostdst/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostdst/input.rules b/tests/threshold/threshold-config-rate-filter-reject-hostdst/input.rules
new file mode 100644
index 000000000..d3721f4f5
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostdst/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostdst/suricata.yaml b/tests/threshold/threshold-config-rate-filter-reject-hostdst/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostdst/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-hostdst/test.yaml
new file mode 100644
index 000000000..1b351c028
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostdst/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostdst/threshold.config b/tests/threshold/threshold-config-rate-filter-reject-hostdst/threshold.config
new file mode 100644
index 000000000..961b1439d
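Review bot: The reject-hostdst test.yaml drops the `event_type: http` filter that every pass variant carries, so this test no longer says whether the HTTP transaction is still logged once the flow is being rejected mid-stream; either keep the filter with the count this run actually produces or add a comment explaining why it was left out. The `count: 31` alerts and `count: 29` drops are also bare magic numbers; if the gap is the two pre-threshold hits (one per direction under `track by_dst`), a comment like `count: 29 # 31 alerts minus the first hit for each tracked destination` would make the expectation reviewable. The `drop.reason: threshold detection_filter` match appears to be the generic thresholding drop reason rather than one specific to rate_filter, so a short comment would stop a future reader from assuming a detection_filter is configured here; if the alert record exposes the action, also pinning `alert.action: blocked` on the rejected alerts would tie the drops to this rule rather than to any other drop source.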
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostdst/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action reject, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/README.md b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/input.pcap b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/input.rules b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/input.rules
new file mode 100644
index 000000000..d3721f4f5
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/suricata.yaml b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
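Review bot: The reject-hostsrc rule `alert http any any -> any any (sid: 1000001;)` carries neither a `msg` nor a `rev`, while the pass variants of the same rule use the placeholder `msg:"toto"`; the fixtures should agree, and a descriptive message makes the resulting eve records self-explaining when a run fails. Suggest `alert http any any -> any any (msg:"rate_filter reject by_src test"; sid:1000001; rev:1;)` here and the equivalent wording in the other variants. The accompanying threshold.config line (`track by_src, count 1, seconds 60, ... timeout 1000`) is one bare line with no comment; since `count 1` means the first hit still alerts and only later hits are rejected (as the test counts on this page imply), a one-line comment stating that would save the next reader from re-deriving it.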
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/test.yaml
new file mode 100644
index 000000000..1b351c028
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/threshold.config b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/threshold.config
new file mode 100644
index 000000000..b18c5d49e
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_src, count 1, seconds 60, new_action reject, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-reject-pair/README.md b/tests/threshold/threshold-config-rate-filter-reject-pair/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-pair/README.md
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-reject-pair/input.pcap b/tests/threshold/threshold-config-rate-filter-reject-pair/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-reject-pair/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-reject-pair/input.rules b/tests/threshold/threshold-config-rate-filter-reject-pair/input.rules
new file mode 100644
index 000000000..d3721f4f5
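Review bot: The reject-hostsrc test.yaml is byte-identical to the reject-hostdst one (same blob `1b351c028`), so together they assert that `track by_src` and `track by_dst` yield the same 31-alert / 29-drop split without saying why that is expected. On a single bidirectional flow each side is both a source and a destination, so either key plausibly ends up with two trackers and two pre-threshold alerts, but that reasoning lives nowhere in the test; a comment on the drop filter such as `count: 29 # one pre-threshold alert per direction, the remaining 29 hits are rejected` would document it. Without such a note, a future change that makes the two keys diverge will fail both tests with no hint which expectation was the intended one.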
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-pair/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-reject-pair/suricata.yaml b/tests/threshold/threshold-config-rate-filter-reject-pair/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-pair/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-reject-pair/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-pair/test.yaml
new file mode 100644
index 000000000..fea44cfe4
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-pair/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
diff --git a/tests/threshold/threshold-config-rate-filter-reject-pair/threshold.config b/tests/threshold/threshold-config-rate-filter-reject-pair/threshold.config
new file mode 100644
index 000000000..4f489d2c0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-pair/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_both, count 1, seconds 60, new_action reject, timeout 1000
diff --git a/tests/threshold/threshold-config-rate-filter-reject-rule/README.md b/tests/threshold/threshold-config-rate-filter-reject-rule/README.md
new file mode 100644
index 000000000..a9a4cbde0
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-rule/README.md
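Review bot: The `count: 30` drops in the reject-pair test.yaml, against `count: 29` in the by_src/by_dst variants on the preceding lines, is the one assertion that distinguishes `track by_both` from the host-keyed trackers, yet it is uncommented. Presumably the address pair gives a single tracker for the whole flow so only the first of the 31 alerts escapes before reject applies; a comment such as `count: 30 # by_both: one tracker for the pair, only the first hit is not rejected` would make that explicit. As with the other reject tests, the `event_type: http` filter present in the pass variants is missing here, so whether the transaction is still logged under reject is unverified.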
@@ -0,0 +1,5 @@
+# Threshold.config with by_rule
+
+This test checks threshold.config file using by_rule keyword
+
+The pcap file is from http-all-headers test
diff --git a/tests/threshold/threshold-config-rate-filter-reject-rule/input.pcap b/tests/threshold/threshold-config-rate-filter-reject-rule/input.pcap
new file mode 100644
index 000000000..bf5caebc4
Binary files /dev/null and b/tests/threshold/threshold-config-rate-filter-reject-rule/input.pcap differ
diff --git a/tests/threshold/threshold-config-rate-filter-reject-rule/input.rules b/tests/threshold/threshold-config-rate-filter-reject-rule/input.rules
new file mode 100644
index 000000000..d3721f4f5
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-rule/input.rules
@@ -0,0 +1 @@
+alert http any any -> any any (sid: 1000001;)
diff --git a/tests/threshold/threshold-config-rate-filter-reject-rule/suricata.yaml b/tests/threshold/threshold-config-rate-filter-reject-rule/suricata.yaml
new file mode 100644
index 000000000..ee5c3f004
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-rule/suricata.yaml
@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - drop:
+ flows: all
+ alerts: true
+ - http
+ - anomaly
diff --git a/tests/threshold/threshold-config-rate-filter-reject-rule/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-rule/test.yaml
new file mode 100644
index 000000000..fea44cfe4
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-rule/test.yaml
@@ -0,0 +1,18 @@
+requires:
+ min-version: 7
+
+args:
+- --set threshold-file=${TEST_DIR}/threshold.config
+- --simulate-ips
+
+checks:
+ - filter:
+ count: 31
+ match:
+ event_type: alert
+ alert.signature_id: 1000001
+ - filter:
+ count: 30
+ match:
+ event_type: drop
+ drop.reason: threshold detection_filter
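Review bot: The reject-rule test.yaml is byte-identical to the reject-pair one (same blob `fea44cfe4`), so on this pcap `track by_rule` and `track by_both` are asserted to behave the same; with what looks like a single flow (the README says the pcap is the http-all-headers one) a single address pair and a single rule are indistinguishable, which means this test cannot catch a regression where by_rule silently degrades to per-pair tracking. Either document that limitation in a comment on the drop filter, e.g. `count: 30 # by_rule: one global tracker; identical to by_both on a one-flow pcap`, or use a pcap with several flows so the by_rule count differs from the by_both count. The `event_type: http` filter carried by the pass variants is also missing here, so HTTP logging under reject remains unchecked.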
diff --git a/tests/threshold/threshold-config-rate-filter-reject-rule/threshold.config b/tests/threshold/threshold-config-rate-filter-reject-rule/threshold.config
new file mode 100644
index 000000000..5b1e9012a
--- /dev/null
+++ b/tests/threshold/threshold-config-rate-filter-reject-rule/threshold.config
@@ -0,0 +1 @@
+rate_filter gen_id 1, sig_id 1000001, track by_rule, count 1, seconds 60, new_action reject, timeout 1000