From: Victor Julien Date: Sat, 15 Oct 2022 14:56:14 +0000 (+0200) Subject: tests: various tag rules X-Git-Tag: suricata-6.0.9~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F962%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: various tag rules
---
diff --git a/tests/eve-tag-01/suricata.yaml b/tests/eve-tag-01/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-01/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-01/test.rules b/tests/eve-tag-01/test.rules
new file mode 100644
index 000000000..87786486d
--- /dev/null
+++ b/tests/eve-tag-01/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; content:"mail"; tag:host,100,packets,src; tag:session; sid:1;)
diff --git a/tests/eve-tag-01/test.yaml b/tests/eve-tag-01/test.yaml
new file mode 100644
index 000000000..53aad32cf
--- /dev/null
+++ b/tests/eve-tag-01/test.yaml
@@ -0,0 +1,21 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../smtp-file-data-02/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 58
+ match:
+ event_type: packet
+ - filter:
+ count: 1
+ match:
+ event_type: packet
+ src_ip: 10.10.1.1
+ dest_ip: 10.10.1.4
diff --git a/tests/eve-tag-02/suricata.yaml b/tests/eve-tag-02/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-02/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-02/test.rules b/tests/eve-tag-02/test.rules
new file mode 100644
index 000000000..36e1443f4
--- /dev/null
+++ b/tests/eve-tag-02/test.rules
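Review bot: In tests/eve-tag-01/test.yaml the `count: 58` check matches only `event_type: packet`, so it cannot show which of the rule's two tags (`tag:session` or `tag:host,100,packets,src`) produced those events; only the third check, filtered on `src_ip`/`dest_ip`, ties packets to a direction. A comment above the second check stating how 58 was derived (which flows of the pcap the session tag covers) would let a later change to the pcap or to tag handling be reasoned about instead of re-counted. The pcap is borrowed from another test directory, so a rename of `smtp-file-data-02` silently breaks this test; a one-line note such as `# pcap shared with smtp-file-data-02` beside the `pcap:` key would make that dependency visible.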
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:session; sid:1;)
diff --git a/tests/eve-tag-02/test.yaml b/tests/eve-tag-02/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-02/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-03/suricata.yaml b/tests/eve-tag-03/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-03/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-03/test.rules b/tests/eve-tag-03/test.rules
new file mode 100644
index 000000000..c4adb3bcf
--- /dev/null
+++ b/tests/eve-tag-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,100,packets,src; sid:1;)
diff --git a/tests/eve-tag-03/test.yaml b/tests/eve-tag-03/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-03/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-04/suricata.yaml b/tests/eve-tag-04/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-04/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-04/test.rules b/tests/eve-tag-04/test.rules
new file mode 100644
index 000000000..c7a21b9f9
--- /dev/null
+++ b/tests/eve-tag-04/test.rules
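Review bot: The packet check in tests/eve-tag-02/test.yaml is `count: 8` on `event_type: packet` alone, and the test.yaml files of eve-tag-03 (`tag:host,100,packets,src`), eve-tag-04 (`tag:host,9,packets,dst`) and eve-tag-05 (`tag:host,100,packets,dst`) repeat the same shape, so four different tag directives are verified by an assertion that cannot distinguish session from host tagging, nor the direction or the limit; a regression that ignored the direction argument but still emitted the same total would pass every one of them. Each test would carry its intended meaning if it also constrained the tagged packets to the expected endpoint, the way eve-tag-01 does with `src_ip`/`dest_ip`; the ssh-banner-only pcap's addresses are not on this page, so the values in the sketch below are placeholders to be filled from the pcap. The totals 8 and 14 are also unexplained; a comment beside each `count:` stating how the number was derived from the pcap would help whoever has to update it.

```yaml
# … unchanged: args, pcap, alert check, total packet check …
  - filter:
      count: <EXPECTED_PACKETS_FOR_TAGGED_HOST>   # placeholder: derive from the pcap
      match:
        event_type: packet
        src_ip: <TAGGED_HOST_ADDRESS>             # placeholder: host selected by the tag direction
```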
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,9,packets,dst; sid:1;)
diff --git a/tests/eve-tag-04/test.yaml b/tests/eve-tag-04/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-04/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-05/suricata.yaml b/tests/eve-tag-05/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-05/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-05/test.rules b/tests/eve-tag-05/test.rules
new file mode 100644
index 000000000..92d0a376a
--- /dev/null
+++ b/tests/eve-tag-05/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,100,packets,dst; sid:1;)
diff --git a/tests/eve-tag-05/test.yaml b/tests/eve-tag-05/test.yaml
new file mode 100644
index 000000000..f168439ce
--- /dev/null
+++ b/tests/eve-tag-05/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 14
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-06/suricata.yaml b/tests/eve-tag-06/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-06/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-06/test.rules b/tests/eve-tag-06/test.rules
new file mode 100644
index 000000000..6660a48e5
--- /dev/null
+++ b/tests/eve-tag-06/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,9,packets,src; tag:host,15,packets,dst; sid:1;)
diff --git a/tests/eve-tag-06/test.yaml b/tests/eve-tag-06/test.yaml
new file mode 100644
index 000000000..f168439ce
--- /dev/null
+++ b/tests/eve-tag-06/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 14
+ match:
+ event_type: packet
diff --git a/tests/eve-tag-07/suricata.yaml b/tests/eve-tag-07/suricata.yaml
new file mode 100644
index 000000000..0a1e2f4ac
--- /dev/null
+++ b/tests/eve-tag-07/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert:
+ tagged-packets: true
+ - dns
+ - smtp
+ - anomaly
diff --git a/tests/eve-tag-07/test.rules b/tests/eve-tag-07/test.rules
new file mode 100644
index 000000000..33e0bff69
--- /dev/null
+++ b/tests/eve-tag-07/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (flags:S; tag:host,2,packets,src; tag:session; sid:1;)
diff --git a/tests/eve-tag-07/test.yaml b/tests/eve-tag-07/test.yaml
new file mode 100644
index 000000000..6ffda4ab1
--- /dev/null
+++ b/tests/eve-tag-07/test.yaml
@@ -0,0 +1,15 @@
+args:
+- --runmode=single
+- -k none
+
+pcap: ../ssh-banner-only/input.pcap
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 8
+ match:
+ event_type: packet
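Review bot: tests/eve-tag-06/test.yaml expects `count: 14` for a rule carrying both `tag:host,9,packets,src` and `tag:host,15,packets,dst`, which is the same total eve-tag-05 expects for the dst tag on its own, and tests/eve-tag-07/test.yaml expects `count: 8` for `tag:host,2,packets,src; tag:session`, the same total eve-tag-02 expects for `tag:session` alone; so neither test demonstrates that the second tag in the signature changed anything, and they cannot tell "both tags honoured" from "last tag wins" or "first tag wins". The blob ids show the two test.yaml files are byte-identical to their single-tag counterparts, which reinforces that the two-tag case is not actually observed. Splitting the packet total into per-endpoint checks with `src_ip`/`dest_ip` filters, as eve-tag-01 does, would expose how many packets each tag contributed; a one-line comment on the rule line stating which interaction the test is meant to lock in (e.g. `# both host tags apply; dst limit dominates the total` if that is the intent) would tell the next reader what a changed count means. I cannot verify from this page which interpretation the engine implements, so the expected per-direction numbers have to come from running the pcap.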