From 07491caabea838f280ac8a5bf24162a3ad821c97 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Mon, 20 Mar 2023 14:14:30 -0300
Subject: [PATCH] tests: add test for flow.memcap exception policy

---
 .../README.md | 19 +++++++++++
 .../suricata.yaml | 24 ++++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 32 +++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 tests/exception-policy-simulated-flow-memcap/README.md
 create mode 100644 tests/exception-policy-simulated-flow-memcap/suricata.yaml
 create mode 100644 tests/exception-policy-simulated-flow-memcap/test.rules
 create mode 100644 tests/exception-policy-simulated-flow-memcap/test.yaml

diff --git a/tests/exception-policy-simulated-flow-memcap/README.md b/tests/exception-policy-simulated-flow-memcap/README.md
new file mode 100644
index 000000000..b23c22a0f
--- /dev/null
+++ b/tests/exception-policy-simulated-flow-memcap/README.md
@@ -0,0 +1,19 @@
+Test
+====
+
+Test both the exception policy for when Suricata reaches a flow memcap, and the
+command-line option to simulate said memcap hit.
+
+Expected Behavior
+=================
+
+When Suricata tries to create a new flow reaching packet 6, it will simulate a
+failure, therefore dropping said packet. As midstream pickup is said to true,
+Suri will later on register a midstream flow for that. Other packets/flows will
+be decoded and inspected normally.
+
+PCAP
+====
+
+Pcap from `tls` suricata-verify test.
+
diff --git a/tests/exception-policy-simulated-flow-memcap/suricata.yaml b/tests/exception-policy-simulated-flow-memcap/suricata.yaml
new file mode 100644
index 000000000..20dcc8e0c
--- /dev/null
+++ b/tests/exception-policy-simulated-flow-memcap/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ - flow
+ - stats
+
+exception-policy: ignore
diff --git a/tests/exception-policy-simulated-flow-memcap/test.rules b/tests/exception-policy-simulated-flow-memcap/test.rules
new file mode 100644
index 000000000..b9d1df2fb
--- /dev/null
+++ b/tests/exception-policy-simulated-flow-memcap/test.rules
@@ -0,0 +1 @@
+alert tls any any -> any any (msg:"tls app-proto"; sid:1000001; rev:1;)
diff --git a/tests/exception-policy-simulated-flow-memcap/test.yaml b/tests/exception-policy-simulated-flow-memcap/test.yaml
new file mode 100644
index 000000000..11632c687
--- /dev/null
+++ b/tests/exception-policy-simulated-flow-memcap/test.yaml
@@ -0,0 +1,32 @@
+requires:
+ features:
+ - DEBUG
+
+pcap: ../tls/tls-cert-issuer/tls.pcap
+
+args:
+- --simulate-ips
+- -k none
+- --set stream.midstream=true
+- --simulate-packet-flow-memcap=6
+- --set flow.memcap-policy=drop-flow
+
+checks:
+ - filter:
+ count: 97
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "flow memcap"
+ - filter:
+ count: 5
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.tcp.midstream_pickups: 1
-- 
2.47.2
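Review bot: The trailing `exception-policy: ignore` in suricata.yaml is the master setting, yet the behavior this test actually exercises comes from `--set flow.memcap-policy=drop-flow` passed in test.yaml, and nothing in the config says so; a reader tuning the policy here would not see the override. A one-line comment would make the interaction explicit, e.g. `exception-policy: ignore # master default; test.yaml overrides flow.memcap-policy=drop-flow on the command line so only the flow memcap path drops`. Presumably the global stays on ignore so other memcap/exception paths cannot generate competing drop events and skew the `count: 1` drop check, but that reasoning is also worth stating in the comment.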
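Review bot: The args block in test.yaml combines five switches whose roles are not obvious, and the `requires: features: - DEBUG` clause is not tied to the option that needs it. Short comments would help, e.g. `- --simulate-packet-flow-memcap=6 # debug-build only (hence the DEBUG feature requirement); fail flow allocation for packet 6` and `- --simulate-ips # presumably needed so the dropped packet surfaces as an eve drop event rather than being silently passed`. The `-k none` and `--set stream.midstream=true` lines likewise deserve a note that checksum validation is disabled and that midstream pickup is what the `stats.tcp.midstream_pickups: 1` check depends on; the README describes this, but the test file itself does not.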