From 61d3d5cfa441b485e69d24af92231716a3880498 Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Mon, 31 Mar 2025 10:25:19 +0200 Subject: [PATCH] tests: firewall tests --- .../test.yaml | 3 + .../firewall-02-tcp-pkt-state-flow/test.yaml | 3 + .../firewall-03-tcp-tls-enforce/test.yaml | 3 + .../firewall-04-tls-sni-enforce/test.yaml | 3 + .../firewall-06-tls-sni-enforce/test.yaml | 3 + .../firewall.rules | 2 + .../suricata.yaml | 63 +++++++++++ .../ruletype-firewall-01-flow-start/test.yaml | 22 ++++ .../firewall.rules | 2 + .../suricata.yaml | 63 +++++++++++ .../ruletype-firewall-02-flow-start/test.yaml | 22 ++++ .../firewall.rules | 9 ++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 35 ++++++ .../firewall.rules | 29 +++++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 71 ++++++++++++ .../firewall.rules | 9 ++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 49 +++++++++ .../firewall.rules | 9 ++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 49 +++++++++ .../firewall.rules | 10 ++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 45 ++++++++ .../firewall.rules | 29 +++++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 73 +++++++++++++ .../firewall.rules | 29 +++++ .../suricata.yaml | 63 +++++++++++ .../td.rules | 1 + .../test.yaml | 93 ++++++++++++++++ .../firewall.rules | 22 ++++ .../suricata.yaml | 63 +++++++++++ .../td.rules | 4 + .../test.yaml | 95 ++++++++++++++++ .../firewall.rules | 11 ++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 46 ++++++++ .../firewall.rules | 18 +++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 54 +++++++++ .../firewall.rules | 22 ++++ .../suricata.yaml | 63 +++++++++++ .../td.rules | 4 + .../test.yaml | 94 ++++++++++++++++ .../firewall.rules | 29 +++++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 94 ++++++++++++++++ .../firewall.rules | 19 ++++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 100 +++++++++++++++++ .../firewall.rules | 25 +++++ .../http-sticky-server-s8.pcap | Bin 0 -> 12878 bytes .../test.yaml | 102 +++++++++++++++++ .../firewall.rules | 19 ++++ 
.../suricata.yaml | 63 +++++++++++ .../test.yaml | 100 +++++++++++++++++ .../firewall.rules | 19 ++++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 100 +++++++++++++++++ .../firewall.rules | 17 +++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 100 +++++++++++++++++ .../firewall.rules | 12 ++ .../http-sticky-server-s8.pcap | Bin 0 -> 12878 bytes .../suricata.yaml | 63 +++++++++++ .../test.yaml | 47 ++++++++ .../firewall.rules | 12 ++ .../http-sticky-server-s8.pcap | Bin 0 -> 12878 bytes .../suricata.yaml | 63 +++++++++++ .../td.rules | 2 + .../test.yaml | 57 ++++++++++ .../firewall.rules | 11 ++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 63 +++++++++++ .../firewall.rules | 11 ++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 55 ++++++++++ .../firewall.rules | 2 + .../suricata.yaml | 63 +++++++++++ .../ruletype-firewall-25-tcp-udp/test.yaml | 43 ++++++++ .../firewall.rules | 3 + .../suricata.yaml | 63 +++++++++++ .../ruletype-firewall-26-drop-rule/test.yaml | 33 ++++++ .../firewall.rules | 20 ++++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 96 ++++++++++++++++ .../firewall.rules | 20 ++++ .../suricata.yaml | 63 +++++++++++ .../test.yaml | 103 ++++++++++++++++++ .../firewall.rules | 1 + .../suricata.yaml | 63 +++++++++++ .../test.yaml | 43 ++++++++ .../firewall.rules | 20 ++++ .../suricata.yaml | 63 +++++++++++ .../td.rules | 1 + .../test.yaml | 71 ++++++++++++ .../.suricata.yaml.swp | Bin 0 -> 12288 bytes .../firewall.rules | 19 ++++ .../input.pcap | Bin 0 -> 769 bytes .../suricata.yaml | 65 +++++++++++ .../test.yaml | 98 +++++++++++++++++ .../writepcap.py | 17 +++ 105 files changed, 4386 insertions(+) create mode 100644 tests/firewall/ruletype-firewall-01-flow-start/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-01-flow-start/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-01-flow-start/test.yaml create mode 100644 tests/firewall/ruletype-firewall-02-flow-start/firewall.rules create mode 100644 
tests/firewall/ruletype-firewall-02-flow-start/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-02-flow-start/test.yaml create mode 100644 tests/firewall/ruletype-firewall-03-ruleset-vs-ping/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-03-ruleset-vs-ping/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-03-ruleset-vs-ping/test.yaml create mode 100644 tests/firewall/ruletype-firewall-05-ruleset-vs-sni/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-05-ruleset-vs-sni/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-05-ruleset-vs-sni/test.yaml create mode 100644 tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/test.yaml create mode 100644 tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/test.yaml create mode 100644 tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/test.yaml create mode 100644 tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/test.yaml create mode 100644 tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml create mode 100644 
tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/td.rules create mode 100644 tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml create mode 100644 tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/td.rules create mode 100644 tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/test.yaml create mode 100644 tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/test.yaml create mode 100644 tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/test.yaml create mode 100644 tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/td.rules create mode 100644 tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/test.yaml create mode 100644 tests/firewall/ruletype-firewall-15-state-keyword/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-15-state-keyword/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-15-state-keyword/test.yaml create mode 100644 tests/firewall/ruletype-firewall-16-http-per-hook/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-16-http-per-hook/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-16-http-per-hook/test.yaml create mode 100644 tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/firewall.rules create mode 100644 
tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/http-sticky-server-s8.pcap create mode 100644 tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/test.yaml create mode 100644 tests/firewall/ruletype-firewall-18-http-per-hook/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-18-http-per-hook/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-18-http-per-hook/test.yaml create mode 100644 tests/firewall/ruletype-firewall-19-http-per-hook/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-19-http-per-hook/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-19-http-per-hook/test.yaml create mode 100644 tests/firewall/ruletype-firewall-20-http-per-hook/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-20-http-per-hook/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-20-http-per-hook/test.yaml create mode 100644 tests/firewall/ruletype-firewall-21-http-accept-tx/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-21-http-accept-tx/http-sticky-server-s8.pcap create mode 100644 tests/firewall/ruletype-firewall-21-http-accept-tx/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-21-http-accept-tx/test.yaml create mode 100644 tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/http-sticky-server-s8.pcap create mode 100644 tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/td.rules create mode 100644 tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/test.yaml create mode 100644 tests/firewall/ruletype-firewall-23-dns-per-hook/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-23-dns-per-hook/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-23-dns-per-hook/test.yaml create mode 100644 
tests/firewall/ruletype-firewall-24-dnstcp-per-hook/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-24-dnstcp-per-hook/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-24-dnstcp-per-hook/test.yaml create mode 100644 tests/firewall/ruletype-firewall-25-tcp-udp/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-25-tcp-udp/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-25-tcp-udp/test.yaml create mode 100644 tests/firewall/ruletype-firewall-26-drop-rule/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-26-drop-rule/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-26-drop-rule/test.yaml create mode 100644 tests/firewall/ruletype-firewall-27-http-drop-rule/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-27-http-drop-rule/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-27-http-drop-rule/test.yaml create mode 100644 tests/firewall/ruletype-firewall-28-http-drop-flow-rule/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-28-http-drop-flow-rule/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-28-http-drop-flow-rule/test.yaml create mode 100644 tests/firewall/ruletype-firewall-29-http-drop-flow-rule/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-29-http-drop-flow-rule/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-29-http-drop-flow-rule/test.yaml create mode 100644 tests/firewall/ruletype-firewall-30-fw-accept-td-drop/firewall.rules create mode 100644 tests/firewall/ruletype-firewall-30-fw-accept-td-drop/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-30-fw-accept-td-drop/td.rules create mode 100644 tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml create mode 100644 tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp create mode 100644 tests/firewall/ruletype-firewall-31-retrans-of-drop/firewall.rules create mode 
100644 tests/firewall/ruletype-firewall-31-retrans-of-drop/input.pcap create mode 100644 tests/firewall/ruletype-firewall-31-retrans-of-drop/suricata.yaml create mode 100644 tests/firewall/ruletype-firewall-31-retrans-of-drop/test.yaml create mode 100755 tests/firewall/ruletype-firewall-31-retrans-of-drop/writepcap.py
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
index e6b9e7dac..d1e6556ea 100644
--- a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../tls/tls-random/input.pcap args:
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
index e6b9e7dac..d1e6556ea 100644
--- a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../tls/tls-random/input.pcap args:
diff --git a/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml b/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
index e6b9e7dac..d1e6556ea 100644
--- a/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
+++ b/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../tls/tls-random/input.pcap args:
diff --git a/tests/firewall/firewall-04-tls-sni-enforce/test.yaml b/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
index e6f58dbac..7e204b71e 100644
--- a/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
+++ b/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../bug-2646-01/input.pcap args:
diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
index 4a1b7618c..5180be1a3 100644
--- a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
+++ b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
@@ -1,3 +1,6 @@
+requires:
+ min-version: 8
+
 pcap: ../../bug-2646-01/input.pcap args:
diff --git a/tests/firewall/ruletype-firewall-01-flow-start/firewall.rules b/tests/firewall/ruletype-firewall-01-flow-start/firewall.rules
new file mode 100644
index 000000000..53b88e7d1
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-01-flow-start/firewall.rules
@@ -0,0 +1,2 @@
+accept:flow tcp:flow_start any any -> any 443 (flow:to_server; sid:1;)
+drop:flow tcp:flow_start any any -> any any (sid:2;)
diff --git a/tests/firewall/ruletype-firewall-01-flow-start/suricata.yaml b/tests/firewall/ruletype-firewall-01-flow-start/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-01-flow-start/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-01-flow-start/test.yaml b/tests/firewall/ruletype-firewall-01-flow-start/test.yaml
new file mode 100644
index 000000000..6f877f5bc
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-01-flow-start/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
diff --git a/tests/firewall/ruletype-firewall-02-flow-start/firewall.rules b/tests/firewall/ruletype-firewall-02-flow-start/firewall.rules
new file mode 100644
index 000000000..529b443a8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-02-flow-start/firewall.rules
@@ -0,0 +1,2 @@
+accept:flow tcp:flow_start any any -> any 80 (flow:to_server; alert; sid:1;)
+drop:flow tcp:flow_start any any -> any any (sid:2;)
diff --git a/tests/firewall/ruletype-firewall-02-flow-start/suricata.yaml b/tests/firewall/ruletype-firewall-02-flow-start/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-02-flow-start/suricata.yaml
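Review bot: The checks in this test.yaml assert zero alerts, zero drops and one tls event, but never assert the verdict that the accept:flow rule (sid 1) is supposed to produce; tests 03 and 07 in this same commit pin it with `flow.action: "accept"` on the `event_type: flow` record and also check `stats.ips.accepted` and `stats.ips.blocked`, and adding the same two filters here would catch a regression where the flow is let through by some path other than sid 1. Since neither rule in this test's firewall.rules carries `alert;`, a `flow.alerted: false` assertion on that record would presumably also hold and is worth pinning. Separately, the diffstat of this commit lists `tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp` (an editor swap file, outside this hunk) as a new binary file; it should be removed from the commit.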
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-02-flow-start/test.yaml b/tests/firewall/ruletype-firewall-02-flow-start/test.yaml
new file mode 100644
index 000000000..ee89e692d
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-02-flow-start/test.yaml
@@ -0,0 +1,22 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.action: blocked
+- filter:
+ count: 13
+ match:
+ event_type: drop
+- filter:
+ count: 0
+ match:
+ event_type: tls
diff --git a/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/firewall.rules b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/firewall.rules
new file mode 100644
index 000000000..63a5f0732
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/firewall.rules
@@ -0,0 +1,9 @@
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:101;)
+
+drop:flow tls:client_hello_done $HOME_NET any -> 172.16.0.0/12 any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+
+# Implicit drop all else
diff --git a/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/suricata.yaml b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/suricata.yaml
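Review bot: The alert filter in this test.yaml pins only `alert.action: blocked`, so it would equally be satisfied by an alert from sid 1 (the accept rule, which carries `alert;`) should that rule ever match; adding `alert.signature_id: 2` beside it ties the single expected alert to the drop rule, which is presumably what the 13 `drop` events and the zero `tls` events are meant to demonstrate. Test 03 in this commit already keys its alert filter on `alert.signature_id`, so this also keeps the two tests consistent.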
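Review bot: The `features: - HAVE_JA3` requirement in this test's test.yaml exists only because sid 102 uses `ja3.hash`, and nothing in firewall.rules records that coupling; a comment above sid 102 such as `# needs HAVE_JA3 (declared under features in test.yaml)` would keep the two files in step if the rule is later changed or removed. Note also that sid 102 targets `172.16.0.0/12`, which lies inside HOME_NET as defined in this directory's suricata.yaml, whereas the otherwise identical rule in ruletype-firewall-05 targets `$EXTERNAL_NET`; if that difference is intentional it deserves a comment, since the ICMP ping pcap cannot exercise either TLS rule and the test cannot tell them apart.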
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/test.yaml b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/test.yaml
new file mode 100644
index 000000000..1b8c585ef
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-03-ruleset-vs-ping/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../detect-itype-prefilter/icmpv4-ping.pcap
+
+args:
+ - --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 101
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 75
+ flow.pkts_toclient: 75
+ flow.state: "established"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 150
+ stats.ips.blocked: 0
diff --git a/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/firewall.rules b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/firewall.rules
new file mode 100644
index 000000000..6fc79ac5e
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/firewall.rules
@@ -0,0 +1,29 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/suricata.yaml b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/suricata.yaml
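Review bot: The comment `# pass rest of the flow to` above sid 1023 is an unfinished sentence and no longer describes the rule beneath it, which is an `accept:hook` rather than the per-flow accept used for the same five-tuple in ruletype-firewall-07; complete it so it states what this rule admits and why the hook form was chosen here, e.g. `# accept the rest of the established flow (accept:hook, unlike the accept:flow variant in test 07)`. The four consecutive blank lines between `# default drop` and `# App-layer rules` look accidental and could be reduced to one, matching the spacing used elsewhere in the file.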
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/test.yaml b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/test.yaml
new file mode 100644
index 000000000..595ecea41
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-05-ruleset-vs-sni/test.yaml
@@ -0,0 +1,71 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 102
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 103
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ alert.signature_id: 105
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
diff --git a/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/firewall.rules b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/firewall.rules
new file mode 100644
index 000000000..bd3872956
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/firewall.rules
@@ -0,0 +1,9 @@
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow, packet by packet
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/suricata.yaml b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/test.yaml b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/test.yaml
new file mode 100644
index 000000000..87c593247
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-06-ruleset-pass-per-packet/test.yaml
@@ -0,0 +1,49 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1011
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1022
+- filter:
+ count: 59
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ not-has-key: flow.action
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 62
+ stats.ips.blocked: 0
diff --git a/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/firewall.rules b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/firewall.rules
new file mode 100644
index 000000000..4041767d2
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/firewall.rules
@@ -0,0 +1,9 @@
+# Packet rules
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow. Bidir as we don't know which side will talk first.
+accept:flow tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/suricata.yaml b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/suricata.yaml
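Review bot: The filters asserting `alert.signature_id: 1011` and `alert.signature_id: 1022` at count 0 can never fail in this test, because this directory's firewall.rules defines only sids 1021 and 1023; they appear to have been carried over from ruletype-firewall-05 and should either be removed or backed by the corresponding rules, so the test does not carry checks that are vacuously true and would hide a later copy-paste mistake. The same two vacuous filters are present in ruletype-firewall-07's test.yaml, whose firewall.rules likewise contains only sids 1021 and 1023.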
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/test.yaml b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/test.yaml new file mode 100644 index 000000000..45ea4fb35 --- /dev/null +++ b/tests/firewall/ruletype-firewall-07-ruleset-pass-per-flow/test.yaml 
@@ -0,0 +1,49 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + flow.action: accept +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/firewall.rules b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/firewall.rules new file mode 100644 index 000000000..52c1b1185 --- /dev/null +++ b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/firewall.rules @@ -0,0 +1,10 @@ +# Packet rules + +# accept outgoing ping and the returning pongs +accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;) +# allow session setup +accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;) +# some exception test +accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;) + +# default drop diff --git a/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/suricata.yaml b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/suricata.yaml 
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/test.yaml b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/test.yaml new file mode 100644 index 000000000..f87a80081 --- /dev/null +++ b/tests/firewall/ruletype-firewall-08-ruleset-default-packet-policy/test.yaml 
@@ -0,0 +1,45 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 59 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" # TODO due to no drop being applied to the flow, we only drop after stream/app-layer + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 59 + stats.ips.drop_reason.default_packet_policy: 59 diff --git a/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/firewall.rules b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/firewall.rules new file mode 100644 index 000000000..034d6c654 --- /dev/null +++ b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/firewall.rules 
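Review bot: The remark `# TODO due to no drop being applied to the flow, we only drop after stream/app-layer` is attached to the single key `flow.state: "closed"`, yet the whole flow check (`flow.alerted: true`, `not-has-key: flow.action`) and the stats check (`stats.ips.drop_reason.default_packet_policy: 59`) rest on the same point: the 59 blocked packets appear to be per-packet default-policy decisions that never set an action on the flow. A comment above `checks:` saying so, e.g. `# all 59 drops are default-packet-policy decisions; the flow carries no action, which is why flow.action is absent and the state still reaches closed`, would make the expectations self-explanatory. It should also say whether the TODO means `flow.state` is expected to change in a later version, since the drop and stats counts would have to move with it.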
@@ -0,0 +1,29 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+# should not match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.bing.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:packet tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/suricata.yaml b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/suricata.yaml
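Review bot: The comment `# allow rest of the flow to` above sid 1023 is cut off mid-sentence; the same truncated comment recurs in the firewall.rules of tests 10, 11 and 14, and test 15 has `# pass rest of the flow to`, which also says "pass" for an `accept:hook` rule. Suggest `# allow the rest of the established flow` in all five files. Separately, sid 103 hooks `tls:server_hello_done` but is written `$HOME_NET any -> $EXTERNAL_NET any`, whereas test 15 writes every server-side hook as `$EXTERNAL_NET any -> $HOME_NET any`; since test.yaml expects `count: 0` for 103, a version check that does not match is indistinguishable from a rule that is never reached because of its direction, so the intended direction should be confirmed or the comment should state that 103 is expected to be inert for this pcap.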
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/test.yaml b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/test.yaml new file mode 100644 index 000000000..decfaea2e --- /dev/null +++ b/tests/firewall/ruletype-firewall-09-ruleset-default-app-policy/test.yaml 
@@ -0,0 +1,73 @@ +requires: + min-version: 8 + features: + - HAVE_JA3 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 7 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 53 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 9 + stats.ips.blocked: 53 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 52 diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/firewall.rules b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/firewall.rules new file mode 100644 index 000000000..034d6c654 --- /dev/null +++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/firewall.rules 
@@ -0,0 +1,29 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# some exception test
+accept:flow tcp:all $HOME_NET any <> 1.2.3.4 443 (flow:established; alert; sid:1022;)
+
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# deny list some hash
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (ja3.hash; content:"e7eca2baf4458d095b7f45da28c16c34"; msg:"Drop naughty JA3"; sid:102;)
+# Disallow TLS v1.0 to some destinations.
+drop:flow tls:server_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:103;)
+# should not match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.bing.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:packet tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/td.rules b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/td.rules new file mode 100644 index 000000000..b9d167efe --- /dev/null +++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/td.rules @@ -0,0 +1 @@ +drop tcp any any -> any any (dsize:21; seq:538452275; sid:999;) 
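Review bot: The td.rules line `drop tcp any any -> any any (dsize:21; seq:538452275; sid:999;)` pins one packet of the pcap by its raw TCP sequence number without saying so; the test.yaml in this commit expects it as `alert.action: blocked` on `pcap_cnt: 6`, the same packet on which firewall sid 1023 is recorded as `allowed`. A comment such as `# matches exactly one packet of the pcap (pcap_cnt 6) by its sequence number, so a td drop lands on a packet the firewall accepts` would tell a reader why this odd selector is used and which check it feeds.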
diff --git a/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml new file mode 100644 index 000000000..6fc663b02 --- /dev/null +++ b/tests/firewall/ruletype-firewall-10-ruleset-packet-drop-vs-app/test.yaml @@ -0,0 +1,93 @@ +requires: + min-version: 8 + features: + - HAVE_JA3 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 + alert.action: blocked + pcap_cnt: 6 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 6 +- filter: + count: 3 # 105 also matches here + match: + event_type: alert + pcap_cnt: 6 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 7 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 54 # 53 + 1 (drop sid 999) + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 8 + stats.ips.blocked: 54 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.rules: 1 + stats.ips.drop_reason.flow_drop: 52 
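Review bot: The third alert on packet 6 is identified only by the comment `count: 3 # 105 also matches here`; an explicit filter with `alert.signature_id: 105` and `pcap_cnt: 6` (including its `alert.action`) would turn that comment into an assertion, which matters here because packet 6 is where the td.rules drop (sid 999, `blocked`) and the firewall accept (sid 1023, `allowed`) are both recorded. The stats check `stats.ips.drop_reason.rules: 1` together with `count: 54 # 53 + 1 (drop sid 999)` already pins the extra drop to the threat-detection rule, so the 105 action is the only part of the packet-6 picture left unasserted.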
diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/firewall.rules b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/firewall.rules
new file mode 100644
index 000000000..af4ab86c1
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/firewall.rules
@@ -0,0 +1,22 @@
+# Packet rules
+
+# accept outgoing ping and the returning pongs
+accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;)
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# should match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/suricata.yaml b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/td.rules b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/td.rules new file mode 100644 index 000000000..c69638197 --- /dev/null +++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/td.rules 
@@ -0,0 +1,4 @@
+# this pass should prevent match of 998, but it should not affect the fw rules
+pass:flow tcp any any -> any any (flags:S; sid:999; alert;)
+# would match if 999 didn't set a flow pass
+alert tls any any -> any any (tls.sni; content:"google"; sid:998;)
diff --git a/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/test.yaml b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/test.yaml
new file mode 100644
index 000000000..f67b570b8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-11-ruleset-pass-vs-fw/test.yaml
@@ -0,0 +1,95 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 + pcap_cnt: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 998 + pcap_cnt: 1 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 6 +- filter: + count: 3 + match: + event_type: alert + pcap_cnt: 6 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + flow.action: "accept" +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 + stats.ips.drop_reason.default_app_policy: 0 + stats.ips.drop_reason.rules: 0 diff --git a/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/firewall.rules b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/firewall.rules new file mode 100644 index 000000000..9891fb9f9 --- /dev/null +++ b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/firewall.rules 
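Review bot: The check for sid 998 is restricted to `pcap_cnt: 1`, the first packet of the flow, where a `tls.sni` rule has no TLS data to match in any case, so `count: 0` holds whether or not the `pass:flow` from sid 999 took effect; the td.rules comment "this pass should prevent match of 998" is therefore not verified by this test. Drop the `pcap_cnt: 1` line from that filter so it asserts zero 998 alerts across the whole pcap, which is the form the sibling test 14 already uses.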
@@ -0,0 +1,11 @@
+# Packet rules
+
+accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; alert; sid:1010;)
+
+# allow session setup
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# allow rest of the flow to
+accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; flowbits:set,fw_flow_accept; alert; sid:1023;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/suricata.yaml b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/suricata.yaml
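Review bot: sid 1010 is the only rule in the file without a comment, and it carries the mechanism the test is about: `accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; ...)` placed ahead of the tcp rules, consuming the flowbit that sid 1023 sets. Suggest `# fast path: once sid 1023 has set fw_flow_accept, accept every further packet of that flow` above it; the test.yaml in this commit expects sid 1023 once (pcap_cnt 4) and sid 1010 on the 58 packets after it, which is exactly what that comment describes.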
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/test.yaml b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/test.yaml new file mode 100644 index 000000000..7b1d61902 --- /dev/null +++ b/tests/firewall/ruletype-firewall-12-ruleset-accept-flowbit/test.yaml 
@@ -0,0 +1,46 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 4 +- filter: + count: 58 + match: + event_type: alert + alert.signature_id: 1010 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/firewall.rules b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/firewall.rules new file mode 100644 index 000000000..c97323b25 --- /dev/null +++ b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/firewall.rules @@ -0,0 +1,18 @@ +# Packet rules + +accept:packet ip:all any any -> any any (flowbits:isset,fw_flow_accept; alert; sid:1010;) + +# allow session setup +accept:packet tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;) + +# allow rest of the flow +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;) + +# default drop + + + + +accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; flowbits:set,fw_flow_accept; sid:104; alert;) +accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;) +# default drop diff --git a/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/suricata.yaml b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null 
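Review bot: The test-13 firewall.rules has no `# App-layer rules` header and no comment on its two tls rules, unlike the sibling files, and `# default drop` appears both before and after them, so the flowbit hand-off is only discoverable by reading sids 104 and 1010 together. Suggest `# App-layer rules` before sid 104 and `# SNI matched: set fw_flow_accept so packet rule sid 1010 accepts the rest of the flow` above it; the test.yaml later in this commit expects sid 104 once and sid 1010 on 56 packets, which is the behaviour that comment explains.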
+++ b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/test.yaml b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/test.yaml new file mode 100644 index 000000000..370aa69c9 --- /dev/null +++ b/tests/firewall/ruletype-firewall-13-ruleset-accept-flowbit/test.yaml 
@@ -0,0 +1,54 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 56 + match: + event_type: alert + alert.signature_id: 1010 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/firewall.rules b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/firewall.rules new file mode 100644 index 000000000..af4ab86c1 --- /dev/null +++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/firewall.rules @@ -0,0 +1,22 @@ +# Packet rules + +# accept outgoing ping and the returning pongs +accept:flow icmp:flow_start $HOME_NET any -> $HOME_NET any (itype:8; msg:"Ping!"; alert; sid:1011;) +# allow session setup +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;) +# allow rest of the flow to +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;) + +# default drop + + + + +# App-layer rules + +# should match, pcap is to google +accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;) +# allow tls before client hello is done. +accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;) + +# default drop 
diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/suricata.yaml b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/td.rules b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/td.rules new file mode 100644 index 000000000..6029bde37 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/td.rules
@@ -0,0 +1,4 @@
+# this pass should prevent match of 998, but it should not affect the fw rules
+pass:flow tls any any -> any any (flow:to_server; tls.version:1.0; sid:999; alert;)
+# would match if 999 didn't set a flow pass
+alert tls any any -> any any (tls.sni; content:"google"; sid:998;)
diff --git a/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/test.yaml b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/test.yaml
new file mode 100644
index 000000000..778449f03
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-14-ruleset-pass-vs-fw/test.yaml
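Review bot: The header comment is copied verbatim from test 11's td.rules although the pass rule is different: there it is `pass:flow tcp any any -> any any (flags:S; ...)` on the SYN, here `pass:flow tls any any -> any any (flow:to_server; tls.version:1.0; ...)`, which the test.yaml expects to fire at `pcap_cnt: 4`. Since the reason for having both tests appears to be a packet-level versus an app-layer-level flow pass, the comment should say so, e.g. `# same scenario as test 11, but the flow pass is set from an app-layer (TLS) match rather than from the SYN`.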
@@ -0,0 +1,94 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 + pcap_cnt: 4 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 998 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1023 + alert.action: allowed + pcap_cnt: 6 +- filter: + count: 3 + match: + event_type: alert + pcap_cnt: 6 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1011 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1022 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + flow.action: "accept" +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 + stats.ips.drop_reason.default_app_policy: 0 + stats.ips.drop_reason.rules: 0 diff --git a/tests/firewall/ruletype-firewall-15-state-keyword/firewall.rules b/tests/firewall/ruletype-firewall-15-state-keyword/firewall.rules new file mode 100644 index 000000000..f71a8d048 --- /dev/null +++ b/tests/firewall/ruletype-firewall-15-state-keyword/firewall.rules 
@@ -0,0 +1,29 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:100;)
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:101; alert;)
+accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (alert; sid:102;)
+accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (alert; sid:103;)
+accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (alert; sid:104;)
+
+accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (alert; sid:200;)
+accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (alert; sid:201;)
+accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:202;)
+accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:203;)
+accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (alert; sid:204;)
+accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (alert; sid:205;)
+
+# default drop
diff --git a/tests/firewall/ruletype-firewall-15-state-keyword/suricata.yaml b/tests/firewall/ruletype-firewall-15-state-keyword/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-15-state-keyword/suricata.yaml
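Review bot: The comment above the sid:1023 rule, `# pass rest of the flow to`, stops mid-sentence and does not say what the rule is for; the same truncated comment is copied into the ruletype-firewall-17 and ruletype-firewall-21 firewall.rules hunks. Since the rule accepts every packet of the flow once it is established, `# accept the rest of the established flow at the packet level` would state the intent. The two `# default drop` lines describe the implicit policy rather than a rule that follows, so a reader may look for a missing drop rule; `# (no rule needed: anything not accepted above is dropped by the default policy)` would make that explicit.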
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-15-state-keyword/test.yaml b/tests/firewall/ruletype-firewall-15-state-keyword/test.yaml new file mode 100644 index 000000000..8139319b3 --- /dev/null +++ b/tests/firewall/ruletype-firewall-15-state-keyword/test.yaml 
@@ -0,0 +1,94 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 59 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 103 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 200 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 18 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 32 + flow.pkts_toclient: 30 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 62 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-16-http-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-16-http-per-hook/firewall.rules new file mode 100644 index 000000000..7fde25449 --- /dev/null +++ b/tests/firewall/ruletype-firewall-16-http-per-hook/firewall.rules 
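Review bot: The zero count asserted for sid 205 (the tls:server_finished hook) is the only hook in this test expected never to fire, and nothing in the checks says why, while sid 104 (client_finished) is expected once; a reader cannot tell whether this reflects the capture or a hook that is not reached. A comment on that check, stating the reason if it is known or marking the value as observed-and-to-be-confirmed otherwise, would make the expectation intentional rather than incidental. The final stats check here also omits the `stats.ips.drop_reason.default_app_policy` and `stats.ips.drop_reason.rules` keys that the ruletype-firewall-14 test.yaml asserts; adding them (both expected 0, given `stats.ips.blocked: 0`) would keep the two TLS tests consistent and catch an unexpected drop reason.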
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; bsize:4; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-16-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-16-http-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-16-http-per-hook/suricata.yaml
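Review bot: The only rule with a real predicate, sid 102 (`http.method; bsize:4;`), is the one that decides whether the request survives the request_line hook, but nothing in the file says it is meant not to match the capture's request (the test.yaml expects sid 102 to fire 0 times and one default-policy drop). A comment such as `# only 4-byte methods (e.g. POST/HEAD) are accepted here; the capture's request is not, so it is dropped at request_line by the default policy` would tie the rule to the expected drop. The ruletype-firewall-19 firewall.rules hunk, where sid 102 requires `content:"POST"` for the same expected outcome, would benefit from the same kind of note.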
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-16-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-16-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-16-http-per-hook/test.yaml 
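Review bot: The eve-log `types` list enables `tls` but not `http`, yet this config is used for the HTTP per-hook tests (this copy and the identical ones for ruletype-firewall-18, -19 and -20), so when an expected count fails there is no http event in eve.json showing which request or response reached which hook. Adding `- http` next to `- tls:` in the types list for the HTTP test directories would make failures diagnosable without altering any check. The `tls` entry in those copies looks like a leftover from the TLS tests' config and could be dropped there.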
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/firewall.rules b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/firewall.rules new file mode 100644 index 000000000..86b6951af --- /dev/null 
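Review bot: The repeated comment `# No match due to 102 dropping the prior hook` misstates the mechanism: sid 102 is an accept rule that simply does not match (its own expected count is 0), and the drop comes from the default policy at request_line, as the `stats.ips.drop_reason.default_app_policy: 1` check shows. The same test.yaml (index d3667bb69) is reused verbatim for ruletype-firewall-18, -19 and -20, where the comment drifts further from the rules: the visible part of -18's firewall.rules has no sid 102 rule at all, so its sid 102 check is vacuous, and -20 has no rules for request_headers through request_complete. A wording that holds for all four copies would be `# no accept rule matched at request_line, so the default drop policy ends the flow; later hooks are never reached`, ideally with one line per copy naming the hook and rule the drop is expected at.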
+++ b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/firewall.rules
@@ -0,0 +1,25 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;)
+
+# default drop
+
+accept:hook http1:request_started any any -> any any (alert; sid:100;)
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; xbits:set,xxx,track tx; alert; sid:101;)
+accept:hook http1:request_headers any any -> any any (http.user_agent; content:"Windows NT"; xbits:isset,xxx,track tx; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (http.host; content:"msn"; xbits:isset,xxx,track tx; alert; sid:103;)
+
+accept:hook http1:request_body any any -> any any (xbits:isset,xxx,track tx; alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (xbits:isset,xxx,track tx; alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (xbits:isset,xxx,track tx; alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (xbits:isset,xxx,track tx; alert; sid:200;)
+accept:hook http1:response_line any any -> any any (http.stat_code; content:"200"; xbits:isset,xxx,track tx; alert; sid:201;)
+accept:hook http1:response_headers any any -> any any (xbits:isset,xxx,track tx; alert; sid:202;)
+accept:hook http1:response_body any any -> any any (xbits:isset,xxx,track tx; alert; sid:203;)
+accept:hook http1:response_trailer any any -> any any (xbits:isset,xxx,track tx; alert; sid:204;)
+accept:hook http1:response_complete any any -> any any (xbits:isset,xxx,track tx; alert; sid:205;)
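Review bot: The transaction-scoped bit is named `xxx` in all fourteen rules; a name that says what it records, e.g. `xbits:set,req_get_cgif,track tx` in sid 101 and the matching `xbits:isset,req_get_cgif,track tx` elsewhere, would make the isset chain readable and avoid confusion with any other test-local bit. Sids 102 and 103 both accept at request_headers when the bit is set, one on `http.user_agent` and one on `http.host`, so either matching is enough for that hook; a one-line comment saying this OR is intended (rather than both being required) would help the next reader. The test.yaml for this directory is not in this chunk, so the expected per-transaction counts could not be cross-checked against the rules.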
diff --git a/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/http-sticky-server-s8.pcap b/tests/firewall/ruletype-firewall-17-http-txbits-multi-tx/http-sticky-server-s8.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cfa60b817948bfc2b9f4aac64e01d0d469c56c6e GIT binary patch literal 12878 zc-rlnZHyDg8OP_23k0Vos8S=Bq%cM0c*(83>wU4k&g$^_g*)H*ZiVeYL?yDfJGPgz zcg=e5;1bl5qBd=Hi7K_Bw91zj)JBO~DM?kSG*Ti+qcmwq$&r?(m6|VY`A`C+1p)-< zj9uLID5_y4-LH}UmTOF$nk zlMSqx`og8X8< z0id(%j$d^wTGZLm(bY*5g)c1y58&%$t7uhp%Zfc$4g+v*@n0N7ji>_oz5UtgH6^Ti z^5M^~x>h_=QLMDi#99K@5gN5_o%=+&b?0Zb?j+W;<>i;p{$i@4^47|wV0R}dZ?jc8 zcevjrDkolOsN%YO_N{LNuqm2?9@U-IGrgKFc^SI9s7nkZ@LYGXBr&wt$93C9DQDY7 z(c@7SccEmsRkJX&sG*E9p10jfsknPfx0R7#e<~$=7&qf|^qVDHgles>(-Afe1F5!d z8X_D+s7NV!eF8Zhn^6W?$P(e)TR9yeRYgUtv%#~$=}4E5MTN4+z$X&sBYHlscz8Dr z*KN@a&D>QA!gLT;%Wyaa1ve9f$e_~6^)OT{=Ft{3I;h(op5@#O{@P%FDlyap^ZFQq zn~*wYu7}~AWfqXf@21^6?{#}wA51D4#nP)^smTPfMxg%e$)`X)sfO3LoxD87Nr$|4NQ((1l+5{GFs437+(Fg7p@2Of-=aAbH0 zj^ML$|3fetN|-Pe9WwEaBKWaIm>S2u;pJgmF-YSX$oNIxE3#ar@wGk}LPplkiIDS> zux%QM`2$J^w#&U$>%9KuOI;nrKYPeAxdJ*nhCq-6cw(!wnO$8g+tr)(MiW_)onCvl zy!=x7xj5FluQzce>;R{+Rh@2RSAVBJA}a5!XsF`4lsFh0Wfe<9h9`r~hq7~c2$wvThR^2n$eJu$8F8|?X4DFA`!ucURg08n zs^bM5QeBh0KAL9*hHZP~eD+9^{O|0!tBFTWo+2K3GFI=AYwym*W5;FJM=PiL+8)_* zk7PyMkuC8^5@7kzvL+tM#L7R$_SL&v?09y1-LvxYi-({2J^=S&m7fj(fVwK%Y?ZDp z{9>Z=haWUlaa}yTdC&jNBX5DJ%~P-KF5)2~F>TA8ua+BxrR}OJ+15BB#nMg*2fk=p zwvsQY#WieXjhFWdMP0*tHo}u5-b<&-IZ!(=tA$9duuHdd)nd9ZY9SooTIKT27p@*9 z!*WgEF5iGDADY$Mk-RL|WJ8}WJ1Ziwx*V;Xi_|i;(jtN6YxPRCEtQ6ah{+Mt*}Jc! 
z37bau6E>YWP|v1y&*tKTKz3dD*<&BH*>nro`Ha=g25LMmZRygy{!5Q(X=)-q3!C5R%aCXN3>#C}x8%R}aPttjiNp{vz{m}zRa zGuhZVWFwaK;<08g5t)w(*&tg_w)@}D#glIn%d(zslda`s<3x^c4cSP5ul}{!OT^$y zdw)y=o zk!zD}!A;Z@qgog+O7_OTPS{M*Y=5&XvEmx__ z%ga?O>rvskCl}v#h0KET?e}}FM+Gl>Tl7~75@27V*>Y9yH;Ku=7O6M+ZCA3>^z&r7 zYU(NgKgTKuU+e-`F($4yLdBWB*NDo?4>VM9U0Br}Z9OU~e*Z~n&iv any any (sid:100;) +# default drop + + +accept:hook http1:request_started any any -> any any (alert; sid:101;) +# No rule to accept the request_line +accept:hook http1:request_headers any any -> any any (alert; sid:103;) +accept:hook http1:request_body any any -> any any (alert; sid:104;) +accept:hook http1:request_trailer any any -> any any (alert; sid:105;) +accept:hook http1:request_complete any any -> any any (alert; sid:106;) + +accept:hook http1:response_started any any -> any any (alert; sid:201;) +accept:hook http1:response_line any any -> any any (alert; sid:202;) +accept:hook http1:response_headers any any -> any any (alert; sid:203;) +accept:hook http1:response_body any any -> any any (alert; sid:204;) +accept:hook http1:response_trailer any any -> any any (alert; sid:205;) +accept:hook http1:response_complete any any -> any any (alert; sid:206;) diff --git a/tests/firewall/ruletype-firewall-18-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-18-http-per-hook/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-18-http-per-hook/suricata.yaml 
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-18-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-18-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-18-http-per-hook/test.yaml 
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-19-http-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-19-http-per-hook/firewall.rules new file mode 100644 index 000000000..6bd9b71c8 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-19-http-per-hook/firewall.rules
@@ -0,0 +1,19 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-19-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-19-http-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-19-http-per-hook/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-19-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-19-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-19-http-per-hook/test.yaml 
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-20-http-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-20-http-per-hook/firewall.rules new file mode 100644 index 000000000..86aaa8dc4 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-20-http-per-hook/firewall.rules
@@ -0,0 +1,17 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;)
+# test that packet and flow is still dropped if last rule was accept but several states
+# have no rules
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-20-http-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-20-http-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-20-http-per-hook/suricata.yaml
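Review bot: The comment `# test that packet and flow is still dropped if last rule was accept but several states have no rules` describes a scenario this test does not appear to reach: the reused test.yaml expects sid 102 (`http.method; content:"POST"`) to fire 0 times, so the request is not accepted at request_line and the drop happens there, exactly as in ruletype-firewall-16 and -19, before the hooks that have no rules are ever evaluated. If the intent is for the last matching rule to be an accept and the drop to come from a hook with no rule, sid 102 would need to match the capture's request (for instance `content:"GET"`, if that is the method the pcap carries) and the expected counts for sid 102 and `stats.ips.drop_reason.*` in test.yaml would need to change with it; otherwise the comment should describe what is actually exercised. As a minor wording point, `packet and flow are still dropped` reads better.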
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-20-http-per-hook/test.yaml b/tests/firewall/ruletype-firewall-20-http-per-hook/test.yaml new file mode 100644 index 000000000..d3667bb69 --- /dev/null +++ b/tests/firewall/ruletype-firewall-20-http-per-hook/test.yaml 
@@ -0,0 +1,100 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 103 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +# No match due to 102 dropping the prior hook +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 7 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-21-http-accept-tx/firewall.rules b/tests/firewall/ruletype-firewall-21-http-accept-tx/firewall.rules new file mode 100644 index 000000000..7bc43939f --- /dev/null 
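Review bot: The four checks for sids 103–106 and their `# No match due to 102 dropping the prior hook` comments do not describe this test: the firewall.rules in this directory defines no request_headers/body/trailer/complete rules (its own comment says several states deliberately have no rules), so `count: 0` on those sids passes trivially, and sid 102 is an accept rule on `POST` that fails to match rather than a rule that drops. Reword to `# 102 (accept on POST) does not match, so the default drop applies at request_line; sids 103-106 have no rules in this test` and either remove the 103–106 checks or keep them under that comment. The assertions that actually establish the behaviour are the zero counts for 201–206 together with `stats.ips.drop_reason.default_app_policy: 1` and `flow_drop: 6`, so a short comment there saying so would make the test readable without the rules file.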
+++ b/tests/firewall/ruletype-firewall-21-http-accept-tx/firewall.rules
@@ -0,0 +1,12 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;)
+
+# pass rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;)
+
+# default drop
+
+accept:hook http1:request_started any any -> any any (alert; sid:100;)
+accept:tx http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; alert; sid:101;)
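Review bot: The comment `# pass rest of the flow to` above sid 1023 is cut off mid-sentence; the copy of this file under ruletype-firewall-22 carries the same fragment, and ruletype-firewall-30's `# allow rest of the flow to` is the same truncation. Suggest `# accept the rest of the established flow at the packet hook; the app-layer hooks below decide per transaction`. Since the directory name is about `accept:tx`, a one-line comment on sid 101 stating what is being tested (presumably that only the transaction matching `GET /c.gif` is accepted and others fall to the default drop) would let a reader understand the fixture without the test.yaml.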
diff --git a/tests/firewall/ruletype-firewall-21-http-accept-tx/http-sticky-server-s8.pcap b/tests/firewall/ruletype-firewall-21-http-accept-tx/http-sticky-server-s8.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cfa60b817948bfc2b9f4aac64e01d0d469c56c6e GIT binary patch literal 12878 zc-rlnZHyDg8OP_23k0Vos8S=Bq%cM0c*(83>wU4k&g$^_g*)H*ZiVeYL?yDfJGPgz zcg=e5;1bl5qBd=Hi7K_Bw91zj)JBO~DM?kSG*Ti+qcmwq$&r?(m6|VY`A`C+1p)-< zj9uLID5_y4-LH}UmTOF$nk zlMSqx`og8X8< z0id(%j$d^wTGZLm(bY*5g)c1y58&%$t7uhp%Zfc$4g+v*@n0N7ji>_oz5UtgH6^Ti z^5M^~x>h_=QLMDi#99K@5gN5_o%=+&b?0Zb?j+W;<>i;p{$i@4^47|wV0R}dZ?jc8 zcevjrDkolOsN%YO_N{LNuqm2?9@U-IGrgKFc^SI9s7nkZ@LYGXBr&wt$93C9DQDY7 z(c@7SccEmsRkJX&sG*E9p10jfsknPfx0R7#e<~$=7&qf|^qVDHgles>(-Afe1F5!d z8X_D+s7NV!eF8Zhn^6W?$P(e)TR9yeRYgUtv%#~$=}4E5MTN4+z$X&sBYHlscz8Dr z*KN@a&D>QA!gLT;%Wyaa1ve9f$e_~6^)OT{=Ft{3I;h(op5@#O{@P%FDlyap^ZFQq zn~*wYu7}~AWfqXf@21^6?{#}wA51D4#nP)^smTPfMxg%e$)`X)sfO3LoxD87Nr$|4NQ((1l+5{GFs437+(Fg7p@2Of-=aAbH0 zj^ML$|3fetN|-Pe9WwEaBKWaIm>S2u;pJgmF-YSX$oNIxE3#ar@wGk}LPplkiIDS> zux%QM`2$J^w#&U$>%9KuOI;nrKYPeAxdJ*nhCq-6cw(!wnO$8g+tr)(MiW_)onCvl zy!=x7xj5FluQzce>;R{+Rh@2RSAVBJA}a5!XsF`4lsFh0Wfe<9h9`r~hq7~c2$wvThR^2n$eJu$8F8|?X4DFA`!ucURg08n zs^bM5QeBh0KAL9*hHZP~eD+9^{O|0!tBFTWo+2K3GFI=AYwym*W5;FJM=PiL+8)_* zk7PyMkuC8^5@7kzvL+tM#L7R$_SL&v?09y1-LvxYi-({2J^=S&m7fj(fVwK%Y?ZDp z{9>Z=haWUlaa}yTdC&jNBX5DJ%~P-KF5)2~F>TA8ua+BxrR}OJ+15BB#nMg*2fk=p zwvsQY#WieXjhFWdMP0*tHo}u5-b<&-IZ!(=tA$9duuHdd)nd9ZY9SooTIKT27p@*9 z!*WgEF5iGDADY$Mk-RL|WJ8}WJ1Ziwx*V;Xi_|i;(jtN6YxPRCEtQ6ah{+Mt*}Jc! 
z37bau6E>YWP|v1y&*tKTKz3dD*<&BH*>nro`Ha=g25LMmZRygy{!5Q(X=)-q3!C5R%aCXN3>#C}x8%R}aPttjiNp{vz{m}zRa zGuhZVWFwaK;<08g5t)w(*&tg_w)@}D#glIn%d(zslda`s<3x^c4cSP5ul}{!OT^$y zdw)y=o zk!zD}!A;Z@qgog+O7_OTPS{M*Y=5&XvEmx__ z%ga?O>rvskCl}v#h0KET?e}}FM+Gl>Tl7~75@27V*>Y9yH;Ku=7O6M+ZCA3>^z&r7 zYU(NgKgTKuU+e-`F($4yLdBWB*NDo?4>VM9U0Br}Z9OU~e*Z~n&iv $EXTERNAL_NET 80 (flow:not_established; alert; sid:1021;) + +# pass rest of the flow to +accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 80 (flow:established; alert; sid:1023;) + +# default drop + +accept:hook http1:request_started any any -> any any (alert; sid:100;) +accept:tx http1:request_line any any -> any any (http.method; content:"GET"; http.uri; content:"/c.gif"; alert; sid:101;) 
diff --git a/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/http-sticky-server-s8.pcap b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/http-sticky-server-s8.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cfa60b817948bfc2b9f4aac64e01d0d469c56c6e GIT binary patch literal 12878 zc-rlnZHyDg8OP_23k0Vos8S=Bq%cM0c*(83>wU4k&g$^_g*)H*ZiVeYL?yDfJGPgz zcg=e5;1bl5qBd=Hi7K_Bw91zj)JBO~DM?kSG*Ti+qcmwq$&r?(m6|VY`A`C+1p)-< zj9uLID5_y4-LH}UmTOF$nk zlMSqx`og8X8< z0id(%j$d^wTGZLm(bY*5g)c1y58&%$t7uhp%Zfc$4g+v*@n0N7ji>_oz5UtgH6^Ti z^5M^~x>h_=QLMDi#99K@5gN5_o%=+&b?0Zb?j+W;<>i;p{$i@4^47|wV0R}dZ?jc8 zcevjrDkolOsN%YO_N{LNuqm2?9@U-IGrgKFc^SI9s7nkZ@LYGXBr&wt$93C9DQDY7 z(c@7SccEmsRkJX&sG*E9p10jfsknPfx0R7#e<~$=7&qf|^qVDHgles>(-Afe1F5!d z8X_D+s7NV!eF8Zhn^6W?$P(e)TR9yeRYgUtv%#~$=}4E5MTN4+z$X&sBYHlscz8Dr z*KN@a&D>QA!gLT;%Wyaa1ve9f$e_~6^)OT{=Ft{3I;h(op5@#O{@P%FDlyap^ZFQq zn~*wYu7}~AWfqXf@21^6?{#}wA51D4#nP)^smTPfMxg%e$)`X)sfO3LoxD87Nr$|4NQ((1l+5{GFs437+(Fg7p@2Of-=aAbH0 zj^ML$|3fetN|-Pe9WwEaBKWaIm>S2u;pJgmF-YSX$oNIxE3#ar@wGk}LPplkiIDS> zux%QM`2$J^w#&U$>%9KuOI;nrKYPeAxdJ*nhCq-6cw(!wnO$8g+tr)(MiW_)onCvl zy!=x7xj5FluQzce>;R{+Rh@2RSAVBJA}a5!XsF`4lsFh0Wfe<9h9`r~hq7~c2$wvThR^2n$eJu$8F8|?X4DFA`!ucURg08n zs^bM5QeBh0KAL9*hHZP~eD+9^{O|0!tBFTWo+2K3GFI=AYwym*W5;FJM=PiL+8)_* zk7PyMkuC8^5@7kzvL+tM#L7R$_SL&v?09y1-LvxYi-({2J^=S&m7fj(fVwK%Y?ZDp z{9>Z=haWUlaa}yTdC&jNBX5DJ%~P-KF5)2~F>TA8ua+BxrR}OJ+15BB#nMg*2fk=p zwvsQY#WieXjhFWdMP0*tHo}u5-b<&-IZ!(=tA$9duuHdd)nd9ZY9SooTIKT27p@*9 z!*WgEF5iGDADY$Mk-RL|WJ8}WJ1Ziwx*V;Xi_|i;(jtN6YxPRCEtQ6ah{+Mt*}Jc! 
z37bau6E>YWP|v1y&*tKTKz3dD*<&BH*>nro`Ha=g25LMmZRygy{!5Q(X=)-q3!C5R%aCXN3>#C}x8%R}aPttjiNp{vz{m}zRa zGuhZVWFwaK;<08g5t)w(*&tg_w)@}D#glIn%d(zslda`s<3x^c4cSP5ul}{!OT^$y zdw)y=o zk!zD}!A;Z@qgog+O7_OTPS{M*Y=5&XvEmx__ z%ga?O>rvskCl}v#h0KET?e}}FM+Gl>Tl7~75@27V*>Y9yH;Ku=7O6M+ZCA3>^z&r7 zYU(NgKgTKuU+e-`F($4yLdBWB*NDo?4>VM9U0Br}Z9OU~e*Z~n&iv any any (http.user_agent; content:"Mozilla"; sid:9998;) +alert http any any -> any any (http.stat_code; content:"200"; sid:9999;) diff --git a/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/test.yaml b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/test.yaml new file mode 100644 index 000000000..aa28596b9 --- /dev/null +++ b/tests/firewall/ruletype-firewall-22-http-accept-tx-with-td/test.yaml @@ -0,0 +1,57 @@ +requires: + min-version: 8 + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1021 +- filter: + count: 24 + match: + event_type: alert + alert.signature_id: 1023 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 9998 +- filter: + count: 8 + match: + event_type: alert + alert.signature_id: 9999 +- filter: + count: 0 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 18 + flow.pkts_toclient: 9 + flow.state: "established" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 27 + stats.ips.blocked: 0 diff --git a/tests/firewall/ruletype-firewall-23-dns-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-23-dns-per-hook/firewall.rules new file mode 100644 index 000000000..2851034ee --- /dev/null +++ b/tests/firewall/ruletype-firewall-23-dns-per-hook/firewall.rules 
@@ -0,0 +1,11 @@
+# Packet rules
+
+accept:hook udp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook dns:request_started any any -> any any (alert; sid:101;)
+accept:hook dns:request_complete any any -> any any (dns.query; content:"dropbox"; alert; sid:102;)
+
+accept:hook dns:response_started any any -> any any (alert; sid:201;)
+accept:hook dns:response_complete any any -> any any (dns.response.rrname; content:"dropbox"; alert; sid:202;)
diff --git a/tests/firewall/ruletype-firewall-23-dns-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-23-dns-per-hook/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-23-dns-per-hook/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-23-dns-per-hook/test.yaml b/tests/firewall/ruletype-firewall-23-dns-per-hook/test.yaml new file mode 100644 index 000000000..46c308772 --- /dev/null +++ b/tests/firewall/ruletype-firewall-23-dns-per-hook/test.yaml 
@@ -0,0 +1,63 @@ +requires: + min-version: 8 + +pcap: ../../dns/dns-eve/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 4 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 2 + match: + event_type: drop +- filter: + count: 3 + match: + event_type: flow + flow.pkts_toserver: 1 + flow.pkts_toclient: 1 + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 1 + flow.pkts_toclient: 1 + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 6 + stats.ips.blocked: 2 + stats.ips.drop_reason.default_app_policy: 1 + stats.ips.drop_reason.flow_drop: 1 diff --git a/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/firewall.rules b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/firewall.rules new file mode 100644 index 000000000..9cf74122e --- /dev/null +++ b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/firewall.rules @@ -0,0 +1,11 @@ +# Packet rules + +accept:hook tcp:all any any -> any any (sid:100;) +# default drop + + +accept:hook dns:request_started any any -> any any (alert; sid:101;) +accept:hook dns:request_complete any any -> any any (dns.query; content:"suricata.io"; alert; sid:102;) + +accept:hook dns:response_started any any -> any any (alert; sid:201;) +accept:hook dns:response_complete any any -> any any (dns.response.rrname; content:"suricata.io"; alert; sid:202;) diff --git a/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/suricata.yaml b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/test.yaml b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/test.yaml new file mode 100644 index 000000000..fddd1c74c --- /dev/null +++ b/tests/firewall/ruletype-firewall-24-dnstcp-per-hook/test.yaml 
@@ -0,0 +1,55 @@ +requires: + min-version: 8 + +pcap: ../../dns/dns-frames/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 2 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 10 + stats.ips.blocked: 2 + stats.ips.drop_reason.default_packet_policy: 2 + stats.ips.drop_reason.default_app_policy: 0 diff --git a/tests/firewall/ruletype-firewall-25-tcp-udp/firewall.rules b/tests/firewall/ruletype-firewall-25-tcp-udp/firewall.rules new file mode 100644 index 000000000..d48e4c59d --- /dev/null +++ b/tests/firewall/ruletype-firewall-25-tcp-udp/firewall.rules @@ -0,0 +1,2 @@ +accept:packet udp:all any any -> any any (sid:100;) +# default drop diff --git a/tests/firewall/ruletype-firewall-25-tcp-udp/suricata.yaml b/tests/firewall/ruletype-firewall-25-tcp-udp/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-25-tcp-udp/suricata.yaml 
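Review bot: The two `default_packet_policy` drops are never attributed to a flow: the checks pin the TCP flow (6/4 packets, no `flow.action`) but nothing asserts which packets were blocked. The same pcap in ruletype-firewall-25 shows a second 1/1 UDP flow, so the blocked pair is presumably the UDP DNS exchange that no `udp` packet rule accepts; adding `- filter: count: 2 match: event_type: drop proto: UDP` would make that explicit and would catch a regression that blocked TCP packets instead. A comment noting that `accepted: 10` plus `blocked: 2` equals the 12 packets of both flows would also help the next reader check the arithmetic.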
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-25-tcp-udp/test.yaml b/tests/firewall/ruletype-firewall-25-tcp-udp/test.yaml new file mode 100644 index 000000000..d439cde63 --- /dev/null +++ b/tests/firewall/ruletype-firewall-25-tcp-udp/test.yaml 
@@ -0,0 +1,43 @@ +requires: + min-version: 8 + +pcap: ../../dns/dns-frames/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 10 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: flow + proto: TCP + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: flow + proto: UDP + flow.pkts_toserver: 1 + flow.pkts_toclient: 1 + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 2 + stats.ips.blocked: 10 + stats.ips.drop_reason.default_packet_policy: 10 + stats.ips.drop_reason.default_app_policy: 0 diff --git a/tests/firewall/ruletype-firewall-26-drop-rule/firewall.rules b/tests/firewall/ruletype-firewall-26-drop-rule/firewall.rules new file mode 100644 index 000000000..e1b5ded1c --- /dev/null +++ b/tests/firewall/ruletype-firewall-26-drop-rule/firewall.rules @@ -0,0 +1,3 @@ +drop:packet tcp:all any any -> any any (sid:99;) +accept:flow tcp:flow_start any any -> any 443 (alert; flow:to_server; sid:1;) +drop:flow tcp:flow_start any any -> any any (sid:2;) diff --git a/tests/firewall/ruletype-firewall-26-drop-rule/suricata.yaml b/tests/firewall/ruletype-firewall-26-drop-rule/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-26-drop-rule/suricata.yaml 
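Review bot: The firewall.rules for ruletype-firewall-26 carries no comment, and its three rules read as contradictory until one knows that `drop:packet tcp:all` (sid 99) is hit for every TCP packet before the `flow_start` rules get a chance, so sid 1 and sid 2 can never fire — which is exactly what the test asserts with `count: 0` for both and 13 alerts and 13 drops for sid 99. Add `# drop:packet on tcp:all is evaluated first for every packet, so the flow_start rules below (sid 1, 2) must never match` above sid 99. Its test.yaml is also the only one in this series without `-k none`; if that is deliberate for this pcap, a comment on the `args` list would avoid someone "fixing" it.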
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-26-drop-rule/test.yaml b/tests/firewall/ruletype-firewall-26-drop-rule/test.yaml new file mode 100644 index 000000000..7ae218f53 --- /dev/null +++ b/tests/firewall/ruletype-firewall-26-drop-rule/test.yaml 
@@ -0,0 +1,33 @@ +requires: + min-version: 8 + +pcap: ../../tls/tls-random/input.pcap + +args: + - --simulate-ips + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 13 + match: + event_type: alert + alert.signature_id: 99 +- filter: + count: 13 + match: + event_type: drop +- filter: + count: 1 + match: + event_type: tls + tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS diff --git a/tests/firewall/ruletype-firewall-27-http-drop-rule/firewall.rules b/tests/firewall/ruletype-firewall-27-http-drop-rule/firewall.rules new file mode 100644 index 000000000..6e4e2ef9e --- /dev/null +++ b/tests/firewall/ruletype-firewall-27-http-drop-rule/firewall.rules @@ -0,0 +1,20 @@ +# Packet rules + +accept:hook tcp:all any any -> any any (sid:100;) +# default drop + + +accept:hook http1:request_started any any -> any any (alert; sid:101;) +drop:packet http1:request_line any any -> any any (sid:999; alert;) +accept:hook http1:request_line any any -> any any (http.method; content:"GET"; alert; sid:102;) +accept:hook http1:request_headers any any -> any any (alert; sid:103;) +accept:hook http1:request_body any any -> any any (alert; sid:104;) +accept:hook http1:request_trailer any any -> any any (alert; sid:105;) +accept:hook http1:request_complete any any -> any any (alert; sid:106;) + +accept:hook http1:response_started any any -> any any (alert; sid:201;) +accept:hook http1:response_line any any -> any any (alert; sid:202;) +accept:hook http1:response_headers any any -> any any (alert; sid:203;) +accept:hook http1:response_body any any -> any any (alert; sid:204;) +accept:hook http1:response_trailer any any -> any any (alert; sid:205;) +accept:hook http1:response_complete any any -> any any (alert; sid:206;) 
diff --git a/tests/firewall/ruletype-firewall-27-http-drop-rule/suricata.yaml b/tests/firewall/ruletype-firewall-27-http-drop-rule/suricata.yaml new file mode 100644 index 000000000..24e38b5ab --- /dev/null +++ b/tests/firewall/ruletype-firewall-27-http-drop-rule/suricata.yaml @@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-27-http-drop-rule/test.yaml b/tests/firewall/ruletype-firewall-27-http-drop-rule/test.yaml new file mode 100644 index 000000000..d3b205969 --- /dev/null 
+++ b/tests/firewall/ruletype-firewall-27-http-drop-rule/test.yaml @@ -0,0 +1,96 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 1 + match: + event_type: drop + alert.signature_id: 999 +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "closed" + flow.alerted: true + not-has-key: flow.action +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 9 + stats.ips.blocked: 1 + stats.ips.drop_reason.rules: 1 diff --git a/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/firewall.rules b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/firewall.rules new file mode 100644 index 000000000..ffb869e15 --- /dev/null +++ b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/firewall.rules 
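Review bot: The check list skips sid 103 (request_headers) while pinning 102 and 104–106; firewall.rules defines 103, so whatever its expected count is after the `drop:packet` at request_line should be asserted, otherwise a change in how that hook behaves once the request packet is dropped goes unnoticed. Add `- filter: count: 0 match: event_type: alert alert.signature_id: 103` (or the count actually observed, with a comment if it is non-zero). The test.yaml added for ruletype-firewall-28 has the same gap.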
@@ -0,0 +1,20 @@
+# Packet rules
+
+accept:hook tcp:all any any -> any any (sid:100;)
+# default drop
+
+
+accept:hook http1:request_started any any -> any any (alert; sid:101;)
+drop:flow http1:request_line any any -> any any (sid:999; alert;)
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; alert; sid:102;)
+accept:hook http1:request_headers any any -> any any (alert; sid:103;)
+accept:hook http1:request_body any any -> any any (alert; sid:104;)
+accept:hook http1:request_trailer any any -> any any (alert; sid:105;)
+accept:hook http1:request_complete any any -> any any (alert; sid:106;)
+
+accept:hook http1:response_started any any -> any any (alert; sid:201;)
+accept:hook http1:response_line any any -> any any (alert; sid:202;)
+accept:hook http1:response_headers any any -> any any (alert; sid:203;)
+accept:hook http1:response_body any any -> any any (alert; sid:204;)
+accept:hook http1:response_trailer any any -> any any (alert; sid:205;)
+accept:hook http1:response_complete any any -> any any (alert; sid:206;)
diff --git a/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/suricata.yaml b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/suricata.yaml
@@ -0,0 +1,63 @@ +%YAML 1.1 +--- + +vars: + # more specific is better for alert accuracy and performance + address-groups: + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + #HOME_NET: "[192.168.0.0/16]" + #HOME_NET: "[10.0.0.0/8]" + #HOME_NET: "[172.16.0.0/12]" + #HOME_NET: "any" + + EXTERNAL_NET: "!$HOME_NET" + #EXTERNAL_NET: "any" + + HTTP_SERVERS: "$HOME_NET" + SMTP_SERVERS: "$HOME_NET" + SQL_SERVERS: "$HOME_NET" + DNS_SERVERS: "$HOME_NET" + TELNET_SERVERS: "$HOME_NET" + AIM_SERVERS: "$EXTERNAL_NET" + DC_SERVERS: "$HOME_NET" + DNP3_SERVER: "$HOME_NET" + DNP3_CLIENT: "$HOME_NET" + MODBUS_CLIENT: "$HOME_NET" + MODBUS_SERVER: "$HOME_NET" + ENIP_CLIENT: "$HOME_NET" + ENIP_SERVER: "$HOME_NET" + + port-groups: + HTTP_PORTS: "80" + SHELLCODE_PORTS: "!80" + ORACLE_PORTS: 1521 + SSH_PORTS: 22 + DNP3_PORTS: 20000 + MODBUS_PORTS: 502 + FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" + FTP_PORTS: 21 + GENEVE_PORTS: 6081 + VXLAN_PORTS: 4789 + TEREDO_PORTS: 3544 + SIP_PORTS: "[5060, 5061]" + +# Global stats configuration +stats: + enabled: yes + interval: 8 + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - stats + - flow + - alert + - tls: + extended: yes # enable this for extended logging information + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop diff --git a/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/test.yaml b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/test.yaml new file mode 100644 index 000000000..f64962946 --- /dev/null +++ b/tests/firewall/ruletype-firewall-28-http-drop-flow-rule/test.yaml 
@@ -0,0 +1,103 @@ +requires: + min-version: 8 + +pcap: ../../flowbit-oring/input.pcap + +args: + - --simulate-ips + - -k none + +checks: +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 100 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 101 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 999 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 102 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 104 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 105 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 106 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 201 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 202 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 203 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 204 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 205 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 206 +- filter: + count: 1 + match: + event_type: drop + alert.signature_id: 999 + drop.reason: "rules" +- filter: + count: 6 + match: + event_type: drop + drop.reason: "flow drop" +- filter: + count: 1 + match: + event_type: flow + flow.pkts_toserver: 6 + flow.pkts_toclient: 4 + flow.state: "established" + flow.alerted: true + flow.action: drop +- filter: + count: 1 + match: + event_type: stats + stats.ips.accepted: 3 + stats.ips.blocked: 7 + stats.ips.drop_reason.rules: 1 + stats.ips.drop_reason.flow_drop: 6 diff --git a/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/firewall.rules b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/firewall.rules new file mode 100644 index 000000000..fc8d3bd99 --- /dev/null +++ b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/firewall.rules 
@@ -0,0 +1 @@
+drop:flow tcp:flow_start any any -> any any (flags:S; sid:100;)
diff --git a/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/suricata.yaml b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/test.yaml b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/test.yaml
new file mode 100644
index 000000000..5795a002c
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-29-http-drop-flow-rule/test.yaml
@@ -0,0 +1,43 @@
+requires:
+ min-version: 8
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ alert.signature_id: 100
+ drop.reason: "rules"
+- filter:
+ count: 9
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 6
+ flow.pkts_toclient: 4
+ flow.state: "new"
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 0
+ stats.ips.blocked: 10
+ stats.ips.drop_reason.rules: 1
+ stats.ips.drop_reason.flow_drop: 9
diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/firewall.rules b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/firewall.rules
new file mode 100644
index 000000000..aefd2c38e
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/firewall.rules
@@ -0,0 +1,20 @@
+# Packet rules
+
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; alert; sid:1021;)
+# allow rest of the flow to
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; alert; sid:1023;)
+
+# default drop
+
+
+
+
+# App-layer rules
+
+# should match, pcap is to google
+accept:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:104; alert;)
+# allow tls before client hello is done.
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (alert; sid:105;)
+
+# default drop
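Review bot: The SNI match in sid 104 is unanchored — `tls.sni; content:"www.google.com";` is satisfied by any server name that merely contains that string, such as `www.google.com.attacker.example`, so as an accept rule it can be met by a client that picks its own SNI. Pin it to the whole buffer, `tls.sni; content:"www.google.com"; startswith; endswith;` (or add `bsize:14;`); the expected match on the test pcap is unchanged. The comment `# allow rest of the flow to` above sid 1023 is cut off mid-sentence; `# allow the rest of the established flow` says what the rule does. Both `# default drop` comments have no rule beneath them and presumably lean on firewall mode's implicit default policy; a short note to that effect would stop a reader hunting for a missing line.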
diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/suricata.yaml b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/suricata.yaml
new file mode 100644
index 000000000..24e38b5ab
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/suricata.yaml
@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+ # more specific is better for alert accuracy and performance
+ address-groups:
+ HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+ #HOME_NET: "[192.168.0.0/16]"
+ #HOME_NET: "[10.0.0.0/8]"
+ #HOME_NET: "[172.16.0.0/12]"
+ #HOME_NET: "any"
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DC_SERVERS: "$HOME_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+ GENEVE_PORTS: 6081
+ VXLAN_PORTS: 4789
+ TEREDO_PORTS: 3544
+ SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - stats
+ - flow
+ - alert
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/td.rules b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/td.rules
new file mode 100644
index 000000000..3882c92e3
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/td.rules
@@ -0,0 +1 @@
+drop:packet tcp-pkt any any -> any any (flow:to_server; content:"|16 03 01 02 00|"; startswith; sid:666;)
diff --git a/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml
new file mode 100644
index 000000000..f7305b4d2
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-30-fw-accept-td-drop/test.yaml
@@ -0,0 +1,71 @@
+requires:
+ min-version: 8
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 666
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+ alert.action: allowed
+ pcap_cnt: 6
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1021
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 1023
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 104
+ pcap_cnt: 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 105
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 4
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.pkts_toserver: 32
+ flow.pkts_toclient: 30
+ flow.state: "closed"
+ flow.alerted: true
+ flow.action: "accept"
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 61
+ stats.ips.blocked: 1
+ stats.ips.drop_reason.default_app_policy: 0
+ stats.ips.drop_reason.rules: 1
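Review bot: The byte pattern in sid 666 is undocumented, and the rule's whole job in this test is to be the one non-firewall drop, so a comment stating what it pins would help the next person who touches the fixture: `# match the TLS record header of the first ClientHello segment: type 0x16 (handshake), version 3.1, length 0x0200 (512 bytes)`. Because `startswith` anchors on that exact record length, the match is tied to this specific capture (presumably the first fragment of the MTU-300 ClientHello) and will silently stop firing if the pcap is ever regenerated, taking the expected single drop with it; that dependency is worth a second comment line.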
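Review bot: The two `event_type: drop` filters only count drop events and pin `pcap_cnt: 4`; unlike the drop checks in the neighbouring tests they do not say which rule produced the drop, so a drop at packet 4 from any other cause would still satisfy them. Add `alert.signature_id: 666` and `drop.reason: "rules"` to the second drop filter so the check proves the threat-detection rule, not the firewall, blocked the packet. For the same reason the sid-666 alert filter could carry `alert.action: blocked`, mirroring the `alert.action: allowed` already asserted for sid 1023.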
diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp b/tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp new file mode 100644 index 0000000000000000000000000000000000000000..23c957ff38f46c200f58ba460764057d9ed1f6d4 GIT binary patch literal 12288 zc-rln&u<$=6vwBPKolsydV|X(E-I9)y_;Wkj06~aNsRm>wcWH(RbjFoyGz%**6gfP zOA%c73pgOefeR9+BJtzG1qnDJ4jhoUfH;?Op#mgM@ZBF?J3ritBVxYMC%g0Bn>TOX zu1AXE9et}(qib1%K#vge{L8m{KR4eckN)~B8QPZg1i7oEvD`E69!B1X6XyJpYvnq8 z$eo-Y2-{+kX+tjT?kFd@Fa2EC7JQdEPEG_4m!kpK#ujbK&;*x)xxVIgwT|!xX^!lO z^&O(5q;yz;>}vUwWNFdR!(nEAj-Gn#g6fNsl9G~=l9G~=(*H+xhZc zT$PlRl$4Z|l$4Z|l$4Z|{<~rwLMrzW!cUOs|NrB^|NnfLklWxla0}c3?}69AbAW=s zA0p%za1(q3J^>$tw}Au~K><7t{yIs>PvA@N0eA~=umPR{XTcNTUU2I{LcRxIgB#!- zV1tX`1#lLe0)IR}$nW3>@E!OHddT@RZ>z?Qc_Y<`q!dUVvbXwQUshHsSI_zUKm8%rA<0u)-^8uG=WBaDLCsF z_NDAP-mYJWCXJK$k_kyY5ifTp8lDML`_yxt5oOf3-JZi~_zlVf^>HDQZN&Zk6@_Lh zuQEw37WljqO`R?+9PclTUzgnN@XjP#hH{tfU|o6D_GuRdj$^`AdZ>xoF3f!(D4@>^ln;6Kbw6DrbcB%wDtIq&n4p>DX3rn_ zsBJHB?d#i}o?!j>HhvO&f_LokQt{s6?UJw#ETUmUHA{(WjW(p&snw>9ijsFQB_#;GjeHHJ%OMCfk)<3>ltmo*Y;;+IhIly5sFIC+-Bb zk~QP5M%A_|o7X1i6O^OsljRegctw{c}Y^0v*US#FF2mR6RRBlFg!YOy}HE}zS< zMb>q*Zf==l^QxXVBJ)e_bcMylQmLBTBas z=!=oHT;E(uv+7X1nbt;XjN=;3VyT+eWUM3=v^LCYwbUr5p82`F9Mf zt995{tkkBR<|RD#da*hQXq#2s&rVRTw`MzA=c{*c*4mr1z0tEc(i^!m)0M){+)?rb z_S@$UO&pJ>CrukK8|N0Y#%fm2>N#Wa%25G&Hu}lskMypE)ARBC)g)qez``Wk!r_%! 
zrz5!Ur*B|*eD*yY9R7e?cGtEj&d?n$aTr8LX?%t-%fbiU!WoaVWWYsqnz|MzLngx4 RSkpA} any any (sid:100;) +# default drop + + +accept:hook http1:request_started any any -> any any (alert; sid:101;) +accept:hook http1:request_line any any -> any any (http.method; content:"POST"; alert; sid:102;) +accept:hook http1:request_headers any any -> any any (alert; sid:103;) +accept:hook http1:request_body any any -> any any (alert; sid:104;) +accept:hook http1:request_trailer any any -> any any (alert; sid:105;) +accept:hook http1:request_complete any any -> any any (alert; sid:106;) + +accept:hook http1:response_started any any -> any any (alert; sid:201;) +accept:hook http1:response_line any any -> any any (alert; sid:202;) +accept:hook http1:response_headers any any -> any any (alert; sid:203;) +accept:hook http1:response_body any any -> any any (alert; sid:204;) +accept:hook http1:response_trailer any any -> any any (alert; sid:205;) +accept:hook http1:response_complete any any -> any any (alert; sid:206;) diff --git a/tests/firewall/ruletype-firewall-31-retrans-of-drop/input.pcap b/tests/firewall/ruletype-firewall-31-retrans-of-drop/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d984ec1805bb0ce53e71f90706b3922c341f189b GIT binary patch literal 769 zc-p&ic+)~A1{MYw`2U}Qfe}bMd45V)*v7hRZ5HJCOfu;Ne28aO+2}}wMk~|Cy%*=dX)2wzQOoNyMF%#1?kVzmD
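Review bot: `ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp` is a Vim swap file and should not be in this commit; besides adding a 12 KB opaque blob to the tree, swap files typically embed the editing user's name, hostname and absolute path together with unsaved buffer contents, none of which belongs in a public test corpus. Remove it from the patch (`git rm --cached tests/firewall/ruletype-firewall-31-retrans-of-drop/.suricata.yaml.swp`) and consider a `*.swp` entry in the repository's `.gitignore` so it cannot recur. The real `suricata.yaml` for that directory is not visible in this part of the diff, so double-check it was actually staged alongside the `firewall.rules` and `input.pcap` that are.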