From a434f48db23b46f4c0ce2bc116f7d858a3d28740 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 19 Jan 2022 18:46:17 +0000
Subject: [PATCH] tests: add test for packet_alert_max more than 15
Task#4207
---
 tests/alert-max/alert-max-20/input.pcap | Bin 0 -> 80 bytes
 tests/alert-max/alert-max-20/suricata.yaml | 14 ++++++++++++++
 tests/alert-max/alert-max-20/test.rules | 20 ++++++++++++++++++++
 tests/alert-max/alert-max-20/test.yaml | 8 ++++++++
 tests/alert-max/alert-max-20/writepcap.py | 7 +++++++
 5 files changed, 49 insertions(+)
 create mode 100644 tests/alert-max/alert-max-20/input.pcap
 create mode 100644 tests/alert-max/alert-max-20/suricata.yaml
 create mode 100644 tests/alert-max/alert-max-20/test.rules
 create mode 100644 tests/alert-max/alert-max-20/test.yaml
 create mode 100755 tests/alert-max/alert-max-20/writepcap.py
diff --git a/tests/alert-max/alert-max-20/input.pcap b/tests/alert-max/alert-max-20/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..baa322b8ce4ab9aa7db8afc15efd90a5dc67abc4
GIT binary patch
literal 80
zc-p&ic+)~A1{MYw`2U}Q;R%rD5WbP<8O+Y00c3-)D~MubU~pioIa|-bzzD(&A`AgA
NeF01g3=?Y@7yx+04Eg{7
literal 0
Hc-jL100001
diff --git a/tests/alert-max/alert-max-20/suricata.yaml b/tests/alert-max/alert-max-20/suricata.yaml
new file mode 100644
index 000000000..8e52a1cc8
--- /dev/null
+++ b/tests/alert-max/alert-max-20/suricata.yaml
@@ -0,0 +1,14 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 20
diff --git a/tests/alert-max/alert-max-20/test.rules b/tests/alert-max/alert-max-20/test.rules
new file mode 100644
index 000000000..51c7dfa3b
--- /dev/null
+++ b/tests/alert-max/alert-max-20/test.rules
@@ -0,0 +1,20 @@
+alert tcp any any -> any any (msg:"Noalert rule 1"; noalert; sid:1; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 2"; noalert; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 3"; noalert; sid:3; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 4"; noalert; sid:4; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 5"; noalert; sid:5; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 6"; noalert; sid:6; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 7"; noalert; sid:7; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 8"; noalert; sid:8; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 9"; noalert; sid:9; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 10"; noalert; sid:10; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 11"; noalert; sid:11; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 12"; noalert; sid:12; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 13"; noalert; sid:13; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 14"; noalert; sid:14; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 15"; noalert; sid:15; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 16"; noalert; sid:16; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 17"; noalert; sid:17; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 18"; noalert; sid:18; rev:1;)
+alert tcp any any -> any any (msg:"Noalert rule 19"; noalert; sid:19; rev:1;)
+alert tcp any any -> any any (msg:"Alert rule"; sid:20; rev:1;)
diff --git a/tests/alert-max/alert-max-20/test.yaml b/tests/alert-max/alert-max-20/test.yaml
new file mode 100644
index 000000000..cd8540ce2
--- /dev/null
+++ b/tests/alert-max/alert-max-20/test.yaml
@@ -0,0 +1,8 @@
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
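Review bot: The new rules file only exercises the "more than 15" case if sid 20 is evaluated after the 19 `noalert` rules and if those noalert matches actually occupy slots in the per-packet alert queue; neither assumption is written down, and if the engine's signature ordering ever placed sid 20 among the first 15 matches the test would keep passing even under the old hard cap. Whether noalert matches count against packet-alert-max is not something these files show, so it should be confirmed against the engine rather than assumed. I would state the intent at the top of test.rules so a later reordering or a change in noalert handling is noticed: `# 19 noalert rules followed by one alerting rule: with packet-alert-max: 20 the 20th match (sid 20) must still produce an alert.`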
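Review bot: The check in test.yaml matches only `event_type: alert` with `count: 1`, which proves one alert was logged but not that it came from the 20th matching rule, which is the property the `packet-alert-max: 20` setting is meant to exercise. Today sid 20 is the only rule in test.rules without `noalert`, so any emitted alert must be that rule, but pinning it keeps the test meaningful if the rules file is later edited: add `alert.signature_id: 20` under `match:`. If no sibling test under tests/alert-max/ already runs the same rules with the default cap and expects `count: 0`, that negative half is what demonstrates the limit was the thing being lifted.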
diff --git a/tests/alert-max/alert-max-20/writepcap.py b/tests/alert-max/alert-max-20/writepcap.py
new file mode 100755
index 000000000..df22b22a8
--- /dev/null
+++ b/tests/alert-max/alert-max-20/writepcap.py
@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = list()
+pkts.append(IP()/TCP())
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2
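Review bot: The shebang `#!/usr/bin/env python` on the first added line names an interpreter that many current distributions no longer install (PEP 394 recommends `python3`), so the regeneration script will fail to start on those systems; use `#!/usr/bin/env python3`. Because the checked-in input.pcap cannot be reviewed as text, this script is the only record of what the fixture contains, so it is worth keeping it runnable and explicit: replace `from scapy.all import *` with `from scapy.all import IP, TCP, wrpcap`, and collapse the list/append pair into `wrpcap('input.pcap', [IP()/TCP()])`. A one-line module docstring saying that the script regenerates input.pcap as a single `IP()/TCP()` packet with scapy defaults would tell the next maintainer why the binary file exists and how to rebuild it.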