From ecb8abd5a945aad0d46661fbd2e8d6cd02f263d2 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 23 Feb 2022 12:35:41 +0000
Subject: [PATCH] tests: add test for cornercase alert_max case

With dynamic memory alocation of the packet alert queue, we must make sure that when we rearrange signatures in the alert queue we are not leaking memory. This test is intended to cover such a case.

Related to Task #4943
---
 .../README.md | 20 +++++++
 .../input.pcap | Bin 0 -> 228 bytes
 .../suricata.yaml | 21 +++++++
 .../test.rules | 16 ++++++
 .../test.yaml | 54 ++++++++++++++++++
 .../writepcap.py | 10 ++++
 6 files changed, 121 insertions(+)
 create mode 100644 tests/alert-max/alert-max-append-higher-priority/README.md
 create mode 100644 tests/alert-max/alert-max-append-higher-priority/input.pcap
 create mode 100644 tests/alert-max/alert-max-append-higher-priority/suricata.yaml
 create mode 100644 tests/alert-max/alert-max-append-higher-priority/test.rules
 create mode 100644 tests/alert-max/alert-max-append-higher-priority/test.yaml
 create mode 100755 tests/alert-max/alert-max-append-higher-priority/writepcap.py

diff --git a/tests/alert-max/alert-max-append-higher-priority/README.md b/tests/alert-max/alert-max-append-higher-priority/README.md
new file mode 100644
index 000000000..0312e87ce
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority/README.md
@@ -0,0 +1,20 @@
+This is a test for corner cases scenarios where we have a low packet_alert_max
+configuration, and we try to add a signature with an id which is lower than an
+existing queued signature.
+
+The expected behavior is as follows:
+- Rules with sid 1, 2, and 4 should not match (there to ensure we have the right
+scenario in terms of internal ids and signature ordering)
+- 1st rule triggered: sid 4 (internal id 3)
+- 2nd rule triggered: sid 6 (internal id 5)
+- 3rd rule triggered: sid 8 (internal id 7)
+- 4th rule triggered: sid 7 (internal id 6)
+
+In this scenario, packet_alert_max is set to 3, meaning that one of the rules
+should not generate an alert, at the end, due to being discarded from the Packet's
+alert queue.
+
+Expected final result:
+
+Alerts for sids 4, 6 and 7. Sid 8 should be discarded, as its higher id implies a
+lower priority rule - discarded.
diff --git a/tests/alert-max/alert-max-append-higher-priority/input.pcap b/tests/alert-max/alert-max-append-higher-priority/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..93868b87cefec725b16b374e7efff76a129c40c7
GIT binary patch
literal 228
zc-p&ic+)~A1{MYw`2U}Qfe}a_m61!T+t0wThXI2Bg8>606Eh2IBLf2)2ZJjE!zz$c
z2evFLRyKAHkdzb`gFVco00{*K`8f;>?yeyU`k8qtsTFz|CAm2Y9w8wC`i6Q2yj&jn
z#U)k><>lpi`30$YnR#jX#i_|@`K5U&i6xo&d3yOp>AYN_#i>QQj_Ij+K&2rWnZ*h~
xl&FwWnwwjxkegauoS2@fkd&WN$;;)OpH~7@rW;aOkZPq+l3G!s53-P#3jmXaKdk@&

literal 0
Hc-jL100001

diff --git a/tests/alert-max/alert-max-append-higher-priority/suricata.yaml b/tests/alert-max/alert-max-append-higher-priority/suricata.yaml
new file mode 100644
index 000000000..affc4f204
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority/suricata.yaml
@@ -0,0 +1,21 @@
+%YAML 1.1
+---
+
+outputs:
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: yes # append to file (yes) or overwrite it (no)
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert
+ - http
+
+# Define maximum number of possible alerts that can be triggered for the same
+# packet. Default is 15
+packet-alert-max: 2
diff --git a/tests/alert-max/alert-max-append-higher-priority/test.rules b/tests/alert-max/alert-max-append-higher-priority/test.rules
new file mode 100644
index 000000000..3c0133f94
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority/test.rules
@@ -0,0 +1,16 @@
+# internal id 0 -- should not trigger
+alert http any any -> any any (msg:"No match rule 1"; http.request_line; bsize:<10; priority:1; sid:1;)
+# internal id 1 -- should not trigger
+alert http any any -> any any (msg:"No match rule 2"; http.request_line; bsize:>150; priority: 1; sid:2; rev:1;)
+# internal id 2 -- should not trigger
+alert tcp any any -> any any (msg:"No match rule 3"; dsize:>130; sid:3; rev:1;)
+# internal id 3
+alert tcp any any -> any any (msg:"Match rule - internal id 3"; dsize:<140; sid:4; rev:1;)
+# internal id 4 -- sould not trigger
+alert tcp any any -> any any (msg:"No match rule 4"; dsize:>140; sid:5; rev:1;)
+# internal id 5
+alert http any any -> any any (msg:"Match rule internal id 5"; uricontent:"/index.html"; sid:6; rev:1;)
+# internal id 6
+alert http any any -> any any (msg:"Match rule internal id 6"; http.request_line; bsize:10<>100; sid:7; rev:1;)
+# Internal id 7
+alert http any any -> any any (msg:"Match rule internal id 7"; http.request_line; content:"GET /index.html HTTP/1.0"; sid:8;)
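Review bot: `packet-alert-max: 2` on the last line of this hunk disagrees with the README added in the same commit, which says packet_alert_max is set to 3, and with test.yaml, which expects three alerts (sids 4, 6 and 7) and only sid 8 discarded. One of the three has to change: if the intent is a queue of three with a single discard, this line should read `packet-alert-max: 3`; otherwise one of the `count: 1` expectations in test.yaml must become 0 and the README reworded. I cannot tell from the patch alone which value is intended, so the reconciled value should be confirmed by running the test. The comment above the setting would also be more useful if it recorded why the value is deliberately small, e.g. `# kept small so that appending a higher-priority (lower internal id) signature forces a discard from a full queue`.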
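Review bot: The comment for sid 5, `# internal id 4 -- sould not trigger`, has a typo (`should`), and the README's list of non-matching rules ("sid 1, 2, and 4") does not agree with these comments, where sids 1, 2, 3 and 5 are the non-matchers and sid 4 is expected to fire. The dsize thresholds are tuned to the exact payload writepcap.py emits: by my count that request is 130 bytes, so sid 3 (`dsize:>130`) sits right on the boundary while sid 4 (`dsize:<140`) is the one that matches, and regenerating the pcap with a different payload would silently change which rules fire; a one-line comment at the top, such as `# dsize thresholds assume the 130-byte request produced by writepcap.py`, would protect the next editor. Style: `priority: 1` on sid 2 versus `priority:1` on sid 1, and `rev:1` is missing on sids 1 and 8 while the other rules carry it; making these uniform keeps the internal-id ordering argument easy to follow.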
diff --git a/tests/alert-max/alert-max-append-higher-priority/test.yaml b/tests/alert-max/alert-max-append-higher-priority/test.yaml
new file mode 100644
index 000000000..6d71b4218
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority/test.yaml
@@ -0,0 +1,54 @@
+args:
+- -k none
+- --runmode=single
+- --set stream.midstream=true
+
+checks:
+# Subtest 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+# Subtest 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+# Subtest 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
+# Subtest 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+# Subtest 5
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 5
+# Subtest 6
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 6
+# Subtest 7
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 7
+# Subtest 8
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 8
diff --git a/tests/alert-max/alert-max-append-higher-priority/writepcap.py b/tests/alert-max/alert-max-append-higher-priority/writepcap.py
new file mode 100755
index 000000000..0fe1f32cf
--- /dev/null
+++ b/tests/alert-max/alert-max-append-higher-priority/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=63, flags='P''A')/"GET /index.html HTTP/1.0\r\nHost: www.openinfosecfoundation.org\r\nUser-Agent: This is a dummy message body\r\nContent-Type: text/html\r\n"
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2
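Review bot: The eight checks pin each sid individually but never assert the total number of alerts, so an extra alert for a sid outside 1–8, or a duplicate alert for sid 4, 6 or 7, would pass unnoticed. Since the test exists to exercise the packet-alert-max limit, one overall check such as `- filter: {count: 3, match: {event_type: alert}}` ties the result directly to the queue size rather than to per-sid presence. The `# Subtest N` comments only restate the sid; a short note on Subtest 8 saying that sid 8 is the one expected to be discarded because it has the highest internal id would make the intent of that `count: 0` clear without reading the README.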
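Review bot: `pkts += Ether(...)/...` on line 6 appears to rely on scapy's Packet being iterable so that list `+=` extends the list with the packet; `pkts.append(Ether(...)/...)` states the intent and does not depend on that behaviour. `flags='P''A'` is implicit string concatenation and reads like a typo, while `flags='PA'` is the same value. The shebang `#!/usr/bin/env python` resolves to Python 2 on some hosts; `#!/usr/bin/env python3` is the safer choice for a script that has to be re-run to regenerate the fixture. A one-line module comment saying that the script regenerates input.pcap and that the dsize thresholds in test.rules depend on the exact length of this payload would help whoever edits it next.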