From 1960935bf1c06830ad24f48e5793206709320c2a Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 1 Jun 2023 10:56:13 +0200 Subject: [PATCH] tests: update for fixed rate_filter drops --- tests/http-gap-simple-frames-ips/test.yaml | 4 ++-- .../test.yaml | 23 +++++++++++++++++- .../test.yaml | 23 +++++++++++++++++- .../test.yaml | 3 +-- .../test.yaml | 24 ++++++++++++++++++- .../test.yaml | 23 +++++++++++++++++- .../test.yaml | 23 +++++++++++++++++- .../test.yaml | 3 +-- .../test.yaml | 24 ++++++++++++++++++- 9 files changed, 138 insertions(+), 12 deletions(-) diff --git a/tests/http-gap-simple-frames-ips/test.yaml b/tests/http-gap-simple-frames-ips/test.yaml index 8f41b1a9d..34bc09c28 100644 --- a/tests/http-gap-simple-frames-ips/test.yaml +++ b/tests/http-gap-simple-frames-ips/test.yaml @@ -18,7 +18,7 @@ checks: http.url: "/1" http.status: 200 - filter: - count: 1 + count: 0 match: event_type: http http.url: "/2" @@ -37,7 +37,7 @@ checks: fileinfo.state: "CLOSED" fileinfo.gaps: false - filter: - count: 1 + count: 0 match: event_type: fileinfo fileinfo.size: 14 diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml index 65594aa5f..3c0eddff6 100644 --- a/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-drop-hostdst/test.yaml 
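Review bot: The two `count: 0` checks in tests/http-gap-simple-frames-ips/test.yaml (the `http.url: "/2"` http event in the hunk at -18,7 and the `fileinfo.size: 14` event in the hunk at -37,7) carry no comment saying why the event is now expected to be absent. A zero-count filter also passes when the event is missing for an unrelated reason, such as a renamed field or a logger that is switched off, so the intent should be written next to it. Something like `# transaction is dropped in IPS mode, so no http event for /2 is logged` above each filter would do; the wording needs checking against the test's rules, which are not visible here. If drop logging is enabled for this test, a positive `event_type: drop` check would pin the cause and not only the absence.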
@@ -7,15 +7,36 @@ args: checks: - filter: - count: 31 + count: 3 match: event_type: alert alert.signature_id: 1000001 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: blocked + - filter: + count: 2 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: allowed - filter: count: 29 match: event_type: drop + - filter: + count: 1 + match: + event_type: drop drop.reason: threshold detection_filter + - filter: + count: 28 + match: + event_type: drop + drop.reason: flow drop # due to the drops, we don't expect to see any http event - filter: count: 0 diff --git a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/test.yaml index 1b351c028..a333cc9aa 100644 --- a/tests/threshold/threshold-config-rate-filter-drop-hostsrc/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-drop-hostsrc/test.yaml @@ -7,12 +7,33 @@ args: checks: - filter: - count: 31 + count: 3 match: event_type: alert alert.signature_id: 1000001 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: blocked + - filter: + count: 2 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: allowed - filter: count: 29 match: event_type: drop + - filter: + count: 1 + match: + event_type: drop drop.reason: threshold detection_filter + - filter: + count: 28 + match: + event_type: drop + drop.reason: flow drop diff --git a/tests/threshold/threshold-config-rate-filter-drop-ippair/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-ippair/test.yaml index fea44cfe4..012af667a 100644 --- a/tests/threshold/threshold-config-rate-filter-drop-ippair/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-drop-ippair/test.yaml @@ -7,7 +7,7 @@ args: checks: - filter: - count: 31 + count: 2 match: event_type: alert alert.signature_id: 1000001 
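Review bot: The new expected counts in the drop-hostdst hunk (3 alerts split into 1 `blocked` and 2 `allowed`, 29 drops split into 1 `threshold detection_filter` and 28 `flow drop`) are stated without saying how they follow from the rate_filter setup. A short comment above the first filter would let a reader verify them, e.g. `# rate_filter trips on the 3rd alert: 2 allowed, 1 blocked, rest of the flow dropped`. That reading is inferred from the numbers alone and should be confirmed against the test's threshold configuration. The same applies to the identical hunks for drop-hostsrc, reject-hostdst and reject-hostsrc.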
@@ -15,4 +15,3 @@ checks: count: 30 match: event_type: drop - drop.reason: threshold detection_filter diff --git a/tests/threshold/threshold-config-rate-filter-drop-rule/test.yaml b/tests/threshold/threshold-config-rate-filter-drop-rule/test.yaml index fea44cfe4..ec6a9f076 100644 --- a/tests/threshold/threshold-config-rate-filter-drop-rule/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-drop-rule/test.yaml @@ -7,12 +7,34 @@ args: checks: - filter: - count: 31 + count: 2 match: event_type: alert alert.signature_id: 1000001 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: blocked + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: allowed - filter: count: 30 + match: + event_type: drop + #drop.reason: threshold detection_filter + - filter: + count: 1 match: event_type: drop drop.reason: threshold detection_filter + - filter: + count: 29 + match: + event_type: drop + drop.reason: flow drop diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostdst/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-hostdst/test.yaml index 1b351c028..a333cc9aa 100644 --- a/tests/threshold/threshold-config-rate-filter-reject-hostdst/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-reject-hostdst/test.yaml @@ -7,12 +7,33 @@ args: checks: - filter: - count: 31 + count: 3 match: event_type: alert alert.signature_id: 1000001 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: blocked + - filter: + count: 2 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: allowed - filter: count: 29 match: event_type: drop + - filter: + count: 1 + match: + event_type: drop drop.reason: threshold detection_filter + - filter: + count: 28 + match: + event_type: drop + drop.reason: flow drop 
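Review bot: Removing `drop.reason: threshold detection_filter` in the drop-ippair hunk at -15,4 leaves only the aggregate `count: 30` drop check, and the alert check in the preceding hunk (now `count: 2`) has no `alert.action` split either. The sibling tests in this commit assert both the blocked/allowed split and the per-reason drop split, so for the ippair case a regression where packets are dropped for the wrong reason, or where alerts are logged as `allowed` although the rate filter should block, would pass unnoticed. Adding the same four filters here would close that gap. The counts in the sketch below are copied from the -rule variant and are only a guess for ippair; they need confirming with a run. The reject-pair hunks have the same shape.

```yaml
  # … unchanged: total alert filter (count: 2) and total drop filter (count: 30) …
  # counts below mirror the -rule variant; confirm against an actual run
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1000001
        alert.action: blocked
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1000001
        alert.action: allowed
  - filter:
      count: 1
      match:
        event_type: drop
        drop.reason: threshold detection_filter
  - filter:
      count: 29
      match:
        event_type: drop
        drop.reason: flow drop
```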
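Review bot: The total-drop filter added in the drop-rule hunk keeps a commented-out `#drop.reason: threshold detection_filter` under `event_type: drop`. The per-reason filters that follow already cover the reason, so the dead line only leaves a reader wondering whether the match was disabled temporarily. Delete it, or replace it with a comment that states the intent, such as `# all drops, regardless of reason`. The reject-rule hunk has the same leftover line.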
diff --git a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/test.yaml index 1b351c028..a333cc9aa 100644 --- a/tests/threshold/threshold-config-rate-filter-reject-hostsrc/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-reject-hostsrc/test.yaml @@ -7,12 +7,33 @@ args: checks: - filter: - count: 31 + count: 3 match: event_type: alert alert.signature_id: 1000001 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: blocked + - filter: + count: 2 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: allowed - filter: count: 29 match: event_type: drop + - filter: + count: 1 + match: + event_type: drop drop.reason: threshold detection_filter + - filter: + count: 28 + match: + event_type: drop + drop.reason: flow drop diff --git a/tests/threshold/threshold-config-rate-filter-reject-pair/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-pair/test.yaml index fea44cfe4..012af667a 100644 --- a/tests/threshold/threshold-config-rate-filter-reject-pair/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-reject-pair/test.yaml @@ -7,7 +7,7 @@ args: checks: - filter: - count: 31 + count: 2 match: event_type: alert alert.signature_id: 1000001 @@ -15,4 +15,3 @@ checks: count: 30 match: event_type: drop - drop.reason: threshold detection_filter diff --git a/tests/threshold/threshold-config-rate-filter-reject-rule/test.yaml b/tests/threshold/threshold-config-rate-filter-reject-rule/test.yaml index fea44cfe4..ec6a9f076 100644 --- a/tests/threshold/threshold-config-rate-filter-reject-rule/test.yaml +++ b/tests/threshold/threshold-config-rate-filter-reject-rule/test.yaml 
@@ -7,12 +7,34 @@ args: checks: - filter: - count: 31 + count: 2 match: event_type: alert alert.signature_id: 1000001 + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: blocked + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: allowed - filter: count: 30 + match: + event_type: drop + #drop.reason: threshold detection_filter + - filter: + count: 1 match: event_type: drop drop.reason: threshold detection_filter + - filter: + count: 29 + match: + event_type: drop + drop.reason: flow drop -- 2.47.2