From df4eee34685aab1bb082cd46357754c5d0e6eb46 Mon Sep 17 00:00:00 2001 
From: Juliana Fajardini
Date: Thu, 1 Dec 2022 12:10:10 -0300
Subject: [PATCH] tests: add tests for exception policy master switch
Add tests for the new master switch config for the Exception policies. Added also a check in the exception-policy test that checks the default behavior, to ensure that things work as expected with the master switch disabled and the exception policies not set. Task #5219
---
 .../test.yaml | 2 +-
 .../test.yaml | 2 +-
 .../exception-policy-default-01/suricata.yaml | 2 +
 .../README.md | 15 +++++++
 .../input.pcap | Bin 0 -> 1014 bytes
 .../suricata.yaml | 29 +++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 35 ++++++++++++++++
 .../README.md | 15 +++++++
 .../input.pcap | Bin 0 -> 1014 bytes
 .../suricata.yaml | 30 ++++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 25 +++++++++++
 .../README.md | 15 +++++++
 .../input.pcap | Bin 0 -> 1014 bytes
 .../suricata.yaml | 31 ++++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 25 +++++++++++
 .../README.md | 14 +++++++
 .../input.pcap | Bin 0 -> 1014 bytes
 .../suricata.yaml | 31 ++++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 26 ++++++++++++
 .../README.md | 15 +++++++
 .../input.pcap | Bin 0 -> 1014 bytes
 .../suricata.yaml | 30 ++++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 20 +++++++++
 .../README.md | 15 +++++++
 .../input.pcap | Bin 0 -> 1014 bytes
 .../suricata.yaml | 39 ++++++++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 36 ++++++++++++++++
 .../README.md | 15 +++++++
 .../input.pcap | Bin 0 -> 1014 bytes
 .../suricata.yaml | 37 +++++++++++++++++
 .../test.rules | 1 +
 .../test.yaml | 36 ++++++++++++++++
 38 files changed, 545 insertions(+), 2 deletions(-)
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-01/README.md
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-01/input.pcap
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-01/suricata.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-01/test.rules
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-02/README.md
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-02/input.pcap
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-02/suricata.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-02/test.rules
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-03/README.md
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-03/input.pcap
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-03/suricata.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-03/test.rules
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-04/README.md
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-04/input.pcap
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-04/suricata.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-04/test.rules
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-05/README.md
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-05/input.pcap
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-05/suricata.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-05/test.rules
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-06/README.md
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-06/input.pcap
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-06/suricata.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-06/test.rules
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-07/README.md
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-07/input.pcap
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-07/suricata.yaml
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-07/test.rules
 create mode 100644 tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
diff --git a/tests/bug-6149-exception-policy-auto-ids/test.yaml b/tests/bug-6149-exception-policy-auto-ids/test.yaml
index 4f52c44f9..77f2756b2 100644
--- a/tests/bug-6149-exception-policy-auto-ids/test.yaml
+++ b/tests/bug-6149-exception-policy-auto-ids/test.yaml
@@ -30,4 +30,4 @@ checks:
 log_level: Info
 event_type: engine
 engine.module: exception-policy
- engine.message: "master exception-policy set to: ignore"
+ engine.message: "master exception-policy set to: auto"
diff --git a/tests/bug-6149-exception-policy-auto-ips/test.yaml b/tests/bug-6149-exception-policy-auto-ips/test.yaml
index 587a8b8b2..b35b50d2d 100644
--- a/tests/bug-6149-exception-policy-auto-ips/test.yaml
+++ b/tests/bug-6149-exception-policy-auto-ips/test.yaml
@@ -29,4 +29,4 @@ checks:
 log_level: Info
 event_type: engine
 engine.module: exception-policy
- engine.message: "master exception-policy set to: drop-flow"
+ engine.message: "master exception-policy set to: auto"
diff --git a/tests/exception-policy-default-01/suricata.yaml b/tests/exception-policy-default-01/suricata.yaml
index b1a0e258c..a22e556bf 100644
--- a/tests/exception-policy-default-01/suricata.yaml
+++ b/tests/exception-policy-default-01/suricata.yaml
@@ -18,3 +18,5 @@ action-order:
 - drop
 - reject
 - alert
+
+exception-policy: ignore
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-01/README.md
new file mode 100644
index 000000000..48a0ee0fe
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check the expected auto behavior, for the master switch for drop-packet and
+drop-flow in case of traffic exceptions, in IPS mode.
+
+# Behavior
+
+We expect to have no alerts, and see drop events, includding for the flow. Checks
+for the bypassed flow are left to highlight the fact that the indicated exception
+policy is overwritten by the master switch.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
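Review bot: The new `exception-policy: ignore` line makes exception-policy-default-01 configure the master switch explicitly, while the commit message describes this test as covering the case where the master switch is disabled and no exception policy is set; within this patch the genuinely unset case is only exercised by exception-policy-master-switch-07, whose suricata.yaml carries no `exception-policy` key at all. A one-line comment above the new key would stop a future reader from treating this file as the unset-default case: `# master switch explicitly set to ignore; the unset-default case lives in exception-policy-master-switch-07`. If `ignore` is also what an absent key resolves to, saying so in the comment would make the relationship between the two tests explicit rather than implied.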
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7a89ef1727926127879095cbf66118a64006501c
GIT binary patch
literal 1014
zc-no^!B5jr90%}U*@mREVVD?+rxy+~huhk2W2|Awq7!6H7p&o2yT`T!+NJHB;}4L; zm~celL?U5uF&e#im?m5>-kb-c#*-{2ibwUP?{!&#Wm%KgyuRjr@_XO+`>^+Xvj?1T z^f-Yb@7H_x=l{ALFhS;Ye0=xdaPu0RJ;(L_>4PKy4=@QrucXawJzHlzj2klb-L=O1 z3(Nc4wc?qrto90^$LV^(I2@;_7C-HPQ6kaNbeg8Ec~{paVX}AQE0w5N--Qg7h&Y__ zz`O@ST9z|GAs}$c9Luq^tex*J7$+5tcZ$j@ z8#Jnhqb;i8<^5`Z#>1p0ZnVOuR_%uiV&o3!Xt$UV*`(IDe;utsCiTV*&^jCvc^=(N zaqLya!V;Rt*-J#7EIoTISeW*tm-g2_=e(n#UYFtC*HQt!E1h z1)P;oTGz<#2%1qe>PC?mk_17DM4G#kvXYa~kT52wW8s+M7o+~L7!}mWf}p5jl^<&5 z=ATov95y9%r$Pef*ekkbk&OMbSj$;?358-uYjUMX>bCGbE10*I7HQh0LN?BO4PCb` zqTKPhp_htg>(joJUnIyb9rxJol`kiIrP{yNsQXCA9maQ>*YWaaS7qH+K6g|Gh*E7T vPiuYM8pN_2ggJSsbsv#DnE@shzka+yeiN%pMH_ZSpV}(&5O2gj*EYa^IN~-+
literal 0
Hc-jL100001
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-01/suricata.yaml
new file mode 100644
index 000000000..510b047e9
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/suricata.yaml
@@ -0,0 +1,29 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
new file mode 100644
index 000000000..1d4f2b8a6
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-01/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set exception-policy=auto
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: stream midstream
+ - filter:
+ count: 9
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
+ - filter:
+ count: 0
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-02/README.md
new file mode 100644
index 000000000..290c37b4c
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/README.md
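Review bot: The `flow.state: bypassed` count-0 filter in this test.yaml is explained by the test's README as showing that an indicated exception policy is overridden by the master switch, yet nothing in this hunk sets a per-subsystem policy and the sibling suricata.yaml for this test has no `stream` section, so with only `--set exception-policy=auto` the check confirms the `auto` behaviour itself rather than any override. To exercise the override the README describes, add `- --set stream.midstream-policy=bypass` to `args`; otherwise the README sentence should go and a comment such as `# no per-subsystem policy is configured; the master switch alone decides` above the check would record the intent. The `count: 9` on the second drop filter is tied to this capture, which is fine, but a short comment stating why nine drops are expected (presumably every packet of the midstream flow) would make a later pcap change easier to review.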
@@ -0,0 +1,15 @@
+# Test
+
+Check the bypass behavior for the Exception policies master switch in IPS
+mode in case of traffic exceptions.
+
+# Behavior
+
+We expect to have no alerts, nor drop events, only the flow in bypassed state.
+Checks are left to highlight the expected behavior in comparison to other
+possible behaviors, with different policies in place.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-02/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7a89ef1727926127879095cbf66118a64006501c
GIT binary patch
literal 1014
zc-no^!B5jr90%}U*@mREVVD?+rxy+~huhk2W2|Awq7!6H7p&o2yT`T!+NJHB;}4L; zm~celL?U5uF&e#im?m5>-kb-c#*-{2ibwUP?{!&#Wm%KgyuRjr@_XO+`>^+Xvj?1T z^f-Yb@7H_x=l{ALFhS;Ye0=xdaPu0RJ;(L_>4PKy4=@QrucXawJzHlzj2klb-L=O1 z3(Nc4wc?qrto90^$LV^(I2@;_7C-HPQ6kaNbeg8Ec~{paVX}AQE0w5N--Qg7h&Y__ zz`O@ST9z|GAs}$c9Luq^tex*J7$+5tcZ$j@ z8#Jnhqb;i8<^5`Z#>1p0ZnVOuR_%uiV&o3!Xt$UV*`(IDe;utsCiTV*&^jCvc^=(N zaqLya!V;Rt*-J#7EIoTISeW*tm-g2_=e(n#UYFtC*HQt!E1h z1)P;oTGz<#2%1qe>PC?mk_17DM4G#kvXYa~kT52wW8s+M7o+~L7!}mWf}p5jl^<&5 z=ATov95y9%r$Pef*ekkbk&OMbSj$;?358-uYjUMX>bCGbE10*I7HQh0LN?BO4PCb` zqTKPhp_htg>(joJUnIyb9rxJol`kiIrP{yNsQXCA9maQ>*YWaaS7qH+K6g|Gh*E7T vPiuYM8pN_2ggJSsbsv#DnE@shzka+yeiN%pMH_ZSpV}(&5O2gj*EYa^IN~-+
literal 0
Hc-jL100001
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-02/suricata.yaml
new file mode 100644
index 000000000..e9d7d7df5
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/suricata.yaml
@@ -0,0 +1,30 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: bypass
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
new file mode 100644
index 000000000..dd2a2d565
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-02/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 0
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-03/README.md
new file mode 100644
index 000000000..2a46cee1f
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the proper default exception policy is applied in case the master
+switch is disabled and there is no exception policy configured.
+stage.
+
+# Behavior
+
+We expect to have ``alert`` and ``http`` events logged, as the flow will
+be inspected still.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-03/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7a89ef1727926127879095cbf66118a64006501c
GIT binary patch
literal 1014
zc-no^!B5jr90%}U*@mREVVD?+rxy+~huhk2W2|Awq7!6H7p&o2yT`T!+NJHB;}4L; zm~celL?U5uF&e#im?m5>-kb-c#*-{2ibwUP?{!&#Wm%KgyuRjr@_XO+`>^+Xvj?1T z^f-Yb@7H_x=l{ALFhS;Ye0=xdaPu0RJ;(L_>4PKy4=@QrucXawJzHlzj2klb-L=O1 z3(Nc4wc?qrto90^$LV^(I2@;_7C-HPQ6kaNbeg8Ec~{paVX}AQE0w5N--Qg7h&Y__ zz`O@ST9z|GAs}$c9Luq^tex*J7$+5tcZ$j@ z8#Jnhqb;i8<^5`Z#>1p0ZnVOuR_%uiV&o3!Xt$UV*`(IDe;utsCiTV*&^jCvc^=(N zaqLya!V;Rt*-J#7EIoTISeW*tm-g2_=e(n#UYFtC*HQt!E1h z1)P;oTGz<#2%1qe>PC?mk_17DM4G#kvXYa~kT52wW8s+M7o+~L7!}mWf}p5jl^<&5 z=ATov95y9%r$Pef*ekkbk&OMbSj$;?358-uYjUMX>bCGbE10*I7HQh0LN?BO4PCb` zqTKPhp_htg>(joJUnIyb9rxJol`kiIrP{yNsQXCA9maQ>*YWaaS7qH+K6g|Gh*E7T vPiuYM8pN_2ggJSsbsv#DnE@shzka+yeiN%pMH_ZSpV}(&5O2gj*EYa^IN~-+
literal 0
Hc-jL100001
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-03/suricata.yaml
new file mode 100644
index 000000000..b0edf36d6
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: ignore
+
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
new file mode 100644
index 000000000..efcc37494
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-03/test.yaml
@@ -0,0 +1,25 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-04/README.md
new file mode 100644
index 000000000..a7e990822
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/README.md
@@ -0,0 +1,14 @@
+# Test
+
+Check the expected overriding behavior, in IPS mode, if an Exception Policy is
+set, regardless of what is defined in the master switch.
+
+# Behavior
+
+We expect to see a flow event with the action set to pass, and the http
+protocol event, since a pass policy will still mean inspection, just no detection.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-04/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7a89ef1727926127879095cbf66118a64006501c
GIT binary patch
literal 1014
zc-no^!B5jr90%}U*@mREVVD?+rxy+~huhk2W2|Awq7!6H7p&o2yT`T!+NJHB;}4L; zm~celL?U5uF&e#im?m5>-kb-c#*-{2ibwUP?{!&#Wm%KgyuRjr@_XO+`>^+Xvj?1T z^f-Yb@7H_x=l{ALFhS;Ye0=xdaPu0RJ;(L_>4PKy4=@QrucXawJzHlzj2klb-L=O1 z3(Nc4wc?qrto90^$LV^(I2@;_7C-HPQ6kaNbeg8Ec~{paVX}AQE0w5N--Qg7h&Y__ zz`O@ST9z|GAs}$c9Luq^tex*J7$+5tcZ$j@ z8#Jnhqb;i8<^5`Z#>1p0ZnVOuR_%uiV&o3!Xt$UV*`(IDe;utsCiTV*&^jCvc^=(N zaqLya!V;Rt*-J#7EIoTISeW*tm-g2_=e(n#UYFtC*HQt!E1h z1)P;oTGz<#2%1qe>PC?mk_17DM4G#kvXYa~kT52wW8s+M7o+~L7!}mWf}p5jl^<&5 z=ATov95y9%r$Pef*ekkbk&OMbSj$;?358-uYjUMX>bCGbE10*I7HQh0LN?BO4PCb` zqTKPhp_htg>(joJUnIyb9rxJol`kiIrP{yNsQXCA9maQ>*YWaaS7qH+K6g|Gh*E7T vPiuYM8pN_2ggJSsbsv#DnE@shzka+yeiN%pMH_ZSpV}(&5O2gj*EYa^IN~-+
literal 0
Hc-jL100001
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-04/suricata.yaml
new file mode 100644
index 000000000..1f3898223
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/suricata.yaml
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: auto
+
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
new file mode 100644
index 000000000..ef36588fd
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-04/test.yaml
@@ -0,0 +1,26 @@
+requires:
+ min-version: 7
+
+args:
+- --simulate-ips
+- --set stream.midstream=true
+- --set stream.midstream-policy=pass-flow
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+ - filter:
+ count: 1
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-05/README.md
new file mode 100644
index 000000000..c6c06c975
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the Exception Policy is properly applied in case it's set to
+``bypass`` in IDS mode, when the engine firstly sees the stream during
+SYNACK stage.
+
+# Behavior
+
+We expect to have no events other than ``flow``, with an indication that it was
+bypassed.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-05/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7a89ef1727926127879095cbf66118a64006501c
GIT binary patch
literal 1014
zc-no^!B5jr90%}U*@mREVVD?+rxy+~huhk2W2|Awq7!6H7p&o2yT`T!+NJHB;}4L; zm~celL?U5uF&e#im?m5>-kb-c#*-{2ibwUP?{!&#Wm%KgyuRjr@_XO+`>^+Xvj?1T z^f-Yb@7H_x=l{ALFhS;Ye0=xdaPu0RJ;(L_>4PKy4=@QrucXawJzHlzj2klb-L=O1 z3(Nc4wc?qrto90^$LV^(I2@;_7C-HPQ6kaNbeg8Ec~{paVX}AQE0w5N--Qg7h&Y__ zz`O@ST9z|GAs}$c9Luq^tex*J7$+5tcZ$j@ z8#Jnhqb;i8<^5`Z#>1p0ZnVOuR_%uiV&o3!Xt$UV*`(IDe;utsCiTV*&^jCvc^=(N zaqLya!V;Rt*-J#7EIoTISeW*tm-g2_=e(n#UYFtC*HQt!E1h z1)P;oTGz<#2%1qe>PC?mk_17DM4G#kvXYa~kT52wW8s+M7o+~L7!}mWf}p5jl^<&5 z=ATov95y9%r$Pef*ekkbk&OMbSj$;?358-uYjUMX>bCGbE10*I7HQh0LN?BO4PCb` zqTKPhp_htg>(joJUnIyb9rxJol`kiIrP{yNsQXCA9maQ>*YWaaS7qH+K6g|Gh*E7T vPiuYM8pN_2ggJSsbsv#DnE@shzka+yeiN%pMH_ZSpV}(&5O2gj*EYa^IN~-+
literal 0
Hc-jL100001
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-05/suricata.yaml
new file mode 100644
index 000000000..e9d7d7df5
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/suricata.yaml
@@ -0,0 +1,30 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: bypass
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
new file mode 100644
index 000000000..54c74b354
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-05/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ count: 0
+ match:
+ event_type: http
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-06/README.md
new file mode 100644
index 000000000..7df989699
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/README.md
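Review bot: The test.yaml for exception-policy-master-switch-05 has no `event_type: drop` filter, while the IPS-mode siblings 02, 03 and 04 in this patch each assert `count: 0` for drop events; drop records should not appear in IDS mode either, so a fourth filter asserting `event_type: drop` with `count: 0` costs nothing and keeps the check set aligned, catching a regression where `bypass` starts producing drop output. This test's README also says the engine first sees the stream at the SYNACK stage, but the only argument here is `--set stream.midstream=true`; a one-line comment above `args`, such as `# midstream condition comes from the capture itself (no SYN recorded)`, hedged as needed, would spare the next reader from opening the pcap to confirm that.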
@@ -0,0 +1,15 @@
+# Test
+
+Check that the Exception Policy is properly applied in case it's set to
+``auto`` in IPS mode, when the engine is set to midstream=true.
+
+# Behavior
+
+We expect the engine to define the exception policy for midstream as `ignore`,
+as that's the default configuration value when midstream flows are accepted.
+This means we should see ``alert`` and ``http`` events.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-06/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7a89ef1727926127879095cbf66118a64006501c
GIT binary patch
literal 1014
zc-no^!B5jr90%}U*@mREVVD?+rxy+~huhk2W2|Awq7!6H7p&o2yT`T!+NJHB;}4L; zm~celL?U5uF&e#im?m5>-kb-c#*-{2ibwUP?{!&#Wm%KgyuRjr@_XO+`>^+Xvj?1T z^f-Yb@7H_x=l{ALFhS;Ye0=xdaPu0RJ;(L_>4PKy4=@QrucXawJzHlzj2klb-L=O1 z3(Nc4wc?qrto90^$LV^(I2@;_7C-HPQ6kaNbeg8Ec~{paVX}AQE0w5N--Qg7h&Y__ zz`O@ST9z|GAs}$c9Luq^tex*J7$+5tcZ$j@ z8#Jnhqb;i8<^5`Z#>1p0ZnVOuR_%uiV&o3!Xt$UV*`(IDe;utsCiTV*&^jCvc^=(N zaqLya!V;Rt*-J#7EIoTISeW*tm-g2_=e(n#UYFtC*HQt!E1h z1)P;oTGz<#2%1qe>PC?mk_17DM4G#kvXYa~kT52wW8s+M7o+~L7!}mWf}p5jl^<&5 z=ATov95y9%r$Pef*ekkbk&OMbSj$;?358-uYjUMX>bCGbE10*I7HQh0LN?BO4PCb` zqTKPhp_htg>(joJUnIyb9rxJol`kiIrP{yNsQXCA9maQ>*YWaaS7qH+K6g|Gh*E7T vPiuYM8pN_2ggJSsbsv#DnE@shzka+yeiN%pMH_ZSpV}(&5O2gj*EYa^IN~-+
literal 0
Hc-jL100001
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-06/suricata.yaml
new file mode 100644
index 000000000..17e07b85a
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/suricata.yaml
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+exception-policy: auto
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: debug
+ filename: suricata.json
+ type: json
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
new file mode 100644
index 000000000..e861245cd
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-06/test.yaml
@@ -0,0 +1,36 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 0
+ match:
+ event_type: engine
+ log_level: Warning
+ engine.module: exception-policy
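Review bot: The final `suricata.json` filter in this test.yaml is a negative-only assertion — zero `Warning` events from `engine.module: exception-policy` — which also passes if the engine log file is never written, if the module name differs from what the filter expects, or if the configured level keeps the message out, so it does not demonstrate that `exception-policy: auto` was resolved without complaint. Pairing it with a positive assertion on a message that must be present would anchor the check to real log output; the bug-6149 tests earlier in this patch match `engine.message: "master exception-policy set to: auto"` at `log_level: Info`, which would serve here provided the `default-log-level: notice` / `level: debug` combination in the sibling suricata.yaml lets an Info record through — worth confirming before copying it. The test.yaml of exception-policy-master-switch-07 is byte-identical (same blob e861245cd) and has the same gap; there the expected message is whatever the engine logs when the key is absent, which this patch does not show.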
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/README.md b/tests/exception-policy-master-switch/exception-policy-master-switch-07/README.md
new file mode 100644
index 000000000..6da9817a9
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/README.md
@@ -0,0 +1,15 @@
+# Test
+
+Check that the Exception Policy is properly applied with default configuration
+in IPS mode, when the engine is set to midstream=true.
+
+# Behavior
+
+We expect the engine to define the exception policy for midstream as `ignore`,
+as that's the default configuration value when midstream flows are accepted.
+This means we should see ``alert`` and ``http`` events.
+
+# Pcap
+
+Pcap is the result of a curl to www.testmyids.com, later extracted with
+Wireshark to keep the ``http`` packets only.
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/input.pcap b/tests/exception-policy-master-switch/exception-policy-master-switch-07/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..7a89ef1727926127879095cbf66118a64006501c
GIT binary patch
literal 1014
zc-no^!B5jr90%}U*@mREVVD?+rxy+~huhk2W2|Awq7!6H7p&o2yT`T!+NJHB;}4L; zm~celL?U5uF&e#im?m5>-kb-c#*-{2ibwUP?{!&#Wm%KgyuRjr@_XO+`>^+Xvj?1T z^f-Yb@7H_x=l{ALFhS;Ye0=xdaPu0RJ;(L_>4PKy4=@QrucXawJzHlzj2klb-L=O1 z3(Nc4wc?qrto90^$LV^(I2@;_7C-HPQ6kaNbeg8Ec~{paVX}AQE0w5N--Qg7h&Y__ zz`O@ST9z|GAs}$c9Luq^tex*J7$+5tcZ$j@ z8#Jnhqb;i8<^5`Z#>1p0ZnVOuR_%uiV&o3!Xt$UV*`(IDe;utsCiTV*&^jCvc^=(N zaqLya!V;Rt*-J#7EIoTISeW*tm-g2_=e(n#UYFtC*HQt!E1h z1)P;oTGz<#2%1qe>PC?mk_17DM4G#kvXYa~kT52wW8s+M7o+~L7!}mWf}p5jl^<&5 z=ATov95y9%r$Pef*ekkbk&OMbSj$;?358-uYjUMX>bCGbE10*I7HQh0LN?BO4PCb` zqTKPhp_htg>(joJUnIyb9rxJol`kiIrP{yNsQXCA9maQ>*YWaaS7qH+K6g|Gh*E7T vPiuYM8pN_2ggJSsbsv#DnE@shzka+yeiN%pMH_ZSpV}(&5O2gj*EYa^IN~-+
literal 0
Hc-jL100001
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/suricata.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-07/suricata.yaml
new file mode 100644
index 000000000..bd9e2147b
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/suricata.yaml
@@ -0,0 +1,37 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: yes
+ payload-buffer-size: 4kb
+ payload-printable: yes
+ packet: yes
+ http: yes
+ tls: yes
+ ssh: yes
+ smtp: yes
+ xff:
+ enabled: yes
+ mode: extra-data
+ deployment: reverse
+ header: X-Forwarded-For
+ - flow
+ - http
+ - drop:
+ alerts: yes
+ flows: all
+
+logging:
+ default-log-level: notice
+ outputs:
+ - file:
+ enabled: yes
+ level: debug
+ filename: suricata.json
+ type: json
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.rules b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.rules
new file mode 100644
index 000000000..9f1307bdb
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
diff --git a/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
new file mode 100644
index 000000000..e861245cd
--- /dev/null
+++ b/tests/exception-policy-master-switch/exception-policy-master-switch-07/test.yaml
@@ -0,0 +1,36 @@
+requires:
+ min-version: 7
+
+args:
+- --set stream.midstream=true
+- --simulate-ips
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: flow
+ flow.state: bypassed
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ event_type: http
+ - filter:
+ filename: eve.json
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ filename: suricata.json
+ count: 0
+ match:
+ event_type: engine
+ log_level: Warning
+ engine.module: exception-policy
--
2.47.2