From 667a9b86c062190aa9a28b038fea75ebc6bae305 Mon Sep 17 00:00:00 2001 
From: Juliana Fajardini Date: Thu, 26 May 2022 18:35:55 -0300 Subject: [PATCH] tests: add tests for rule's actions These were converted from unittests present in `util-action`. Task #5371 --- .../util-action-01/README.md | 12 +++++++ .../util-action-01/input.pcap | Bin 0 -> 273 bytes .../util-action-01/test.rules | 3 ++ .../util-action-01/test.yaml | 30 ++++++++++++++++ .../util-action-01/writepcap.py | 22 ++++++++++++ .../util-action-02/README.md | 13 +++++++ .../util-action-02/input.pcap | Bin 0 -> 273 bytes .../util-action-02/suricata.yaml | 17 ++++++++++ .../util-action-02/test.rules | 3 ++ .../util-action-02/test.yaml | 26 ++++++++++++++ .../util-action-02/writepcap.py | 22 ++++++++++++ .../util-action-03/README.md | 12 +++++++ .../util-action-03/input.pcap | Bin 0 -> 269 bytes .../util-action-03/test.rules | 3 ++ .../util-action-03/test.yaml | 29 ++++++++++++++++ .../util-action-03/writepcap.py | 22 ++++++++++++ .../util-action-04/README.md | 12 +++++++ .../util-action-04/input.pcap | Bin 0 -> 284 bytes .../util-action-04/suricata.yaml | 17 ++++++++++ .../util-action-04/test.rules | 3 ++ .../util-action-04/test.yaml | 25 ++++++++++++++ .../util-action-04/writepcap.py | 23 +++++++++++++ .../util-action-05/README.md | 11 ++++++ .../util-action-05/input.pcap | Bin 0 -> 273 bytes .../util-action-05/test.rules | 3 ++ .../util-action-05/test.yaml | 32 ++++++++++++++++++ .../util-action-05/writepcap.py | 22 ++++++++++++ .../util-action-06/README.md | 12 +++++++ .../util-action-06/input.pcap | Bin 0 -> 273 bytes .../util-action-06/suricata.yaml | 17 ++++++++++ .../util-action-06/test.rules | 3 ++ .../util-action-06/test.yaml | 25 ++++++++++++++ .../util-action-06/writepcap.py | 22 ++++++++++++ .../util-action-07/README.md | 13 +++++++ .../util-action-07/input.pcap | Bin 0 -> 273 bytes .../util-action-07/suricata.yaml | 17 ++++++++++ .../util-action-07/test.rules | 3 ++ .../util-action-07/test.yaml | 25 ++++++++++++++ .../util-action-07/writepcap.py | 22 ++++++++++++ 
.../util-action-08/README.md | 13 +++++++ .../util-action-08/input.pcap | Bin 0 -> 273 bytes .../util-action-08/test.rules | 3 ++ .../util-action-08/test.yaml | 29 ++++++++++++++++ .../util-action-08/writepcap.py | 22 ++++++++++++ .../util-action-09/README.md | 13 +++++++ .../util-action-09/input.pcap | Bin 0 -> 273 bytes .../util-action-09/test.rules | 3 ++ .../util-action-09/test.yaml | 32 ++++++++++++++++++ .../util-action-09/writepcap.py | 22 ++++++++++++ .../util-action-10/README.md | 13 +++++++ .../util-action-10/input.pcap | Bin 0 -> 273 bytes .../util-action-10/test.rules | 3 ++ .../util-action-10/test.yaml | 32 ++++++++++++++++++ .../util-action-10/writepcap.py | 22 ++++++++++++ .../util-action-11/README.md | 12 +++++++ .../util-action-11/input.pcap | Bin 0 -> 273 bytes .../util-action-11/suricata.yaml | 17 ++++++++++ .../util-action-11/test.rules | 3 ++ .../util-action-11/test.yaml | 32 ++++++++++++++++++ .../util-action-11/writepcap.py | 22 ++++++++++++ .../util-action-12/README.md | 15 ++++++++ .../util-action-12/input.pcap | Bin 0 -> 273 bytes .../util-action-12/suricata.yaml | 17 ++++++++++ .../util-action-12/test.rules | 3 ++ .../util-action-12/test.yaml | 32 ++++++++++++++++++ .../util-action-12/writepcap.py | 22 ++++++++++++ .../util-action-13/README.md | 12 +++++++ .../util-action-13/input.pcap | Bin 0 -> 273 bytes .../util-action-13/suricata.yaml | 17 ++++++++++ .../util-action-13/test.rules | 3 ++ .../util-action-13/test.yaml | 32 ++++++++++++++++++ .../util-action-13/writepcap.py | 22 ++++++++++++ .../util-action-14/README.md | 12 +++++++ .../util-action-14/input.pcap | Bin 0 -> 273 bytes .../util-action-14/suricata.yaml | 17 ++++++++++ .../util-action-14/test.rules | 3 ++ .../util-action-14/test.yaml | 32 ++++++++++++++++++ .../util-action-14/writepcap.py | 22 ++++++++++++ .../util-action-15/README.md | 12 +++++++ .../util-action-15/input.pcap | Bin 0 -> 273 bytes .../util-action-15/suricata.yaml | 17 ++++++++++ .../util-action-15/test.rules | 
3 ++ .../util-action-15/test.yaml | 32 ++++++++++++++++++ .../util-action-15/writepcap.py | 22 ++++++++++++ .../util-action-16/README.md | 12 +++++++ .../util-action-16/input.pcap | Bin 0 -> 273 bytes .../util-action-16/suricata.yaml | 17 ++++++++++ .../util-action-16/test.rules | 3 ++ .../util-action-16/test.yaml | 32 ++++++++++++++++++ .../util-action-16/writepcap.py | 22 ++++++++++++ 90 files changed, 1247 insertions(+) create mode 100644 tests/util-action-tests/util-action-01/README.md create mode 100644 tests/util-action-tests/util-action-01/input.pcap create mode 100644 tests/util-action-tests/util-action-01/test.rules create mode 100644 tests/util-action-tests/util-action-01/test.yaml create mode 100644 tests/util-action-tests/util-action-01/writepcap.py create mode 100644 tests/util-action-tests/util-action-02/README.md create mode 100644 tests/util-action-tests/util-action-02/input.pcap create mode 100644 tests/util-action-tests/util-action-02/suricata.yaml create mode 100644 tests/util-action-tests/util-action-02/test.rules create mode 100644 tests/util-action-tests/util-action-02/test.yaml create mode 100644 tests/util-action-tests/util-action-02/writepcap.py create mode 100644 tests/util-action-tests/util-action-03/README.md create mode 100644 tests/util-action-tests/util-action-03/input.pcap create mode 100644 tests/util-action-tests/util-action-03/test.rules create mode 100644 tests/util-action-tests/util-action-03/test.yaml create mode 100644 tests/util-action-tests/util-action-03/writepcap.py create mode 100644 tests/util-action-tests/util-action-04/README.md create mode 100644 tests/util-action-tests/util-action-04/input.pcap create mode 100644 tests/util-action-tests/util-action-04/suricata.yaml create mode 100644 tests/util-action-tests/util-action-04/test.rules create mode 100644 tests/util-action-tests/util-action-04/test.yaml create mode 100644 tests/util-action-tests/util-action-04/writepcap.py create mode 100644 
tests/util-action-tests/util-action-05/README.md create mode 100644 tests/util-action-tests/util-action-05/input.pcap create mode 100644 tests/util-action-tests/util-action-05/test.rules create mode 100644 tests/util-action-tests/util-action-05/test.yaml create mode 100644 tests/util-action-tests/util-action-05/writepcap.py create mode 100644 tests/util-action-tests/util-action-06/README.md create mode 100644 tests/util-action-tests/util-action-06/input.pcap create mode 100644 tests/util-action-tests/util-action-06/suricata.yaml create mode 100644 tests/util-action-tests/util-action-06/test.rules create mode 100644 tests/util-action-tests/util-action-06/test.yaml create mode 100644 tests/util-action-tests/util-action-06/writepcap.py create mode 100644 tests/util-action-tests/util-action-07/README.md create mode 100644 tests/util-action-tests/util-action-07/input.pcap create mode 100644 tests/util-action-tests/util-action-07/suricata.yaml create mode 100644 tests/util-action-tests/util-action-07/test.rules create mode 100644 tests/util-action-tests/util-action-07/test.yaml create mode 100644 tests/util-action-tests/util-action-07/writepcap.py create mode 100644 tests/util-action-tests/util-action-08/README.md create mode 100644 tests/util-action-tests/util-action-08/input.pcap create mode 100644 tests/util-action-tests/util-action-08/test.rules create mode 100644 tests/util-action-tests/util-action-08/test.yaml create mode 100644 tests/util-action-tests/util-action-08/writepcap.py create mode 100644 tests/util-action-tests/util-action-09/README.md create mode 100644 tests/util-action-tests/util-action-09/input.pcap create mode 100644 tests/util-action-tests/util-action-09/test.rules create mode 100644 tests/util-action-tests/util-action-09/test.yaml create mode 100644 tests/util-action-tests/util-action-09/writepcap.py create mode 100644 tests/util-action-tests/util-action-10/README.md create mode 100644 tests/util-action-tests/util-action-10/input.pcap create mode 
100644 tests/util-action-tests/util-action-10/test.rules create mode 100644 tests/util-action-tests/util-action-10/test.yaml create mode 100644 tests/util-action-tests/util-action-10/writepcap.py create mode 100644 tests/util-action-tests/util-action-11/README.md create mode 100644 tests/util-action-tests/util-action-11/input.pcap create mode 100644 tests/util-action-tests/util-action-11/suricata.yaml create mode 100644 tests/util-action-tests/util-action-11/test.rules create mode 100644 tests/util-action-tests/util-action-11/test.yaml create mode 100644 tests/util-action-tests/util-action-11/writepcap.py create mode 100644 tests/util-action-tests/util-action-12/README.md create mode 100644 tests/util-action-tests/util-action-12/input.pcap create mode 100644 tests/util-action-tests/util-action-12/suricata.yaml create mode 100644 tests/util-action-tests/util-action-12/test.rules create mode 100644 tests/util-action-tests/util-action-12/test.yaml create mode 100644 tests/util-action-tests/util-action-12/writepcap.py create mode 100644 tests/util-action-tests/util-action-13/README.md create mode 100644 tests/util-action-tests/util-action-13/input.pcap create mode 100644 tests/util-action-tests/util-action-13/suricata.yaml create mode 100644 tests/util-action-tests/util-action-13/test.rules create mode 100644 tests/util-action-tests/util-action-13/test.yaml create mode 100644 tests/util-action-tests/util-action-13/writepcap.py create mode 100644 tests/util-action-tests/util-action-14/README.md create mode 100644 tests/util-action-tests/util-action-14/input.pcap create mode 100644 tests/util-action-tests/util-action-14/suricata.yaml create mode 100644 tests/util-action-tests/util-action-14/test.rules create mode 100644 tests/util-action-tests/util-action-14/test.yaml create mode 100644 tests/util-action-tests/util-action-14/writepcap.py create mode 100644 tests/util-action-tests/util-action-15/README.md create mode 100644 
tests/util-action-tests/util-action-15/input.pcap create mode 100644 tests/util-action-tests/util-action-15/suricata.yaml create mode 100644 tests/util-action-tests/util-action-15/test.rules create mode 100644 tests/util-action-tests/util-action-15/test.yaml create mode 100644 tests/util-action-tests/util-action-15/writepcap.py create mode 100644 tests/util-action-tests/util-action-16/README.md create mode 100644 tests/util-action-tests/util-action-16/input.pcap create mode 100644 tests/util-action-tests/util-action-16/suricata.yaml create mode 100644 tests/util-action-tests/util-action-16/test.rules create mode 100644 tests/util-action-tests/util-action-16/test.yaml create mode 100644 tests/util-action-tests/util-action-16/writepcap.py diff --git a/tests/util-action-tests/util-action-01/README.md b/tests/util-action-tests/util-action-01/README.md new file mode 100644 index 000000000..ef81fe3e8 --- /dev/null +++ b/tests/util-action-tests/util-action-01/README.md @@ -0,0 +1,12 @@ +Test based on former Suricata unit test from util-action file. + +Expected Behavior +================= + +The second packet should match rule sid 2 first, meaning no alerts are generated for it. +Sids 1 and 3 should generate alerts for the other packets. + +PCAP +==== +pcap generated with scapy. + diff --git a/tests/util-action-tests/util-action-01/input.pcap b/tests/util-action-tests/util-action-01/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..95dd0d89a38ae15099c7d011486cddd288251a53 GIT binary patch literal 273 zc-p&ic+)~A1{MYw`2U}Qfe}cT% any any (msg:"sig 1"; sid:1;) +pass ip 192.168.1.1 80 -> any any (msg:"sig 2"; sid:2;) +alert ip any any -> any any (msg:"sig 3"; sid:3;) diff --git a/tests/util-action-tests/util-action-01/test.yaml b/tests/util-action-tests/util-action-01/test.yaml new file mode 100644 index 000000000..7fcc2044d --- /dev/null +++ b/tests/util-action-tests/util-action-01/test.yaml 
@@ -0,0 +1,30 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-01/writepcap.py b/tests/util-action-tests/util-action-01/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-01/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-02/README.md b/tests/util-action-tests/util-action-02/README.md
new file mode 100644
index 000000000..c5c873438
--- /dev/null
+++ b/tests/util-action-tests/util-action-02/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+For the second packet, we expect to only see an alert for sid 3, as DROP and
+PASS here have higher priority. The other two packets should generate alerts,
+since sid 2 isn't triggered for them.
+
+PCAP
+====
+pcap generated with scapy.
+
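Review bot: `pkts += pkt1` and the two lines after it append a packet by extending the list with the packet object itself, which only works because scapy Packet objects happen to be iterable; `pkts = [pkt1, pkt2, pkt3]` states the intent and removes the three `+=` lines. On the pkt3 line, `flags='P''A'` is implicit string concatenation that reads like a typo; `flags='PA'` is the same value. The bare `python` shebang and the wildcard import are also worth tightening, e.g. `#!/usr/bin/env python3` and `from scapy.all import Ether, Dot1Q, IP, TCP, wrpcap`. The same script is repeated verbatim in the writepcap.py hunks for util-action-02, 05, 06, 07, 08, 09 and 10, and with a different pkt2 payload in 03 and 04, so a single generator parameterised by payload would avoid maintaining ten copies.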
diff --git a/tests/util-action-tests/util-action-02/input.pcap b/tests/util-action-tests/util-action-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..95dd0d89a38ae15099c7d011486cddd288251a53 GIT binary patch literal 273 zc-p&ic+)~A1{MYw`2U}Qfe}cT% any any (msg:"sig 1"; sid:1;) +pass ip 192.168.1.1 80 -> any any (msg:"sig 2"; sid:2;) +drop ip any any -> any any (msg:"sig 3"; sid:3;) diff --git a/tests/util-action-tests/util-action-02/test.yaml b/tests/util-action-tests/util-action-02/test.yaml new file mode 100644 index 000000000..dcdfdf0ea --- /dev/null +++ b/tests/util-action-tests/util-action-02/test.yaml @@ -0,0 +1,26 @@ +args: +- -k none +- --simulate-ips + +checks: +- filter: + min-version: 7 + count: 1 + match: + event_type: flow + flow.action: drop +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 1 + match: + event_type: alert + alert.signature_id: 3 diff --git a/tests/util-action-tests/util-action-02/writepcap.py b/tests/util-action-tests/util-action-02/writepcap.py new file mode 100644 index 000000000..cb0cf5c13 --- /dev/null +++ b/tests/util-action-tests/util-action-02/writepcap.py @@ -0,0 +1,22 @@ +#!/usr/bin/env python +from scapy.all import * + +pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n" + +pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n" + +pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80, + flags='P''A')/"Hi all!\r\n" + +pkts = [] +pkts += pkt1 +pkts += pkt2 +pkts += pkt3 + +wrpcap('input.pcap', pkts) 
diff --git a/tests/util-action-tests/util-action-03/README.md b/tests/util-action-tests/util-action-03/README.md new file mode 100644 index 000000000..693d73fbc --- /dev/null +++ b/tests/util-action-tests/util-action-03/README.md @@ -0,0 +1,12 @@ +Test based on former Suricata unit test from util-action file. + +Expected Behavior +================= + +For the second packet, we don't expect alerts, since it will be flagged by the +PASS sid (2). We expect alerts for sids 1 and 3 for the other two packets. + +PCAP +==== +pcap generated with scapy. + diff --git a/tests/util-action-tests/util-action-03/input.pcap b/tests/util-action-tests/util-action-03/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a239a52d0fc23d590c7001afdd949a3b796ee4f4 GIT binary patch literal 269 zc-p&ic+)~A1{MYw`2U}Qfe}c5`q-aj_K}yt8OU}9i-Q0IBNHfMn7m8dc0dye;k_!P_tVGBF literal 0 Hc-jL100001 diff --git a/tests/util-action-tests/util-action-03/test.rules b/tests/util-action-tests/util-action-03/test.rules new file mode 100644 index 000000000..ea21d79c1 --- /dev/null +++ b/tests/util-action-tests/util-action-03/test.rules @@ -0,0 +1,3 @@ +alert ip any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;) +pass ip any any -> any any (msg:"sig 2"; content:"wo"; sid:2;) +alert ip any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;) diff --git a/tests/util-action-tests/util-action-03/test.yaml b/tests/util-action-tests/util-action-03/test.yaml new file mode 100644 index 000000000..cfbd9fc2b --- /dev/null +++ b/tests/util-action-tests/util-action-03/test.yaml @@ -0,0 +1,29 @@ +args: +- -k none +- --simulate-ips + +checks: +- filter: + count: 1 + match: + event_type: flow + flow.alerted: true +- filter: + count: 1 + match: + event_type: stats +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 3 
diff --git a/tests/util-action-tests/util-action-03/writepcap.py b/tests/util-action-tests/util-action-03/writepcap.py
new file mode 100644
index 000000000..bb1f9b717
--- /dev/null
+++ b/tests/util-action-tests/util-action-03/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"wo!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-04/README.md b/tests/util-action-tests/util-action-04/README.md
new file mode 100644
index 000000000..9a89ff9e6
--- /dev/null
+++ b/tests/util-action-tests/util-action-04/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+First and third sids will be triggered by all three packets. The second packet
+won't trigger sid 1, for the PASS rule will bypass that.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-04/input.pcap b/tests/util-action-tests/util-action-04/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..48574c87ca65680e5e84f8746714a78015709250 GIT binary patch literal 284 zc-p&ic+)~A1{MYw`2U}Qfe}dW{@9;XlF7y33}icl#X*39k%^gwwUL2=jf26Jfx!@@ z)Pe1L{(%*YtU%1T@B%{s%%lJ&1%@m+1_qBzg~Xg3MP4qDkyY7T41PdKKU_xIK#fcR n83!_!ApmG7l9A any any (msg:"sig 1"; content:"Hi all"; sid:1;) +pass tcp any any -> any any (msg:"sig 2"; content:"wo"; sid:2;) +drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;) diff --git a/tests/util-action-tests/util-action-04/test.yaml b/tests/util-action-tests/util-action-04/test.yaml new file mode 100644 index 000000000..f4c2d6a31 --- /dev/null +++ b/tests/util-action-tests/util-action-04/test.yaml @@ -0,0 +1,25 @@ +args: +- -k none +- --simulate-ips + +checks: +- filter: + count: 1 + match: + event_type: flow + flow.alerted: true +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 2 + match: + event_type: alert + alert.signature_id: 3 diff --git a/tests/util-action-tests/util-action-04/writepcap.py b/tests/util-action-tests/util-action-04/writepcap.py new file mode 100644 index 000000000..d27e53db1 --- /dev/null +++ b/tests/util-action-tests/util-action-04/writepcap.py 
@@ -0,0 +1,23 @@ +#!/usr/bin/env python +from scapy.all import * + +pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n" + +pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi \ + all wo!\r\n" + +pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80, + flags='P''A')/"Hi all!\r\n" + +pkts = [] +pkts += pkt1 +pkts += pkt2 +pkts += pkt3 + +wrpcap('input.pcap', pkts) diff --git a/tests/util-action-tests/util-action-05/README.md b/tests/util-action-tests/util-action-05/README.md new file mode 100644 index 000000000..4c0a7d49b --- /dev/null +++ b/tests/util-action-tests/util-action-05/README.md @@ -0,0 +1,11 @@ +Test based on former Suricata unit test from util-action file. + +Expected Behavior +================= + +The PASS rule (sid 2) will make so that no alerts will be registered by Suri. + +PCAP +==== +pcap generated with scapy. + diff --git a/tests/util-action-tests/util-action-05/input.pcap b/tests/util-action-tests/util-action-05/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ea228e7b0cc3b543063584921fd1f2dd53acfb2b GIT binary patch literal 273 zc-p&ic+)~A1{MYw`2U}Qfe}cjz3NXAZR2Ke2C|*O;vm4l$i&RT+Q`7b#=+pqz+ebc z>cI9r|G)}HRv>0vc!41RW>Nr?0z;M@1A|AVLSjyiA}<%n$oMW2jAR5E%MbuG6rYhd Odnj_H1kgwhBqISXX+i%0 literal 0 Hc-jL100001 diff --git a/tests/util-action-tests/util-action-05/test.rules b/tests/util-action-tests/util-action-05/test.rules new file mode 100644 index 000000000..545fc0ca4 --- /dev/null +++ b/tests/util-action-tests/util-action-05/test.rules 
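Review bot: The pkt2 payload is split by a backslash-newline inside the string literal (`"Hi \` followed by `all wo!\r\n"` on the next line), and a backslash continuation inside a literal keeps the continuation line's leading whitespace, so if that line is indented as the rest of the file is, the bytes on the wire are `Hi`, a run of spaces, then `all wo!` rather than `Hi all wo!`. The diffstat is consistent with that reading: util-action-04/input.pcap is 284 bytes where the scripts with a 9-byte `Hi all!\r\n` payload produce 273, an 11-byte difference of which `Hi all wo!\r\n` alone would account for only 3. It matters because this test's README states that sids 1 and 3 (`content:"Hi all"`) are triggered by all three packets, which cannot hold for a payload that does not contain `Hi all`; util-action-04/suricata.yaml, which may set the action order, is not visible here. Put the literal on one line, `IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all wo!\r\n"`, regenerate input.pcap, and re-check the expected counts in test.yaml against the README.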
@@ -0,0 +1,3 @@
+alert ip any any -> any any (msg:"sig 1"; sid:1;)
+pass ip any any -> any any (msg:"Testing normal 2"; sid:2;)
+alert ip any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-05/test.yaml b/tests/util-action-tests/util-action-05/test.yaml
new file mode 100644
index 000000000..9c534f5cf
--- /dev/null
+++ b/tests/util-action-tests/util-action-05/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-05/writepcap.py b/tests/util-action-tests/util-action-05/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-05/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-06/README.md b/tests/util-action-tests/util-action-06/README.md
new file mode 100644
index 000000000..d79db8423
--- /dev/null
+++ b/tests/util-action-tests/util-action-06/README.md @@ -0,0 +1,12 @@ +Test based on former Suricata unit test from util-action file. + +Expected Behavior +================= + +The DROP rule (sid 3) will be triggered by all packets, and having the highest +priority, will make so that no other alerts will be registered by Suri. + +PCAP +==== +pcap generated with scapy. + diff --git a/tests/util-action-tests/util-action-06/input.pcap b/tests/util-action-tests/util-action-06/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..554cb63614d5d474752eb9aeb4ff9fd441021a9b GIT binary patch literal 273 zc-p&ic+)~A1{MYw`2U}Qfe}bM9qLcgo661L3}icl#X*39k%^gwwUL2=jf26Jfx!@@ z)Pe1L{(%*YtU%1T@B%{s%%lJ&1%@m+1_qBzg~Xg3MP4qDk=fHpFp?2uEJFa$P<%%2 Pm_d;%C4fe9AQ=e&%5gzQ literal 0 Hc-jL100001 diff --git a/tests/util-action-tests/util-action-06/suricata.yaml b/tests/util-action-tests/util-action-06/suricata.yaml new file mode 100644 index 000000000..d210eab85 --- /dev/null +++ b/tests/util-action-tests/util-action-06/suricata.yaml @@ -0,0 +1,17 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert + - flow + +action-order: + - drop + - pass + - reject + - alert diff --git a/tests/util-action-tests/util-action-06/test.rules b/tests/util-action-tests/util-action-06/test.rules new file mode 100644 index 000000000..99941ba82 --- /dev/null +++ b/tests/util-action-tests/util-action-06/test.rules @@ -0,0 +1,3 @@ +alert tcp any any -> any any (msg:"sig 1"; content:"Hi all"; sid:1;) +pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;) +drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;) diff --git a/tests/util-action-tests/util-action-06/test.yaml b/tests/util-action-tests/util-action-06/test.yaml new file mode 100644 index 000000000..722e5cde0 --- /dev/null +++ b/tests/util-action-tests/util-action-06/test.yaml 
@@ -0,0 +1,25 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 3
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-06/writepcap.py b/tests/util-action-tests/util-action-06/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-06/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-07/README.md b/tests/util-action-tests/util-action-07/README.md
new file mode 100644
index 000000000..5b762c2df
--- /dev/null
+++ b/tests/util-action-tests/util-action-07/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP and ALERT
+have higher priority, only those two generate alerts, as the PASS rule won't
+take place.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-07/input.pcap b/tests/util-action-tests/util-action-07/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f50dc35efcd2f19afee5bcb78b0011d3b4f0a551 GIT binary patch literal 273 zc-p&ic+)~A1{MYw`2U}Qfe}crz22Y1lfl8@3}icl#X*39k%^gwwUL2=jf26Jfx!@@ z)Pe1L{(%*YtU%1T@B%{s%%lJ&1%@m+1_qBzg~Xg3MP4qDkt=dYFp?2uEJFa$P<%$p P any any (msg:"sig 1"; content:"Hi all"; sid:1;) +pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;) +drop tcp any any -> any any (msg:"sig 3"; content:"Hi all"; sid:3;) diff --git a/tests/util-action-tests/util-action-07/test.yaml b/tests/util-action-tests/util-action-07/test.yaml new file mode 100644 index 000000000..6e260b4c6 --- /dev/null +++ b/tests/util-action-tests/util-action-07/test.yaml @@ -0,0 +1,25 @@ +args: +- -k none +- --simulate-ips + +checks: +- filter: + count: 1 + match: + event_type: flow + flow.alerted: true +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 3 + match: + event_type: alert + alert.signature_id: 3 diff --git a/tests/util-action-tests/util-action-07/writepcap.py b/tests/util-action-tests/util-action-07/writepcap.py new file mode 100644 index 000000000..cb0cf5c13 --- /dev/null +++ b/tests/util-action-tests/util-action-07/writepcap.py 
@@ -0,0 +1,22 @@ +#!/usr/bin/env python +from scapy.all import * + +pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n" + +pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n" + +pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \ + Dot1Q(vlan=6)/ \ + IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80, + flags='P''A')/"Hi all!\r\n" + +pkts = [] +pkts += pkt1 +pkts += pkt2 +pkts += pkt3 + +wrpcap('input.pcap', pkts) diff --git a/tests/util-action-tests/util-action-08/README.md b/tests/util-action-tests/util-action-08/README.md new file mode 100644 index 000000000..150dee78f --- /dev/null +++ b/tests/util-action-tests/util-action-08/README.md @@ -0,0 +1,13 @@ +Test based on former Suricata unit test from util-action file. + +Expected Behavior +================= + +The three packets should trigger all three signatures, but since with the +default settings PASS has higher priority, the DROP and ALERT signatures won't +generate alerts, as all packets trigger sid 2 (PASS). + +PCAP +==== +pcap generated with scapy. + diff --git a/tests/util-action-tests/util-action-08/input.pcap b/tests/util-action-tests/util-action-08/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..00bc1102bcbb848f5c6e79adfc118f71c446a60b GIT binary patch literal 273 zc-p&ic+)~A1{MYw`2U}Qfe}c*zuBL}n#;`K3}icl#X*39k%^gwwUL2=jf26Jfx!@@ z)Pe1L{(%*YtU%1T@B%{s%%lJ&1%@m+1_qBzg~Xg3MP4qDk!<-S7|94SmLULWC_W any any (msg:"sig 1"; sid:1;) +pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;) +drop tcp any any -> any any (msg:"sig 3"; sid:3;) diff --git a/tests/util-action-tests/util-action-08/test.yaml b/tests/util-action-tests/util-action-08/test.yaml new file mode 100644 index 000000000..950d3c70c --- /dev/null 
+++ b/tests/util-action-tests/util-action-08/test.yaml
@@ -0,0 +1,29 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 1
+ match:
+ event_type: stats
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-08/writepcap.py b/tests/util-action-tests/util-action-08/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-08/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-09/README.md b/tests/util-action-tests/util-action-09/README.md
new file mode 100644
index 000000000..150dee78f
--- /dev/null
+++ b/tests/util-action-tests/util-action-09/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since with the
+default settings PASS has higher priority, the DROP and ALERT signatures won't
+generate alerts, as all packets trigger sid 2 (PASS).
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-09/input.pcap b/tests/util-action-tests/util-action-09/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f50dc35efcd2f19afee5bcb78b0011d3b4f0a551 GIT binary patch literal 273 zc-p&ic+)~A1{MYw`2U}Qfe}crz22Y1lfl8@3}icl#X*39k%^gwwUL2=jf26Jfx!@@ z)Pe1L{(%*YtU%1T@B%{s%%lJ&1%@m+1_qBzg~Xg3MP4qDkt=dYFp?2uEJFa$P<%$p P any any (msg:"sig 1"; sid:1;) +alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;) +pass tcp any any -> any any (msg:"sig 3"; sid:3;) diff --git a/tests/util-action-tests/util-action-09/test.yaml b/tests/util-action-tests/util-action-09/test.yaml new file mode 100644 index 000000000..9c534f5cf --- /dev/null +++ b/tests/util-action-tests/util-action-09/test.yaml @@ -0,0 +1,32 @@ +args: +- -k none +- --simulate-ips + +checks: +- filter: + min-version: 7 + count: 1 + match: + event_type: flow + flow.alerted: false + flow.action: pass +- filter: + count: 1 + match: + event_type: flow + flow.alerted: false +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 1 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 2 +- filter: + count: 0 + match: + event_type: alert + alert.signature_id: 3 diff --git a/tests/util-action-tests/util-action-09/writepcap.py b/tests/util-action-tests/util-action-09/writepcap.py new file mode 100644 index 000000000..cb0cf5c13 --- /dev/null +++ b/tests/util-action-tests/util-action-09/writepcap.py 
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-10/README.md b/tests/util-action-tests/util-action-10/README.md
new file mode 100644
index 000000000..5b762c2df
--- /dev/null
+++ b/tests/util-action-tests/util-action-10/README.md
@@ -0,0 +1,13 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP and ALERT
+have higher priority, only those two generate alerts, as the PASS rule won't
+take place.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-10/input.pcap b/tests/util-action-tests/util-action-10/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..f50dc35efcd2f19afee5bcb78b0011d3b4f0a551
GIT binary patch
literal 273
zc-p&ic+)~A1{MYw`2U}Qfe}crz22Y1lfl8@3}icl#X*39k%^gwwUL2=jf26Jfx!@@
z)Pe1L{(%*YtU%1T@B%{s%%lJ&1%@m+1_qBzg~Xg3MP4qDkt=dYFp?2uEJFa$P<%$p
P any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-10/test.yaml b/tests/util-action-tests/util-action-10/test.yaml
new file mode 100644
index 000000000..9c534f5cf
--- /dev/null
+++ b/tests/util-action-tests/util-action-10/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: false
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-10/writepcap.py b/tests/util-action-tests/util-action-10/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-10/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-11/README.md b/tests/util-action-tests/util-action-11/README.md
new file mode 100644
index 000000000..b0a1cb2eb
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP action has the higher priority, we expect that all packets generate
+alert for sid 3.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-11/input.pcap b/tests/util-action-tests/util-action-11/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..95dd0d89a38ae15099c7d011486cddd288251a53
GIT binary patch
literal 273
zc-p&ic+)~A1{MYw`2U}Qfe}cT% any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-11/test.yaml b/tests/util-action-tests/util-action-11/test.yaml
new file mode 100644
index 000000000..e99b42b83
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-11/writepcap.py b/tests/util-action-tests/util-action-11/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-11/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-12/README.md b/tests/util-action-tests/util-action-12/README.md
new file mode 100644
index 000000000..3aa7a5662
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/README.md
@@ -0,0 +1,15 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+The three packets should trigger all three signatures, but since DROP signature
+has higher priority, all packets are dropped before other alerts are generated.
+The packets are considered as being from a single flow, and with the first
+packet being dropped, the whole flow is dropped, generated a single alert for
+sid 1.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-12/input.pcap b/tests/util-action-tests/util-action-12/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..0e8cec4ae64428f8eb8abd869a94b6cd2c15e96e
GIT binary patch
literal 273
zc-p&ic+)~A1{MYw`2U}Qfe}b^J?~Evh-YMQ2C|*O;vm4l$i&RT+Q`7b#=+pqz+ebc
z>cI9r|G)}HRv>0vc!41RW>Nr?0z;M@1A|AVLSjyiA}<%nNbN)tjAR5E%MbuG6rYim
ONffzK0%#-$l92$@v_G)`
literal 0
Hc-jL100001
diff --git a/tests/util-action-tests/util-action-12/suricata.yaml b/tests/util-action-tests/util-action-12/suricata.yaml
new file mode 100644
index 000000000..d210eab85
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
+action-order:
+ - drop
+ - pass
+ - reject
+ - alert
diff --git a/tests/util-action-tests/util-action-12/test.rules b/tests/util-action-tests/util-action-12/test.rules
new file mode 100644
index 000000000..31ef99b39
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/test.rules
@@ -0,0 +1,3 @@
+drop tcp any any -> any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-12/test.yaml b/tests/util-action-tests/util-action-12/test.yaml
new file mode 100644
index 000000000..3c00d2a42
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-12/writepcap.py b/tests/util-action-tests/util-action-12/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-12/writepcap.py
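Review bot: The `action-order` block is the whole point of this test — `drop` listed before `pass` is what lets sid 1 (drop) win over sid 3 (pass) in test.rules — yet nothing in the file says so, nor that it departs from the default order the util-action-09 README describes as PASS-first. A one-line comment above it, `# Non-default order: drop is evaluated before pass, so sid 1 (drop) wins over sid 3 (pass).`, would let a reader check the test.yaml expectations (`alert.signature_id: 1` count 1, `flow.action: drop`) without opening the README.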
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-13/README.md b/tests/util-action-tests/util-action-13/README.md
new file mode 100644
index 000000000..80005e0b0
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP action has the higher priority, we expect that all packets generate
+alert for sid 2, and sid 2 only.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-13/input.pcap b/tests/util-action-tests/util-action-13/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..95dd0d89a38ae15099c7d011486cddd288251a53
GIT binary patch
literal 273
zc-p&ic+)~A1{MYw`2U}Qfe}cT% any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-13/test.yaml b/tests/util-action-tests/util-action-13/test.yaml
new file mode 100644
index 000000000..ede2edcbc
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-13/writepcap.py b/tests/util-action-tests/util-action-13/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-13/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-14/README.md b/tests/util-action-tests/util-action-14/README.md
new file mode 100644
index 000000000..29f3f8fcd
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect alerts for sids
+1 and 3.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-14/input.pcap b/tests/util-action-tests/util-action-14/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..95dd0d89a38ae15099c7d011486cddd288251a53
GIT binary patch
literal 273
zc-p&ic+)~A1{MYw`2U}Qfe}cT% any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-14/test.yaml b/tests/util-action-tests/util-action-14/test.yaml
new file mode 100644
index 000000000..a25c45036
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-14/writepcap.py b/tests/util-action-tests/util-action-14/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-14/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-15/README.md b/tests/util-action-tests/util-action-15/README.md
new file mode 100644
index 000000000..98d0af00a
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect that all packets generate
+alerts for sids 1 and 2.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-15/input.pcap b/tests/util-action-tests/util-action-15/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..95dd0d89a38ae15099c7d011486cddd288251a53
GIT binary patch
literal 273
zc-p&ic+)~A1{MYw`2U}Qfe}cT% any any (msg:"sig 1"; sid:1;)
+alert tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+pass tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-15/test.yaml b/tests/util-action-tests/util-action-15/test.yaml
new file mode 100644
index 000000000..0df9caec5
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: drop
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-15/writepcap.py b/tests/util-action-tests/util-action-15/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-15/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
diff --git a/tests/util-action-tests/util-action-16/README.md b/tests/util-action-tests/util-action-16/README.md
new file mode 100644
index 000000000..76f16abbc
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/README.md
@@ -0,0 +1,12 @@
+Test based on former Suricata unit test from util-action file.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect that all packets generate
+alerts for sids 2 and 3.
+
+PCAP
+====
+pcap generated with scapy.
+
diff --git a/tests/util-action-tests/util-action-16/input.pcap b/tests/util-action-tests/util-action-16/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..95dd0d89a38ae15099c7d011486cddd288251a53
GIT binary patch
literal 273
zc-p&ic+)~A1{MYw`2U}Qfe}cT% any any (msg:"sig 1"; sid:1;)
+drop tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+alert tcp any any -> any any (msg:"sig 3"; sid:3;)
diff --git a/tests/util-action-tests/util-action-16/test.yaml b/tests/util-action-tests/util-action-16/test.yaml
new file mode 100644
index 000000000..a012c193b
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/test.yaml
@@ -0,0 +1,32 @@
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ min-version: 7
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+ flow.action: pass
+- filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.alerted: true
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
diff --git a/tests/util-action-tests/util-action-16/writepcap.py b/tests/util-action-tests/util-action-16/writepcap.py
new file mode 100644
index 000000000..cb0cf5c13
--- /dev/null
+++ b/tests/util-action-tests/util-action-16/writepcap.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+ flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)
-- 
2.47.2