From 618ec934dfa21c59b666dd988f1f6cd8297ca856 Mon Sep 17 00:00:00 2001 
From: Victor Julien Date: Mon, 21 Mar 2022 22:03:13 +0100 Subject: [PATCH] tests: ips exception handling tests --- .../suricata.yaml | 27 ++++++++++ tests/exception-policy-applayer-01/test.rules | 5 ++ tests/exception-policy-applayer-01/test.yaml | 50 ++++++++++++++++++ .../exception-policy-default-01/suricata.yaml | 20 +++++++ tests/exception-policy-default-01/test.rules | 4 ++ tests/exception-policy-default-01/test.yaml | 23 ++++++++ tests/exception-policy-defrag-01/README.md | 1 + .../exception-policy-defrag-01/ipv4frags.pcap | Bin 0 -> 2990 bytes .../exception-policy-defrag-01/suricata.yaml | 27 ++++++++++ tests/exception-policy-defrag-01/test.rules | 1 + tests/exception-policy-defrag-01/test.yaml | 36 +++++++++++++ .../suricata.yaml | 27 ++++++++++ .../test.rules | 5 ++ .../test.yaml | 50 ++++++++++++++++++ .../suricata.yaml | 27 ++++++++++ .../test.rules | 5 ++ .../test.yaml | 35 ++++++++++++ .../suricata.yaml | 27 ++++++++++ .../test.rules | 5 ++ .../test.yaml | 34 ++++++++++++ .../suricata.yaml | 16 ++++++ .../test.rules | 3 ++ .../test.yaml | 50 ++++++++++++++++++ .../suricata.yaml | 16 ++++++ .../test.rules | 3 ++ .../test.yaml | 50 ++++++++++++++++++ .../suricata.yaml | 16 ++++++ .../test.rules | 3 ++ .../test.yaml | 50 ++++++++++++++++++ .../suricata.yaml | 27 ++++++++++ .../test.rules | 5 ++ .../test.yaml | 49 +++++++++++++++++ 32 files changed, 697 insertions(+) create mode 100644 tests/exception-policy-applayer-01/suricata.yaml create mode 100644 tests/exception-policy-applayer-01/test.rules create mode 100644 tests/exception-policy-applayer-01/test.yaml create mode 100644 tests/exception-policy-default-01/suricata.yaml create mode 100644 tests/exception-policy-default-01/test.rules create mode 100644 tests/exception-policy-default-01/test.yaml create mode 100644 tests/exception-policy-defrag-01/README.md create mode 100644 tests/exception-policy-defrag-01/ipv4frags.pcap create mode 100644 tests/exception-policy-defrag-01/suricata.yaml create mode 
100644 tests/exception-policy-defrag-01/test.rules
create mode 100644 tests/exception-policy-defrag-01/test.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-01/test.rules
create mode 100644 tests/exception-policy-stream-reassembly-memcap-01/test.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-02/suricata.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-02/test.rules
create mode 100644 tests/exception-policy-stream-reassembly-memcap-02/test.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-03/suricata.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-03/test.rules
create mode 100644 tests/exception-policy-stream-reassembly-memcap-03/test.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-04/suricata.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-04/test.rules
create mode 100644 tests/exception-policy-stream-reassembly-memcap-04/test.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-05/test.rules
create mode 100644 tests/exception-policy-stream-reassembly-memcap-05/test.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml
create mode 100644 tests/exception-policy-stream-reassembly-memcap-06/test.rules
create mode 100644 tests/exception-policy-stream-reassembly-memcap-06/test.yaml
create mode 100644 tests/exception-policy-stream-ssn-memcap-01/suricata.yaml
create mode 100644 tests/exception-policy-stream-ssn-memcap-01/test.rules
create mode 100644 tests/exception-policy-stream-ssn-memcap-01/test.yaml
diff --git a/tests/exception-policy-applayer-01/suricata.yaml b/tests/exception-policy-applayer-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-applayer-01/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-applayer-01/test.rules b/tests/exception-policy-applayer-01/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/exception-policy-applayer-01/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-applayer-01/test.yaml b/tests/exception-policy-applayer-01/test.yaml
new file mode 100644
index 000000000..a1727f50e
--- /dev/null
+++ b/tests/exception-policy-applayer-01/test.yaml
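Review bot: The comment on sid:3 in tests/exception-policy-applayer-01/test.rules, `# matches packet 4, but should not alert due to memcap drop`, does not describe this test: the applayer-01 test.yaml simulates an app-layer error (`--simulate-applayer-error-at-offset-ts=0` with `app-layer.error-policy=drop-flow`), not a memcap, so the wording looks carried over from the stream-memcap tests. Suggest `# matches packet 4, but should not alert: the flow is dropped by the app-layer error policy`. The identical rules blob (`index 000000000..da4a536f4`) is also added for stream-reassembly-memcap-01 and stream-ssn-memcap-01, where the memcap wording fits, so only this copy needs its own text.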
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend pretend error in the first data
+- --simulate-applayer-error-at-offset-ts=0
+- --set app-layer.error-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "applayer error"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-default-01/suricata.yaml b/tests/exception-policy-default-01/suricata.yaml
new file mode 100644
index 000000000..b1a0e258c
--- /dev/null
+++ b/tests/exception-policy-default-01/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-default-01/test.rules b/tests/exception-policy-default-01/test.rules
new file mode 100644
index 000000000..c47db71d7
--- /dev/null
+++ b/tests/exception-policy-default-01/test.rules
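Review bot: The comment above the simulate flag in tests/exception-policy-applayer-01/test.yaml, `# pretend pretend error in the first data`, repeats a word and does not say which error is simulated; suggest `# pretend an app-layer error at offset 0 of the first data (the -ts suffix presumably selects the to-server direction)`. A second line explaining the expected totals would help too, e.g. `# 29 drops: 1 logged as "applayer error" for the packet that hit the error, 28 as "flow drop" for the rest of the flow`, which is what the checks below assert. The same duplicated word appears in tests/exception-policy-defrag-01/test.yaml (the hunk on L8).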
@@ -0,0 +1,4 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; priority:2; sid:2; rev:1;)
+# matches packet 4, but no match due to action order
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-default-01/test.yaml b/tests/exception-policy-default-01/test.yaml
new file mode 100644
index 000000000..3c7a8d03c
--- /dev/null
+++ b/tests/exception-policy-default-01/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.sni: example.com
diff --git a/tests/exception-policy-defrag-01/README.md b/tests/exception-policy-defrag-01/README.md
new file mode 100644
index 000000000..de98e6b68
--- /dev/null
+++ b/tests/exception-policy-defrag-01/README.md
@@ -0,0 +1 @@
+pcap from https://wiki.wireshark.org/SampleCaptures
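Review bot: tests/exception-policy-default-01/test.yaml is the baseline of the series but carries no comment saying so; a reader has to diff it against exception-policy-applayer-01 to notice that the only difference is the absence of any `--simulate-*` flag. Suggest a line before `args:` such as `# baseline with no simulated exception: the pass rule for example.com wins over the drop rule and sid:3 under the configured action-order, so no alert and no drop`, which is exactly what the three checks assert. The `requires: files: src/util-exception-policy.c` gate is not strictly needed here since no exception policy is exercised, but keeping it groups the baseline with the tests it is the control for.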
diff --git a/tests/exception-policy-defrag-01/ipv4frags.pcap b/tests/exception-policy-defrag-01/ipv4frags.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..5a6e4d20ac82dc86750b7b2184a6b335c39aae39
GIT binary patch literal 2990 zc-p&ic+)~A1{MYwxWLZ9zzC#8v@b=*XmK!nVrBqi4hHo{^Oph1KUpU^7+e{cpKQIL zz~I0*+l7gdkqL+yIT(Bkg%2?>f^>pRvIXh}0RcfFVG&U=aS2H&X&G5Lc?Cr!WffI5 zbq!4|Z5>@beFH-yV-r&|a|=r=Ya3fTdk04+XBSsDcMnf5Zy#Sj|A4@t;E>R;@QBE$ z=$P2J_=LoyYCcR`i91)=9bpB_Kwc3?w;Ph z{s|K&O`bA!+VmMSXU(27ci#L33l}Y3vUJ(<6)RV*UbA-H`VAX5ZQinV+x8thckSM@ zci;X42M--Sa`f2o6DLodK6Ccm`3n~>UA}Vl+VvYZZ{5Cg_ul;n4<9{#^7PsB7cXDE ze)IO-`wt&Keg5+G+xH(ofBpXR_uqd8MkZz!RyKAHPA+a9UOxU&|Bw2ADEc3ikLLpO z@Fiez0K(`c0OOIZ7Z|D>827w_l>nnDW@z~z6vL4^91M$C8Ne78w~%;tWni7s{EY!v f#=p)3#V#n885lxG%lOe0JL>;Y|Bw2A0Q?UC!GvQ2 literal 0 Hc-jL100001
diff --git a/tests/exception-policy-defrag-01/suricata.yaml b/tests/exception-policy-defrag-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-defrag-01/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-defrag-01/test.rules b/tests/exception-policy-defrag-01/test.rules
new file mode 100644
index 000000000..c0f94ab54
--- /dev/null
+++ b/tests/exception-policy-defrag-01/test.rules
@@ -0,0 +1 @@
+alert icmp any any -> any any (itype:8; sid:1;)
diff --git a/tests/exception-policy-defrag-01/test.yaml b/tests/exception-policy-defrag-01/test.yaml
new file mode 100644
index 000000000..02a87c3a8
--- /dev/null
+++ b/tests/exception-policy-defrag-01/test.yaml
@@ -0,0 +1,36 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+args:
+- --simulate-ips
+- -k none
+# pretend pretend error in the first fragment
+- --simulate-packet-defrag-memcap=1
+- --set defrag.memcap-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "defrag memcap"
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ proto: ICMP
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
+ proto: ICMP
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-01/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/test.rules b/tests/exception-policy-stream-reassembly-memcap-01/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-01/test.rules
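Review bot: The comment `# pretend pretend error in the first fragment` in tests/exception-policy-defrag-01/test.yaml calls the simulated condition an error, but the flags below it simulate a defrag memcap hit (`--simulate-packet-defrag-memcap=1` with `defrag.memcap-policy=drop-packet`); suggest `# pretend the defrag memcap is hit on the first fragment; drop-packet drops only that packet, so the flow is not marked dropped`. This is also the only test.yaml in the series without a `pcap:` key; presumably the runner falls back to the single capture in the test directory (ipv4frags.pcap), but an explicit `pcap: ipv4frags.pcap` would make that visible and match the other tests. The `count: 0` on the itype:8 alert only holds if every echo request in that capture is fragmented, which is worth stating in the comment once confirmed against the sample.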
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-01/test.yaml b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
new file mode 100644
index 000000000..81c72f685
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-01/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-02/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-02/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-02/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-02/test.rules b/tests/exception-policy-stream-reassembly-memcap-02/test.rules
new file mode 100644
index 000000000..4d794bf0b
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-02/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap pass
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-02/test.yaml b/tests/exception-policy-stream-reassembly-memcap-02/test.yaml
new file mode 100644
index 000000000..4ddaf4cf3
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-02/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=pass-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ flow.action: pass
diff --git a/tests/exception-policy-stream-reassembly-memcap-03/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-03/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-03/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-reassembly-memcap-03/test.rules b/tests/exception-policy-stream-reassembly-memcap-03/test.rules
new file mode 100644
index 000000000..080a424ce
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-03/test.rules
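Review bot: The pass-flow test in tests/exception-policy-stream-reassembly-memcap-02/test.yaml, and the bypass test in stream-reassembly-memcap-03/test.yaml (the hunk on L12), omit the comment that memcap-01 carries above its simulate flag, so a reader cannot tell from these files why packet 4 is the trigger. Suggest adding the same line to both: `# pretend tcp memcap was hit in packet 4, the client hello containing the sni`. A second line tying the policy to the counts would also help here, e.g. `# pass-flow: no drop and no alert; a tls event is still logged but without sni, presumably because the client hello is never reassembled`, since `event_type: tls` at 1 next to `tls.sni: example.com` at 0 is otherwise surprising.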
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap bypass
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-03/test.yaml b/tests/exception-policy-stream-reassembly-memcap-03/test.yaml
new file mode 100644
index 000000000..5a7db9f7e
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-03/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=bypass
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.state: bypassed
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-04/suricata.yaml
new file mode 100644
index 000000000..758f72085
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-04/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/test.rules b/tests/exception-policy-stream-reassembly-memcap-04/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-04/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-04/test.yaml b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
new file mode 100644
index 000000000..81c72f685
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-04/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 29
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 28
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml
new file mode 100644
index 000000000..758f72085
--- /dev/null
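Review bot: tests/exception-policy-stream-reassembly-memcap-04/test.yaml is byte-identical to the memcap-01 one (both hunks carry `index 000000000..81c72f685`), so what distinguishes this test is only visible in its suricata.yaml (no `anomaly` output and no `action-order` section, blob 758f72085) and its test.rules (no drop rule, `priority` keywords, blob 55923b296). A comment at the top of this test.yaml would save readers a directory diff, e.g. `# same scenario as stream-reassembly-memcap-01, but without an explicit action-order and with priority-based rules; drop-flow must still win`. memcap-05 and memcap-06 reuse the same two blobs and differ from this test only in the policy value, so a one-line cross-reference in each of their test.yaml files would help in the same way.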
+++ b/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/test.rules b/tests/exception-policy-stream-reassembly-memcap-05/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-05/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-05/test.yaml b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
new file mode 100644
index 000000000..24e399ac9
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-05/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=drop-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml
new file mode 100644
index 000000000..758f72085
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-06/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
diff --git a/tests/exception-policy-stream-reassembly-memcap-06/test.rules b/tests/exception-policy-stream-reassembly-memcap-06/test.rules
new file mode 100644
index 000000000..55923b296
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-06/test.rules
@@ -0,0 +1,3 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; priority:2; sid:1;)
+# matches packet 4, but no match due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; priority:1; sid:3;)
diff --git a/tests/exception-policy-stream-reassembly-memcap-06/test.yaml b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml
new file mode 100644
index 000000000..e742f8e4c
--- /dev/null
+++ b/tests/exception-policy-stream-reassembly-memcap-06/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+# pretend tcp memcap was hit in packet 4, the client hello containing the sni
+- --simulate-packet-tcp-reassembly-memcap=4
+- --set stream.reassembly.memcap-policy=pass-packet
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: drop
diff --git a/tests/exception-policy-stream-ssn-memcap-01/suricata.yaml b/tests/exception-policy-stream-ssn-memcap-01/suricata.yaml
new file mode 100644
index 000000000..dfccb8afa
--- /dev/null
+++ b/tests/exception-policy-stream-ssn-memcap-01/suricata.yaml
@@ -0,0 +1,27 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ types:
+ - alert:
+ tagged-packets: yes
+ - anomaly:
+ enabled: yes
+ types:
+ decode: no
+ stream: yes
+ applayer: yes
+ - tls:
+ extended: yes # enable this for extended logging information
+ - drop:
+ alerts: yes # log alerts that caused drops
+ flows: all # start or all: 'start' logs only a single drop
+ # per flow direction. All logs each dropped pkt.
+ - flow
+action-order:
+ - pass
+ - drop
+ - reject
+ - alert
diff --git a/tests/exception-policy-stream-ssn-memcap-01/test.rules b/tests/exception-policy-stream-ssn-memcap-01/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/exception-policy-stream-ssn-memcap-01/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/exception-policy-stream-ssn-memcap-01/test.yaml b/tests/exception-policy-stream-ssn-memcap-01/test.yaml
new file mode 100644
index 000000000..1e59743e1
--- /dev/null
+++ b/tests/exception-policy-stream-ssn-memcap-01/test.yaml
@@ -0,0 +1,49 @@
+requires:
+ features:
+ - DEBUG
+ files:
+ - src/util-exception-policy.c
+pcap: ../tls-ja3s/input.pcap
+args:
+- --simulate-ips
+- -k none
+- --simulate-packet-tcp-ssn-memcap=1
+- --set stream.memcap-policy=drop-flow
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 32
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: drop
+ drop.reason: "stream memcap"
+ - filter:
+ count: 31
+ match:
+ event_type: drop
+ drop.reason: "flow drop"
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ tls.sni: example.com
+ - filter:
+ count: 0
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ app_proto: tls
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ flow.action: drop
--
2.47.2
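Review bot: tests/exception-policy-stream-ssn-memcap-01/test.yaml has no comment above `--simulate-packet-tcp-ssn-memcap=1` explaining the trigger, unlike the reassembly tests, and its totals (32 drops: 1 "stream memcap" plus 31 "flow drop") differ from the 29 in stream-reassembly-memcap-01 without the file saying why. The difference is consistent with the same flow being dropped from packet 1 instead of packet 4, which would make 32 its full packet count in ../tls-ja3s/input.pcap; suggest, after confirming that against the capture, `# pretend the stream session memcap is hit on packet 1, so every packet of the flow (32) is dropped`. The `app_proto: tls` flow check expecting 0 is worth a word too, since it encodes that no protocol is ever detected on a flow dropped from its first packet.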