tests: add test for packet policy alert skipping app rule
authorJason Ish <jason.ish@oisf.net>
Wed, 27 May 2026 16:40:50 +0000 (10:40 -0600)
committerVictor Julien <victor@inliniac.net>
Wed, 27 May 2026 20:16:10 +0000 (22:16 +0200)
tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/README.md b/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/README.md
new file mode 100644 (file)
index 0000000..838b7ff
--- /dev/null
@@ -0,0 +1,3 @@
+Test that a default packet policy of accept:hook,alert logs an alert without
+turning the hook accept into a packet accept that skips later app firewall
+rules.
diff --git a/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/firewall.rules b/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/firewall.rules
new file mode 100644 (file)
index 0000000..1cc7128
--- /dev/null
@@ -0,0 +1 @@
+accept:hook,alert http1:request_started any any -> any any (sid:101;)
diff --git a/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/suricata.yaml b/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/suricata.yaml
new file mode 100644 (file)
index 0000000..c272104
--- /dev/null
@@ -0,0 +1,37 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - stats
+        - alert
+        - flow
+        - http
+        - drop:
+            alerts: yes
+            flows: all
+
+firewall:
+  policies:
+    packet-filter: ["accept:hook", "alert"]
+    http:
+      request-started: ["accept:hook"]
+      request-line: ["accept:hook"]
+      request-headers: ["accept:hook"]
+      request-body: ["accept:hook"]
+      request-trailer: ["accept:hook"]
+      request-complete: ["accept:hook"]
+      response-started: ["accept:hook"]
+      response-line: ["accept:hook"]
+      response-headers: ["accept:hook"]
+      response-body: ["accept:hook"]
+      response-trailer: ["accept:hook"]
+      response-complete: ["accept:hook"]
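Review bot: The `packet-filter` default policy is the subject of this test, yet the config carries no comment saying so, and a reader diffing it against the other firewall test configs will not see why `alert` is appended to the usual `accept:hook`. Suggest placing `# Under test: a default packet policy of accept:hook plus alert. The alert must not promote the hook accept into a packet accept that skips the http hook rules below.` directly above `packet-filter:`. The `drop` output with `alerts: yes` and `flows: all` is also enabled here but nothing in the accompanying test.yaml consumes it; if it is kept deliberately for debugging failed runs, a one-line comment such as `# drop log kept for diagnosing unexpected drops; not asserted by test.yaml` would stop it from being pruned as dead config.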
diff --git a/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/test.yaml b/tests/firewall/ruletype-firewall-105-default-packet-policy-alert-app-rule/test.yaml
new file mode 100644 (file)
index 0000000..50f87b8
--- /dev/null
@@ -0,0 +1,22 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+# We should see an alert for SID 101.
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 101
+# Should see a default packet policy alert for each packet.
+- filter:
+    count: 10
+    match:
+      event_type: alert
+      alert.signature_id: 2201000
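Review bot: The checks assert that sid 101 fires and that the default packet policy alert (sid 2201000) fires per packet, but nothing asserts that no packet was dropped, even though the suricata.yaml in this change enables the `drop` output with `alerts: yes` and `flows: all`; a `count: 0` filter on `event_type: drop` would pin the "accept:hook everywhere means nothing is dropped" invariant directly rather than leaving it implied by the presence of the sid 101 alert. The `count: 10` on sid 2201000 also hard-codes the packet count of the shared `../../flowbit-oring/input.pcap`, so the comment above it should say that the number equals the pcap's packet count (presumably it must change if that pcap is ever regenerated), e.g. `# One default packet policy alert per packet; 10 is the packet count of the shared input.pcap.`
```yaml
# … unchanged: requires, pcap, args, existing two filters …
# Every hook policy is accept:hook, so nothing should ever be dropped.
- filter:
    count: 0
    match:
      event_type: drop
```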