tests: check tls.cert_chain_len in firewall mode
authorJuliana Fajardini <jufajardini@oisf.net>
Thu, 9 Apr 2026 02:07:58 +0000 (23:07 -0300)
committerVictor Julien <vjulien@oisf.net>
Sat, 16 May 2026 05:41:55 +0000 (05:41 +0000)
Related to
Ticket #8387

tests/firewall/ruletype-firewall-43-tls-cert-chain/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-43-tls-cert-chain/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-43-tls-cert-chain/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-43-tls-cert-chain/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-51-tls-cert-chain/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-51-tls-cert-chain/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-51-tls-cert-chain/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-51-tls-cert-chain/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-43-tls-cert-chain/README.md b/tests/firewall/ruletype-firewall-43-tls-cert-chain/README.md
new file mode 100644 (file)
index 0000000..1eadd14
--- /dev/null
@@ -0,0 +1,3 @@
+Test that the ``tls.cert_chain_len`` keyword works in firewall mode.
+
+Expected result: traffic not allowed.
diff --git a/tests/firewall/ruletype-firewall-43-tls-cert-chain/firewall.rules b/tests/firewall/ruletype-firewall-43-tls-cert-chain/firewall.rules
new file mode 100644 (file)
index 0000000..a5931dd
--- /dev/null
@@ -0,0 +1,22 @@
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1021;)
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; sid:1022;)
+
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:101;)
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:102;)
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:103;)
+accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:104;)
+accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:105;)
+accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:106;)
+
+accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:107;)
+accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:109;)
+drop:flow tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:108;)
+drop:flow tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (tls.cert_chain_len:>2; sid:110; msg:"TLS certs chain length check"; alert;)
+accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:111;)
+accept:hook tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (sid:112;)
+accept:hook tls:server_handshake_done $EXTERNAL_NET any -> $HOME_NET any (sid:113;)
+accept:hook tls:server_finished $EXTERNAL_NET any -> $HOME_NET any (sid:114;)
+
+
+# Implicit drop all else
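Review bot: The sids on the two server_hello lines run out of order — sid:109 on the server_hello accept comes before sid:108 on the server_hello_done drop — while the sibling ruletype-firewall-51 file numbers the same two rules 108 then 109; swapping them here, `accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:108;)` and `drop:flow tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:109;)`, keeps the two rule sets diffable. The sid:110 drop rule is the keyword under test, but nothing in the file says what chain length the pcap carries; since test.yaml expects that rule to alert exactly once, presumably the server chain has more than two certificates, and a comment above it such as `# server cert chain in the pcap appears to exceed 2 certs, so this must match and drop the flow` would tell a reader why this variant expects a drop. The double blank line before `# Implicit drop all else` can be collapsed to one.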
diff --git a/tests/firewall/ruletype-firewall-43-tls-cert-chain/suricata.yaml b/tests/firewall/ruletype-firewall-43-tls-cert-chain/suricata.yaml
new file mode 100644 (file)
index 0000000..655d9e1
--- /dev/null
@@ -0,0 +1,32 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+
+    EXTERNAL_NET: "!$HOME_NET"
+
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+          - stats
+          - flow
+          - alert:
+              verdict: yes
+          - tls:
+              extended: yes     # enable this for extended logging information
+          - drop:
+              alerts: yes      # log alerts that caused drops
+              flows: all       # start or all: 'start' logs only a single drop
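Review bot: The `types:` list is indented four columns past its key while every other nested level in the file steps by two, and the `filetype: regular #regular|...` inline comment has only one space before `#`; both trip yamllint's default indentation and comments rules, and the ruletype-firewall-51 suricata.yaml has the same layout. Dedenting the `- stats` through `- drop:` entries to two columns past `types:` and writing `filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis` keeps both files lint-clean without changing what is parsed. The extra blank line between `EXTERNAL_NET` and `# Global stats configuration` is also absent from the 51 copy and can go.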
diff --git a/tests/firewall/ruletype-firewall-43-tls-cert-chain/test.yaml b/tests/firewall/ruletype-firewall-43-tls-cert-chain/test.yaml
new file mode 100644 (file)
index 0000000..60a11b1
--- /dev/null
@@ -0,0 +1,37 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 110
+- filter:
+    count: 42
+    match:
+      event_type: drop
+      drop.reason: "flow drop"
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      app_proto: tls
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.app_layer.flow.tls: 1
+      stats.flow.total: 1
+      stats.ips.accepted: 19
+      stats.ips.blocked: 43
+      stats.ips.drop_reason.flow_drop: 42
+      stats.ips.drop_reason.rules: 1
+      stats.decoder.pkts: 62
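Review bot: The drop checks only cover the 42 `flow drop` events, so the one packet blocked by the sid:110 rule itself (`stats.ips.drop_reason.rules: 1`) never gets its own drop-event assertion, and a build that dropped that packet without logging the record would still pass. A filter on the total, `- filter: {count: 43, match: {event_type: drop}}` written in block style like the existing entries, pins it from the `stats.ips.blocked: 43` value the test already asserts. Separately, `checks:` uses flush sequence items (`- filter:` at the key's column) while `args:` indents its items; yamllint's indent-sequences rule wants one style per file, and the 51 test.yaml has the same mix.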
diff --git a/tests/firewall/ruletype-firewall-51-tls-cert-chain/README.md b/tests/firewall/ruletype-firewall-51-tls-cert-chain/README.md
new file mode 100644 (file)
index 0000000..28ee932
--- /dev/null
@@ -0,0 +1,3 @@
+Test that the ``tls.cert_chain_len`` keyword works in firewall mode.
+
+Expected result: traffic allowed.
diff --git a/tests/firewall/ruletype-firewall-51-tls-cert-chain/firewall.rules b/tests/firewall/ruletype-firewall-51-tls-cert-chain/firewall.rules
new file mode 100644 (file)
index 0000000..481ee4b
--- /dev/null
@@ -0,0 +1,20 @@
+# allow session setup
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1021;)
+accept:hook tcp:all $HOME_NET any <> $EXTERNAL_NET 443 (flow:established; sid:1022;)
+
+accept:hook tls:client_in_progress $HOME_NET any -> $EXTERNAL_NET any (sid:101;)
+drop:flow tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:102;)
+accept:hook tls:client_hello_done $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"www.google.com"; sid:103;)
+accept:hook tls:client_cert_done $HOME_NET any -> $EXTERNAL_NET any (sid:104;)
+accept:hook tls:client_handshake_done $HOME_NET any -> $EXTERNAL_NET any (sid:105;)
+accept:hook tls:client_finished $HOME_NET any -> $EXTERNAL_NET any (sid:106;)
+
+accept:hook tls:server_in_progress $EXTERNAL_NET any -> $HOME_NET any (sid:107;)
+accept:hook tls:server_hello $EXTERNAL_NET any -> $HOME_NET any (sid:108;)
+drop:flow tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (tls.version:1.0; msg:"TLS 1.0 not allowed"; sid:109;)
+accept:hook tls:server_hello_done $EXTERNAL_NET any -> $HOME_NET any (sid:110;)
+accept:flow tls:server_cert_done $EXTERNAL_NET any -> $HOME_NET any (tls.cert_chain_len:>2; sid:111; msg:"TLS certs chain length check"; alert;)
+# other hooks skipped
+
+
+# Implicit drop all else
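Review bot: `# other hooks skipped` on the line after the sid:111 rule says what is missing but not why it is safe to omit the server_handshake_done and server_finished accepts that the 43 variant still carries; the reason appears to be that sid:111 is `accept:flow` rather than `accept:hook`, so once the chain check matches the rest of the flow is accepted without further hook evaluation (this test's test.yaml expects `stats.ips.blocked: 0`). Making that explicit, e.g. `# sid:111 is accept:flow, so the remaining server hooks need no accept rules`, saves the next reader from diffing the two rule files. Since there is no accept:hook for server_cert_done in this file, a non-matching chain check would fall through to the implicit drop; if that negative path is intended, a second line saying so would be useful.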
diff --git a/tests/firewall/ruletype-firewall-51-tls-cert-chain/suricata.yaml b/tests/firewall/ruletype-firewall-51-tls-cert-chain/suricata.yaml
new file mode 100644 (file)
index 0000000..00b63b0
--- /dev/null
@@ -0,0 +1,31 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+
+    EXTERNAL_NET: "!$HOME_NET"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+          - stats
+          - flow
+          - alert:
+              verdict: yes
+          - tls:
+              extended: yes     # enable this for extended logging information
+          - drop:
+              alerts: yes      # log alerts that caused drops
+              flows: all       # start or all: 'start' logs only a single drop
diff --git a/tests/firewall/ruletype-firewall-51-tls-cert-chain/test.yaml b/tests/firewall/ruletype-firewall-51-tls-cert-chain/test.yaml
new file mode 100644 (file)
index 0000000..91e6dae
--- /dev/null
@@ -0,0 +1,30 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-client-hello-frag-01/dump_mtu300.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 111
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.app_layer.flow.tls: 1
+      stats.flow.total: 1
+      stats.ips.accepted: 62
+      stats.ips.blocked: 0
+      stats.ips.drop_reason.flow_drop: 0
+      stats.ips.drop_reason.rules: 0
+      stats.decoder.pkts: 62
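Review bot: This test asserts no drop events and the accepted/blocked stats but, unlike the 43 variant, has no `event_type: flow` check, so the flow record itself (its `app_proto` and action) is never verified on the accepted path. Adding the parallel filter `- filter: {count: 1, match: {event_type: flow, app_proto: tls}}`, in block style like the existing entries, keeps the two tests symmetrical; the 43 copy additionally matches `flow.action: drop`, and the accepted-side value of that field is worth pinning here once confirmed from the eve output.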