tests: add test for missing default policy alert
authorJason Ish <jason.ish@oisf.net>
Wed, 27 May 2026 16:11:10 +0000 (10:11 -0600)
committerVictor Julien <victor@inliniac.net>
Wed, 27 May 2026 20:16:10 +0000 (22:16 +0200)
Test that a default app policy with alert logs an alert when an explicit rule
exists for the same hook but does not match.

tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/README.md b/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/README.md
new file mode 100644 (file)
index 0000000..4614e18
--- /dev/null
@@ -0,0 +1,3 @@
+Test that a default app policy with alert logs an alert when an explicit rule
+exists for the same hook but does not match. This exercises the
+fw_last_for_progress miss path.
diff --git a/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/firewall.rules b/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/firewall.rules
new file mode 100644 (file)
index 0000000..099c4f3
--- /dev/null
@@ -0,0 +1,6 @@
+accept:hook tcp:all any any -> any any (sid:100;)
+
+# Our PCAP has a GET, so this fast_pattern selects this as a candidate.
+# However, this PCAP does not have a POST, so it never matches.
+# We expect the default policy to take over, which is drop:flow,alert
+accept:hook http1:request_line any any -> any any (http.method; content:"GET"; fast_pattern; content:"POST"; sid:102;)
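Review bot: The first rule, `accept:hook tcp:all any any -> any any (sid:100;)`, has no comment while sid 102 is documented in detail, yet sid 100 is what lets the flow progress to the http1 hooks at all; a line such as `# Accept everything at the tcp:all hook so the flow reaches the http1 hooks below.` would make the file self-describing (that this is its purpose is inferred from the policy table in suricata.yaml, so word it as intent rather than mechanism). The comment block above sid 102 states the expected default policy as `drop:flow,alert` but not where that is configured; appending `# (configured under firewall.policies.http.request-line in suricata.yaml)` ties the two files together for the next reader.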
diff --git a/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/suricata.yaml b/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/suricata.yaml
new file mode 100644 (file)
index 0000000..af0cb7e
--- /dev/null
@@ -0,0 +1,26 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - stats
+        - alert
+        - flow
+        - http
+        - drop:
+            alerts: yes
+            flows: all
+
+firewall:
+  policies:
+    http:
+      request-started: ["accept:hook"]
+      request-line: ["drop:flow", "alert"]
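Review bot: The `request-line: ["drop:flow", "alert"]` policy at the end of the hunk is the behaviour the commit exists to test, but nothing in the file says so; a comment above `firewall:` such as `# request-line default policy: drop the flow and also emit an alert; test.yaml asserts both events on the packet where sid 102 fails to match.` would document the intent. The file opens with `%YAML 1.1`, so `yes` parses as a boolean here; that matches Suricata's own config style, but is worth remembering if this snippet is ever copied into a YAML 1.2 consumer, where `yes` is a plain string.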
diff --git a/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/test.yaml b/tests/firewall/ruletype-firewall-104-default-app-policy-missed-rule-alert/test.yaml
new file mode 100644 (file)
index 0000000..18a4caa
--- /dev/null
@@ -0,0 +1,26 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+
+# We see the first drop.
+- filter:
+    count: 1
+    match:
+      event_type: drop
+      pcap_cnt: 4
+      drop.reason: "firewall default app policy"
+
+# Confirm that we see this alert.
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 4
+      alert.signature_id: 2201001
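Review bot: The two checks at the end of the hunk confirm the drop and the default-policy alert on pcap_cnt 4, but never assert that the explicit rule (sid 102 in firewall.rules) did not fire, which is the "missed rule" condition the commit title describes; a `count: 0` filter on `alert.signature_id: 102` would pin that and catch a regression where the rule starts matching. The id 2201001 in the last check does not appear in firewall.rules, so a comment on that check such as `# 2201001 is the built-in signature id for the firewall default app policy alert, not a rule from firewall.rules` (assuming that is indeed its origin) would save the next reader a lookup. The `args` list is indented while the `checks` list is flush; pick one sequence indentation style for the file.

```yaml
# Confirm the explicit rule for this hook did NOT match; the default policy
# must be what produced the alert above.
- filter:
    count: 0
    match:
      event_type: alert
      alert.signature_id: 102
```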