tests: firewall test showing default drop with alert

diff --git a/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/README.md b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/README.md
new file mode 100644 (file)
index 0000000..b9b2fa8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/README.md
@@ -0,0 +1,2 @@
+Test to show that a default policy of "drop:flow,alert" does not result in an
+alert.

diff --git a/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/firewall.rules b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/firewall.rules
new file mode 100644 (file)
index 0000000..98760c1
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/firewall.rules
@@ -0,0 +1,4 @@
+accept:hook udp:all any any -> any any (sid:100;)
+
+# Accept DNS requests for dropbox.
+accept:hook dns:request_complete any any -> any any (dns.query; content:"dropbox"; sid:102;)

diff --git a/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/input.pcap b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/input.pcap
new file mode 100644 (file)
index 0000000..8e6fe0b
Binary files /dev/null and b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/input.pcap differ

diff --git a/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/suricata.yaml b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/suricata.yaml
new file mode 100644 (file)
index 0000000..e2faba2
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/suricata.yaml
@@ -0,0 +1,32 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - stats
+        - alert
+        - flow
+        - dns
+        - drop:
+            flows: all
+
+firewall:
+  policies:
+    dns:
+      # Allow DNS requests to start.
+      request-started: ["accept:hook"]
+
+      # Drop and alert on all DNS requests that are not allowed in
+      # firewall.rules.
+      request-complete: ["drop:flow", "alert"]
+
+      # Accept all responses.
+      response-started: ["accept:flow"]

diff --git a/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/test.yaml b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/test.yaml
new file mode 100644 (file)
index 0000000..d83f6a3
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-103-default-app-policy-drop-alert/test.yaml
@@ -0,0 +1,29 @@
+requires:
+  min-version: 9
+
+pcap: input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+
+- filter:
+    count: 1
+    match:
+      event_type: drop
+      pcap_cnt: 3
+      drop.reason: "firewall default app policy"
+
+- stats:
+    firewall.blocked: 2
+    firewall.accepted: 2
+
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature: "SURICATA FW default app policy"
+
+