tests: cover firewall default accept:tx pipelining

Add a firewall regression test for default app-layer accept:tx policies with
HTTP pipelining.

The pcap contains a full TCP conversation where two HTTP requests are carried
in the same client packet. The firewall defaults accept the first transaction
at request-complete with accept:tx, while a request_line rule should still
inspect and block the second transaction.

The test expects the /foo/ request to produce the drop alert. Current affected
Suricata branches miss that alert because the default accept:tx for the earlier
transaction accepts the packet and bypasses inspection of the later
transaction.

diff --git a/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/README.md b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/README.md
new file mode 100644 (file)
index 0000000..976ef5d
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/README.md
@@ -0,0 +1,6 @@
+Test that a default app-layer accept:tx policy at request-complete for one HTTP
+transaction does not bypass firewall inspection of a later pipelined
+transaction in the same packet.
+
+The pcap contains a full TCP conversation with two pipelined HTTP requests in
+one client packet: /bar/ followed by /foo/.

diff --git a/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/firewall.rules b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/firewall.rules
new file mode 100644 (file)
index 0000000..67cfecf
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/firewall.rules
@@ -0,0 +1,3 @@
+accept:hook tcp:all any any -> any any (sid:100;)
+
+drop:flow http1:request_line any any -> any any (http.uri; content:"/foo/"; alert; sid:5002;)

diff --git a/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/input.pcap b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/input.pcap
new file mode 100644 (file)
index 0000000..4f1bbb5
Binary files /dev/null and b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/input.pcap differ

diff --git a/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/suricata.yaml b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/suricata.yaml
new file mode 100644 (file)
index 0000000..f7bf304
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/suricata.yaml
@@ -0,0 +1,35 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - stats
+        - alert
+        - drop
+        - flow
+        - http
+
+firewall:
+  policies:
+    packet-filter: ["accept:hook"]
+    http:
+      request-started: ["accept:hook"]
+      request-line: ["accept:hook"]
+      request-headers: ["accept:hook"]
+      request-body: ["accept:hook"]
+      request-trailer: ["accept:hook"]
+      request-complete: ["accept:tx"]
+      response-started: ["accept:hook"]
+      response-line: ["accept:hook"]
+      response-headers: ["accept:hook"]
+      response-body: ["accept:hook"]
+      response-trailer: ["accept:hook"]
+      response-complete: ["accept:hook"]

diff --git a/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/test.yaml b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/test.yaml
new file mode 100644 (file)
index 0000000..7a310e4
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-88-default-accept-tx-pipeline/test.yaml
@@ -0,0 +1,17 @@
+requires:
+  min-version: 9
+
+pcap: input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5002
+        alert.action: blocked
+        http.url: /foo/