--- /dev/null
+Test packet filter accept:flow still allowing TD matching.
--- /dev/null
+accept:packet arp:all any any -> any any (sid:200;)
+
+accept:hook tcp:all any any <> any 80 (flow:not_established; sid:1021;)
+accept:flow tcp:all any any <> any 80 (flow:established; sid:1023;)
--- /dev/null
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - stats
+ - alert
--- /dev/null
+alert tcp-pkt any any -> any 80 (flow:to_server,established; content:"GET"; startswith; sid:100001;)
--- /dev/null
+requires:
+ min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ # Should see this rule fire once, but it currenty being bypassed.
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100001
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 10
+ stats.ips.blocked: 0
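Review bot: The comment on the sid 100001 check says the rule is "currenty being bypassed", which contradicts the `count: 1` assertion directly under it — if bypass were the real behavior this check would fail, and if one alert is the intended behavior the comment is stale. State the expectation rather than the suspected bug, e.g. `# The accept:flow rule (sid 1023) must not bypass detection: expect exactly one alert.`, and fix the typo while at it. If the bypass is a known open problem, say so in the comment instead of leaving text that disagrees with the check it annotates.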
--- /dev/null
+Test packet filter accept:flow still allowing TD matching.
--- /dev/null
+accept:packet arp:all any any -> any any (sid:200;)
+
+accept:hook tcp:all any any <> any 80 (flow:not_established; sid:1021;)
+accept:hook tcp:all any any <> any 80 (flow:established; sid:1023;)
--- /dev/null
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - stats
+ - alert
+ - drop
+ - flow
+
+firewall:
+ policies:
+ http:
+ request-started: [ "accept:flow" ]
+ #request-started: [ "accept:flow", "pass:flow" ]
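Review bot: The live policy `request-started: [ "accept:flow" ]` does not match the expectation comments in this test's test.yaml hunk (L97 and L103: "no match expected due to `accept:flow,pass:flow`"), which describe the commented-out variant on the next line, so the config and the checks disagree about what is being pinned. With only accept:flow in effect, the README's own claim that accept:flow still allows detection suggests the `count: 0` expectations for alert and drop are wrong, or the wrong policy line is commented out. Either keep `request-started: [ "accept:flow", "pass:flow" ]` and leave the counts at 0, or keep accept:flow and change the counts and comments to match. Leaving a commented alternative policy next to the active one makes it hard to tell which behavior the test is meant to guard.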
--- /dev/null
+alert http any any -> any 80 (flow:to_server,established; http.method; content:"GET"; startswith; sid:100001;)
+##alert http any any -> any 80 (flow:to_server,established; http.uri; content:"GET"; startswith; sid:100001;)
--- /dev/null
+requires:
+ min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+
+checks:
+- filter:
+ # no match expected due to `accept:flow,pass:flow`
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100001
+- filter:
+ # no match expected due to `accept:flow,pass:flow`
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.ips.accepted: 10
+ stats.ips.blocked: 0
--- /dev/null
+Test packet filter accept:flow still allowing TD matching.
--- /dev/null
+accept:packet arp:all any any -> any any (sid:200;)
+
+accept:hook tcp:all any any <> any 80 (flow:not_established; sid:1021;)
+accept:hook tcp:all any any <> any 80 (flow:established; sid:1023;)
--- /dev/null
+%YAML 1.1
+---
+
+# Global stats configuration
+stats:
+ enabled: yes
+ interval: 8
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - stats
+ - alert
+ - drop
+ - flow
+
+firewall:
+ policies:
+ http:
+ request-started: [ "accept:foo" ]
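Review bot: `request-started: [ "accept:foo" ]` turns this into a negative config-validation test (the test.yaml runs with `-T` and expects `exit-code: 1`), but the README at L114 reuses the wording of the other two tests, "Test packet filter accept:flow still allowing TD matching", which describes a different scenario. Rewrite it as `Test that an unknown firewall policy action (accept:foo) is rejected when the config is validated with -T.` A non-zero exit code alone does not distinguish a rejected policy from any other config or rule-loading failure; if the harness can match log output, also check for the policy-parsing error so the test fails for the intended reason. The eve-log output and rules settings here are not exercised by a `-T` run and could be trimmed to what the validation needs.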
--- /dev/null
+alert http any any -> any 80 (flow:to_server,established; http.method; content:"GET"; startswith; sid:100001;)
+##alert http any any -> any 80 (flow:to_server,established; http.uri; content:"GET"; startswith; sid:100001;)
--- /dev/null
+requires:
+ min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+ - --simulate-ips
+ - -k none
+ - -T
+
+exit-code: 1