tests: test showing defaults taking precedence over rules 3092/head
authorJason Ish <jason.ish@oisf.net>
Fri, 15 May 2026 19:11:37 +0000 (13:11 -0600)
committerVictor Julien <vjulien@oisf.net>
Sat, 16 May 2026 05:41:55 +0000 (05:41 +0000)
tests/firewall/ruletype-firewall-89-defaults-over-drop/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-89-defaults-over-drop/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-89-defaults-over-drop/input.pcap [new file with mode: 0644]
tests/firewall/ruletype-firewall-89-defaults-over-drop/suricata.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-89-defaults-over-drop/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-89-defaults-over-drop/README.md b/tests/firewall/ruletype-firewall-89-defaults-over-drop/README.md
new file mode 100644 (file)
index 0000000..1323f7e
--- /dev/null
@@ -0,0 +1,5 @@
+Test that a default app-layer accept:tx policy at request-complete does not
+prevent a later HTTP request-line drop from being applied.
+
+The pcap contains a single full TCP conversation with one complete HTTP request
+and response for /bar/.
diff --git a/tests/firewall/ruletype-firewall-89-defaults-over-drop/firewall.rules b/tests/firewall/ruletype-firewall-89-defaults-over-drop/firewall.rules
new file mode 100644 (file)
index 0000000..feb6b7b
--- /dev/null
@@ -0,0 +1,3 @@
+accept:hook tcp:all any any -> any any (sid:100;)
+
+drop:flow http1:request_line any any -> any any (http.uri; content:"/bar"; alert; sid:5002;)
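Review bot: `content:"/bar"` on the sid:5002 line is an unanchored substring match on the URI, so it would also fire on requests such as `/foobar` or `/barrel`; since the README says the pcap's single request is for `/bar/`, pinning it with `http.uri; content:"/bar/"; startswith;` makes the test document exactly which request-line it expects to drop. The rule file also carries no comments, and the relationship between the two rules is only explained in the README; a header such as `# sid:100 accepts everything at the tcp:all hook (presumably the packet-filter layer); sid:5002 must still drop the /bar/ request at request_line` would make the setup readable on its own. The `drop:flow` action is the intended one here as it must block the rest of the conversation, which matches the ips.blocked count in test.yaml.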
diff --git a/tests/firewall/ruletype-firewall-89-defaults-over-drop/input.pcap b/tests/firewall/ruletype-firewall-89-defaults-over-drop/input.pcap
new file mode 100644 (file)
index 0000000..ef42a94
Binary files /dev/null and b/tests/firewall/ruletype-firewall-89-defaults-over-drop/input.pcap differ
diff --git a/tests/firewall/ruletype-firewall-89-defaults-over-drop/suricata.yaml b/tests/firewall/ruletype-firewall-89-defaults-over-drop/suricata.yaml
new file mode 100644 (file)
index 0000000..a009691
--- /dev/null
@@ -0,0 +1,35 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - stats
+        - alert
+        - drop
+        - flow
+        - http
+
+firewall:
+  policies:
+    packet-filter: ["accept:hook"]
+    http:
+      request-started: ["accept:hook"]
+      request-line: ["accept:hook"]
+      request-headers: ["accept:hook"]
+      request-body: ["accept:hook"]
+      request-trailer: ["accept:hook"]
+      request-complete: ["accept:hook"]
+      response-started: ["accept:hook"]
+      response-line: ["accept:hook"]
+      response-headers: ["accept:hook"]
+      response-body: ["accept:hook"]
+      response-trailer: ["accept:hook"]
+      response-complete: ["accept:hook"]
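Review bot: The `request-complete` entry under the http policy is `accept:hook`, while this test's README describes a default `accept:tx` policy at request-complete as the thing that must not mask the later request-line drop; one of the two is wrong, and as written the configuration does not appear to set an accept:tx default anywhere. If accept:tx is the trigger the commit wants to exercise, change the line to `request-complete: ["accept:tx"]`; otherwise the README should be corrected so the next reader does not look for a policy that is not configured. A comment above `firewall:` naming which default the test is about, e.g. `# every hook defaults to accept; the request-line drop (sid 5002) must still be applied`, would keep the two files from drifting apart again. The `enabled: yes` booleans follow the upstream suricata.yaml convention, so no change is needed there.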
diff --git a/tests/firewall/ruletype-firewall-89-defaults-over-drop/test.yaml b/tests/firewall/ruletype-firewall-89-defaults-over-drop/test.yaml
new file mode 100644 (file)
index 0000000..8eba1cd
--- /dev/null
@@ -0,0 +1,25 @@
+requires:
+  min-version: 9
+
+pcap: input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 5002
+        alert.action: blocked
+        alert.engine: fw
+        pcap_cnt: 4
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 4
+  - stats:
+      ips.blocked: 7
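Review bot: The checks never assert that sid 5002 is the only alert, so an extra alert (a second one for the same signature later in the flow, or one from a future change to sid 100) would not fail the test even though the point of the commit is that exactly one drop is applied. Adding a bare `- filter: {count: 1, match: {event_type: alert}}` next to the signature-specific filter closes that gap. The `ips.blocked: 7` stat is a magic number tied to the pcap's packet count; a comment such as `# the request at pcap_cnt 4 and every later packet of the flow are blocked (7 packets)` — worth confirming against the pcap — would explain where 7 comes from and why a pcap change must update it.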