tests: update bug 7725 tests for Suricata 7 master 2613/head
authorJuliana Fajardini <jufajardini@oisf.net>
Sat, 14 Jun 2025 00:00:54 +0000 (21:00 -0300)
committerVictor Julien <victor@inliniac.net>
Fri, 8 Aug 2025 06:16:49 +0000 (08:16 +0200)
Also added a few more cases for disabled config.

Related to (backport ticket 7726)
Bug #7725

20 files changed:
tests/bug-7725-01/README.md [moved from tests/bug-7725/README.md with 100% similarity]
tests/bug-7725-01/ip_in_ip.pcap [moved from tests/bug-7725/ip_in_ip.pcap with 100% similarity]
tests/bug-7725-01/suricata.yaml [new file with mode: 0644]
tests/bug-7725-01/test.rules [moved from tests/bug-7725/test.rules with 100% similarity]
tests/bug-7725-01/test.yaml [moved from tests/bug-7725/test.yaml with 96% similarity]
tests/bug-7725-02/README.md [new file with mode: 0644]
tests/bug-7725-02/ip_in_ip.pcap [new file with mode: 0644]
tests/bug-7725-02/suricata.yaml [new file with mode: 0644]
tests/bug-7725-02/test.rules [new file with mode: 0644]
tests/bug-7725-02/test.yaml [new file with mode: 0644]
tests/bug-7725-03/README.md [new file with mode: 0644]
tests/bug-7725-03/ip_in_ip.pcap [new file with mode: 0644]
tests/bug-7725-03/suricata.yaml [moved from tests/bug-7725/suricata.yaml with 96% similarity]
tests/bug-7725-03/test.rules [new file with mode: 0644]
tests/bug-7725-03/test.yaml [new file with mode: 0644]
tests/bug-7725-04/README.md [new file with mode: 0644]
tests/bug-7725-04/ip_in_ip.pcap [new file with mode: 0644]
tests/bug-7725-04/suricata.yaml [new file with mode: 0644]
tests/bug-7725-04/test.rules [new file with mode: 0644]
tests/bug-7725-04/test.yaml [new file with mode: 0644]

diff --git a/tests/bug-7725-01/suricata.yaml b/tests/bug-7725-01/suricata.yaml
new file mode 100644 (file)
index 0000000..92b3f73
--- /dev/null
@@ -0,0 +1,33 @@
+%YAML 1.1
+---
+
+decoder:
+  ipv4:
+    ipip:
+      enabled: true
+      track-parent-flow: true
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
+  - stats:
+      enabled: yes
+      filename: stats.log
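Review bot: Boolean spelling is mixed within the file: the decoder stanza uses `enabled: true`, while `stats`, `console`, `eve-log`, `drop.alerts` and the stats output use `yes`; under the declared `%YAML 1.1` both read as booleans, but one spelling keeps the file consistent with the version it declares, e.g. `enabled: true` and `alerts: true` throughout. `default-output-filter:` with no value parses as null; if an empty filter is what is meant, `default-output-filter: ""` or `null` says so explicitly. The two sequences are indented differently (`- console:` flush under `logging.outputs`, `  - eve-log:` indented under `outputs`), and the inline comment on `filetype` needs a space after `#`. The same applies to the bug-7725-02 and bug-7725-04 suricata.yaml hunks.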
similarity index 96%
rename from tests/bug-7725/test.yaml
rename to tests/bug-7725-01/test.yaml
index 10c3fccb4e37703ac2ac9fdb6f7a39e150de993e..980199f3df36fecfc55f323b6ffeb816d353cf6e 100644 (file)
@@ -1,10 +1,11 @@
 requires:
-  min-version: 8
+  min-version: 7.0.12
 
 args:
 - -k none
 - --simulate-ips
 - --set stream.midstream=true
+- --runmode=single
 
 checks:
   - filter:
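Review bot: `min-version: 7.0.12` is a plain scalar that becomes a string only because it has two dots, whereas the replaced `min-version: 8` was an int; quoting version values, `min-version: "7.0.12"`, removes the dependence on parser typing and applies to the three new test.yaml files as well. Unlike bug-7725-02, -03 and -04, this test carries no `lt-version: 8`, so it now runs on both 7.0.12 and 8; if that is intended because the behaviour under test is the same on both branches, a one-line comment above `requires:` saying so would stop the next reader from adding the cap for symmetry. The `args` sequence is flush (`- -k none`) while `checks` is indented (`  - filter:`); pick one sequence indentation per file — the new test.yaml files share this. The `checks` list continues outside the hunk.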
diff --git a/tests/bug-7725-02/README.md b/tests/bug-7725-02/README.md
new file mode 100644 (file)
index 0000000..99fc3f6
--- /dev/null
@@ -0,0 +1,13 @@
+# Test
+
+Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the
+engine will not generate alerts if this decoding is not enabled in the configuration
+file.
+
+## PCAP
+
+Shared by reporter.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7725
diff --git a/tests/bug-7725-02/ip_in_ip.pcap b/tests/bug-7725-02/ip_in_ip.pcap
new file mode 100644 (file)
index 0000000..7d07a7e
Binary files /dev/null and b/tests/bug-7725-02/ip_in_ip.pcap differ
diff --git a/tests/bug-7725-02/suricata.yaml b/tests/bug-7725-02/suricata.yaml
new file mode 100644 (file)
index 0000000..481c83f
--- /dev/null
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+decoder:
+  ipv4:
+    ipip:
+      enabled: false
+      track-parent-flow: false
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
+        - stats
+  - stats:
+      enabled: yes
+      filename: stats.log
diff --git a/tests/bug-7725-02/test.rules b/tests/bug-7725-02/test.rules
new file mode 100644 (file)
index 0000000..d2ba779
--- /dev/null
@@ -0,0 +1,2 @@
+alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;)
+drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;)
diff --git a/tests/bug-7725-02/test.yaml b/tests/bug-7725-02/test.yaml
new file mode 100644 (file)
index 0000000..ce93db2
--- /dev/null
@@ -0,0 +1,60 @@
+requires:
+  min-version: 7.0.12
+  lt-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+- --runmode=single
+
+checks:
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 60000000
+        pkt_src: wire/pcap
+        proto: IP-in-IP
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 60000001
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+        src_ip: 192.168.0.94
+        dest_ip: 192.168.0.237
+        tunnel.src_ip: 10.0.0.94
+        tunnel.dest_ip: 10.1.0.237
+        tunnel.proto: IP-in-IP
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+        alert.signature_id: 60000001
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        proto: IP-in-IP
+        src_ip: 10.0.0.94
+        dest_ip: 10.1.0.237
+        flow.alerted: true
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        proto: ICMP
+        src_ip: 192.168.0.94
+        dest_ip: 192.168.0.237
+        flow.alerted: true
+        flow.action: drop
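Review bot: The README for this test says the engine "will not generate alerts if this decoding is not enabled", yet the first filter expects `count: 6` alerts for sid 60000000 with `proto: IP-in-IP`; the two agree only if the README means inner-layer alerts, so a comment on each filter stating what it asserts would save the reader from reconciling them, e.g. `# outer-layer rule still fires on the raw IP-in-IP packets` above the first filter and `# inner-layer rule must not fire: ipip decoding is disabled` above the second. The `count: 0` filters on `event_type: flow` only assert the absence of alerted flows and say nothing about whether the outer-layer packets produced a flow record at all; a positive count on the IP-in-IP flow without the `flow.alerted` key would pin the disabled-decoder behaviour more tightly, though I cannot see from here which flow records this pcap yields. bug-7725-03/test.yaml is byte-identical (same blob ce93db2) and the same applies there.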
diff --git a/tests/bug-7725-03/README.md b/tests/bug-7725-03/README.md
new file mode 100644 (file)
index 0000000..99fc3f6
--- /dev/null
@@ -0,0 +1,13 @@
+# Test
+
+Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the
+engine will not generate alerts if this decoding is not enabled in the configuration
+file.
+
+## PCAP
+
+Shared by reporter.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7725
diff --git a/tests/bug-7725-03/ip_in_ip.pcap b/tests/bug-7725-03/ip_in_ip.pcap
new file mode 100644 (file)
index 0000000..7d07a7e
Binary files /dev/null and b/tests/bug-7725-03/ip_in_ip.pcap differ
similarity index 96%
rename from tests/bug-7725/suricata.yaml
rename to tests/bug-7725-03/suricata.yaml
index 94adab15f67d025beba042bbbe3971e70c74681a..b8f5bc6dcb7d5d3d745284a67ca7aae20c5463aa 100644 (file)
@@ -22,6 +22,7 @@ outputs:
         - drop:
             alerts: yes
         - flow
+        - stats
   - stats:
       enabled: yes
       filename: stats.log
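Review bot: Adding `- stats` to the eve-log `types` brings this config in line with bug-7725-02 and bug-7725-04, but the new bug-7725-01/suricata.yaml does not list it, so the four configs of one test family now differ in an output setting unrelated to the decoder option under test; either add `- stats` there too or drop it here unless a check consumes stats events (none of the visible test.yaml files filters on `event_type: stats`). The decoder stanza that distinguishes this configuration from bug-7725-02's lies outside the hunk, and the README added for this test is byte-identical to bug-7725-02's (same blob 99fc3f6), so the case this directory covers is not written down anywhere a reader can see; a sentence in the README naming the `ipip` `enabled`/`track-parent-flow` combination used here would do. The `outputs:` section starts outside the hunk.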
diff --git a/tests/bug-7725-03/test.rules b/tests/bug-7725-03/test.rules
new file mode 100644 (file)
index 0000000..d2ba779
--- /dev/null
@@ -0,0 +1,2 @@
+alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;)
+drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;)
diff --git a/tests/bug-7725-03/test.yaml b/tests/bug-7725-03/test.yaml
new file mode 100644 (file)
index 0000000..ce93db2
--- /dev/null
@@ -0,0 +1,60 @@
+requires:
+  min-version: 7.0.12
+  lt-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+- --runmode=single
+
+checks:
+  - filter:
+      count: 6
+      match:
+        event_type: alert
+        alert.signature_id: 60000000
+        pkt_src: wire/pcap
+        proto: IP-in-IP
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 60000001
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+        src_ip: 192.168.0.94
+        dest_ip: 192.168.0.237
+        tunnel.src_ip: 10.0.0.94
+        tunnel.dest_ip: 10.1.0.237
+        tunnel.proto: IP-in-IP
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+        alert.signature_id: 60000001
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        proto: IP-in-IP
+        src_ip: 10.0.0.94
+        dest_ip: 10.1.0.237
+        flow.alerted: true
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        proto: ICMP
+        src_ip: 192.168.0.94
+        dest_ip: 192.168.0.237
+        flow.alerted: true
+        flow.action: drop
diff --git a/tests/bug-7725-04/README.md b/tests/bug-7725-04/README.md
new file mode 100644 (file)
index 0000000..f78c669
--- /dev/null
@@ -0,0 +1,13 @@
+# Test
+
+Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the
+engine will properly generate alerts if this decoding is enabled in the configuration
+file, and not set up a new flow for said packets, if this configuration is disabled.
+
+## PCAP
+
+Shared by reporter.
+
+## Redmine ticket
+
+https://redmine.openinfosecfoundation.org/issues/7725
diff --git a/tests/bug-7725-04/ip_in_ip.pcap b/tests/bug-7725-04/ip_in_ip.pcap
new file mode 100644 (file)
index 0000000..7d07a7e
Binary files /dev/null and b/tests/bug-7725-04/ip_in_ip.pcap differ
diff --git a/tests/bug-7725-04/suricata.yaml b/tests/bug-7725-04/suricata.yaml
new file mode 100644 (file)
index 0000000..cc2fb5f
--- /dev/null
@@ -0,0 +1,34 @@
+%YAML 1.1
+---
+
+decoder:
+  ipv4:
+    ipip:
+      enabled: true
+      track-parent-flow: false
+
+stats:
+  enabled: yes
+  interval: 8
+
+logging:
+  default-log-level: notice
+  default-output-filter:
+  outputs:
+  - console:
+      enabled: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert
+        - drop:
+            alerts: yes
+        - flow
+        - stats
+  - stats:
+      enabled: yes
+      filename: stats.log
diff --git a/tests/bug-7725-04/test.rules b/tests/bug-7725-04/test.rules
new file mode 100644 (file)
index 0000000..d2ba779
--- /dev/null
@@ -0,0 +1,2 @@
+alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;)
+drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;)
diff --git a/tests/bug-7725-04/test.yaml b/tests/bug-7725-04/test.yaml
new file mode 100644 (file)
index 0000000..6a82a30
--- /dev/null
@@ -0,0 +1,61 @@
+requires:
+  min-version: 7.0.12
+  lt-version: 8
+
+args:
+- -k none
+- --simulate-ips
+- --set stream.midstream=true
+- --runmode=single
+
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 60000000
+        pkt_src: wire/pcap
+        proto: IP-in-IP
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 60000001
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+        src_ip: 192.168.0.94
+        dest_ip: 192.168.0.237
+        tunnel.src_ip: 10.0.0.94
+        tunnel.dest_ip: 10.1.0.237
+        tunnel.proto: IP-in-IP
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        alert.signature_id: 60000001
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+  - filter:
+      count: 2
+      match:
+        event_type: drop
+        pkt_src: ipv4 tunnel
+        proto: ICMP
+  - filter:
+      count: 0
+      match:
+        event_type: flow
+        proto: IP-in-IP
+        src_ip: 10.0.0.94
+        dest_ip: 10.1.0.237
+        flow.alerted: true
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        proto: ICMP
+        src_ip: 192.168.0.94
+        dest_ip: 192.168.0.237
+        flow.alerted: true
+        flow.action: drop
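Review bot: Two `drop` events are expected for `pkt_src: ipv4 tunnel` (`count: 2`) but only one carries `alert.signature_id: 60000001` (`count: 1`), and nothing records why the second drop has no signature attached; a comment on the `count: 2` filter giving the reason (presumably the later tunnel packet is dropped on the already-flagged flow rather than by a fresh rule match — confirm against the eve output) would make the expectation reviewable. The `count: 0` on the alerted IP-in-IP flow supports the README's "not set up a new flow" claim only indirectly, since it would also pass if a non-alerted IP-in-IP flow were created; a filter on `event_type: flow` with `proto: IP-in-IP` and no `flow.alerted` key would assert the statement directly. There are two consecutive blank lines after `args` where the rest of the file uses one.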