From: Juliana Fajardini Date: Sat, 14 Jun 2025 00:00:54 +0000 (-0300) Subject: tests: update bug 7725 tests for Suricata 7 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fsuricata-verify.git tests: update bug 7725 tests for Suricata 7 Also added a few more cases for disabled config. Related to (backport ticket 7726) Bug #7725 --- diff --git a/tests/bug-7725/README.md b/tests/bug-7725-01/README.md similarity index 100% rename from tests/bug-7725/README.md rename to tests/bug-7725-01/README.md diff --git a/tests/bug-7725/ip_in_ip.pcap b/tests/bug-7725-01/ip_in_ip.pcap similarity index 100% rename from tests/bug-7725/ip_in_ip.pcap rename to tests/bug-7725-01/ip_in_ip.pcap diff --git a/tests/bug-7725-01/suricata.yaml b/tests/bug-7725-01/suricata.yaml new file mode 100644 index 000000000..92b3f73a4 --- /dev/null +++ b/tests/bug-7725-01/suricata.yaml @@ -0,0 +1,33 @@ +%YAML 1.1 +--- + +decoder: + ipv4: + ipip: + enabled: true + track-parent-flow: true + +stats: + enabled: yes + interval: 8 + +logging: + default-log-level: notice + default-output-filter: + outputs: + - console: + enabled: yes + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert + - drop: + alerts: yes + - flow + - stats: + enabled: yes + filename: stats.log diff --git a/tests/bug-7725/test.rules b/tests/bug-7725-01/test.rules similarity index 100% rename from tests/bug-7725/test.rules rename to tests/bug-7725-01/test.rules diff --git a/tests/bug-7725/test.yaml b/tests/bug-7725-01/test.yaml similarity index 96% rename from tests/bug-7725/test.yaml rename to tests/bug-7725-01/test.yaml index 10c3fccb4..980199f3d 100644 --- a/tests/bug-7725/test.yaml +++ b/tests/bug-7725-01/test.yaml @@ -1,10 +1,11 @@ requires: - min-version: 8 + min-version: 7.0.12 args: - -k none - --simulate-ips - --set stream.midstream=true +- --runmode=single checks: - filter: 
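Review bot: Boolean spelling is mixed inside the new `tests/bug-7725-01/suricata.yaml`: the `decoder.ipv4.ipip` keys use `true` while `stats`, `console`, `eve-log` and `drop.alerts` use `yes`. Under the `%YAML 1.1` directive both parse as booleans, so this is style only, but one spelling (`enabled: true`) keeps the four near-identical configs in this series easy to diff. The same mix is in the `-02` and `-04` suricata.yaml hunks and in the renamed `-03` file. `default-output-filter:` is also left as a bare empty value, which parses as null; if an empty string is what the engine expects there, `default-output-filter: ""` says so explicitly.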
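Review bot: `min-version: 7.0.12` is set without an `lt-version`, while the three new tests in this commit pin `lt-version: 8`; as written `-01` runs on 7.0.12+ and on 8, which presumably is intended since the old `min-version: 8` form already passed on 8. A short comment next to `requires:`, e.g. `# runs on 7.0.12+ and on 8: expectations hold on both branches`, would keep the inconsistency from being "fixed" later. The `checks:` list continues past the end of the hunk.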
diff --git a/tests/bug-7725-02/README.md b/tests/bug-7725-02/README.md new file mode 100644 index 000000000..99fc3f66b --- /dev/null +++ b/tests/bug-7725-02/README.md @@ -0,0 +1,13 @@ +# Test + +Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the +engine will not generate alerts if this decoding is not enabled in the configuration +file. + +## PCAP + +Shared by reporter. + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/7725 diff --git a/tests/bug-7725-02/ip_in_ip.pcap b/tests/bug-7725-02/ip_in_ip.pcap new file mode 100644 index 000000000..7d07a7ed2 Binary files /dev/null and b/tests/bug-7725-02/ip_in_ip.pcap differ diff --git a/tests/bug-7725-02/suricata.yaml b/tests/bug-7725-02/suricata.yaml new file mode 100644 index 000000000..481c83f6b --- /dev/null +++ b/tests/bug-7725-02/suricata.yaml @@ -0,0 +1,34 @@ +%YAML 1.1 +--- + +decoder: + ipv4: + ipip: + enabled: false + track-parent-flow: false + +stats: + enabled: yes + interval: 8 + +logging: + default-log-level: notice + default-output-filter: + outputs: + - console: + enabled: yes + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert + - drop: + alerts: yes + - flow + - stats + - stats: + enabled: yes + filename: stats.log diff --git a/tests/bug-7725-02/test.rules b/tests/bug-7725-02/test.rules new file mode 100644 index 000000000..d2ba77930 --- /dev/null +++ b/tests/bug-7725-02/test.rules @@ -0,0 +1,2 @@ +alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;) +drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;) diff --git a/tests/bug-7725-02/test.yaml b/tests/bug-7725-02/test.yaml new file mode 100644 index 000000000..ce93db28f --- /dev/null +++ b/tests/bug-7725-02/test.yaml 
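Review bot: Nothing in `tests/bug-7725-02/suricata.yaml` says which disabled-config case it represents, and this file is the only thing that distinguishes `-02` from `-03`: their README.md and test.yaml are the same blobs (`99fc3f66b`, `ce93db28f`), while the `-03` config is a rename of the old `tests/bug-7725/suricata.yaml` whose decoder section is not shown in this diff. A header comment above `decoder:` naming the variant, e.g. `# Case: ipip decoding disabled and parent-flow tracking disabled; inner-layer rule must not fire`, would let a reader tell the cases apart from the config alone. The same comment, with its own values, belongs in the `-01`, `-03` and `-04` configs.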
@@ -0,0 +1,60 @@ +requires: + min-version: 7.0.12 + lt-version: 8 + +args: +- -k none +- --simulate-ips +- --set stream.midstream=true +- --runmode=single + +checks: + - filter: + count: 6 + match: + event_type: alert + alert.signature_id: 60000000 + pkt_src: wire/pcap + proto: IP-in-IP + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 60000001 + pkt_src: ipv4 tunnel + proto: ICMP + src_ip: 192.168.0.94 + dest_ip: 192.168.0.237 + tunnel.src_ip: 10.0.0.94 + tunnel.dest_ip: 10.1.0.237 + tunnel.proto: IP-in-IP + - filter: + count: 0 + match: + event_type: drop + alert.signature_id: 60000001 + pkt_src: ipv4 tunnel + proto: ICMP + - filter: + count: 0 + match: + event_type: drop + pkt_src: ipv4 tunnel + proto: ICMP + - filter: + count: 0 + match: + event_type: flow + proto: IP-in-IP + src_ip: 10.0.0.94 + dest_ip: 10.1.0.237 + flow.alerted: true + - filter: + count: 0 + match: + event_type: flow + proto: ICMP + src_ip: 192.168.0.94 + dest_ip: 192.168.0.237 + flow.alerted: true + flow.action: drop diff --git a/tests/bug-7725-03/README.md b/tests/bug-7725-03/README.md new file mode 100644 index 000000000..99fc3f66b --- /dev/null +++ b/tests/bug-7725-03/README.md @@ -0,0 +1,13 @@ +# Test + +Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the +engine will not generate alerts if this decoding is not enabled in the configuration +file. + +## PCAP + +Shared by reporter. + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/7725 diff --git a/tests/bug-7725-03/ip_in_ip.pcap b/tests/bug-7725-03/ip_in_ip.pcap new file mode 100644 index 000000000..7d07a7ed2 Binary files /dev/null and b/tests/bug-7725-03/ip_in_ip.pcap differ diff --git a/tests/bug-7725/suricata.yaml b/tests/bug-7725-03/suricata.yaml similarity index 96% rename from tests/bug-7725/suricata.yaml rename to tests/bug-7725-03/suricata.yaml index 94adab15f..b8f5bc6dc 100644 --- a/tests/bug-7725/suricata.yaml +++ b/tests/bug-7725-03/suricata.yaml 
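Review bot: The two `event_type: drop` checks (third and fourth filters) are scoped to `pkt_src: ipv4 tunnel`, so they still pass if the outer IP-in-IP packets were dropped for some other reason; the property this test guards — that with `ipip` decoding disabled the inner `drop` rule cannot fire under `--simulate-ips`, so the tunnelled traffic passes uninspected — is pinned more tightly by one extra unscoped filter with `count: 0` matching only `event_type: drop`. The same applies to `tests/bug-7725-03/test.yaml`, which is byte-identical to this file (blob `ce93db28f`). A one-line comment above `checks:` stating that zero inner-layer alerts and drops is the expected outcome of the disabled decoder, not a regression, would also help a reader who only sees the six outer-layer alerts.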
@@ -22,6 +22,7 @@ outputs: - drop: alerts: yes - flow + - stats - stats: enabled: yes filename: stats.log diff --git a/tests/bug-7725-03/test.rules b/tests/bug-7725-03/test.rules new file mode 100644 index 000000000..d2ba77930 --- /dev/null +++ b/tests/bug-7725-03/test.rules @@ -0,0 +1,2 @@ +alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;) +drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;) diff --git a/tests/bug-7725-03/test.yaml b/tests/bug-7725-03/test.yaml new file mode 100644 index 000000000..ce93db28f --- /dev/null +++ b/tests/bug-7725-03/test.yaml @@ -0,0 +1,60 @@ +requires: + min-version: 7.0.12 + lt-version: 8 + +args: +- -k none +- --simulate-ips +- --set stream.midstream=true +- --runmode=single + +checks: + - filter: + count: 6 + match: + event_type: alert + alert.signature_id: 60000000 + pkt_src: wire/pcap + proto: IP-in-IP + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 60000001 + pkt_src: ipv4 tunnel + proto: ICMP + src_ip: 192.168.0.94 + dest_ip: 192.168.0.237 + tunnel.src_ip: 10.0.0.94 + tunnel.dest_ip: 10.1.0.237 + tunnel.proto: IP-in-IP + - filter: + count: 0 + match: + event_type: drop + alert.signature_id: 60000001 + pkt_src: ipv4 tunnel + proto: ICMP + - filter: + count: 0 + match: + event_type: drop + pkt_src: ipv4 tunnel + proto: ICMP + - filter: + count: 0 + match: + event_type: flow + proto: IP-in-IP + src_ip: 10.0.0.94 + dest_ip: 10.1.0.237 + flow.alerted: true + - filter: + count: 0 + match: + event_type: flow + proto: ICMP + src_ip: 192.168.0.94 + dest_ip: 192.168.0.237 + flow.alerted: true + flow.action: drop diff --git a/tests/bug-7725-04/README.md b/tests/bug-7725-04/README.md new file mode 100644 index 000000000..f78c6699a --- /dev/null +++ b/tests/bug-7725-04/README.md 
@@ -0,0 +1,13 @@ +# Test + +Test that in a scenario where a rule inspects traffic in an IP-in-IP tunnel, the +engine will properly generate alerts if this decoding is enabled in the configuration +file, and not set up a new flow for said packets, if this configuration is disabled. + +## PCAP + +Shared by reporter. + +## Redmine ticket + +https://redmine.openinfosecfoundation.org/issues/7725 diff --git a/tests/bug-7725-04/ip_in_ip.pcap b/tests/bug-7725-04/ip_in_ip.pcap new file mode 100644 index 000000000..7d07a7ed2 Binary files /dev/null and b/tests/bug-7725-04/ip_in_ip.pcap differ diff --git a/tests/bug-7725-04/suricata.yaml b/tests/bug-7725-04/suricata.yaml new file mode 100644 index 000000000..cc2fb5ff4 --- /dev/null +++ b/tests/bug-7725-04/suricata.yaml @@ -0,0 +1,34 @@ +%YAML 1.1 +--- + +decoder: + ipv4: + ipip: + enabled: true + track-parent-flow: false + +stats: + enabled: yes + interval: 8 + +logging: + default-log-level: notice + default-output-filter: + outputs: + - console: + enabled: yes + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert + - drop: + alerts: yes + - flow + - stats + - stats: + enabled: yes + filename: stats.log diff --git a/tests/bug-7725-04/test.rules b/tests/bug-7725-04/test.rules new file mode 100644 index 000000000..d2ba77930 --- /dev/null +++ b/tests/bug-7725-04/test.rules @@ -0,0 +1,2 @@ +alert ip any any -> 10.0.0.0/8 any (msg:"IP-in-IP Test rule 1 - outer layer"; classtype:misc-activity; sid:60000000; rev:1;) +drop ip any any -> 192.168.0.0/16 any (msg:"IP-in-IP Test rule 2 - inner layer"; classtype:misc-activity; sid:60000001; rev:1;) diff --git a/tests/bug-7725-04/test.yaml b/tests/bug-7725-04/test.yaml new file mode 100644 index 000000000..6a82a300c --- /dev/null +++ b/tests/bug-7725-04/test.yaml 
@@ -0,0 +1,61 @@ +requires: + min-version: 7.0.12 + lt-version: 8 + +args: +- -k none +- --simulate-ips +- --set stream.midstream=true +- --runmode=single + + +checks: + - filter: + count: 0 + match: + event_type: alert + alert.signature_id: 60000000 + pkt_src: wire/pcap + proto: IP-in-IP + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 60000001 + pkt_src: ipv4 tunnel + proto: ICMP + src_ip: 192.168.0.94 + dest_ip: 192.168.0.237 + tunnel.src_ip: 10.0.0.94 + tunnel.dest_ip: 10.1.0.237 + tunnel.proto: IP-in-IP + - filter: + count: 1 + match: + event_type: drop + alert.signature_id: 60000001 + pkt_src: ipv4 tunnel + proto: ICMP + - filter: + count: 2 + match: + event_type: drop + pkt_src: ipv4 tunnel + proto: ICMP + - filter: + count: 0 + match: + event_type: flow + proto: IP-in-IP + src_ip: 10.0.0.94 + dest_ip: 10.1.0.237 + flow.alerted: true + - filter: + count: 1 + match: + event_type: flow + proto: ICMP + src_ip: 192.168.0.94 + dest_ip: 192.168.0.237 + flow.alerted: true + flow.action: drop
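Review bot: The fourth filter expects `count: 2` drops for ICMP from `pkt_src: ipv4 tunnel` while the filter above it expects only `count: 1` with `alert.signature_id: 60000001`, and nothing on the page says where the second, signature-less drop comes from; presumably it is the flow-level drop action applied to a later packet of the same inner flow (the last filter expects one flow with `flow.action: drop`), but that should be stated. A comment on that filter, e.g. `# 1 drop from sid 60000001 plus 1 presumably from the flow's drop action on the next packet - confirm`, would make the number reviewable. There are also two blank lines between `args:` and `checks:` where `-02`/`-03` use one.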