Commit
tests: showcase verdict & no action field in test
With the addition of the 'verdict' field, have at least one test that illustrates this, and adjust tests that were affected by that change. Bug #5464
1 parent 0a8596b, commit 8c7ced8
Showing 9 changed files with 156 additions and 2 deletions.
@@ -0,0 +1,13 @@ | ||
# Test and Showcase the Verdict Field in IDS mode | ||
|
||
In IDS mode, the verdict field only makes sense with the `reject` | ||
rule action. | ||
|
||
# Behavior | ||
|
||
As with the `rate_filter` the rule action will change from `alert` to | ||
`reject`, we shall see alerts starting without, then with the `verdict` field. | ||
|
||
# Pcap | ||
|
||
Comes from the test `threshold-config-rate-filter-reject-hostdst`. |
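Review bot: the Behavior paragraph says the alerts start "without, then with the `verdict` field", but the test.yaml in this commit matches `verdict.action: alert` on the first alert too (the one with `alert.action: allowed`); what is new on the second alert is `verdict.reject-target: source`. Reword to say that both alerts carry `verdict.action: alert` and that the second one, after `rate_filter` switches the action to `reject`, additionally carries `verdict.reject-target`. The sentence "As with the `rate_filter` the rule action will change from `alert` to `reject`, we shall see ..." also reads as a fragment; "Because the `rate_filter` changes the rule action from `alert` to `reject`, ..." would be clearer. The Pcap section could state the path used in test.yaml (`../threshold/threshold-config-rate-filter-reject-hostdst/input.pcap`) so the borrowed input is easy to locate.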
@@ -0,0 +1 @@ | ||
alert http any any -> any any (sid: 1000001;) |
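Review bot: the rule has no `msg` and no `rev`, so the resulting alert in eve.json has an empty `alert.signature`. Since this test is meant as a showcase, something like `alert http any any -> any any (msg:"verdict field showcase"; sid:1000001; rev:1;)` makes the logged events self-describing at no cost to the checks in test.yaml, which only match on `alert.signature_id`.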
@@ -0,0 +1,18 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular | ||
filename: eve.json | ||
types: | ||
- alert: | ||
verdict: yes | ||
- drop: | ||
flows: all | ||
alerts: true | ||
verdict: yes | ||
- http | ||
- anomaly | ||
- verdict |
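Review bot: boolean spelling is mixed within the same block (`verdict: yes` next to `alerts: true`); pick one form for the whole file. The `drop` output type is also enabled with `flows: all`, yet no check in test.yaml asserts on a `drop` event and the README describes an IDS-mode test, so either document in the README why drop logging is on or remove that block to keep the showcase configuration minimal.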
@@ -0,0 +1,37 @@ | ||
requires: | ||
min-version: 7 | ||
|
||
pcap: ../threshold/threshold-config-rate-filter-reject-hostdst/input.pcap | ||
|
||
args: | ||
- --set threshold-file=${TEST_DIR}/threshold.config | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1000001 | ||
alert.action: allowed | ||
verdict.action: alert | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1000001 | ||
alert.action: blocked | ||
verdict.action: alert | ||
verdict.reject-target: source | ||
- filter: | ||
count: 1 | ||
match: | ||
pcap_cnt: 5 | ||
event_type: verdict | ||
verdict.action: alert | ||
- filter: | ||
count: 1 | ||
match: | ||
pcap_cnt: 6 | ||
event_type: verdict | ||
verdict.action: alert | ||
verdict.reject-target: source |
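Review bot: the two `event_type: verdict` filters pin `pcap_cnt` (5 and 6), but the two `event_type: alert` filters do not, so the test would still pass if the allowed and blocked alerts were raised on other packets. If packets 5 and 6 are the ones the alerts fire on, add `pcap_cnt: 5` to the `alert.action: allowed` filter and `pcap_cnt: 6` to the `alert.action: blocked` filter; that ties each alert to the verdict event for the same packet, which is exactly the pairing the README says this test showcases.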
@@ -0,0 +1 @@ | ||
rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action reject, timeout 1000 |
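Review bot: the file has no comment explaining what this line is for. With `count 1` and `track by_dst`, the action flips from `alert` to `reject` after the first match per destination and stays there for `timeout 1000` seconds, which is what produces the allowed-then-blocked alert pair checked in test.yaml; a `#` comment line saying so would save the next reader from reconstructing it.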