diff --git a/tests/bug-4394-pdonly-drop/suricata.yaml b/tests/bug-4394-pdonly-drop/suricata.yaml index 973db9b6e..144a5844c 100644 --- a/tests/bug-4394-pdonly-drop/suricata.yaml +++ b/tests/bug-4394-pdonly-drop/suricata.yaml @@ -13,9 +13,13 @@ outputs: filetype: regular #regular|syslog|unix_dgram|unix_stream|redis filename: eve.json types: - - alert + - alert: + verdict: yes - drop: flows: all alerts: true + verdict: yes - http - anomaly + - verdict + diff --git a/tests/bug-4394-pdonly-drop/test.yaml b/tests/bug-4394-pdonly-drop/test.yaml index bdf2dde15..8b69d3058 100644 --- a/tests/bug-4394-pdonly-drop/test.yaml +++ b/tests/bug-4394-pdonly-drop/test.yaml @@ -8,6 +8,7 @@ args: checks: - filter: + lt-version: 7 count: 1 match: event_type: alert @@ -15,6 +16,7 @@ checks: alert.signature_id: 1 pcap_cnt: 4 - filter: + lt-version: 7 count: 1 match: event_type: alert 
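Review bot: The new `verdict: yes` lines in the bug-4394 suricata.yaml sit in the same `drop:` stanza as the existing `alerts: true`, so one block now mixes two boolean spellings; `verdict: true` would match its neighbour, and the same mix (`enabled: yes`, `verdict: yes`, `alerts: true`) recurs in the new tests/verdict-reject-ids/suricata.yaml further down this diff. Both spellings are accepted by Suricata, so this is a consistency point only, but a single form per file is what yamllint's `truthy` rule expects and it keeps the test configs greppable. The hunk also appears to end with an added empty line after `- verdict`, which yamllint flags as a trailing blank at end of file and which carries no value here.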
@@ -22,18 +24,93 @@ checks: alert.signature_id: 2 pcap_cnt: 4 - filter: + min-version: 7 + count: 1 + match: + event_type: alert + alert.signature_id: 1 + pcap_cnt: 4 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: alert + alert.signature_id: 2 + pcap_cnt: 4 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + pcap_cnt: 4 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + pcap_cnt: 5 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + pcap_cnt: 6 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + pcap_cnt: 7 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + pcap_cnt: 8 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + pcap_cnt: 9 + verdict.action: drop + - filter: + min-version: 7 + count: 1 + match: + event_type: drop + pcap_cnt: 10 + verdict.action: drop + - filter: + min-version: 7 count: 0 match: event_type: alert alert.signature_id: 3 + verdict.action: alert - filter: + lt-version: 7 count: 1 match: event_type: drop alert.action: blocked alert.signature_id: 1 pcap_cnt: 4 + - filter: + lt-version: 7 + count: 1 + match: + event_type: drop + alert.signature_id: 1 + pcap_cnt: 4 - filter: count: 1 match: diff --git a/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml b/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml index 758f72085..672eb53bd 100644 --- a/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml +++ b/tests/exception-policy-stream-reassembly-memcap-05/suricata.yaml @@ -14,3 +14,4 @@ outputs: flows: all # start or all: 'start' logs only a single drop # per flow direction. All logs each dropped pkt. - flow + - anomaly 
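Review bot: The `count: 0` check for `alert.signature_id: 3` is weakened by this hunk in two ways: the added `verdict.action: alert` match field means a sid-3 alert with any other verdict action would no longer trip the check, and the added `min-version: 7` gate removes the negative assertion entirely for versions below 7, where no `lt-version: 7` counterpart is added (the other alert and drop filters in this hunk do get such pairs). A negative check should match as little as possible, so I would drop both added lines from that filter and keep it as the unconditioned `count: 0` / `event_type: alert` / `alert.signature_id: 3` it was; if the verdict value for sid 3 is worth asserting, that belongs in a separate positive filter. The nine `min-version: 7` drop filters for `pcap_cnt` 4 through 10 are otherwise fine, though a short comment above the first stating why each packet is expected to be dropped would help the next reader. The `checks:` list continues past the end of the hunk, so I cannot see whether a later filter already covers the sid-3 case.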
diff --git a/tests/stream-depth-reached-event/test.yaml b/tests/stream-depth-reached-event/test.yaml index 2a293f455..55cc2b009 100644 --- a/tests/stream-depth-reached-event/test.yaml +++ b/tests/stream-depth-reached-event/test.yaml @@ -2,7 +2,9 @@ requires: min-version: 7 args: -- --set stream.reassembly.depth=50 --set outputs.1.eve-log.types.2.anomaly.types.stream=yes +# 'outputs' command-line option might need to be adjusted if a new output type +# is added to eve log. +- --set stream.reassembly.depth=50 --set outputs.1.eve-log.types.3.anomaly.types.stream=yes checks: - filter: diff --git a/tests/verdict-reject-ids/README.md b/tests/verdict-reject-ids/README.md new file mode 100644 index 000000000..012e12f6d --- /dev/null +++ b/tests/verdict-reject-ids/README.md @@ -0,0 +1,13 @@ +# Test and Showcase the Verdict Field in IDS mode + +In IDS mode, the verdict field only makes sense with the `reject` +rule action. + +# Behavior + +As with the `rate_filter` the rule action will change from `alert` to +`reject`, we shall see alerts starting without, then with the `verdict` field. + +# Pcap + +Comes from the test `threshold-config-rate-filter-reject-hostdst`. diff --git a/tests/verdict-reject-ids/input.rules b/tests/verdict-reject-ids/input.rules new file mode 100644 index 000000000..d3721f4f5 --- /dev/null +++ b/tests/verdict-reject-ids/input.rules @@ -0,0 +1 @@ +alert http any any -> any any (sid: 1000001;) diff --git a/tests/verdict-reject-ids/suricata.yaml b/tests/verdict-reject-ids/suricata.yaml new file mode 100644 index 000000000..37d16f871 --- /dev/null +++ b/tests/verdict-reject-ids/suricata.yaml @@ -0,0 +1,18 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert: + verdict: yes + - drop: + flows: all + alerts: true + verdict: yes + - http + - anomaly + - verdict diff --git a/tests/verdict-reject-ids/test.yaml b/tests/verdict-reject-ids/test.yaml new file mode 100644 index 000000000..3de0844b3 
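Review bot: The bumped `--set outputs.1.eve-log.types.3.anomaly.types.stream=yes` in tests/stream-depth-reached-event/test.yaml hard-codes the list position of `anomaly` in this test's eve-log `types` (that suricata.yaml is not part of this hunk), and the added comment only says the option "might need to be adjusted". I would make the dependency explicit so the next reordering is caught: `# types.3 must be the index of 'anomaly' in this test's suricata.yaml eve-log types list; a stale index presumably sets the key on a different output type without any error.` The README, input.rules and threshold.config additions elsewhere on this line are documentation-sized and need nothing further.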
--- /dev/null +++ b/tests/verdict-reject-ids/test.yaml @@ -0,0 +1,37 @@ +requires: + min-version: 7 + +pcap: ../threshold/threshold-config-rate-filter-reject-hostdst/input.pcap + +args: +- --set threshold-file=${TEST_DIR}/threshold.config + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: allowed + verdict.action: alert + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1000001 + alert.action: blocked + verdict.action: alert + verdict.reject-target: source + - filter: + count: 1 + match: + pcap_cnt: 5 + event_type: verdict + verdict.action: alert + - filter: + count: 1 + match: + pcap_cnt: 6 + event_type: verdict + verdict.action: alert + verdict.reject-target: source diff --git a/tests/verdict-reject-ids/threshold.config b/tests/verdict-reject-ids/threshold.config new file mode 100644 index 000000000..961b1439d --- /dev/null +++ b/tests/verdict-reject-ids/threshold.config @@ -0,0 +1 @@ +rate_filter gen_id 1, sig_id 1000001, track by_dst, count 1, seconds 60, new_action reject, timeout 1000
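Review bot: The two `event_type: alert` filters in tests/verdict-reject-ids/test.yaml do not pin `pcap_cnt`, so the ordering the README describes (an alert without the verdict field first, then one with `verdict.reject-target: source`) is not actually asserted; the checks only establish that one alert of each shape exists somewhere in the run. The two `event_type: verdict` filters do pin `pcap_cnt: 5` and `pcap_cnt: 6`, so if the alerts are emitted for those same packets — which I infer but cannot confirm from this hunk — adding `pcap_cnt: 5` and `pcap_cnt: 6` to the respective alert filters would tie the two sets together. A final filter with `count: 2`, `event_type: alert` and `alert.signature_id: 1000001` would also rule out extra alerts that the per-shape `count: 1` checks cannot see. Note too that `pcap:` reaches into another test's directory, so a rename of `threshold-config-rate-filter-reject-hostdst` breaks this test silently; the README already names that dependency, which is good.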