Commit
tests: add tests for verdict in alert and drop
Related to Bug #5464
1 parent 02479e2, commit d6e164c
Showing 29 changed files with 680 additions and 0 deletions.
@@ -0,0 +1,16 @@ | ||
# Test | ||
|
||
Check and showcase alert verdicts when there are ``reject``, ``pass`` and | ||
``drop`` rules. | ||
|
||
# Behavior | ||
|
||
We expect to see ``drop`` and ``alert`` events with info about the ``reject`` | ||
that will happen due to rule 2 for pcap_cnt 1 this is due to ``drop`` and ``reject`` | ||
rules being triggered. For the other packets, we should see drops due to the | ||
flow being dropped as a result of rule 1. | ||
|
||
# Pcap | ||
|
||
Pcap comes from the test detect-app-layer-protocol-02 and is the result of a | ||
curl to www.testmyids.com. |
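Review bot: the Behavior paragraph runs two sentences together at "for pcap_cnt 1 this is due to", and it never states that the outcome depends on the non-default action-order (drop, reject, alert, pass) configured in this test's suricata.yaml, which is what makes the pass rule (sid 3) lose. Suggest splitting the sentence at "pcap_cnt 1." and adding one line naming the action-order the expectations rely on.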
@@ -0,0 +1,24 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
action-order: | ||
- drop | ||
- reject | ||
- alert | ||
- pass | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | ||
filename: eve.json | ||
types: | ||
- alert: | ||
verdict: yes | ||
- drop: | ||
flows: all | ||
alerts: true | ||
verdict: yes | ||
- http | ||
- anomaly | ||
|
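Review bot: the trailing `#regular|syslog|unix_dgram|unix_stream|redis` comment on `filetype` is copied from the default config and says nothing about this test; suggest dropping it. The `anomaly` output type is also enabled although no check in the accompanying test.yaml matches on anomaly events, so it can go as well.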
@@ -0,0 +1,3 @@ | ||
drop tcp any any -> any 80 (sid:1; rev:1;) | ||
rejectdst tcp any any -> any 80 (sid:2; rev:1;) | ||
pass tcp any any -> any 80 (sid:3; rev:1;) |
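Review bot: sid 2 uses `rejectdst` rather than plain `reject`, and the checks expect `verdict.reject-target: to_server` on the client's first packet, so the choice is deliberate but undocumented; suggest a comment on that line saying the reset is sent only towards the packet's destination, since a reader replacing it with `reject` would break the reject-target checks. Minor: every rule here carries `rev:1` while the other two rules files in this commit omit it.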
@@ -0,0 +1,147 @@ | ||
requires: | ||
features: | ||
- LIBNET1.1 | ||
|
||
args: | ||
- --simulate-ips | ||
|
||
pcap: ../detect-app-layer-protocol-02/input.pcap | ||
|
||
checks: | ||
# checks for Suricata 6 | ||
- filter: | ||
lt-version: 7 | ||
count: 1 | ||
match: | ||
pcap_cnt: 1 | ||
event_type: drop | ||
alert.action: blocked | ||
alert.signature_id: 1 | ||
- filter: | ||
lt-version: 7 | ||
count: 1 | ||
match: | ||
pcap_cnt: 1 | ||
event_type: alert | ||
alert.action: blocked | ||
alert.signature_id: 1 | ||
- filter: | ||
lt-version: 7 | ||
count: 1 | ||
match: | ||
pcap_cnt: 1 | ||
event_type: alert | ||
alert.action: blocked | ||
alert.signature_id: 2 | ||
|
||
# checks for Suricata 7 | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
pcap_cnt: 1 | ||
verdict.action: drop | ||
verdict.reject-target: to_server | ||
verdict.reject: ["tcp-reset"] | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 | ||
pcap_cnt: 1 | ||
verdict.action: drop | ||
verdict.reject-target: to_server | ||
verdict.reject: ["tcp-reset"] | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 1 | ||
verdict.action: drop | ||
verdict.reject-target: to_server | ||
verdict.reject: ["tcp-reset"] | ||
- filter: | ||
min-version: 7 | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 3 | ||
verdict.action: alert | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 5 | ||
verdict.action: drop | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 6 | ||
verdict.action: drop | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 7 | ||
verdict.action: drop | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 8 | ||
verdict.action: drop | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 9 | ||
verdict.action: drop | ||
- filter: | ||
min-version: 7 | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 10 | ||
verdict.action: drop | ||
|
||
# Checks valid for both | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 5 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 6 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 7 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 8 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 9 | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 10 |
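Review bot: the README says every packet after the first should be dropped because the flow is dropped, but the checks only cover pcap_cnt 5 through 10 (in both the min-version 7 block and the version-independent block at the end); suggest either adding drop checks for pcap_cnt 2 through 4 or a comment on why those packets are not expected to produce drop events. The `count: 0` filter for sid 3 is also weaker than it looks: because it includes `verdict.action: alert`, it still passes if the pass rule alerts with any other verdict, so drop `verdict.action` from that filter to assert that sid 3 never produces an alert at all.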
@@ -0,0 +1,21 @@ | ||
# Test | ||
|
||
Check and showcase alert verdicts when there are ``alert``, ``pass`` and | ||
``drop`` rules. | ||
|
||
# Behavior | ||
|
||
It's expected that Suricata will log out alerts for rules 1 and 3. Rule 2 would | ||
match if the flow weren't already 'passed' when it's triggered and also based on | ||
action order, and rule 4 isn't logged out with packet 4 as it's a 'pass' alert. | ||
|
||
Moreover, when the http transaction is finished, with packet 6 (pcap_cnt: 6), | ||
we should see an alert for rule 1, as it has a higher priority so is queue as an | ||
alert first, but still see the 'pass' verdict for same packet - which also leads | ||
to no alerts or drops for rule 2, that should trigger for packet 6. | ||
|
||
# Pcap | ||
|
||
Pcap comes from the test detect-app-layer-protocol-02 and is the result of a | ||
curl to www.testmyids.com. | ||
|
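Review bot: typos in the Behavior section: "so is queue as an alert first" should read "so is queued as an alert first", and "for same packet" should be "for the same packet". The second paragraph also says rule 2 "should trigger for packet 6", but none of the sid 2 filters in the accompanying test.yaml pin a `pcap_cnt`; suggest adding `pcap_cnt: 6` to those filters so the checks match the description.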
@@ -0,0 +1,24 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
action-order: | ||
- alert | ||
- pass | ||
- drop | ||
- reject | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis | ||
filename: eve.json | ||
types: | ||
- alert: | ||
verdict: yes | ||
- drop: | ||
flows: all | ||
alerts: true | ||
verdict: yes | ||
- http | ||
- flow | ||
|
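Review bot: the `action-order` here (alert, pass, drop, reject) inverts the default and is the whole premise of the test, yet nothing in the file says so; suggest a one-line comment above `action-order:` so a future reader does not "fix" it back to the default. As in the other config, the `#regular|syslog|unix_dgram|unix_stream|redis` comment on `filetype` is default-config leftover and can be removed.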
@@ -0,0 +1,6 @@ | ||
alert http any any -> any any (sid:1;) | ||
# won't generate alert output nor a drop, as flow is passed | ||
drop http any any -> any any (content:"OK"; sid:2;) | ||
alert tcp any any -> any any (sid:3;) | ||
# won't generate alert output, as it's a pass rule | ||
pass http any any -> any any (content:"GET"; sid:4;) |
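Review bot: the comment on sid 2 ("as flow is passed") is only true because of the action-order set in suricata.yaml, under which the `pass` rule sid 4 wins over the `drop` rule sid 2; suggest saying so in the comment, since the rules file read on its own suggests the opposite. Minor: no rule here has a `rev`, unlike the rules in the reject test.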
@@ -0,0 +1,44 @@ | ||
requires: | ||
min-version: 7 | ||
|
||
args: | ||
- --simulate-ips | ||
|
||
pcap: ../detect-app-layer-protocol-02/input.pcap | ||
|
||
checks: | ||
- filter: | ||
count: 2 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 3 | ||
verdict.action: alert | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 1 | ||
verdict.action: pass | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 2 | ||
verdict.action: alert | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: alert | ||
alert.signature_id: 4 | ||
verdict.action: alert | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: drop | ||
alert.signature_id: 2 | ||
verdict.action: drop | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: flow | ||
flow.action: pass |
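Review bot: the `count: 0` filters for sid 2 and sid 4 each include `verdict.action: alert`, so they would still pass if those rules produced an alert with a different verdict (for example `pass`), which is exactly the case the README describes for packet 6; suggest dropping `verdict.action` from the negative filters so they assert that sids 2 and 4 never appear in alert output at all. The README also ties the sid 1 alert with verdict `pass` to pcap_cnt 6, so adding `pcap_cnt: 6` to that filter would make the check as specific as the description.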
@@ -0,0 +1,19 @@ | ||
# Test and Showcase the Verdict Field in IPS mode | ||
|
||
Showcase how a given packet may trigger ``alert`` rules and have a ``verdict`` | ||
``drop`` or ``reject`` due to other rules or events. | ||
|
||
# Behavior | ||
|
||
For pcap_cnt 13, we'll see three events related to the same packet, one alert from | ||
an ``alert`` rule (sid: 1), another for a ``drop`` rule (sid: 3) and finally the | ||
``drop`` event. The verdict, in all three cases, will be ``drop``, due to rule | ||
sid 3. | ||
|
||
We should also see ``alert`` and ``drop`` associated with sid 2, which is a | ||
reject rule for the ICMP protocol. | ||
|
||
|
||
# Pcap | ||
|
||
Comes from the test `decode-teredo-01` as it has a good variety of protocols. |
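Review bot: two consecutive blank lines precede `# Pcap`, and the last line is a fragment ("Comes from the test ..."); suggest "Pcap comes from the test ..." as in the other two READMEs. The rule reference "(sid: 1)" uses a space that the other references ("sid 3", "sid 2") do not; worth making consistent.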
@@ -0,0 +1,4 @@ | ||
alert http any any -> any any (sid: 1;) | ||
reject icmp any any -> any any (sid:2; rev:1;) | ||
drop http any any -> any any (sid:3;) | ||
|
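Review bot: `sid: 1` has a space after the colon while sid 2 and sid 3 are written `sid:2` and `sid:3`; suggest `sid:1` for consistency. The file also ends with an extra blank line, and only sid 2 carries `rev:1`.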
@@ -0,0 +1,17 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filetype: regular | ||
filename: eve.json | ||
types: | ||
- alert: | ||
verdict: yes | ||
- drop: | ||
flows: all | ||
alerts: true | ||
verdict: yes | ||
- http | ||
- anomaly |
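Review bot: this suricata.yaml sets no `action-order`, so the test relies on the default (pass, drop, reject, alert), whereas both other tests in this commit set the order explicitly; suggest adding the default order explicitly with a comment, so the README's claim that the verdict for pcap_cnt 13 is `drop` "due to rule sid 3" does not silently depend on the default.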
@@ -0,0 +1,49 @@ | ||
requires: | ||
min-version: 7 | ||
features: | ||
- LIBNET1.1 | ||
|
||
pcap: ../decode-teredo-01/input.pcap | ||
|
||
args: | ||
- --simulate-ips | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 13 | ||
alert.signature_id: 3 | ||
alert.action: blocked | ||
verdict.action: drop | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
pcap_cnt: 13 | ||
alert.signature_id: 1 | ||
alert.action: allowed | ||
verdict.action: drop | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
pcap_cnt: 13 | ||
drop.reason: rules | ||
verdict.action: drop | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: alert | ||
verdict.action: drop | ||
verdict.reject-target: to_client | ||
verdict.reject: [icmp-prohib] | ||
- filter: | ||
count: 1 | ||
match: | ||
event_type: drop | ||
drop.reason: rules | ||
verdict.action: drop | ||
verdict.reject-target: to_client | ||
verdict.reject: [icmp-prohib] |
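Review bot: the two ICMP filters at the end match only on verdict fields and `drop.reason`; neither pins `alert.signature_id: 2` or a `pcap_cnt`, so they would pass on any reject-generated event rather than the sid 2 ICMP reject the README describes. Suggest adding `alert.signature_id: 2` to both (the drop output has `alerts: true`, and the reject test already matches `alert.signature_id` on `event_type: drop`). Style: `verdict.reject: [icmp-prohib]` is unquoted here but written `["tcp-reset"]` in the reject test.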