OISF · victorjulien · Jul 14, 2023 · Jul 11, 2023 · Jul 11, 2023
diff --git a/tests/bug-5464-verdict-01/README.md b/tests/bug-5464-verdict-01/README.md
@@ -0,0 +1,16 @@
+# Test
+
+Check and showcase alert verdicts when there are ``reject``, ``pass`` and
+``drop`` rules.
+
+# Behavior
+
+We expect to see ``drop`` and ``alert`` events with info about the ``reject``
+that will happen due to rule 2 for pcap_cnt 1 this is due to ``drop`` and ``reject``
+rules being triggered. For the other packets, we should see drops due to the
+flow being dropped as a result of rule 1.
+
+# Pcap
+
+Pcap comes from the test detect-app-layer-protocol-02 and is the result of a
+curl to www.testmyids.com.
diff --git a/tests/bug-5464-verdict-01/suricata.yaml b/tests/bug-5464-verdict-01/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+action-order:
+  - drop
+  - reject
+  - alert
+  - pass
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            verdict: yes
+        - drop:
+            flows: all
+            alerts: true
+            verdict: yes
+        - http
+        - anomaly
+
diff --git a/tests/bug-5464-verdict-01/test.rules b/tests/bug-5464-verdict-01/test.rules
@@ -0,0 +1,3 @@
+drop tcp any any -> any 80 (sid:1; rev:1;)
+rejectdst tcp any any -> any 80 (sid:2; rev:1;)
+pass tcp any any -> any 80 (sid:3; rev:1;)
diff --git a/tests/bug-5464-verdict-01/test.yaml b/tests/bug-5464-verdict-01/test.yaml
@@ -0,0 +1,147 @@
+requires:
+  features:
+    - LIBNET1.1
+
+args:
+- --simulate-ips
+
+pcap:  ../detect-app-layer-protocol-02/input.pcap
+
+checks:
+  # checks for Suricata 6
+  - filter:
+      lt-version: 7
+      count: 1
+      match:
+        pcap_cnt: 1
+        event_type: drop
+        alert.action: blocked
+        alert.signature_id: 1
+  - filter:
+      lt-version: 7
+      count: 1
+      match:
+        pcap_cnt: 1
+        event_type: alert
+        alert.action: blocked
+        alert.signature_id: 1
+  - filter:
+      lt-version: 7
+      count: 1
+      match:
+        pcap_cnt: 1
+        event_type: alert
+        alert.action: blocked
+        alert.signature_id: 2
+
+  # checks for Suricata 7
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        pcap_cnt: 1
+        verdict.action: drop
+        verdict.reject-target: to_server
+        verdict.reject: ["tcp-reset"]
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        pcap_cnt: 1
+        verdict.action: drop
+        verdict.reject-target: to_server
+        verdict.reject: ["tcp-reset"]
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 1
+        verdict.action: drop
+        verdict.reject-target: to_server 
+        verdict.reject: ["tcp-reset"]
+  - filter:
+      min-version: 7
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+        verdict.action: alert
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 5
+        verdict.action: drop
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 6
+        verdict.action: drop
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 7
+        verdict.action: drop
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 8
+        verdict.action: drop
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 9
+        verdict.action: drop
+  - filter:
+      min-version: 7
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 10
+        verdict.action: drop
+
+  # Checks valid for both
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 5
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 6
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 7
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 8
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 9
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 10
diff --git a/tests/bug-5464-verdict-02/README.md b/tests/bug-5464-verdict-02/README.md
@@ -0,0 +1,21 @@
+# Test
+
+Check and showcase alert verdicts when there are ``alert``, ``pass`` and
+``drop`` rules.
+
+# Behavior
+
+It's expected that Suricata will log out alerts for rules 1 and 3. Rule 2 would
+match if the flow weren't already 'passed' when it's triggered and also based on
+action order, and rule 4 isn't logged out with packet 4 as it's a 'pass' alert.
+
+Moreover, when the http transaction is finished, with packet 6 (pcap_cnt: 6),
+we should see an alert for rule 1, as it has a higher priority so is queue as an
+alert first, but still see the 'pass' verdict for same packet - which also leads
+to no alerts or drops for rule 2, that should trigger for packet 6.
+
+# Pcap
+
+Pcap comes from the test detect-app-layer-protocol-02 and is the result of a
+curl to www.testmyids.com.
+
diff --git a/tests/bug-5464-verdict-02/suricata.yaml b/tests/bug-5464-verdict-02/suricata.yaml
@@ -0,0 +1,24 @@
+%YAML 1.1
+---
+
+action-order:
+  - alert
+  - pass
+  - drop
+  - reject
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - alert:
+            verdict: yes
+        - drop:
+            flows: all
+            alerts: true
+            verdict: yes
+        - http
+        - flow
+
diff --git a/tests/bug-5464-verdict-02/test.rules b/tests/bug-5464-verdict-02/test.rules
@@ -0,0 +1,6 @@
+alert http any any -> any any (sid:1;)
+# won't generate alert output nor a drop, as flow is passed
+drop http any any -> any any (content:"OK"; sid:2;)
+alert tcp any any -> any any (sid:3;)
+# won't generate alert output, as it's a pass rule
+pass http any any -> any any (content:"GET"; sid:4;)
diff --git a/tests/bug-5464-verdict-02/test.yaml b/tests/bug-5464-verdict-02/test.yaml
@@ -0,0 +1,44 @@
+requires:
+  min-version: 7
+
+args:
+- --simulate-ips
+
+pcap:  ../detect-app-layer-protocol-02/input.pcap
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 3
+        verdict.action: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        verdict.action: pass
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+        verdict.action: alert
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 4
+        verdict.action: alert
+  - filter:
+      count: 0
+      match:
+        event_type: drop
+        alert.signature_id: 2
+        verdict.action: drop
+  - filter:
+      count: 1
+      match:
+        event_type: flow
+        flow.action: pass
diff --git a/tests/bug-5464-verdict-03/README.md b/tests/bug-5464-verdict-03/README.md
@@ -0,0 +1,19 @@
+# Test and Showcase the Verdict Field in IPS mode
+
+Showcase how a given packet may trigger ``alert`` rules and have a ``verdict``
+``drop`` or ``reject`` due to other rules or events.
+
+# Behavior
+
+For pcap_cnt 13, we'll see three events related to the same packet, one alert from
+an ``alert`` rule (sid: 1), another for a ``drop`` rule (sid: 3) and finally the
+``drop`` event. The verdict, in all three cases, will be ``drop``, due to rule
+sid 3.
+
+We should also see ``alert`` and ``drop`` associated with sid 2, which is a
+reject rule for the ICMP protocol.
+
+
+# Pcap
+
+Comes from the test `decode-teredo-01` as it has a good variety of protocols.
diff --git a/tests/bug-5464-verdict-03/input.rules b/tests/bug-5464-verdict-03/input.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (sid: 1;)
+reject icmp any any -> any any (sid:2; rev:1;)
+drop http any any -> any any (sid:3;)
+
diff --git a/tests/bug-5464-verdict-03/suricata.yaml b/tests/bug-5464-verdict-03/suricata.yaml
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert:
+            verdict: yes
+        - drop:
+            flows: all
+            alerts: true
+            verdict: yes
+        - http
+        - anomaly
diff --git a/tests/bug-5464-verdict-03/test.yaml b/tests/bug-5464-verdict-03/test.yaml
@@ -0,0 +1,49 @@
+requires:
+  min-version: 7
+  features:
+    - LIBNET1.1
+
+pcap: ../decode-teredo-01/input.pcap
+
+args:
+- --simulate-ips
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 13
+        alert.signature_id: 3
+        alert.action: blocked
+        verdict.action: drop
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        pcap_cnt: 13
+        alert.signature_id: 1
+        alert.action: allowed
+        verdict.action: drop
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        pcap_cnt: 13
+        drop.reason: rules
+        verdict.action: drop
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        verdict.action: drop
+        verdict.reject-target: to_client
+        verdict.reject: [icmp-prohib]
+  - filter:
+      count: 1
+      match:
+        event_type: drop
+        drop.reason: rules
+        verdict.action: drop
+        verdict.reject-target: to_client
+        verdict.reject: [icmp-prohib]