From 4f8647ec2444c9f26905ab67d2289f50e0439be4 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 3 Jul 2024 10:29:24 +0200
Subject: [PATCH] tests: ips action test cases

---
 .../ips-state-actions-test-a-01/suricata.yaml | 136 ++++++++++++++++++
 tests/ips-state-actions-test-a-01/test.rules | 5 +
 tests/ips-state-actions-test-a-01/test.yaml | 25 ++++
 .../ips-state-actions-test-a-02/suricata.yaml | 136 ++++++++++++++++++
 tests/ips-state-actions-test-a-02/test.rules | 5 +
 tests/ips-state-actions-test-a-02/test.yaml | 24 ++++
 .../ips-state-actions-test-b-01/suricata.yaml | 136 ++++++++++++++++++
 tests/ips-state-actions-test-b-01/test.rules | 5 +
 tests/ips-state-actions-test-b-01/test.yaml | 30 ++++
 9 files changed, 502 insertions(+)
 create mode 100644 tests/ips-state-actions-test-a-01/suricata.yaml
 create mode 100644 tests/ips-state-actions-test-a-01/test.rules
 create mode 100644 tests/ips-state-actions-test-a-01/test.yaml
 create mode 100644 tests/ips-state-actions-test-a-02/suricata.yaml
 create mode 100644 tests/ips-state-actions-test-a-02/test.rules
 create mode 100644 tests/ips-state-actions-test-a-02/test.yaml
 create mode 100644 tests/ips-state-actions-test-b-01/suricata.yaml
 create mode 100644 tests/ips-state-actions-test-b-01/test.rules
 create mode 100644 tests/ips-state-actions-test-b-01/test.yaml

diff --git a/tests/ips-state-actions-test-a-01/suricata.yaml b/tests/ips-state-actions-test-a-01/suricata.yaml
new file mode 100644
index 000000000..690f93840
--- /dev/null
+++ b/tests/ips-state-actions-test-a-01/suricata.yaml
@@ -0,0 +1,136 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # payload-length: yes # enable dumping payload length + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64 + # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + # app layer frames + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. 
This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # per flow direction. All logs each dropped pkt. + # Enable logging the final action taken on a packet by the engine + # (will show more information in case of a drop caused by 'reject') + verdict: yes + - flow + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level: can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overridden by the SC_LOG_LEVEL env var. 
+ default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This console log format value can be overridden by the SC_LOG_FORMAT env var. + #default-log-format: "%D: %S: %M" + # + # For the pre-7.0 log format use: + #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overridden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Requires libunwind to be available when Suricata is configured and built. + # If a signal unexpectedly terminates Suricata, displays a brief diagnostic + # message with the offending stacktrace if enabled. + #stacktrace-on-signal: on + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default: console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: suricata.log + # format: "[%i - %m] %z %d: %S: %M" + # type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - pass + - drop + - reject + - alert + diff --git a/tests/ips-state-actions-test-a-01/test.rules b/tests/ips-state-actions-test-a-01/test.rules new file mode 100644 index 000000000..c296da5ad --- /dev/null +++ b/tests/ips-state-actions-test-a-01/test.rules 
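Review bot: `default-output-filter:` is left with no value, which YAML loads as null rather than the empty string the comment above it describes ("Defaults to empty"); `default-output-filter: ""` would state the intended default explicitly. The same applies to the byte-identical copies under tests/ips-state-actions-test-a-02/suricata.yaml and tests/ips-state-actions-test-b-01/suricata.yaml (all three carry blob index 690f93840). The `yes`/`no` booleans throughout this file only mean true/false because of the `%YAML 1.1` directive on its first line, so that directive has to survive any later trimming of the file. Since the sibling test.yaml counts individual drop records (`count: 13` in test-a-01), a comment next to `flows: all` such as `# test.yaml drop counts assume one drop record per dropped packet` would keep the config and the expectations from drifting apart.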
@@ -0,0 +1,5 @@
+pass udp any any -> any 6081 (sid:1;)
+pass tcp 2a03:b0c0:0002:00d0:0000:0000:0bd3:4001 any -> 2606:2800:0220:0001:0248:1893:25c8:1946 443 (msg:"PASS_CUSTOM_RULE TCP port:443 to support traffic"; flow:established; sid:201000044;)
+
+pass tcp 2a03:b0c0:0002:00d0::/64 any <> any [[80,443]] (msg:"PASS_HTTP_NOT_ESTABLISHED TCP allow http/https traffic to the established state to allow further inspection"; flow:not_established; sid:201000012;)
+drop ip any any -> any any (msg:"drop_strict action"; flow:stateless; sid:2;)
diff --git a/tests/ips-state-actions-test-a-01/test.yaml b/tests/ips-state-actions-test-a-01/test.yaml
new file mode 100644
index 000000000..bb8acbaf5
--- /dev/null
+++ b/tests/ips-state-actions-test-a-01/test.yaml
@@ -0,0 +1,25 @@
+pcap: ../tls/tls-certs-alert/input.pcap
+
+args:
+ - --set stream.midstream=false
+ - -k none
+
+checks:
+ # drop is applied after app-layer parsing, so getting tls despite dropping
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 13
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: "drop"
diff --git a/tests/ips-state-actions-test-a-02/suricata.yaml b/tests/ips-state-actions-test-a-02/suricata.yaml
new file mode 100644
index 000000000..690f93840
--- /dev/null
+++ b/tests/ips-state-actions-test-a-02/suricata.yaml
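Review bot: The only difference between this rules file and the test-a-02 one is the direction operator of sid 201000044 (`->` here, `<>` there), and test-b-01 changes that rule's protocol to `tls`, yet none of the three files says which behaviour the variation is meant to exercise. A leading comment line such as `# variant a-01: unidirectional pass on 443 with flow:established, stateless drop for everything else` (rules files accept `#` comment lines) would make the intent of each variant reviewable without diffing the directories. The msg `"drop_strict action"` on sid 2 does not match the `drop` action the rule actually uses; if the name is a leftover from another action keyword it should be `"drop action"`, otherwise a comment should say what "strict" refers to.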
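Review bot: The `count: 13` expectation on `event_type: drop` depends on two things outside this file, the `drop.flows: all` setting in the sibling suricata.yaml (one record per dropped packet, per that file's comment) and the packet content of ../tls/tls-certs-alert/input.pcap, but the comment above the checks only explains the tls event. A comment such as `# 13 drop records: one per dropped packet (eve drop.flows: all) in the shared pcap` would let a later pcap or config change be traced to this number. The closing `flow.action: "drop"` check with `count: 0` appears to be the actual assertion of this test (packets were dropped, the flow itself is not marked dropped) and deserves a line saying so.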
@@ -0,0 +1,136 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # payload-length: yes # enable dumping payload length + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64 + # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + # app layer frames + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. 
This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # per flow direction. All logs each dropped pkt. + # Enable logging the final action taken on a packet by the engine + # (will show more information in case of a drop caused by 'reject') + verdict: yes + - flow + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level: can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overridden by the SC_LOG_LEVEL env var. 
+ default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This console log format value can be overridden by the SC_LOG_FORMAT env var. + #default-log-format: "%D: %S: %M" + # + # For the pre-7.0 log format use: + #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overridden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Requires libunwind to be available when Suricata is configured and built. + # If a signal unexpectedly terminates Suricata, displays a brief diagnostic + # message with the offending stacktrace if enabled. + #stacktrace-on-signal: on + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default: console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: suricata.log + # format: "[%i - %m] %z %d: %S: %M" + # type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - pass + - drop + - reject + - alert + diff --git a/tests/ips-state-actions-test-a-02/test.rules b/tests/ips-state-actions-test-a-02/test.rules new file mode 100644 index 000000000..715c99871 --- /dev/null +++ b/tests/ips-state-actions-test-a-02/test.rules 
@@ -0,0 +1,5 @@
+pass udp any any -> any 6081 (sid:1;)
+pass tcp 2a03:b0c0:0002:00d0:0000:0000:0bd3:4001 any <> 2606:2800:0220:0001:0248:1893:25c8:1946 443 (msg:"PASS_CUSTOM_RULE TCP port:443 to support traffic"; flow:established; sid:201000044;)
+
+pass tcp 2a03:b0c0:0002:00d0::/64 any <> any [[80,443]] (msg:"PASS_HTTP_NOT_ESTABLISHED TCP allow http/https traffic to the established state to allow further inspection"; flow:not_established; sid:201000012;)
+drop ip any any -> any any (msg:"drop_strict action"; flow:stateless; sid:2;)
diff --git a/tests/ips-state-actions-test-a-02/test.yaml b/tests/ips-state-actions-test-a-02/test.yaml
new file mode 100644
index 000000000..a1eefddf5
--- /dev/null
+++ b/tests/ips-state-actions-test-a-02/test.yaml
@@ -0,0 +1,24 @@
+pcap: ../tls/tls-certs-alert/input.pcap
+
+args:
+ - --set stream.midstream=false
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: "drop"
diff --git a/tests/ips-state-actions-test-b-01/suricata.yaml b/tests/ips-state-actions-test-b-01/suricata.yaml
new file mode 100644
index 000000000..690f93840
--- /dev/null
+++ b/tests/ips-state-actions-test-b-01/suricata.yaml
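Review bot: This test expects zero drop events although its rules file still ends with `drop ip any any -> any any (... flow:stateless ...)`, and unlike test-a-01 there is no comment explaining why; presumably the bidirectional `<>` form of sid 201000044 now covers the traffic the stateless drop would otherwise hit, but that is inferred from the rules diff rather than stated. A comment above `checks:` along the lines of `# unlike test-a-01, sid 201000044 is bidirectional (<>), so no packet should be dropped` would record the intent next to the expectation it justifies.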
@@ -0,0 +1,136 @@ +%YAML 1.1 +--- + +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # payload-length: yes # enable dumping payload length + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + # websocket-payload: yes # Requires metadata; enable dumping of WebSocket Payload in Base64 + # websocket-payload-printable: yes # Requires metadata; enable dumping of WebSocket Payload in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + # app layer frames + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. + # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. 
This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4, subjectaltname] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # per flow direction. All logs each dropped pkt. + # Enable logging the final action taken on a packet by the engine + # (will show more information in case of a drop caused by 'reject') + verdict: yes + - flow + +# Logging configuration. This is not about logging IDS alerts/events, but +# output about what Suricata is doing, like startup messages, errors, etc. +logging: + # The default log level: can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overridden by the SC_LOG_LEVEL env var. 
+ default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overridden in an + # output section. You can leave this out to get the default. + # + # This console log format value can be overridden by the SC_LOG_FORMAT env var. + #default-log-format: "%D: %S: %M" + # + # For the pre-7.0 log format use: + #default-log-format: "[%i] %t [%S] - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overridden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Requires libunwind to be available when Suricata is configured and built. + # If a signal unexpectedly terminates Suricata, displays a brief diagnostic + # message with the offending stacktrace if enabled. + #stacktrace-on-signal: on + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default: console output. + outputs: + - console: + enabled: yes + # type: json + - file: + enabled: yes + level: info + filename: suricata.log + # format: "[%i - %m] %z %d: %S: %M" + # type: json + - syslog: + enabled: no + facility: local5 + format: "[%i] <%d> -- " + # type: json + +# Set the order of alerts based on actions +# The default order is pass, drop, reject, alert +action-order: + - pass + - drop + - reject + - alert + diff --git a/tests/ips-state-actions-test-b-01/test.rules b/tests/ips-state-actions-test-b-01/test.rules new file mode 100644 index 000000000..b5089e82e --- /dev/null +++ b/tests/ips-state-actions-test-b-01/test.rules 
@@ -0,0 +1,5 @@
+pass udp any any -> any 6081 (sid:1;)
+pass tls 2a03:b0c0:0002:00d0:0000:0000:0bd3:4001 any -> 2606:2800:0220:0001:0248:1893:25c8:1946 443 (msg:"PASS_CUSTOM_RULE TCP port:443 to support traffic"; flow:established; sid:201000044;)
+
+pass tcp 2a03:b0c0:0002:00d0::/64 any <> any [[80,443]] (msg:"PASS_HTTP_NOT_ESTABLISHED TCP allow http/https traffic to the established state to allow further inspection"; flow:not_established; sid:201000012;)
+drop ip any any -> any any (msg:"drop_strict action"; flow:stateless; sid:2;)
diff --git a/tests/ips-state-actions-test-b-01/test.yaml b/tests/ips-state-actions-test-b-01/test.yaml
new file mode 100644
index 000000000..98fc55fdb
--- /dev/null
+++ b/tests/ips-state-actions-test-b-01/test.yaml
@@ -0,0 +1,30 @@
+pcap: ../tls/tls-certs-alert/input.pcap
+
+args:
+ - --set stream.midstream=false
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ - filter:
+ min-version: 7
+ count: 13
+ match:
+ event_type: drop
+ - filter:
+ lt-version: 7
+ count: 0
+ match:
+ event_type: drop
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ - filter:
+ count: 0
+ match:
+ event_type: flow
+ flow.action: "drop"
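Review bot: Sid 201000044 now uses protocol `tls` but keeps the msg `"PASS_CUSTOM_RULE TCP port:443 to support traffic"`, so the logged text describes a different rule than the one loaded; `msg:"PASS_CUSTOM_RULE TLS port:443 to support traffic"` would keep the two in step. The same sid is reused with a different body in test-a-01 and test-a-02, which is harmless across separate test directories but worth a `# same sid as test-a-0x, protocol differs` comment if these rule files are ever consolidated.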
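Review bot: The drop-count expectation is split by version here (`min-version: 7` expecting 13, `lt-version: 7` expecting 0) while the otherwise identical `count: 13` check in test-a-01 carries no version gate; if the 13 drops in test-a-01 also depend on 7.x behaviour that check needs the same `min-version: 7`, and if they do not, a comment here should say why the `pass tls` variant produces no drop records before 7 — I cannot tell which from the diff. Either way a comment above the two gated filters, e.g. `# <7.0 produces no drop records for this rule set (reason: <fill in>); 7.x drops one record per packet`, would stop the next reader from having to rediscover the distinction.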