diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/README.md b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/README.md
new file mode 100644
index 000000000..fb5fe55fd
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/README.md
@@ -0,0 +1,4 @@
+Firewall Tests
+==============
+
+Test 3whs state tracking using flowbits.
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/suricata.yaml b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/suricata.yaml
new file mode 100644
index 000000000..b67886b55
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/suricata.yaml
@@ -0,0 +1,101 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. 
+ # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # ja4 hashes in tls records will never be logged unless + # the following is set to on. (Default off) + # ja4: off + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. 
+ # This output is experimental, meant for debugging and subject to
+ change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.rules b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.rules
new file mode 100644
index 000000000..4bc3c6353
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.rules
@@ -0,0 +1,13 @@
+# allow tcp handshake
+
+pass tcp any any -> any 443 (flags:S; flow:not_established; flowbits:set,syn; sid:1;)
+pass tcp any 443 -> any any (flags:SA; flow:not_established; flowbits:isset,syn; flowbits:set,synack; sid:2;)
+pass tcp any any -> any 443 (flags:A; flow:not_established; flowbits:isset,synack; flowbits:unset,syn; flowbits:unset,synack; sid:3;)
+
+# allow established
+
+pass tcp any any <> any 443 (flow:established; sid:4;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:5;)
diff --git a/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
new file mode 100644
index 000000000..e6b9e7dac
--- /dev/null
+++ b/tests/firewall/firewall-01-tcp-pkt-state-flowbits/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/README.md b/tests/firewall/firewall-02-tcp-pkt-state-flow/README.md
new file mode 100644
index 000000000..809e7b46f
--- /dev/null
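Review bot: suricata.yaml is added as the same blob (index b67886b55) in all five new directories, so a later change to the logging setup, for example the drop output's `flows: all`, has to be repeated five times and the copies can silently drift. If the test runner allows sharing one config between tests, a single copy would be preferable; otherwise a header comment such as `# Trimmed eve-log config used verbatim by the tests/firewall/firewall-0* tests; keep the copies in sync` would at least make the duplication visible. The identical hunks for tests 02, 03, 04 and 06 would carry the same comment.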
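Review bot: `flags:S` on sid:1 matches only a SYN with no other flag bits set, so a SYN from an ECN-capable client (CWR and ECE set) is not passed by the handshake rules and falls through to sid:5; if these rules are meant as a reusable pattern rather than only for this pcap, the ignore-list form `flags:S,CE;` (and likewise `flags:SA,CE;` on sid:2) avoids that. Independently, the `# allow tcp handshake` comment does not say that the three rules model SYN, SYN/ACK and ACK in order via the syn/synack flowbits, that with Suricata's default action order the pass rules win over sid:5 regardless of their position in the file, and that any packet breaking the sequence is therefore dropped; a short comment stating those three points would make the test self-describing.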
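Review bot: the checks only assert the absence of alert and drop records plus one tls record, so the test passes identically if sid:5 is not loaded at all; there is no positive control that the drop rule is active. A check on the stats record's rule-load counters (the `detect.engines` entries report loaded and failed rule counts; confirm the exact key path against an actual eve.json) would make such a regression visible. This test.yaml is the same blob (e6b9e7dac) as the one in tests 02 and 03, so the point applies there too, and because all three share identical expectations a reader cannot tell from the checks alone that flowbits tracking and flow-state tracking were exercised differently; a comment above `checks:` naming what this rule set is expected to do with the pcap would help.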
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/README.md
@@ -0,0 +1,4 @@
+Firewall Tests
+==============
+
+Test 3whs state tracking using flow state.
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/suricata.yaml b/tests/firewall/firewall-02-tcp-pkt-state-flow/suricata.yaml
new file mode 100644
index 000000000..b67886b55
--- /dev/null
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/suricata.yaml
@@ -0,0 +1,101 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. 
+ # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # ja4 hashes in tls records will never be logged unless + # the following is set to on. (Default off) + # ja4: off + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. 
+ # This output is experimental, meant for debugging and subject to
+ change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.rules b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.rules
new file mode 100644
index 000000000..c536c3c8a
--- /dev/null
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.rules
@@ -0,0 +1,11 @@
+# allow tcp handshake
+
+pass tcp any any <> any 443 (flow:not_established; sid:1;)
+
+# allow established
+
+pass tcp any any <> any 443 (flow:established; sid:4;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:5;)
diff --git a/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
new file mode 100644
index 000000000..e6b9e7dac
--- /dev/null
+++ b/tests/firewall/firewall-02-tcp-pkt-state-flow/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
diff --git a/tests/firewall/firewall-03-tcp-tls-enforce/README.md b/tests/firewall/firewall-03-tcp-tls-enforce/README.md
new file mode 100644
index 000000000..c68749c2e
--- /dev/null
+++ b/tests/firewall/firewall-03-tcp-tls-enforce/README.md
@@ -0,0 +1,4 @@
+Firewall: enforce TLS
+=====================
+
+Rules to allow TCP setup, followed by TLS. Drop all else.
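Review bot: sid:1 passes any packet, in either direction, of a flow that has not yet reached the established state, which is broader than the flowbits gate in test 01: a stray ACK or a data segment on a handshake that never completes is passed rather than dropped, and the README's "3whs state tracking using flow state" does not spell out that difference. If that is intended, say so on the rule, e.g. `# any packet of a not-yet-established flow is passed; handshake completion itself is not verified here`. Separately, the sids jump from 1 to 4 and 5, which reads as a leftover of the flowbits version; renumber to 1, 2, 3 as tests 03 through 06 do, or keep the numbers and note why.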
diff --git a/tests/firewall/firewall-03-tcp-tls-enforce/suricata.yaml b/tests/firewall/firewall-03-tcp-tls-enforce/suricata.yaml
new file mode 100644
index 000000000..b67886b55
--- /dev/null
+++ b/tests/firewall/firewall-03-tcp-tls-enforce/suricata.yaml
@@ -0,0 +1,101 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. 
+ # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # ja4 hashes in tls records will never be logged unless + # the following is set to on. (Default off) + # ja4: off + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. 
+ # This output is experimental, meant for debugging and subject to
+ change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
diff --git a/tests/firewall/firewall-03-tcp-tls-enforce/test.rules b/tests/firewall/firewall-03-tcp-tls-enforce/test.rules
new file mode 100644
index 000000000..435a022b4
--- /dev/null
+++ b/tests/firewall/firewall-03-tcp-tls-enforce/test.rules
@@ -0,0 +1,11 @@
+# allow tcp handshake
+
+pass tcp any any <> any 443 (flow:not_established; sid:1;)
+
+# allow tls
+
+pass tls any any <> any 443 (flow:established; sid:2;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:3;)
diff --git a/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml b/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
new file mode 100644
index 000000000..e6b9e7dac
--- /dev/null
+++ b/tests/firewall/firewall-03-tcp-tls-enforce/test.yaml
@@ -0,0 +1,20 @@
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 0
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.subject: C=FR, ST=IDF, L=Paris, O=Stamus, CN=SELKS
diff --git a/tests/firewall/firewall-04-tls-sni-enforce/README.md b/tests/firewall/firewall-04-tls-sni-enforce/README.md
new file mode 100644
index 000000000..52438ecf7
--- /dev/null
+++ b/tests/firewall/firewall-04-tls-sni-enforce/README.md
@@ -0,0 +1,6 @@
+Firewall: test enforcing TLS with specific SNI
+==============================================
+
+Simple case of testing:
+- TCP handshake
+- TLS SNI is what is expected
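Review bot: sid:2 is a `pass tls` rule with no further match, so as soon as app-layer detection identifies TLS on an established flow to port 443 the flow is passed; as far as I can tell from Suricata's pass semantics that state stays on the flow, so later packets of it are not evaluated against sid:3 again, which the README's "Drop all else" could be read to contradict. A comment on the rule such as `# once TLS is detected the pass applies to the rest of the flow, not per packet` would document the intended scope. If per-packet enforcement after detection is what the test is meant to prove, the checks would need a flow that stops speaking TLS after detection, which this pcap presumably does not contain.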
diff --git a/tests/firewall/firewall-04-tls-sni-enforce/suricata.yaml b/tests/firewall/firewall-04-tls-sni-enforce/suricata.yaml
new file mode 100644
index 000000000..b67886b55
--- /dev/null
+++ b/tests/firewall/firewall-04-tls-sni-enforce/suricata.yaml
@@ -0,0 +1,101 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. 
+ # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # ja4 hashes in tls records will never be logged unless + # the following is set to on. (Default off) + # ja4: off + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. 
+ # This output is experimental, meant for debugging and subject to
+ change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
diff --git a/tests/firewall/firewall-04-tls-sni-enforce/test.rules b/tests/firewall/firewall-04-tls-sni-enforce/test.rules
new file mode 100644
index 000000000..e630972fd
--- /dev/null
+++ b/tests/firewall/firewall-04-tls-sni-enforce/test.rules
@@ -0,0 +1,11 @@
+# allow tcp handshake
+
+pass tcp any any <> any 443 (flow:not_established; sid:1;)
+
+# allow tls
+
+pass tls any any <> any 443 (flow:established; tls.sni; content:"raw.githubusercontent.com"; sid:2;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:3;)
diff --git a/tests/firewall/firewall-04-tls-sni-enforce/test.yaml b/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
new file mode 100644
index 000000000..e6f58dbac
--- /dev/null
+++ b/tests/firewall/firewall-04-tls-sni-enforce/test.yaml
@@ -0,0 +1,31 @@
+pcap: ../../bug-2646-01/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 28
+ drop.reason: "stream midstream"
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 29
+ drop.reason: "flow drop"
+- filter:
+ count: 2
+ match:
+ event_type: drop
+- filter:
+ count: 1
+ match:
+ event_type: tls
diff --git a/tests/firewall/firewall-06-tls-sni-enforce/README.md b/tests/firewall/firewall-06-tls-sni-enforce/README.md
new file mode 100644
index 000000000..d3991cfe1
--- /dev/null
+++ b/tests/firewall/firewall-06-tls-sni-enforce/README.md
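Review bot: `tls.sni; content:"raw.githubusercontent.com";` on sid:2 is an unanchored substring match, so as an allowlist it also passes any SNI that merely contains the allowed name as part of a longer label sequence; anchoring it with `content:"raw.githubusercontent.com"; bsize:25;` (or `startswith; endswith;`) turns the rule into an exact match of the buffer. The `allowed.local` rule in test 06's test.rules has the same shape and should be anchored the same way even though that test expects a mismatch, so both tests exercise the rule form that a real deployment would use.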
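Review bot: the two per-packet checks pin `drop.reason: "stream midstream"` for pcap_cnt 28 and `"flow drop"` for 29 without saying why any drop is expected in a test whose rules are supposed to pass the whole TLS flow, and the `count: 0` alert check shows these drops are not produced by sid:3. A comment above them, e.g. `# packets 28/29 are dropped by the stream engine (midstream pickup), not by a rule; the alert count of 0 above confirms that`, would tell a future maintainer to look at stream policy rather than at the rules if they fail. That the drops come from midstream handling is inferred from the reason string alone, so confirm it against the eve output before committing the wording. Test 06's test.yaml carries the same two checks and would take the same comment.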
@@ -0,0 +1,4 @@
+Firewall: pass TLS only for correct SNI
+=======================================
+
+Test that if the SNI is wrong, the rest of the flow is dropped.
diff --git a/tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml b/tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml
new file mode 100644
index 000000000..b67886b55
--- /dev/null
+++ b/tests/firewall/firewall-06-tls-sni-enforce/suricata.yaml
@@ -0,0 +1,101 @@ +%YAML 1.1 +--- + +# Global stats configuration +stats: + enabled: yes + # The interval field (in seconds) controls the interval at + # which stats are updated in the log. + interval: 8 + # Add decode events to stats. + #decoder-events: true + # Decoder event prefix in stats. Has been 'decoder' before, but that leads + # to missing events in the eve.stats records. See issue #2225. + #decoder-events-prefix: "decoder.event" + # Add stream events as stats. + #stream-events: false + +# Configure the type of alert (and other) logging you would like. +outputs: + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert: + # payload: yes # enable dumping payload in Base64 + # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log + # payload-printable: yes # enable dumping payload in printable (lossy) format + # packet: yes # enable dumping of packet (without stream segments) + # metadata: no # enable inclusion of app layer metadata with alert. Default yes + # http-body: yes # Requires metadata; enable dumping of HTTP body in Base64 + # http-body-printable: yes # Requires metadata; enable dumping of HTTP body in printable format + + # Enable the logging of tagged packets for rules using the + # "tag" keyword. + tagged-packets: yes + # Enable logging the final action taken on a packet by the engine + # (e.g: the alert may have action 'allowed' but the verdict be + # 'drop' due to another alert. That's the engine's verdict) + # verdict: yes + - anomaly: + # Anomaly log records describe unexpected conditions such + # as truncated packets, packets with invalid IP/UDP/TCP + # length values, and other events that render the packet + # invalid for further processing or describe unexpected + # behavior on an established stream. Networks which + # experience high occurrences of anomalies may experience + # packet processing degradation. 
+ # + # Anomalies are reported for the following: + # 1. Decode: Values and conditions that are detected while + # decoding individual packets. This includes invalid or + # unexpected values for low-level protocol lengths as well + # as stream related events (TCP 3-way handshake issues, + # unexpected sequence number, etc). + # 2. Stream: This includes stream related events (TCP + # 3-way handshake issues, unexpected sequence number, + # etc). + # 3. Application layer: These denote application layer + # specific conditions that are unexpected, invalid or are + # unexpected given the application monitoring state. + # + # By default, anomaly logging is enabled. When anomaly + # logging is enabled, applayer anomaly reporting is + # also enabled. + enabled: yes + # + # Choose one or more types of anomaly logging and whether to enable + # logging of the packet header for packet anomalies. + types: + # decode: no + # stream: no + # applayer: yes + #packethdr: no + - tls: + extended: yes # enable this for extended logging information + # output TLS transaction where the session is resumed using a + # session id + #session-resumption: no + # ja4 hashes in tls records will never be logged unless + # the following is set to on. (Default off) + # ja4: off + # custom controls which TLS fields that are included in eve-log + #custom: [subject, issuer, session_resumed, serial, fingerprint, sni, version, not_before, not_after, certificate, chain, ja3, ja3s, ja4] + - files: + force-magic: no # force logging magic on all logged files + # force logging of checksums, available hash functions are md5, + # sha1 and sha256 + #force-hash: [md5] + - drop: + alerts: yes # log alerts that caused drops + flows: all # start or all: 'start' logs only a single drop + # EXPERIMENTAL per packet output giving TCP state tracking details + # including internal state, flags, etc. 
+ # This output is experimental, meant for debugging and subject to
+ change in both config and output without any notice.
+ #- stream:
+ # all: false # log all TCP packets
+ # event-set: false # log packets that have a decoder/stream event
+ # state-update: false # log packets triggering a TCP state update
+ # spurious-retransmission: false # log spurious retransmission packets
diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.rules b/tests/firewall/firewall-06-tls-sni-enforce/test.rules
new file mode 100644
index 000000000..37e0fc246
--- /dev/null
+++ b/tests/firewall/firewall-06-tls-sni-enforce/test.rules
@@ -0,0 +1,11 @@
+# allow tcp handshake
+
+pass tcp any any <> any 443 (flow:not_established; sid:1;)
+
+# allow tls if the SNI matches, which it won't
+
+pass tls any any <> any 443 (flow:established; tls.sni; content:"allowed.local"; sid:2;)
+
+# drop everything else
+
+drop ip any any -> any any (msg:"Drop all else"; flow:stateless; sid:3;)
diff --git a/tests/firewall/firewall-06-tls-sni-enforce/test.yaml b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
new file mode 100644
index 000000000..0c54b3cba
--- /dev/null
+++ b/tests/firewall/firewall-06-tls-sni-enforce/test.yaml
@@ -0,0 +1,41 @@
+pcap: ../../bug-2646-01/input.pcap
+
+args:
+- -k none
+- --simulate-ips
+
+checks:
+- filter:
+ count: 26
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 26
+ match:
+ event_type: alert
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 28
+ drop.reason: "stream midstream"
+- filter:
+ count: 1
+ match:
+ event_type: drop
+ pcap_cnt: 29
+ drop.reason: "flow drop"
+- filter:
+ count: 26
+ match:
+ event_type: drop
+- filter:
+ count: 2
+ match:
+ event_type: alert
+ pkt_src: "stream (flow timeout)"
+- filter:
+ count: 1
+ match:
+ event_type: tls
diff --git a/tests/rule-types/rule-types.rules b/tests/rule-types/rule-types.rules
index b0520262b..443ec1055
--- a/tests/rule-types/rule-types.rules
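Review bot: the `count: 26` drop check counts every drop record, including the two stream-engine drops at pcap_cnt 28 and 29 that the earlier checks pin separately, so by itself it does not show that the remaining drops are the mismatched-SNI flow being dropped by sid:3 as the README promises. If the drop records carry the alert object that the config's `alerts: yes` enables, a filter combining `event_type: drop` with `alert.signature_id: 3` would tie the drops to the rule; take its expected count from the actual eve.json rather than from arithmetic on these numbers. A one-line comment above the two 26-alert checks noting that the two `pkt_src: "stream (flow timeout)"` alerts are included in that 26 (the totals imply it, since all 26 alerts are sid 3) would save a reader working it out. Unrelated to the checks, the directory numbering goes from 04 to 06; if a test was dropped, saying so in the README avoids the question.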
+++ b/tests/rule-types/rule-types.rules @@ -9,6 +9,7 @@ alert tcp-pkt any any -> any any (msg:"tcp-pkt, anchored content"; content:"abc" alert tcp any any -> any any (msg:"tcp, no content"; sid:301;) alert tcp any any -> any any (msg:"tcp, simple content"; content:"abc"; sid:302;) alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;) +alert tcp !192.168.0.1 any -> any any (msg:"tcp, negated IP address"; sid:304;) alert tcp any any -> any any (msg:"tcp, pd negated"; app-layer-protocol:!http; sid:401;) alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;) @@ -38,3 +39,4 @@ alert tcp any any -> any any (msg:"byte_extract with dce"; dcerpc.stub_data; con alert udp any any -> any any (msg:"UDP with flow direction"; flow:to_server; sid:1001;) +alert pkthdr any any -> any any (msg:"SURICATA IPv6 duplicated Hop-By-Hop Options extension header"; decode-event:ipv6.exthdr_dupl_hh; classtype:protocol-command-decode; sid:1101;) diff --git a/tests/rule-types/test.yaml b/tests/rule-types/test.yaml index ed16f105b..7b00edb4e 100644 --- a/tests/rule-types/test.yaml +++ b/tests/rule-types/test.yaml @@ -160,3 +160,15 @@ checks: match: id: 1001 type: "pkt" + - filter: + filename: rules.json + count: 1 + match: + id: 1101 + type: "de_only" + - filter: + filename: rules.json + count: 1 + match: + id: 304 + type: "like_ip_only"