tests: add test for bug 5867 FP drop log events
Bug #5867
1 parent 3023b37, commit 9204cf9

Showing 5 changed files with 67 additions and 0 deletions.
@@ -0,0 +1,22 @@ | ||
# Test | ||
|
||
This test [currently] demonstrates Suricata bug 5867: there are false positive | ||
drop events in the eve logs, for packets that triggered higher priority PASS | ||
rules and DROP rules. | ||
|
||
In the scenario shown in this test, `PASS` has a higher priority in the action | ||
order (as it's the default), so the packet should trigger the PASS rule first, | ||
so the DROP rule should have no effect. Even though the flow continues, the DROP | ||
events are seeing in the log. | ||
|
||
Bug report: https://redmine.openinfosecfoundation.org/issues/5867 | ||
|
||
# Behavior | ||
|
||
This test currently fails, for we should see no DROP events, but we do. | ||
|
||
# Pcap | ||
|
||
Pcap comes from forum post where bug was reported the first time: | ||
https://forum.suricata.io/t/drop-log-false-positive-records-possible-since-6-0-6/3228 | ||
|
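Review bot: the README says PASS has a higher priority in the action order "as it's the default", but the suricata.yaml added in this same commit overrides `action-order` to `drop, pass, reject, alert`, which places DROP ahead of PASS; either this sentence or the config should change so the README describes the order the test actually runs with. Wording in the same hunk: "the DROP events are seeing in the log" should read "are seen in the log", and "This test currently fails, for we should see no DROP events, but we do" reads more clearly as "This test currently fails: we should see no DROP events, but we do".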
Binary file not shown.
@@ -0,0 +1,25 @@ | ||
%YAML 1.1 | ||
--- | ||
|
||
outputs: | ||
- eve-log: | ||
enabled: yes | ||
filename: eve.json | ||
types: | ||
- alert | ||
- anomaly | ||
- drop: | ||
alerts: yes | ||
flows: start | ||
- flow | ||
- smtp | ||
|
||
action-order: | ||
- drop | ||
- pass | ||
- reject | ||
- alert | ||
|
||
exception-policy: ignore | ||
|
||
|
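Review bot: the `action-order` block lists `drop` before `pass`, which is not Suricata's default order and contradicts the README in this commit; if the intent is to reproduce the reported false positive under the default order, remove the whole `action-order` block, otherwise update the README to match. Also note that the `drop` output is configured with `flows: start`, so only the first drop per flow direction is logged; the `count: 0` check is unaffected, but a comment would save the next reader from wondering why only one event would appear if the bug fires on several packets.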
@@ -0,0 +1,2 @@ | ||
pass tcp 172.17.1.0/24 any -> any 225 (msg:"PASS LOCAL NET Port 225::no flags::flow to_server::no thresholds"; flow:to_server; classtype:misc-activity; sid:1000100; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;) | ||
drop tcp 172.17.1.0/24 any -> any 225 (msg:"DROP LOCAL NET Port 225::no flags::flow established to_server::no thresholds"; flow:to_server,established; classtype:misc-activity; sid:1000101; rev:1; metadata:created_at 2023_02_07, updated_at 2023_02_07;) |
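Review bot: the two rules differ only in the `established` flag on the drop rule's `flow` keyword, and nothing in the file says this is deliberate; a `#` comment at the top naming bug 5867 and stating that the pass rule (sid 1000100) is expected to win over the drop rule (sid 1000101) would help whoever revisits this test. The `msg` strings also carry a "::no flags::flow to_server::no thresholds" naming scheme that the test does not rely on and could be shortened to the essential "PASS LOCAL NET Port 225" / "DROP LOCAL NET Port 225".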
@@ -0,0 +1,18 @@ | ||
requires: | ||
min-version: 6 | ||
args: | ||
- -k none | ||
- --set stream.midstream=true | ||
- --simulate-ips | ||
|
||
checks: | ||
- filter: | ||
count: 1 | ||
match: | ||
dest_ip: 172.17.1.105 | ||
dest_port: 225 | ||
event_type: smtp | ||
- filter: | ||
count: 0 | ||
match: | ||
event_type: drop |
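Review bot: the checks assert one `smtp` event and zero `drop` events, but nothing asserts that the traffic matched the rules at all, so the test would also pass if neither rule fired (for example if the `-k none` or `stream.midstream=true` assumptions about the pcap no longer held); consider adding a `flow` event check for dest_ip 172.17.1.105 / dest_port 225 so a silent non-match is caught. The README should also say why `-k none`, `--set stream.midstream=true` and `--simulate-ips` are required for this pcap, since those arguments are what make the drop rule reachable.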