From 5a920146d3cc14797cb29528404d0b5e0974f71e Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Mon, 27 Nov 2023 20:02:11 +0100
Subject: [PATCH 1/2] tls: do not check pcap_cnt as a tls event can come from a flush after setting no_inspection

---
 tests/community-id-ipv4/test.yaml | 1 -
 tests/community-id-ipv6/test.yaml | 2 --
 2 files changed, 3 deletions(-)

diff --git a/tests/community-id-ipv4/test.yaml b/tests/community-id-ipv4/test.yaml
index 436478fd6..647d58375 100644
--- a/tests/community-id-ipv4/test.yaml
+++ b/tests/community-id-ipv4/test.yaml
@@ -9,7 +9,6 @@ checks:
 dest_ip: 172.217.14.206
 dest_port: 443
 event_type: tls
- pcap_cnt: 7
 proto: TCP
 src_ip: 172.26.0.39
 src_port: 35958
diff --git a/tests/community-id-ipv6/test.yaml b/tests/community-id-ipv6/test.yaml
index daf362242..96a056c62 100644
--- a/tests/community-id-ipv6/test.yaml
+++ b/tests/community-id-ipv6/test.yaml
@@ -9,7 +9,6 @@ checks:
 dest_ip: 2607:f8b0:400a:0800:0000:0000:0000:200e
 dest_port: 443
 event_type: tls
- pcap_cnt: 41
 proto: TCP
 src_ip: 2600:1f13:00f8:d400:03a6:303c:e011:18eb
 src_port: 60202
@@ -22,7 +21,6 @@ checks:
 dest_ip: 2001:4860:4860:0000:0000:0000:0000:8888
 dest_port: 443
 event_type: tls
- pcap_cnt: 7
 proto: TCP
 src_ip: 2600:1f13:00f8:d400:03a6:303c:e011:18eb
 src_port: 33892

From a8e848ed074475c166b2bdb73ead1439f6a84078 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 5 Dec 2023 09:26:39 +0100
Subject: [PATCH 2/2] exception-policy: fix test to be more robust

We do not want to test number of alerts on every pseudo-packets

Ticket: 6578
---
 tests/exception-policy-simulated-flow-memcap/test.rules | 4 +++-
 tests/exception-policy-simulated-flow-memcap/test.yaml | 9 +++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/tests/exception-policy-simulated-flow-memcap/test.rules b/tests/exception-policy-simulated-flow-memcap/test.rules
index b9d1df2fb..97d3761b9 100644
--- a/tests/exception-policy-simulated-flow-memcap/test.rules
+++ b/tests/exception-policy-simulated-flow-memcap/test.rules
@@ -1 +1,3 @@
-alert tls any any -> any any (msg:"tls app-proto"; sid:1000001; rev:1;)
+# do not test alert for every tls, as there can be additional pseudo-packets
+# alert tls any any -> any any (msg:"tls app-proto"; sid:1000001; rev:1;)
+alert tls any any -> any any (msg:"Stamus TLS"; tls_cert_issuer; content:"O=Stamus"; sid:1; rev:1;)
diff --git a/tests/exception-policy-simulated-flow-memcap/test.yaml b/tests/exception-policy-simulated-flow-memcap/test.yaml
index 11632c687..f3fce2ae5 100644
--- a/tests/exception-policy-simulated-flow-memcap/test.yaml
+++ b/tests/exception-policy-simulated-flow-memcap/test.yaml
@@ -12,10 +12,6 @@ args:
 - --set flow.memcap-policy=drop-flow
 checks:
- - filter:
- count: 97
- match:
- event_type: alert
 - filter:
 count: 1
 match:
@@ -30,3 +26,8 @@ checks:
 match:
 event_type: stats
 stats.tcp.midstream_pickups: 1
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 1
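Review bot: The replacement signature on the last added line matches the issuer with an unanchored substring, `content:"O=Stamus"`, so it fires on any certificate whose issuer DN merely contains that text, and nothing in the file says how many such certificates the pcap carries or why that number is stable under the drop-flow memcap policy. A one-line comment above it, `# expect one alert per TLS session presenting a certificate issued by O=Stamus; not re-triggered by flush pseudo-packets`, would let the next reader reconcile it with the alert-count check in test.yaml. It may also be worth using the sticky-buffer spelling `tls.cert_issuer` instead of the legacy `tls_cert_issuer` if the rest of the suite has moved to the newer syntax; I cannot tell from this hunk which form the suite standardizes on. Keeping the old rule as a comment documents the intent well, but note the sid moves from 1000001 to 1, which the yaml check now depends on via `alert.signature_id: 1`.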
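Review bot: The check added at the end of the second hunk pins `count: 4` on `alert.signature_id: 1` with no note on where 4 comes from, so it is as opaque as the `count: 97` it replaces: a reader cannot tell whether 4 is the number of TLS sessions presenting a matching issuer certificate or whether a flush-generated pseudo-packet could still contribute an extra alert. The rules file's comment explains why the per-TLS rule was dropped, but nothing states why the issuer-based rule is immune to that double counting; a comment such as `# one alert per TLS session whose cert issuer contains O=Stamus (4 in the pcap)` directly above the filter would capture it. Since the first hunk's context shows `--set flow.memcap-policy=drop-flow`, it would also help to say whether all four sessions are expected to complete their handshake before the simulated memcap starts dropping flows, as otherwise the count depends on the memcap trigger point rather than on the pcap alone; I cannot confirm that from the hunk. The `checks:` list this entry belongs to starts before the hunk.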