bypass: verify bypass behavior

Ticket: 6788
OISF · Oct 6, 2024 · 3a09742 · 3a09742
1 parent 694ff40
commit 3a09742
Show file tree

Hide file tree

Showing 15 changed files with 157 additions and 0 deletions.
diff --git a/tests/bypass-depth-disabled/README.md b/tests/bypass-depth-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed even with minimal reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-disabled/input.pcap b/tests/bypass-depth-disabled/input.pcap
diff --git a/tests/bypass-depth-disabled/test.yaml b/tests/bypass-depth-disabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 0
+      flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-depth-enabled/README.md b/tests/bypass-depth-enabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that traffic is bypassed after reaching the reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-enabled/input.pcap b/tests/bypass-depth-enabled/input.pcap
diff --git a/tests/bypass-depth-enabled/test.yaml b/tests/bypass-depth-enabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 11
+      flow_bypassed.local_bytes: 6126
diff --git a/tests/bypass-ssh-enabled/README.md b/tests/bypass-ssh-enabled/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the SSH traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://www.cloudshark.org/captures/9b72eb8febf9
+File: ssh-server-client.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-ssh-enabled/input.pcap b/tests/bypass-ssh-enabled/input.pcap
diff --git a/tests/bypass-ssh-enabled/test.yaml b/tests/bypass-ssh-enabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=bypass
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 45
+      flow_bypassed.local_bytes: 3972
diff --git a/tests/bypass-tls-disabled/README.md b/tests/bypass-tls-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed with disabled bypass settings
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-disabled/input.pcap b/tests/bypass-tls-disabled/input.pcap
diff --git a/tests/bypass-tls-disabled/test.yaml b/tests/bypass-tls-disabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 0
+      flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-tls-enabled/README.md b/tests/bypass-tls-enabled/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-enabled/input.pcap b/tests/bypass-tls-enabled/input.pcap
diff --git a/tests/bypass-tls-enabled/test.yaml b/tests/bypass-tls-enabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=bypass
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 4
+      flow_bypassed.local_bytes: 275