From 3a097427354db9135f094a8ead3fad6f8e642c53 Mon Sep 17 00:00:00 2001
From: Lukas Sismis
Date: Thu, 19 Sep 2024 10:47:15 +0200
Subject: [PATCH] bypass: verify bypass behavior

Ticket: 6788
---
tests/bypass-depth-disabled/README.md | 13 +++++++++++++
tests/bypass-depth-disabled/input.pcap | Bin 0 -> 6722 bytes
tests/bypass-depth-disabled/test.yaml | 18 ++++++++++++++++++
tests/bypass-depth-enabled/README.md | 13 +++++++++++++
tests/bypass-depth-enabled/input.pcap | Bin 0 -> 6722 bytes
tests/bypass-depth-enabled/test.yaml | 18 ++++++++++++++++++
tests/bypass-ssh-enabled/README.md | 14 ++++++++++++++
tests/bypass-ssh-enabled/input.pcap | Bin 0 -> 9592 bytes
tests/bypass-ssh-enabled/test.yaml | 18 ++++++++++++++++++
tests/bypass-tls-disabled/README.md | 13 +++++++++++++
tests/bypass-tls-disabled/input.pcap | Bin 0 -> 6722 bytes
tests/bypass-tls-disabled/test.yaml | 18 ++++++++++++++++++
tests/bypass-tls-enabled/README.md | 14 ++++++++++++++
tests/bypass-tls-enabled/input.pcap | Bin 0 -> 6722 bytes
tests/bypass-tls-enabled/test.yaml | 18 ++++++++++++++++++
15 files changed, 157 insertions(+)
create mode 100644 tests/bypass-depth-disabled/README.md
create mode 100644 tests/bypass-depth-disabled/input.pcap
create mode 100644 tests/bypass-depth-disabled/test.yaml
create mode 100644 tests/bypass-depth-enabled/README.md
create mode 100644 tests/bypass-depth-enabled/input.pcap
create mode 100644 tests/bypass-depth-enabled/test.yaml
create mode 100644 tests/bypass-ssh-enabled/README.md
create mode 100644 tests/bypass-ssh-enabled/input.pcap
create mode 100644 tests/bypass-ssh-enabled/test.yaml
create mode 100644 tests/bypass-tls-disabled/README.md
create mode 100644 tests/bypass-tls-disabled/input.pcap
create mode 100644 tests/bypass-tls-disabled/test.yaml
create mode 100644 tests/bypass-tls-enabled/README.md
create mode 100644 tests/bypass-tls-enabled/input.pcap
create mode 100644 tests/bypass-tls-enabled/test.yaml
diff --git a/tests/bypass-depth-disabled/README.md b/tests/bypass-depth-disabled/README.md
new file mode 100644
index 000000000..3d4977267
--- /dev/null
+++ b/tests/bypass-depth-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed even with minimal reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-disabled/input.pcap b/tests/bypass-depth-disabled/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2791053c45411ea488101f3f5c627df430987e0a GIT binary patch literal 6722 zcmai(1yq#l*2ib)W(JTLh7eJ@bLj5w6hRys0Vx4#P+Gb}8V=GeAp#;LASI!6NK2!@ zd^4QmU7mZ-z29DIuQl(icYgoft8D!etFt3O^$R0x>ZG+;luN+|*d;`WWa0WO|RDxYNr%a&xzX z+dZ^&e?+gNE6q(yLCC|$4dW5ueyhSt(Oj;Oqta8yqB`#!+tC=zy ztAU-VQsq6Y(27Kt`q-pd;lcX*WQ{{q@J+14^c`h_c-)lrj3xM5s5Mu<+RE(;8IPUl zZ>KXkQiC*T-O;uOYzojiCYT2iYtKwpW4$^WI&#&1FAupS=*YTkWYtOwCAO(~nO&mh zwy(d}xxkY7`R?uOH8NZ*O|Ex)rmS_5S(+BTbKF?p2i)6fQ(`(1e*(WHlvVybb)R9@ zNc#=nw+{+(WBu6zLvT!%dTR@(rQ3w^wiQ^ix0c@be5n7?&3~l~8)N`Ra`S6dGwS;~ zI+>mFK^#xLirF)GQE$fx0RS)vkSgsR%qVwU`-b7a4h$^}^4krc70Pw$1f0sPy_*1; zzdU*-NfA`t%T-Kp;rXnGw-?SbVPPfr{+us`DO;{zC<1`8hz0}%rn5>VXhD_q6#Aw6 z)2x9_MqSH~abpdg!jDX2p7p5aXIfJ_tI?;cWX)%(ojj@sQT3Q&RYsH?wPxMt5-8ly z)nHLq$ytP5t0gcJeTz=nuPq$+ES8w$t@^&{sl%jqdwc#BhW8FX94laG*}CFL2gg0-`Wmp zGx?&3Z5eogW+WYzzsF76DTiF%5Vii1NQoro{B3*sqKZ`jq1vKUpjR;H(1unIo8OTK z;Se~LI&YxaS&WdePUs{H;`qGF#Tqvn(`iH|3U=Sn?#SbN#PHN8Ko(D29$Gp(-d}q~ zhC~5@C?I`x?0_~i$Gh;2H_Ot*nKl?SOr%E(^`XZv-duFVn{+gze2iw|0i2KqQ2Be@ z_^==W-!!i9Uq1e9TyPgUPe+bGRQuHZyN}<*Bg0r*A)hMYgUTIBblbK;iMPk&aU{jD z;d-htP;Mdj~tBW?=0x>>}WU*dm07Do=`W64B{TU~4ZU7P~xnSpaH zkq~?flU)lCj}3la^=?f}6Y@G)_k&~VknkGQLr!`COIP8$za*@K!sZqAK|)q$hP`=@w;@y% zq*2>o>539HQvsK{I1BrWy!KP0fS{uKebN~<&hFN;^Tt8#nEmNt>eeR_T$UIs3au}! 
z3q~$vSjn0gzqrQbS|grsmbI9D&Y5|PCgmIGoP30K5E-@S?;eq8mLm5OfoYTD7TnwC z=t!`EWz6#(qjtf4Sh`n{#1+$SjMn<=t2eiyrbX>@EH4bd8QEVO#)lyPJoljN#N5+QGj4Unvyfxc+BFBsOn z#JVg^))HQvbMQg|zYD6n>~iHv{-b8#p4l7m=Q3X3Y87kEr1$js1fP8Uo{~zm6R6It zaY`0Z7~_6#{Uz5a^xGv(AwRXkV>jGS&wf~439=pbS10dMknD--hU>xR!Z1iOt6~G3 zDBtoe2y{XOs*Vz-yKM%`%$dbh4?yw-jfC$LUOkNIbe-tUtQy$QU*_CVplHQt3evXD zpb6QQU!NZ8*i}=Q^x=~8d5{O6`@l)lhp{nc7jn3CQZ_Thq)7zjdYQa8oB7>YxNb9h zxN`5^`5z`8lHEg19!~)=b#G;-Bsz*CgEkl3*s*r}{_yZkNY1KSUa0%|<$-}FXkMIm zmBCP#M}wf+mN_dCNc(;pem7D(x3)hhThnR2kANW5oQKJ@Kr^>J0rTLe6kG$<#8Q?&-p4 zyt8MEi==&P*ONB)akWv2Pqwq&G0QUkwq5>h7Z*_R^I(X>U0O9}Yb=A|=LY!OK4u>@ z`w0}?=I*-k7zue1_ zPF1v42xXPaA5eRK={aw!D#ITSyR>b+r(QzX+j}_tWtq&#$lF_cqT+mZ zU!~+@*AzR`QRQ{9!Oz+Ga?_uF8p2A=TIeuOIVNA<;1+RNVV*TQOmA5Fc2WY??i@kbFYh`KeJj?Tv3UPX z4!sT7?7_tKn5TE34|}3D^als)@G^Y1)kJs`>cbMvuiNR8tenT5D&1F@XPnoW+Gd|G zRT34aOV6@L+t;7P7wz4_j_4CeX_Dt(b0< zcr2O7l883+;1pF|w@G7DcMeS3f!9HNVEs5|iwT>a?{(sH^2%g(4b;MKve0nWd;>=w zCL8dsd;f5a$f9J{{xK#?nCO#CQiji zQ&UacQQm!A>7JM%wKZ5VZVTi4Q&&4v2e1ipMc{0xVs;?*~~S5aQdhk)k@E%Lq5Y-_(_P8Ty#?rUwPaGB?uByg;L+Z$6c zuVH=#oiDnMD|sNh=YmX~EsV13XAygZeFi@4KF-2usR(EDQhY*lh7(Dr#fULLX3@4d z7pKM*O&ZnNS^Z~TL+3eas6k^bMIq;_cE6XlM^qen%yKs3=8N*R@DUb&9j#}|Bjp%n z#cdFb8GKk}jb;QN^h@cBl2e)idZlBD6@mD`3@u&Q;EP%--2$~36?yv7DAI%EDl{ni z^#Xf!Wk+tKG8-jvEzw1~6xyQVFR`^mATFqhhhc5cVdHE-8DtSw%QA9t9 z?;yr$D-tA378vev>r3jBjL_1T0EjXD`Ki3BP_~j_Uqaa_lBaNgB3RI6kmgmB%ZgwHgJ5{mD`gAnD%w1l6{GyrShxw zdi*mlM2y{-n5(yXi$rH(x=bSBrAe9o6wQd8s<2UImsh%ocD z_(*ZZbWkbpIKOSi!Yxv_qHkjbi1lfJDlkFHA`@DZ+^@KDz?Bir3-(o~K^tj>IOZaF zbyBqfM|URo2ecldziaM#t?E4hS3RjO>uc-OvMgIKQWHiv z#DrVKZhz&B9X-5UXGwG)Quj#m+u$VHlmG=74BXk)S`%K>!nK0G6(daTDc1Owr<8-A z^3z2x)-<+ZU2K$`CQ7-nE)SlMNgCecZEANMaT4-Jp7{gT{L>6v*q=7NlJ+2AXV~&faA>@kj@*91 zJ%nwTS?{w3<1#1rt

9!LIQ0748a|Y?D6ye#g&)CphJlF}88#Qtzxo1TmiFPoA|@ zxk9bFWV1$FMFMV(7@*ZOdMbKsoPqOw2o{2bWTzHY&$ENBU2snY-cMh~^+VH%8xkSb zPjF^ZyN(AtR}-ZQ3f$M16Ch?MHL#$U%$3l4wOYFhx73H87CNXkfcgrb_{Gu~zxwQt zf5xMpQ>HjiYfnN@luP`Rka3~n1e$UnWv^aH0V?!6p3a$0I#4p*5_^WgRO@4(>LtaQu zUFz3tLV%Mc!o5mDQ43|}+N87=M)dmbZ}0PL)ngt)6m@)pD=TLntElsr0#7cf-IxQ* zhi^#;)1{VBkNn`ydq@$fwMjgyXs4d3EW)z3v!%1SK++xQ@K&S*xMvltE1-tBrlb|s z`#SP5MT%V6i0eo?o9~;$jPu==02T~=x2MH!BMZfTJfj-A-wIiq@$3b~IE@tdL3?&k zzJ`RC1=wrCDLd((`h9Q(cWvrc$Qk24Se~<N%X!#)Mq(Ub`YlpCk7@%i2d8AT(4$ zf3v&B?3zO&gR^nxE9fQmeHNN(Qu-)mnz9f*VeUn(%YqsXvd(!vrlVyCGufouv5_K= zC~-oq?didDSNBi3&!0XWlMbqSe~m^=_{L-DT~#iNNG>c>;iTF^#Q{{J{aJce;g;bv zk0f})$t7gxkuX^xU^_NhsEWMX7rV zC64K#{el;3oNQ*nQ~wKoX0m;$hyjPWnV%1-v!lEw=+G7X{et-K+G1E!uNG6Beap$^ zwQ!DV>-8VL8~uINtyq1UVeARzs^m2Gw)1e=D}{gcCsj=Qz zC|0e`SI=j+r7NVn=ZSq?Gs$=hm1BL zwg;L7{ReR60z#K3qKk7w7C&#rq1G+8aH>1IA*i9y0dh9;-)D6s zq&E|(s=v=>yw+}JGvL1+5&Uabhn@4kh>+`>F;mYk;$LGXy}??q^*|8%@jp)gkVIqT z;0Tq!$IakM6@s`SR{SH85(988`S>NbKV;p+5&zUhAkkwUCEKJ;+m?{{t(@C@ug1 literal 0 HcmV?d00001 diff --git a/tests/bypass-depth-disabled/test.yaml b/tests/bypass-depth-disabled/test.yaml new file mode 100644 index 000000000..b2d87263e --- /dev/null +++ b/tests/bypass-depth-disabled/test.yaml @@ -0,0 +1,18 @@ +requires: + min-version: 7 + +args: +- -k none +- --set app-layer.protocols.tls.encryption-handling=full +- --set app-layer.protocols.ssh.encryption-handling=full +- --set stream.reassembly.depth=1 +- --set stream.bypass=false + +checks: + - filter: + count: 1 + match: + event_type: stats + - stats: + flow_bypassed.local_pkts: 0 + flow_bypassed.local_bytes: 0 diff --git a/tests/bypass-depth-enabled/README.md b/tests/bypass-depth-enabled/README.md new file mode 100644 index 000000000..b052a679a --- /dev/null +++ b/tests/bypass-depth-enabled/README.md 
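Review bot: `- --set stream.reassembly.depth=1` in `args` of tests/bypass-depth-disabled/test.yaml has no comment, and the value is easy to misread: a depth of 0 means unlimited in Suricata, so 1 is the smallest depth that can actually be reached. A comment above it such as `# depth=1: smallest non-zero depth (0 = unlimited)` would record why 1 was chosen. Without it, a later cleanup to 0 would leave both `flow_bypassed.*` counters at zero while the depth limit is never exercised, and the test would keep passing. The same argument in tests/bypass-depth-enabled/test.yaml would benefit from the same comment.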
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that traffic is bypassed after reaching the reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-enabled/input.pcap b/tests/bypass-depth-enabled/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2791053c45411ea488101f3f5c627df430987e0a GIT binary patch literal 6722 zcmai(1yq#l*2ib)W(JTLh7eJ@bLj5w6hRys0Vx4#P+Gb}8V=GeAp#;LASI!6NK2!@ zd^4QmU7mZ-z29DIuQl(icYgoft8D!etFt3O^$R0x>ZG+;luN+|*d;`WWa0WO|RDxYNr%a&xzX z+dZ^&e?+gNE6q(yLCC|$4dW5ueyhSt(Oj;Oqta8yqB`#!+tC=zy ztAU-VQsq6Y(27Kt`q-pd;lcX*WQ{{q@J+14^c`h_c-)lrj3xM5s5Mu<+RE(;8IPUl zZ>KXkQiC*T-O;uOYzojiCYT2iYtKwpW4$^WI&#&1FAupS=*YTkWYtOwCAO(~nO&mh zwy(d}xxkY7`R?uOH8NZ*O|Ex)rmS_5S(+BTbKF?p2i)6fQ(`(1e*(WHlvVybb)R9@ zNc#=nw+{+(WBu6zLvT!%dTR@(rQ3w^wiQ^ix0c@be5n7?&3~l~8)N`Ra`S6dGwS;~ zI+>mFK^#xLirF)GQE$fx0RS)vkSgsR%qVwU`-b7a4h$^}^4krc70Pw$1f0sPy_*1; zzdU*-NfA`t%T-Kp;rXnGw-?SbVPPfr{+us`DO;{zC<1`8hz0}%rn5>VXhD_q6#Aw6 z)2x9_MqSH~abpdg!jDX2p7p5aXIfJ_tI?;cWX)%(ojj@sQT3Q&RYsH?wPxMt5-8ly z)nHLq$ytP5t0gcJeTz=nuPq$+ES8w$t@^&{sl%jqdwc#BhW8FX94laG*}CFL2gg0-`Wmp zGx?&3Z5eogW+WYzzsF76DTiF%5Vii1NQoro{B3*sqKZ`jq1vKUpjR;H(1unIo8OTK z;Se~LI&YxaS&WdePUs{H;`qGF#Tqvn(`iH|3U=Sn?#SbN#PHN8Ko(D29$Gp(-d}q~ zhC~5@C?I`x?0_~i$Gh;2H_Ot*nKl?SOr%E(^`XZv-duFVn{+gze2iw|0i2KqQ2Be@ z_^==W-!!i9Uq1e9TyPgUPe+bGRQuHZyN}<*Bg0r*A)hMYgUTIBblbK;iMPk&aU{jD z;d-htP;Mdj~tBW?=0x>>}WU*dm07Do=`W64B{TU~4ZU7P~xnSpaH zkq~?flU)lCj}3la^=?f}6Y@G)_k&~VknkGQLr!`COIP8$za*@K!sZqAK|)q$hP`=@w;@y% zq*2>o>539HQvsK{I1BrWy!KP0fS{uKebN~<&hFN;^Tt8#nEmNt>eeR_T$UIs3au}! 
z3q~$vSjn0gzqrQbS|grsmbI9D&Y5|PCgmIGoP30K5E-@S?;eq8mLm5OfoYTD7TnwC z=t!`EWz6#(qjtf4Sh`n{#1+$SjMn<=t2eiyrbX>@EH4bd8QEVO#)lyPJoljN#N5+QGj4Unvyfxc+BFBsOn z#JVg^))HQvbMQg|zYD6n>~iHv{-b8#p4l7m=Q3X3Y87kEr1$js1fP8Uo{~zm6R6It zaY`0Z7~_6#{Uz5a^xGv(AwRXkV>jGS&wf~439=pbS10dMknD--hU>xR!Z1iOt6~G3 zDBtoe2y{XOs*Vz-yKM%`%$dbh4?yw-jfC$LUOkNIbe-tUtQy$QU*_CVplHQt3evXD zpb6QQU!NZ8*i}=Q^x=~8d5{O6`@l)lhp{nc7jn3CQZ_Thq)7zjdYQa8oB7>YxNb9h zxN`5^`5z`8lHEg19!~)=b#G;-Bsz*CgEkl3*s*r}{_yZkNY1KSUa0%|<$-}FXkMIm zmBCP#M}wf+mN_dCNc(;pem7D(x3)hhThnR2kANW5oQKJ@Kr^>J0rTLe6kG$<#8Q?&-p4 zyt8MEi==&P*ONB)akWv2Pqwq&G0QUkwq5>h7Z*_R^I(X>U0O9}Yb=A|=LY!OK4u>@ z`w0}?=I*-k7zue1_ zPF1v42xXPaA5eRK={aw!D#ITSyR>b+r(QzX+j}_tWtq&#$lF_cqT+mZ zU!~+@*AzR`QRQ{9!Oz+Ga?_uF8p2A=TIeuOIVNA<;1+RNVV*TQOmA5Fc2WY??i@kbFYh`KeJj?Tv3UPX z4!sT7?7_tKn5TE34|}3D^als)@G^Y1)kJs`>cbMvuiNR8tenT5D&1F@XPnoW+Gd|G zRT34aOV6@L+t;7P7wz4_j_4CeX_Dt(b0< zcr2O7l883+;1pF|w@G7DcMeS3f!9HNVEs5|iwT>a?{(sH^2%g(4b;MKve0nWd;>=w zCL8dsd;f5a$f9J{{xK#?nCO#CQiji zQ&UacQQm!A>7JM%wKZ5VZVTi4Q&&4v2e1ipMc{0xVs;?*~~S5aQdhk)k@E%Lq5Y-_(_P8Ty#?rUwPaGB?uByg;L+Z$6c zuVH=#oiDnMD|sNh=YmX~EsV13XAygZeFi@4KF-2usR(EDQhY*lh7(Dr#fULLX3@4d z7pKM*O&ZnNS^Z~TL+3eas6k^bMIq;_cE6XlM^qen%yKs3=8N*R@DUb&9j#}|Bjp%n z#cdFb8GKk}jb;QN^h@cBl2e)idZlBD6@mD`3@u&Q;EP%--2$~36?yv7DAI%EDl{ni z^#Xf!Wk+tKG8-jvEzw1~6xyQVFR`^mATFqhhhc5cVdHE-8DtSw%QA9t9 z?;yr$D-tA378vev>r3jBjL_1T0EjXD`Ki3BP_~j_Uqaa_lBaNgB3RI6kmgmB%ZgwHgJ5{mD`gAnD%w1l6{GyrShxw zdi*mlM2y{-n5(yXi$rH(x=bSBrAe9o6wQd8s<2UImsh%ocD z_(*ZZbWkbpIKOSi!Yxv_qHkjbi1lfJDlkFHA`@DZ+^@KDz?Bir3-(o~K^tj>IOZaF zbyBqfM|URo2ecldziaM#t?E4hS3RjO>uc-OvMgIKQWHiv z#DrVKZhz&B9X-5UXGwG)Quj#m+u$VHlmG=74BXk)S`%K>!nK0G6(daTDc1Owr<8-A z^3z2x)-<+ZU2K$`CQ7-nE)SlMNgCecZEANMaT4-Jp7{gT{L>6v*q=7NlJ+2AXV~&faA>@kj@*91 zJ%nwTS?{w3<1#1rt

9!LIQ0748a|Y?D6ye#g&)CphJlF}88#Qtzxo1TmiFPoA|@ zxk9bFWV1$FMFMV(7@*ZOdMbKsoPqOw2o{2bWTzHY&$ENBU2snY-cMh~^+VH%8xkSb zPjF^ZyN(AtR}-ZQ3f$M16Ch?MHL#$U%$3l4wOYFhx73H87CNXkfcgrb_{Gu~zxwQt zf5xMpQ>HjiYfnN@luP`Rka3~n1e$UnWv^aH0V?!6p3a$0I#4p*5_^WgRO@4(>LtaQu zUFz3tLV%Mc!o5mDQ43|}+N87=M)dmbZ}0PL)ngt)6m@)pD=TLntElsr0#7cf-IxQ* zhi^#;)1{VBkNn`ydq@$fwMjgyXs4d3EW)z3v!%1SK++xQ@K&S*xMvltE1-tBrlb|s z`#SP5MT%V6i0eo?o9~;$jPu==02T~=x2MH!BMZfTJfj-A-wIiq@$3b~IE@tdL3?&k zzJ`RC1=wrCDLd((`h9Q(cWvrc$Qk24Se~<N%X!#)Mq(Ub`YlpCk7@%i2d8AT(4$ zf3v&B?3zO&gR^nxE9fQmeHNN(Qu-)mnz9f*VeUn(%YqsXvd(!vrlVyCGufouv5_K= zC~-oq?didDSNBi3&!0XWlMbqSe~m^=_{L-DT~#iNNG>c>;iTF^#Q{{J{aJce;g;bv zk0f})$t7gxkuX^xU^_NhsEWMX7rV zC64K#{el;3oNQ*nQ~wKoX0m;$hyjPWnV%1-v!lEw=+G7X{et-K+G1E!uNG6Beap$^ zwQ!DV>-8VL8~uINtyq1UVeARzs^m2Gw)1e=D}{gcCsj=Qz zC|0e`SI=j+r7NVn=ZSq?Gs$=hm1BL zwg;L7{ReR60z#K3qKk7w7C&#rq1G+8aH>1IA*i9y0dh9;-)D6s zq&E|(s=v=>yw+}JGvL1+5&Uabhn@4kh>+`>F;mYk;$LGXy}??q^*|8%@jp)gkVIqT z;0Tq!$IakM6@s`SR{SH85(988`S>NbKV;p+5&zUhAkkwUCEKJ;+m?{{t(@C@ug1 literal 0 HcmV?d00001 diff --git a/tests/bypass-depth-enabled/test.yaml b/tests/bypass-depth-enabled/test.yaml new file mode 100644 index 000000000..2e08530c7 --- /dev/null +++ b/tests/bypass-depth-enabled/test.yaml @@ -0,0 +1,18 @@ +requires: + min-version: 7 + +args: +- -k none +- --set app-layer.protocols.tls.encryption-handling=full +- --set app-layer.protocols.ssh.encryption-handling=full +- --set stream.reassembly.depth=1 +- --set stream.bypass=true + +checks: + - filter: + count: 1 + match: + event_type: stats + - stats: + flow_bypassed.local_pkts: 11 + flow_bypassed.local_bytes: 6126 diff --git a/tests/bypass-ssh-enabled/README.md b/tests/bypass-ssh-enabled/README.md new file mode 100644 index 000000000..e2f28ad63 --- /dev/null +++ b/tests/bypass-ssh-enabled/README.md 
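Review bot: The expected `flow_bypassed.local_pkts: 11` and `flow_bypassed.local_bytes: 6126` in the `stats` check of tests/bypass-depth-enabled/test.yaml are bare constants with nothing tying them to input.pcap. When a stream-engine change moves the point where bypass starts, a maintainer cannot tell a regression from a legitimate shift without recounting the capture by hand. A comment above the `stats` check, for example `# 11 pkts / 6126 bytes = <which packets of input.pcap are bypassed, and how the bytes were counted>`, would make the values auditable. tests/bypass-tls-enabled/test.yaml pins `4` and `275` in the same way.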
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the SSH traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://www.cloudshark.org/captures/9b72eb8febf9
+File: ssh-server-client.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-ssh-enabled/input.pcap b/tests/bypass-ssh-enabled/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..d89f3d136dafa2f07a58ee62f5baca3910ef6608 GIT binary patch literal 9592 zcmbtZ2|Sct`#!@M+gKALilU6hHnOi-QiO&=O7=lznUKnBD`YFZEu<2WsFe1iMM;TD zs#j52B9xMpEUEaP^LX`{NALXp-}gSh-!ae3Gp_r(ulqjtxzCyU%JX?#fCwh8u`vJ$ z@J*b+c9*eZLcj^$qcMhEBa$W(`Ne!-5de$Pe~gLse!q2`%!MA_uLRm)0RXQ)!2d@O z@FLK;=$hPg9X)Qkz9#S5U{x<)-%z4gD9Z}~G9bi5Bm4|uPDUUQG&1rpjBJNSMoKsu z;lhl3`xi!1p%Gqr0F0p1Xh5M9E?WGO>lRQU!KY&+nJi=k4#IakAn8Iho(;bYJh?>W zJ(L09BJx}W0AW?yuwg;b#}T3Q5NrN7gf&=>a1b7l{BFner*=TRIiBL8@{b=*#=7Oo zhQ-c{N`ed^uR}Oqb0A(PLsV4$T?%4|F2qalDgf5-9*uGDCh;qTs;Q=-YOyxVCq$L5rl~D}fU8;nfIeem9C92UbJ&P92P3)tHzbE4u#n4_ zabUWdzCIp#<3|7@ATkN+k20wQ7UF+w!mZ=)R3=9nN3Rd+G4cW+2Wp4Hf@Cx>4s)hx4(N*AAkbldDII>X0 zSggdch?rpUx*UKhhUi+qEKGfdJ%SW@!@>eoL&M;FLoCDy1WsDa#aOuDSX`c9k%*#h zrPc)2eSS3 z1hEL8L6}@L*e5!5{&&P;@D^k-d7=-)2^GN*6?ym$B{g;-tWHG&@PqHrn3Cx$NmR@u zUz|tdIR@vDrW62l6&zP$a7Zxp6imEgw*K=6S^c8H(SskD2RDD?!65X&mfZuEB}c5E z7#6A7pSMSpe+hrLL}Oz$A}{l22i(@WQ{|l& z*ChKynaiFp)&F5Qmtc9J;j}|@9BlZuq-znIKV?W?s5P*V(Vz(geesacUDl=@6y$Jw zQAgsX2yge8s;{=@-G#az*9(rhUH(eC^08NM{r6QVxyMR!6~&^K%5_;&{TzBaRvX_2 zQKfl4H+iyNF42*7`s?6YNz>y$73)0WnQIi9j-Jkx_3n3;PjtMN^GunSm6;jjPu8}# zxt>M*93IGbpE5g2^G|mxHJwL>Z*n%NP=vR0A5x0X@8Qkgb?NS!z7Si-nikrF!Hkts z6#WeAsP`G`I;TIKN68xD5uF~IzAE+9$$;@z5H*T`06VAg3&qakG#97UWj+==M_la6 znf|mmhNw_tS35!?ka^@WbsIBZx>*hG?j+f4)%jBJR7rp=RvY?wO?Up&=QrLLn^@S2 zD}|aA1R0pVao6+w%Q!Z-jZbm`Vi8!zkp&H7;ecZ?I>CY(003*%#kS7q5=F0X1|J!X z(w6I;>ze$p-tSe&eQzKiR}gtxJ)_5ZF!#Lboz<@jHZngS<~oySl9N9CTHka_OHPM0 zVllIlBMTLb1%sW1smTP3ktG1=GbN{`6VoZ{Qx9A5+#B;*m}F-wSMzh@rdTfB2gN~2 z?%xwH?^7$Ow3a@SI&Jkc(|YIF>eBTkl96j88)TF1`4Nk_T8=DWErYG!G8~JT2^J39 z0l2zqhuPiLJEhEWpYF(z+As6QW>oqqRgO<|sCacaQ^#2FTYi+b`mJf3`FR(`E8NH# zEO^IzbmgLxo(Tuv>~X2qLM)#A#l>Nbg8@Nn+%?Ez(i%sLb0M0Vz^YE{>_vHjE`)Wc zjSE=8do-rh2R)J+=1~mJqwyT02qhN5K5DD3+{}dV;nm+T zEQgt!z|L?io(TNlyg&nAW4Kn*;HP7xuPML5dIYh;?|LIn+(x{!;VghF@}ve1a1+qJ 
z3Ra%ho`hq&JC;@%o|7rEbvrn;WcHX$94nuvG2~0m;<7CZ&bacXc3d>D%HFoB)QWUk zX}eLieerG2D|t)X_SjHZRaGAra8sSc>Cx#A`WD$ms=xLqzWyq{_?SqwtP^cB(3HtI z5FxB{M(M45MBD)v33;Krwe1;m`RejM&AuPiK^NFAD{*JgQ`K$BV0-LiZ*F7neTm^Z zr@}6>Y@#~!cI5j>>0B*+%ZRc+oEDo-1Vz54FkRP3+^H=4N3;x|oacjt(QCre z))Cc(d_kB9PdoaJnc|x@Eaphd-%|8c`k}eBeS_uWY~B!}Z|?1r7qs{*2F{$8a;dCV zwOlu9_&P9r^Xh9SBZLm5b_tF(C^{sW&!qV-_TOi;Et*>{uYc#U9@P&DJAI|@yUIja zNorKwo?cY7@0x+n$$Jem?>|j+mb>-S{%NghU3qF4zu>fQg_=?yTlB9opKt5Z$qfF^ zJiB|;!m0h+OclSX&xE-I=f0yi5*&M?UyW{dq}8T;&9You-|zkG;9{=wb3GDA4+Ms) zD_@A7J{BCl;ej2wx%S9IldGcJx`s-Izs@nWejMumUB9fU_i9B$ab5C^ys<*^>4>j( zW1eUI#43Z59gbJ+&V(X}jOPcM7g@WAzzSvu8u+Xu=+U@Q)(sqI&pOq!aE?7_D^u31yWUfSA zPVDfGUVb?BsmvgiUUNyd=)-08Pa=ev%vEcb*lL6;2lcgDacSp|p6}S;n>td`ZcTVofxoH-m zi?d$O{cz|^jQhLe-)DAZj<^p;q+IGT@z-o-3=GawocWBrr>!teXGZ+x?vQ7uTa{;i z%T>R)l%aFe@8w7N5r$WoU03d`xg%QlJPzjE$?`my_J|S|AX1;T;!){OsU4#a=jrbk zRM6F_X&Jas(fpzft!wB)st#sDRpI^L)rP%0*Q3D}1J;Eic2(7GO{m(q5d$I%Ovhfa zKL}O5h&Z_(;y2{#2vue$M4fa{VETyZuXc+eDzK=tc>)b#{rQw5mIj8k<2P83;qF%S zHLOPC7s8sIz%$ufc3yfUI);Voy)a&n;T~M{Sq+9X#aqeUJYXGsgvOML?MBkXP;t9G z(-!D0hI$S5>AMW#tVU+|Zp&L%vCDJwpqSti&nq>H6#Ntp2j=JeSUniO*IjzXo>`1k zvvi_keV&O*+nr?O&znk~$vU$~k4ob~mIp86qW9Q^xKJEcVvY8kab?Ccf$syG7wlMW zG!llj^|x3QA&vZL01Pf5mNvfdl(rVW@;G4R)hWlo%uC#K?xmT_z72S|e%SQo#f|G{ zU(^&9)6aTHYs^>A_1RN{yl|H#aq6nzi5tuoYxW2)6leOY6XE`Mer0wTEs4FcP{8dGMUEeW1SKo;IO7MU0eib!&+JOF1SEc7>@0*jN^ ze2BLGxpl-u_hr}l4w-q+T1lre*X7roCl;h2OA>E5MwK6n#CcpKR>G)Wg;7mzmxKhd z3t|1#;RTWK9U4=j8b}ksu!4SzMIk3w!4hsz#-Yr%I@YVd3@!3&*i2B9=1_0U-2V%En?{s(;T9 z^-}_hGL+y?vH{}nWp#JD*cGh~Dp-Ewi+uU@BQ;)HA1`l9>k1Q6ZHbfJsZZRmq8(~xVjmhxbev>yxE*|pe(<+rOjUENjz08J4bW(#-FCM zKi-~}?>G8BpcYxO3l-v2t@JS;EpU4ELcQSHCL;d_tX8|0iU!E9{roMB`mFg__nEVU z-->QfHxDFP(R%b>^uNj9(7PmZuH#?HVam5UdQH1J#e4X?KWlZlJd(b0aQ))bwur^6 zXrX_OnhMDPV}aWxn5khbC?fLt@D$lFZ8>^|rKU4rbYJ6ft9ui1Tw5QrRaz9Q9KR@(bH1_%?u70J$ z8Je<`w+UTGQsb8ECs!aAhu#WtI^~DIoWN=nh+`3ov7iX|97%$^D$A{mEIBvjcy+D5 zmKKkP5=GAI5%P}#j!_cEls%18_A89ic7~|n^)^&!unS>5R1)SiTVU4>*OcVnVo?OI 
zuSkG<%+G{BOX6LPTOu?bRNs#S^u{tCQHUNQL4n;09jJ87UonDj4?fy z;`G?g^w*%k^QdYeSO-`5nm6{%@fh`qlqLiZfP**E6~9#8_I7YyL6*L7hs;_-3|cnb zM))?fVcWJhZ)4V$4Yqn?mcuyu2oKGmk4fx4YEYnFR~Zz+i`dmz<{eFE){~UTuf0mJo9;G#xC2&@0y40Jc-Dk`WwtQJD@k3wY z7P8!MlC8sM*N;jQ$Mida(~kx9>xG%U;`QiwUIVZXVlgARIC-%U^I{1u-(Yoyia;+) zpcnqJbrc4FWCJ0QFp^ex@$1)|HIJ0mF6poDw_H-YTfkW7dA@_1sqKEZyXPGp6zccp zR0wZHmbd1zS!VabjRyN;m~Y`zy)cJA916Ji|Vu4;MdsNlIQzp-uCblBV036KO)P0@KkbA$%LOjP zamy=009aFZt%=1*WUkMDId=Yt(DhU`|BPzZni9cEi?-U4-t#MG2D+y5I$iQ%Po++PM9cIsD;OqY>sGU-Pe(BLiY3US#uv9m|bmj$v7` zNA7PdiZI`k!vK^Yus2z^{8YC>+rxUn1N}1V4vfhve0}(t>qSASlwx>Wnn;=d_5COM za&NBNw>YQ#_B_30Eo7Pgg3U5sKe)GrkqgD?*9i45rr4jzGLh(9{7xT~}+A?FMx zrFr(t*cAnjD3b5gv@YEpy!v9^W$)~plyis8N;aL>kY3$CI$*vbLK#_3f5*`>oS)G0 z26oGI@`UArb^xw4$iEU1m$`J{1f}zKMcqiXnJk&d(OZS&%hW%utKBWHoBy#=Q>?A_@L;m+|$^RLw;3u2YEb5G7ceB>-KEX&_w zQG|}jwE?i9>qG-jsgvQG*WOPX4U;^3f(UKGBL)Sz2Nza6S$y$9zeVDoQiQnuRYv^o zZS#~nXXg)CBg=#_Hp}?P!P7;k9}B17La1LVj9h7E9{?9#h;J%;LY3uWwH1raO1t2) zS@)ZCErn*!!+*h0SBK#68eB{d*FQ|GsTV6wlDM9@+|37BPOs(R)W1_O%eY+`J$%A4 zKin(Oby!@lKe|6FmUpHk7s|aNq>Rln57+;pS(+|V68P=SPQf({$36|;#Gpfe=3aBY zr=BG`XW)tBoE1T=yS=$I#Xsssr4SRRMjlRUxirQEtpSrdUwY{T6N|F|+)ESxd2Yts zqqU3tfO(PnF^rft8D!etFt3O^$R0x>ZG+;luN+|*d;`WWa0WO|RDxYNr%a&xzX z+dZ^&e?+gNE6q(yLCC|$4dW5ueyhSt(Oj;Oqta8yqB`#!+tC=zy ztAU-VQsq6Y(27Kt`q-pd;lcX*WQ{{q@J+14^c`h_c-)lrj3xM5s5Mu<+RE(;8IPUl zZ>KXkQiC*T-O;uOYzojiCYT2iYtKwpW4$^WI&#&1FAupS=*YTkWYtOwCAO(~nO&mh zwy(d}xxkY7`R?uOH8NZ*O|Ex)rmS_5S(+BTbKF?p2i)6fQ(`(1e*(WHlvVybb)R9@ zNc#=nw+{+(WBu6zLvT!%dTR@(rQ3w^wiQ^ix0c@be5n7?&3~l~8)N`Ra`S6dGwS;~ zI+>mFK^#xLirF)GQE$fx0RS)vkSgsR%qVwU`-b7a4h$^}^4krc70Pw$1f0sPy_*1; zzdU*-NfA`t%T-Kp;rXnGw-?SbVPPfr{+us`DO;{zC<1`8hz0}%rn5>VXhD_q6#Aw6 z)2x9_MqSH~abpdg!jDX2p7p5aXIfJ_tI?;cWX)%(ojj@sQT3Q&RYsH?wPxMt5-8ly z)nHLq$ytP5t0gcJeTz=nuPq$+ES8w$t@^&{sl%jqdwc#BhW8FX94laG*}CFL2gg0-`Wmp zGx?&3Z5eogW+WYzzsF76DTiF%5Vii1NQoro{B3*sqKZ`jq1vKUpjR;H(1unIo8OTK z;Se~LI&YxaS&WdePUs{H;`qGF#Tqvn(`iH|3U=Sn?#SbN#PHN8Ko(D29$Gp(-d}q~ 
zhC~5@C?I`x?0_~i$Gh;2H_Ot*nKl?SOr%E(^`XZv-duFVn{+gze2iw|0i2KqQ2Be@ z_^==W-!!i9Uq1e9TyPgUPe+bGRQuHZyN}<*Bg0r*A)hMYgUTIBblbK;iMPk&aU{jD z;d-htP;Mdj~tBW?=0x>>}WU*dm07Do=`W64B{TU~4ZU7P~xnSpaH zkq~?flU)lCj}3la^=?f}6Y@G)_k&~VknkGQLr!`COIP8$za*@K!sZqAK|)q$hP`=@w;@y% zq*2>o>539HQvsK{I1BrWy!KP0fS{uKebN~<&hFN;^Tt8#nEmNt>eeR_T$UIs3au}! z3q~$vSjn0gzqrQbS|grsmbI9D&Y5|PCgmIGoP30K5E-@S?;eq8mLm5OfoYTD7TnwC z=t!`EWz6#(qjtf4Sh`n{#1+$SjMn<=t2eiyrbX>@EH4bd8QEVO#)lyPJoljN#N5+QGj4Unvyfxc+BFBsOn z#JVg^))HQvbMQg|zYD6n>~iHv{-b8#p4l7m=Q3X3Y87kEr1$js1fP8Uo{~zm6R6It zaY`0Z7~_6#{Uz5a^xGv(AwRXkV>jGS&wf~439=pbS10dMknD--hU>xR!Z1iOt6~G3 zDBtoe2y{XOs*Vz-yKM%`%$dbh4?yw-jfC$LUOkNIbe-tUtQy$QU*_CVplHQt3evXD zpb6QQU!NZ8*i}=Q^x=~8d5{O6`@l)lhp{nc7jn3CQZ_Thq)7zjdYQa8oB7>YxNb9h zxN`5^`5z`8lHEg19!~)=b#G;-Bsz*CgEkl3*s*r}{_yZkNY1KSUa0%|<$-}FXkMIm zmBCP#M}wf+mN_dCNc(;pem7D(x3)hhThnR2kANW5oQKJ@Kr^>J0rTLe6kG$<#8Q?&-p4 zyt8MEi==&P*ONB)akWv2Pqwq&G0QUkwq5>h7Z*_R^I(X>U0O9}Yb=A|=LY!OK4u>@ z`w0}?=I*-k7zue1_ zPF1v42xXPaA5eRK={aw!D#ITSyR>b+r(QzX+j}_tWtq&#$lF_cqT+mZ zU!~+@*AzR`QRQ{9!Oz+Ga?_uF8p2A=TIeuOIVNA<;1+RNVV*TQOmA5Fc2WY??i@kbFYh`KeJj?Tv3UPX z4!sT7?7_tKn5TE34|}3D^als)@G^Y1)kJs`>cbMvuiNR8tenT5D&1F@XPnoW+Gd|G zRT34aOV6@L+t;7P7wz4_j_4CeX_Dt(b0< zcr2O7l883+;1pF|w@G7DcMeS3f!9HNVEs5|iwT>a?{(sH^2%g(4b;MKve0nWd;>=w zCL8dsd;f5a$f9J{{xK#?nCO#CQiji zQ&UacQQm!A>7JM%wKZ5VZVTi4Q&&4v2e1ipMc{0xVs;?*~~S5aQdhk)k@E%Lq5Y-_(_P8Ty#?rUwPaGB?uByg;L+Z$6c zuVH=#oiDnMD|sNh=YmX~EsV13XAygZeFi@4KF-2usR(EDQhY*lh7(Dr#fULLX3@4d z7pKM*O&ZnNS^Z~TL+3eas6k^bMIq;_cE6XlM^qen%yKs3=8N*R@DUb&9j#}|Bjp%n z#cdFb8GKk}jb;QN^h@cBl2e)idZlBD6@mD`3@u&Q;EP%--2$~36?yv7DAI%EDl{ni z^#Xf!Wk+tKG8-jvEzw1~6xyQVFR`^mATFqhhhc5cVdHE-8DtSw%QA9t9 z?;yr$D-tA378vev>r3jBjL_1T0EjXD`Ki3BP_~j_Uqaa_lBaNgB3RI6kmgmB%ZgwHgJ5{mD`gAnD%w1l6{GyrShxw zdi*mlM2y{-n5(yXi$rH(x=bSBrAe9o6wQd8s<2UImsh%ocD z_(*ZZbWkbpIKOSi!Yxv_qHkjbi1lfJDlkFHA`@DZ+^@KDz?Bir3-(o~K^tj>IOZaF zbyBqfM|URo2ecldziaM#t?E4hS3RjO>uc-OvMgIKQWHiv z#DrVKZhz&B9X-5UXGwG)Quj#m+u$VHlmG=74BXk)S`%K>!nK0G6(daTDc1Owr<8-A 
z^3z2x)-<+ZU2K$`CQ7-nE)SlMNgCecZEANMaT4-Jp7{gT{L>6v*q=7NlJ+2AXV~&faA>@kj@*91 zJ%nwTS?{w3<1#1rt

9!LIQ0748a|Y?D6ye#g&)CphJlF}88#Qtzxo1TmiFPoA|@ zxk9bFWV1$FMFMV(7@*ZOdMbKsoPqOw2o{2bWTzHY&$ENBU2snY-cMh~^+VH%8xkSb zPjF^ZyN(AtR}-ZQ3f$M16Ch?MHL#$U%$3l4wOYFhx73H87CNXkfcgrb_{Gu~zxwQt zf5xMpQ>HjiYfnN@luP`Rka3~n1e$UnWv^aH0V?!6p3a$0I#4p*5_^WgRO@4(>LtaQu zUFz3tLV%Mc!o5mDQ43|}+N87=M)dmbZ}0PL)ngt)6m@)pD=TLntElsr0#7cf-IxQ* zhi^#;)1{VBkNn`ydq@$fwMjgyXs4d3EW)z3v!%1SK++xQ@K&S*xMvltE1-tBrlb|s z`#SP5MT%V6i0eo?o9~;$jPu==02T~=x2MH!BMZfTJfj-A-wIiq@$3b~IE@tdL3?&k zzJ`RC1=wrCDLd((`h9Q(cWvrc$Qk24Se~<N%X!#)Mq(Ub`YlpCk7@%i2d8AT(4$ zf3v&B?3zO&gR^nxE9fQmeHNN(Qu-)mnz9f*VeUn(%YqsXvd(!vrlVyCGufouv5_K= zC~-oq?didDSNBi3&!0XWlMbqSe~m^=_{L-DT~#iNNG>c>;iTF^#Q{{J{aJce;g;bv zk0f})$t7gxkuX^xU^_NhsEWMX7rV zC64K#{el;3oNQ*nQ~wKoX0m;$hyjPWnV%1-v!lEw=+G7X{et-K+G1E!uNG6Beap$^ zwQ!DV>-8VL8~uINtyq1UVeARzs^m2Gw)1e=D}{gcCsj=Qz zC|0e`SI=j+r7NVn=ZSq?Gs$=hm1BL zwg;L7{ReR60z#K3qKk7w7C&#rq1G+8aH>1IA*i9y0dh9;-)D6s zq&E|(s=v=>yw+}JGvL1+5&Uabhn@4kh>+`>F;mYk;$LGXy}??q^*|8%@jp)gkVIqT z;0Tq!$IakM6@s`SR{SH85(988`S>NbKV;p+5&zUhAkkwUCEKJ;+m?{{t(@C@ug1 literal 0 HcmV?d00001 diff --git a/tests/bypass-tls-disabled/test.yaml b/tests/bypass-tls-disabled/test.yaml new file mode 100644 index 000000000..50b493b19 --- /dev/null +++ b/tests/bypass-tls-disabled/test.yaml @@ -0,0 +1,18 @@ +requires: + min-version: 7 + +args: +- -k none +- --set app-layer.protocols.tls.encryption-handling=full +- --set app-layer.protocols.ssh.encryption-handling=full +- --set stream.reassembly.depth=1MB +- --set stream.bypass=false + +checks: + - filter: + count: 1 + match: + event_type: stats + - stats: + flow_bypassed.local_pkts: 0 + flow_bypassed.local_bytes: 0 diff --git a/tests/bypass-tls-enabled/README.md b/tests/bypass-tls-enabled/README.md new file mode 100644 index 000000000..79f3461c5 --- /dev/null +++ b/tests/bypass-tls-enabled/README.md 
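Review bot: tests/bypass-tls-disabled/test.yaml pins `- --set stream.bypass=false`, so none of the test.yaml files visible in this patch combines `stream.bypass=true` with `encryption-handling=full` and a depth the capture never reaches. That is the combination where a regression in the decoupling would silently stop inspection of encrypted flows, and nothing visible here would catch it. A sibling test that keeps these args but uses `- --set stream.bypass=true` and expects the same zero `flow_bypassed.local_pkts` and `flow_bypassed.local_bytes` would cover it. tests/bypass-ssh-enabled/test.yaml is not visible on this page, so part of this may already be covered there.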
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-enabled/input.pcap b/tests/bypass-tls-enabled/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2791053c45411ea488101f3f5c627df430987e0a GIT binary patch literal 6722 zcmai(1yq#l*2ib)W(JTLh7eJ@bLj5w6hRys0Vx4#P+Gb}8V=GeAp#;LASI!6NK2!@ zd^4QmU7mZ-z29DIuQl(icYgoft8D!etFt3O^$R0x>ZG+;luN+|*d;`WWa0WO|RDxYNr%a&xzX z+dZ^&e?+gNE6q(yLCC|$4dW5ueyhSt(Oj;Oqta8yqB`#!+tC=zy ztAU-VQsq6Y(27Kt`q-pd;lcX*WQ{{q@J+14^c`h_c-)lrj3xM5s5Mu<+RE(;8IPUl zZ>KXkQiC*T-O;uOYzojiCYT2iYtKwpW4$^WI&#&1FAupS=*YTkWYtOwCAO(~nO&mh zwy(d}xxkY7`R?uOH8NZ*O|Ex)rmS_5S(+BTbKF?p2i)6fQ(`(1e*(WHlvVybb)R9@ zNc#=nw+{+(WBu6zLvT!%dTR@(rQ3w^wiQ^ix0c@be5n7?&3~l~8)N`Ra`S6dGwS;~ zI+>mFK^#xLirF)GQE$fx0RS)vkSgsR%qVwU`-b7a4h$^}^4krc70Pw$1f0sPy_*1; zzdU*-NfA`t%T-Kp;rXnGw-?SbVPPfr{+us`DO;{zC<1`8hz0}%rn5>VXhD_q6#Aw6 z)2x9_MqSH~abpdg!jDX2p7p5aXIfJ_tI?;cWX)%(ojj@sQT3Q&RYsH?wPxMt5-8ly z)nHLq$ytP5t0gcJeTz=nuPq$+ES8w$t@^&{sl%jqdwc#BhW8FX94laG*}CFL2gg0-`Wmp zGx?&3Z5eogW+WYzzsF76DTiF%5Vii1NQoro{B3*sqKZ`jq1vKUpjR;H(1unIo8OTK z;Se~LI&YxaS&WdePUs{H;`qGF#Tqvn(`iH|3U=Sn?#SbN#PHN8Ko(D29$Gp(-d}q~ zhC~5@C?I`x?0_~i$Gh;2H_Ot*nKl?SOr%E(^`XZv-duFVn{+gze2iw|0i2KqQ2Be@ z_^==W-!!i9Uq1e9TyPgUPe+bGRQuHZyN}<*Bg0r*A)hMYgUTIBblbK;iMPk&aU{jD z;d-htP;Mdj~tBW?=0x>>}WU*dm07Do=`W64B{TU~4ZU7P~xnSpaH zkq~?flU)lCj}3la^=?f}6Y@G)_k&~VknkGQLr!`COIP8$za*@K!sZqAK|)q$hP`=@w;@y% zq*2>o>539HQvsK{I1BrWy!KP0fS{uKebN~<&hFN;^Tt8#nEmNt>eeR_T$UIs3au}! 
z3q~$vSjn0gzqrQbS|grsmbI9D&Y5|PCgmIGoP30K5E-@S?;eq8mLm5OfoYTD7TnwC z=t!`EWz6#(qjtf4Sh`n{#1+$SjMn<=t2eiyrbX>@EH4bd8QEVO#)lyPJoljN#N5+QGj4Unvyfxc+BFBsOn z#JVg^))HQvbMQg|zYD6n>~iHv{-b8#p4l7m=Q3X3Y87kEr1$js1fP8Uo{~zm6R6It zaY`0Z7~_6#{Uz5a^xGv(AwRXkV>jGS&wf~439=pbS10dMknD--hU>xR!Z1iOt6~G3 zDBtoe2y{XOs*Vz-yKM%`%$dbh4?yw-jfC$LUOkNIbe-tUtQy$QU*_CVplHQt3evXD zpb6QQU!NZ8*i}=Q^x=~8d5{O6`@l)lhp{nc7jn3CQZ_Thq)7zjdYQa8oB7>YxNb9h zxN`5^`5z`8lHEg19!~)=b#G;-Bsz*CgEkl3*s*r}{_yZkNY1KSUa0%|<$-}FXkMIm zmBCP#M}wf+mN_dCNc(;pem7D(x3)hhThnR2kANW5oQKJ@Kr^>J0rTLe6kG$<#8Q?&-p4 zyt8MEi==&P*ONB)akWv2Pqwq&G0QUkwq5>h7Z*_R^I(X>U0O9}Yb=A|=LY!OK4u>@ z`w0}?=I*-k7zue1_ zPF1v42xXPaA5eRK={aw!D#ITSyR>b+r(QzX+j}_tWtq&#$lF_cqT+mZ zU!~+@*AzR`QRQ{9!Oz+Ga?_uF8p2A=TIeuOIVNA<;1+RNVV*TQOmA5Fc2WY??i@kbFYh`KeJj?Tv3UPX z4!sT7?7_tKn5TE34|}3D^als)@G^Y1)kJs`>cbMvuiNR8tenT5D&1F@XPnoW+Gd|G zRT34aOV6@L+t;7P7wz4_j_4CeX_Dt(b0< zcr2O7l883+;1pF|w@G7DcMeS3f!9HNVEs5|iwT>a?{(sH^2%g(4b;MKve0nWd;>=w zCL8dsd;f5a$f9J{{xK#?nCO#CQiji zQ&UacQQm!A>7JM%wKZ5VZVTi4Q&&4v2e1ipMc{0xVs;?*~~S5aQdhk)k@E%Lq5Y-_(_P8Ty#?rUwPaGB?uByg;L+Z$6c zuVH=#oiDnMD|sNh=YmX~EsV13XAygZeFi@4KF-2usR(EDQhY*lh7(Dr#fULLX3@4d z7pKM*O&ZnNS^Z~TL+3eas6k^bMIq;_cE6XlM^qen%yKs3=8N*R@DUb&9j#}|Bjp%n z#cdFb8GKk}jb;QN^h@cBl2e)idZlBD6@mD`3@u&Q;EP%--2$~36?yv7DAI%EDl{ni z^#Xf!Wk+tKG8-jvEzw1~6xyQVFR`^mATFqhhhc5cVdHE-8DtSw%QA9t9 z?;yr$D-tA378vev>r3jBjL_1T0EjXD`Ki3BP_~j_Uqaa_lBaNgB3RI6kmgmB%ZgwHgJ5{mD`gAnD%w1l6{GyrShxw zdi*mlM2y{-n5(yXi$rH(x=bSBrAe9o6wQd8s<2UImsh%ocD z_(*ZZbWkbpIKOSi!Yxv_qHkjbi1lfJDlkFHA`@DZ+^@KDz?Bir3-(o~K^tj>IOZaF zbyBqfM|URo2ecldziaM#t?E4hS3RjO>uc-OvMgIKQWHiv z#DrVKZhz&B9X-5UXGwG)Quj#m+u$VHlmG=74BXk)S`%K>!nK0G6(daTDc1Owr<8-A z^3z2x)-<+ZU2K$`CQ7-nE)SlMNgCecZEANMaT4-Jp7{gT{L>6v*q=7NlJ+2AXV~&faA>@kj@*91 zJ%nwTS?{w3<1#1rt

9!LIQ0748a|Y?D6ye#g&)CphJlF}88#Qtzxo1TmiFPoA|@ zxk9bFWV1$FMFMV(7@*ZOdMbKsoPqOw2o{2bWTzHY&$ENBU2snY-cMh~^+VH%8xkSb zPjF^ZyN(AtR}-ZQ3f$M16Ch?MHL#$U%$3l4wOYFhx73H87CNXkfcgrb_{Gu~zxwQt zf5xMpQ>HjiYfnN@luP`Rka3~n1e$UnWv^aH0V?!6p3a$0I#4p*5_^WgRO@4(>LtaQu zUFz3tLV%Mc!o5mDQ43|}+N87=M)dmbZ}0PL)ngt)6m@)pD=TLntElsr0#7cf-IxQ* zhi^#;)1{VBkNn`ydq@$fwMjgyXs4d3EW)z3v!%1SK++xQ@K&S*xMvltE1-tBrlb|s z`#SP5MT%V6i0eo?o9~;$jPu==02T~=x2MH!BMZfTJfj-A-wIiq@$3b~IE@tdL3?&k zzJ`RC1=wrCDLd((`h9Q(cWvrc$Qk24Se~<N%X!#)Mq(Ub`YlpCk7@%i2d8AT(4$ zf3v&B?3zO&gR^nxE9fQmeHNN(Qu-)mnz9f*VeUn(%YqsXvd(!vrlVyCGufouv5_K= zC~-oq?didDSNBi3&!0XWlMbqSe~m^=_{L-DT~#iNNG>c>;iTF^#Q{{J{aJce;g;bv zk0f})$t7gxkuX^xU^_NhsEWMX7rV zC64K#{el;3oNQ*nQ~wKoX0m;$hyjPWnV%1-v!lEw=+G7X{et-K+G1E!uNG6Beap$^ zwQ!DV>-8VL8~uINtyq1UVeARzs^m2Gw)1e=D}{gcCsj=Qz zC|0e`SI=j+r7NVn=ZSq?Gs$=hm1BL zwg;L7{ReR60z#K3qKk7w7C&#rq1G+8aH>1IA*i9y0dh9;-)D6s zq&E|(s=v=>yw+}JGvL1+5&Uabhn@4kh>+`>F;mYk;$LGXy}??q^*|8%@jp)gkVIqT z;0Tq!$IakM6@s`SR{SH85(988`S>NbKV;p+5&zUhAkkwUCEKJ;+m?{{t(@C@ug1 literal 0 HcmV?d00001 diff --git a/tests/bypass-tls-enabled/test.yaml b/tests/bypass-tls-enabled/test.yaml new file mode 100644 index 000000000..ea66a14bc --- /dev/null +++ b/tests/bypass-tls-enabled/test.yaml @@ -0,0 +1,18 @@ +requires: + min-version: 8 + +args: +- -k none +- --set app-layer.protocols.tls.encryption-handling=bypass +- --set app-layer.protocols.ssh.encryption-handling=full +- --set stream.reassembly.depth=1MB +- --set stream.bypass=false + +checks: + - filter: + count: 1 + match: + event_type: stats + - stats: + flow_bypassed.local_pkts: 4 + flow_bypassed.local_bytes: 275
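Review bot: The `checks` in tests/bypass-tls-enabled/test.yaml assert only the two `flow_bypassed.*` counters, so they never confirm that the TLS handshake was still parsed and logged before bypass took over. That handshake metadata is what detection relies on once the encrypted payload is skipped, and a change that kept the counters but dropped the TLS record would pass this test. Assuming the capture holds one complete handshake, adding `- filter: {count: 1, match: {event_type: tls}}` to `checks` would pin it; the count needs confirming against input.pcap.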