Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Verify bypass behavior under different traffic profiles #2078

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions tests/bypass-depth-disabled/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Test Description

Tests that no traffic is bypassed even with minimal reassembly depth

## PCAP

Source: https://wiki.wireshark.org/SampleCaptures
File: dump.pcapng

## Related issues

Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
https://redmine.openinfosecfoundation.org/issues/6788
Binary file added tests/bypass-depth-disabled/input.pcap
Binary file not shown.
18 changes: 18 additions & 0 deletions tests/bypass-depth-disabled/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
requires:
min-version: 7

args:
- -k none
- --set app-layer.protocols.tls.encryption-handling=full
- --set app-layer.protocols.ssh.encryption-handling=full
- --set stream.reassembly.depth=1
- --set stream.bypass=false

checks:
- filter:
count: 1
match:
event_type: stats
- stats:
flow_bypassed.local_pkts: 0
flow_bypassed.local_bytes: 0
13 changes: 13 additions & 0 deletions tests/bypass-depth-enabled/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Test Description

Tests that traffic is bypassed after reaching the reassembly depth

## PCAP

Source: https://wiki.wireshark.org/SampleCaptures
File: dump.pcapng

## Related issues

Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
https://redmine.openinfosecfoundation.org/issues/6788
Binary file added tests/bypass-depth-enabled/input.pcap
Binary file not shown.
18 changes: 18 additions & 0 deletions tests/bypass-depth-enabled/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
requires:
min-version: 7

args:
- -k none
- --set app-layer.protocols.tls.encryption-handling=full
- --set app-layer.protocols.ssh.encryption-handling=full
- --set stream.reassembly.depth=1
- --set stream.bypass=true

checks:
- filter:
count: 1
match:
event_type: stats
- stats:
flow_bypassed.local_pkts: 11
flow_bypassed.local_bytes: 6126
14 changes: 14 additions & 0 deletions tests/bypass-ssh-enabled/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Test Description

Tests that the encrypted part of the SSH traffic is bypassed but it should not
bypass based on the depth

## PCAP

Source: https://www.cloudshark.org/captures/9b72eb8febf9
File: ssh-server-client.pcapng

## Related issues

Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
https://redmine.openinfosecfoundation.org/issues/6788
Binary file added tests/bypass-ssh-enabled/input.pcap
Binary file not shown.
18 changes: 18 additions & 0 deletions tests/bypass-ssh-enabled/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
requires:
min-version: 8

args:
- -k none
- --set app-layer.protocols.tls.encryption-handling=full
- --set app-layer.protocols.ssh.encryption-handling=bypass
- --set stream.reassembly.depth=1MB
- --set stream.bypass=false

checks:
- filter:
count: 1
match:
event_type: stats
- stats:
flow_bypassed.local_pkts: 45
flow_bypassed.local_bytes: 3972
13 changes: 13 additions & 0 deletions tests/bypass-tls-disabled/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
# Test Description

Tests that no traffic is bypassed with disabled bypass settings

## PCAP

Source: https://wiki.wireshark.org/SampleCaptures
File: dump.pcapng

## Related issues

Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
https://redmine.openinfosecfoundation.org/issues/6788
Binary file added tests/bypass-tls-disabled/input.pcap
Binary file not shown.
18 changes: 18 additions & 0 deletions tests/bypass-tls-disabled/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
requires:
min-version: 7

args:
- -k none
- --set app-layer.protocols.tls.encryption-handling=full
- --set app-layer.protocols.ssh.encryption-handling=full
- --set stream.reassembly.depth=1MB
- --set stream.bypass=false

checks:
- filter:
count: 1
match:
event_type: stats
- stats:
flow_bypassed.local_pkts: 0
flow_bypassed.local_bytes: 0
14 changes: 14 additions & 0 deletions tests/bypass-tls-enabled/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Test Description

Tests that the encrypted part of the traffic is bypassed but it should not
bypass based on the depth

## PCAP

Source: https://wiki.wireshark.org/SampleCaptures
File: dump.pcapng

## Related issues

Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
https://redmine.openinfosecfoundation.org/issues/6788
Binary file added tests/bypass-tls-enabled/input.pcap
Binary file not shown.
18 changes: 18 additions & 0 deletions tests/bypass-tls-enabled/test.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
requires:
min-version: 8

args:
- -k none
- --set app-layer.protocols.tls.encryption-handling=bypass
- --set app-layer.protocols.ssh.encryption-handling=full
- --set stream.reassembly.depth=1MB
- --set stream.bypass=false

checks:
- filter:
count: 1
match:
event_type: stats
- stats:
flow_bypassed.local_pkts: 4
flow_bypassed.local_bytes: 275
2 changes: 1 addition & 1 deletion tests/ssh-hassh/test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ features:
- RUST

args:
- -k none --set stream.bypass=yes
- -k none --set stream.bypass=yes --set app-layer.protocols.ssh.encryption-handling=bypass

checks:
# Check that we have the following events in eve.json
Expand Down
Loading