multi-tenant: Basic multi-tenant selector tests

This commit adds basic tests for vlan-selector configurations (including
vlan-tuple, added in 6237)

Issue: 6237

tests/multi-tenant/invalid-vlan-selector-03/classification.config

@@ -0,0 +1 @@
+../vlan-selector-01/classification.config

tests/multi-tenant/invalid-vlan-selector-03/reference.config

@@ -0,0 +1 @@
+../vlan-selector-01/reference.config

tests/multi-tenant/invalid-vlan-selector-03/suricata.yaml

@@ -0,0 +1,7 @@
+%YAML 1.1
+---
+
+classification-file: classification.config
+reference-config-file: reference.config
+
+include: tenant.yaml

tests/multi-tenant/invalid-vlan-selector-03/tenant-1.yaml

@@ -0,0 +1,55 @@
+%YAML 1.1
+---
+
+# Suricata configuration file. In addition to the comments describing all
+# options in this file, full documentation can be found at:
+# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
+
+##
+## Step 1: Inform Suricata about your network
+##
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+
+rule-files:
+  - tenant.rules
+
+classification-file: classification.config
+reference-config-file: reference.config

tests/multi-tenant/invalid-vlan-selector-03/tenant.rules

@@ -0,0 +1,10 @@
+alert tcp-pkt any any -> any any (msg:"byte extract test 1"; byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1; sid:1; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 2"; byte_extract:1,2,two2,string,dec; content:"|33 34|"; offset:8; depth:two2; sid:2; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 3"; byte_extract:1,2,two3,string,dec; byte_extract:1,5,eight,string,dec; content:"|33 34|"; offset:eight; depth:two3; sid:3; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 4"; byte_extract:1,3,sixd1,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd1; sid:4; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 5"; byte_extract:1,2,twow,string,dec; byte_extract:1,3,sixd2,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd2; within:twow; sid: 5; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 6"; content:"|31 30|"; byte_extract:1,6,three1,relative,string,dec; content:"|36 10|"; offset:three1; depth:2; sid:6; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 7"; byte_extract:1,2,dectwo1,string,dec; content:"|32|"; offset:dectwo1; depth:1; sid:7; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 8"; byte_extract:1,2,dectwo2,string,dec; content:"|32|"; offset:dectwo2; sid:8; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 9"; byte_extract:1,4,hexten; byte_extract:1,0,decone,string,dec; content:"|66|"; offset:hexten; depth:decone; sid:9; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 10"; byte_extract:1,4,two4; content:"|31|"; depth:1; content:"|2e|"; distance:two4;  within:1; sid:10; rev:1;)

tests/multi-tenant/invalid-vlan-selector-03/tenant.yaml

@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+multi-detect:
+    enabled: on
+    default: on
+    selector: vlan-tupleee
+
+    tenants:
+    - id: 1
+      yaml: tenant-1.yaml
+
+    mappings:
+    - vlan-id: 1011
+      tenant-id: 1

tests/multi-tenant/invalid-vlan-selector-03/test.yaml

@@ -0,0 +1,7 @@
+requires:
+    min-version: 7
+
+command: |
+  ${SRCDIR}/src/suricata -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -T
+
+exit-code: 1

tests/multi-tenant/vlan-selector-01/classification.config

@@ -0,0 +1,51 @@
+#
+# config classification:shortname,short description,priority
+#
+
+config classification: not-suspicious,Not Suspicious Traffic,3
+config classification: unknown,Unknown Traffic,3
+config classification: bad-unknown,Potentially Bad Traffic, 2
+config classification: attempted-recon,Attempted Information Leak,2
+config classification: successful-recon-limited,Information Leak,2
+config classification: successful-recon-largescale,Large Scale Information Leak,2
+config classification: attempted-dos,Attempted Denial of Service,2
+config classification: successful-dos,Denial of Service,2
+config classification: attempted-user,Attempted User Privilege Gain,1
+config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
+config classification: successful-user,Successful User Privilege Gain,1
+config classification: attempted-admin,Attempted Administrator Privilege Gain,1
+config classification: successful-admin,Successful Administrator Privilege Gain,1
+
+# NEW CLASSIFICATIONS
+config classification: rpc-portmap-decode,Decode of an RPC Query,2
+config classification: shellcode-detect,Executable code was detected,1
+config classification: string-detect,A suspicious string was detected,3
+config classification: suspicious-filename-detect,A suspicious filename was detected,2
+config classification: suspicious-login,An attempted login using a suspicious username was detected,2
+config classification: system-call-detect,A system call was detected,2
+config classification: tcp-connection,A TCP connection was detected,4
+config classification: trojan-activity,A Network Trojan was detected, 1
+config classification: unusual-client-port-connection,A client was using an unusual port,2
+config classification: network-scan,Detection of a Network Scan,3
+config classification: denial-of-service,Detection of a Denial of Service Attack,2
+config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
+config classification: protocol-command-decode,Generic Protocol Command Decode,3
+config classification: web-application-activity,access to a potentially vulnerable web application,2
+config classification: web-application-attack,Web Application Attack,1
+config classification: misc-activity,Misc activity,3
+config classification: misc-attack,Misc Attack,2
+config classification: icmp-event,Generic ICMP event,3
+config classification: inappropriate-content,Inappropriate Content was Detected,1
+config classification: policy-violation,Potential Corporate Privacy Violation,1
+config classification: default-login-attempt,Attempt to login by a default username and password,2
+
+# Update
+config classification: targeted-activity,Targeted Malicious Activity was Detected,1
+config classification: exploit-kit,Exploit Kit Activity Detected,1
+config classification: external-ip-check,Device Retrieving External IP Address Detected,2
+config classification: domain-c2,Domain Observed Used for C2 Detected,1
+config classification: pup-activity,Possibly Unwanted Program Detected,2
+config classification: credential-theft,Successful Credential Theft Detected,1
+config classification: social-engineering,Possible Social Engineering Attempted,2
+config classification: coin-mining,Crypto Currency Mining Activity Detected,2
+config classification: command-and-control,Malware Command and Control Activity Detected,1

tests/multi-tenant/vlan-selector-01/reference.config

@@ -0,0 +1,26 @@
+# config reference: system URL
+
+config reference: bugtraq   http://www.securityfocus.com/bid/
+config reference: bid	    http://www.securityfocus.com/bid/
+config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+#config reference: cve       http://cvedetails.com/cve/
+config reference: secunia   http://www.secunia.com/advisories/
+
+#whitehats is unfortunately gone
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+
+config reference: McAfee    http://vil.nai.com/vil/content/v_
+config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url       http://
+config reference: et        http://doc.emergingthreats.net/
+config reference: etpro     http://doc.emergingthreatspro.com/
+config reference: telus     http://
+config reference: osvdb     http://osvdb.org/show/osvdb/
+config reference: threatexpert http://www.threatexpert.com/report.aspx?md5=
+config reference: md5	    http://www.threatexpert.com/report.aspx?md5=
+config reference: exploitdb http://www.exploit-db.com/exploits/
+config reference: openpacket https://www.openpacket.org/capture/grab/
+config reference: securitytracker http://securitytracker.com/id?
+config reference: secunia   http://secunia.com/advisories/
+config reference: xforce    http://xforce.iss.net/xforce/xfdb/
+config reference: msft      http://technet.microsoft.com/security/bulletin/

tests/multi-tenant/vlan-selector-01/suricata.yaml

@@ -0,0 +1,7 @@
+%YAML 1.1
+---
+
+classification-file: classification.config
+reference-config-file: reference.config
+
+include: tenant.yaml

tests/multi-tenant/vlan-selector-01/tenant-1.yaml

@@ -0,0 +1,55 @@
+%YAML 1.1
+---
+
+# Suricata configuration file. In addition to the comments describing all
+# options in this file, full documentation can be found at:
+# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
+
+##
+## Step 1: Inform Suricata about your network
+##
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+
+rule-files:
+  - tenant.rules
+
+classification-file: classification.config
+reference-config-file: reference.config

tests/multi-tenant/vlan-selector-01/tenant.rules

@@ -0,0 +1,10 @@
+alert tcp-pkt any any -> any any (msg:"byte extract test 1"; byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1; sid:1; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 2"; byte_extract:1,2,two2,string,dec; content:"|33 34|"; offset:8; depth:two2; sid:2; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 3"; byte_extract:1,2,two3,string,dec; byte_extract:1,5,eight,string,dec; content:"|33 34|"; offset:eight; depth:two3; sid:3; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 4"; byte_extract:1,3,sixd1,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd1; sid:4; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 5"; byte_extract:1,2,twow,string,dec; byte_extract:1,3,sixd2,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd2; within:twow; sid: 5; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 6"; content:"|31 30|"; byte_extract:1,6,three1,relative,string,dec; content:"|36 10|"; offset:three1; depth:2; sid:6; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 7"; byte_extract:1,2,dectwo1,string,dec; content:"|32|"; offset:dectwo1; depth:1; sid:7; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 8"; byte_extract:1,2,dectwo2,string,dec; content:"|32|"; offset:dectwo2; sid:8; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 9"; byte_extract:1,4,hexten; byte_extract:1,0,decone,string,dec; content:"|66|"; offset:hexten; depth:decone; sid:9; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 10"; byte_extract:1,4,two4; content:"|31|"; depth:1; content:"|2e|"; distance:two4;  within:1; sid:10; rev:1;)

tests/multi-tenant/vlan-selector-01/tenant.yaml

@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+multi-detect:
+    enabled: on
+    default: on
+    selector: vlan
+
+    tenants:
+    - id: 1
+      yaml: tenant-1.yaml
+
+    mappings:
+    - vlan-id: 1011
+      tenant-id: 1

tests/multi-tenant/vlan-selector-01/test.yaml

@@ -0,0 +1,7 @@
+requires:
+    min-version: 7
+
+command: |
+  ${SRCDIR}/src/suricata -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -T
+
+exit-code: 0

tests/multi-tenant/vlan-tuple-selector-02/classification.config

@@ -0,0 +1 @@
+../vlan-selector-01/classification.config

tests/multi-tenant/vlan-tuple-selector-02/reference.config

@@ -0,0 +1 @@
+../vlan-selector-01/reference.config

tests/multi-tenant/vlan-tuple-selector-02/suricata.yaml

@@ -0,0 +1,7 @@
+%YAML 1.1
+---
+
+classification-file: classification.config
+reference-config-file: reference.config
+
+include: tenant.yaml

tests/multi-tenant/vlan-tuple-selector-02/tenant-1.yaml

@@ -0,0 +1,55 @@
+%YAML 1.1
+---
+
+# Suricata configuration file. In addition to the comments describing all
+# options in this file, full documentation can be found at:
+# https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html
+
+##
+## Step 1: Inform Suricata about your network
+##
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+
+rule-files:
+  - tenant.rules
+
+classification-file: classification.config
+reference-config-file: reference.config

tests/multi-tenant/vlan-tuple-selector-02/tenant.rules

@@ -0,0 +1,10 @@
+alert tcp-pkt any any -> any any (msg:"byte extract test 1"; byte_extract:2,0,two1,string,dec; content:"|33 34|"; offset:0; depth:two1; sid:1; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 2"; byte_extract:1,2,two2,string,dec; content:"|33 34|"; offset:8; depth:two2; sid:2; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 3"; byte_extract:1,2,two3,string,dec; byte_extract:1,5,eight,string,dec; content:"|33 34|"; offset:eight; depth:two3; sid:3; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 4"; byte_extract:1,3,sixd1,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd1; sid:4; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 5"; byte_extract:1,2,twow,string,dec; byte_extract:1,3,sixd2,string,dec; content:"|31 30|"; content:"|33 34|"; distance:sixd2; within:twow; sid: 5; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 6"; content:"|31 30|"; byte_extract:1,6,three1,relative,string,dec; content:"|36 10|"; offset:three1; depth:2; sid:6; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 7"; byte_extract:1,2,dectwo1,string,dec; content:"|32|"; offset:dectwo1; depth:1; sid:7; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 8"; byte_extract:1,2,dectwo2,string,dec; content:"|32|"; offset:dectwo2; sid:8; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 9"; byte_extract:1,4,hexten; byte_extract:1,0,decone,string,dec; content:"|66|"; offset:hexten; depth:decone; sid:9; rev:1;)
+alert tcp-pkt any any -> any any (msg:"byte extract test 10"; byte_extract:1,4,two4; content:"|31|"; depth:1; content:"|2e|"; distance:two4;  within:1; sid:10; rev:1;)

tests/multi-tenant/vlan-tuple-selector-02/tenant.yaml

@@ -0,0 +1,15 @@
+%YAML 1.1
+---
+
+multi-detect:
+    enabled: on
+    default: on
+    selector: vlan-tuple
+
+    tenants:
+    - id: 1
+      yaml: tenant-1.yaml
+
+    mappings:
+    - vlan-tuple: [1011, 1000]
+      tenant-id: 1

tests/multi-tenant/vlan-tuple-selector-02/test.yaml

@@ -0,0 +1,7 @@
+requires:
+    min-version: 7
+
+command: |
+  ${SRCDIR}/src/suricata -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -T
+
+exit-code: 0