
tests: update ips-state-1 test - v2 #1496

Closed
wants to merge 1 commit into from

Conversation

jufajardini
Copy link
Contributor

This test indicated that there were FP drops for http and that another check was failing, but currently the test passes.

Previous PR: #1227

Changes from previous PR:

  • rebase
  • add more checks
    -- make test fail again, by checking for flow.action: drop for tls flow
  • update README to indicate current test behavior

Question: do we expect to see flow.action set to drop here?

This test indicated that there were FP drops for http and that another
check was failing, but currently the test passes.
@jufajardini jufajardini added the question Further information is requested label Nov 27, 2023
@catenacyber
Copy link
Collaborator

Question: do we expect to see flow.action set to drop here?

Looks reasonable.

Disclaimer: I have never used this flow.action field.
Can it be set to drop?
Could you point me to some doc?

@jufajardini
Copy link
Contributor Author

Question: do we expect to see flow.action set to drop here?

Looks reasonable.

Disclaimer: I have never used this flow.action field. Can it be set to drop?

It can, check for instance https://github.com/OISF/suricata-verify/blob/master/tests/exception-policy-midstream-02/test.yaml#L22

Could you point me to some doc?

I'm afraid we don't have anything directly, we mention it when explaining Exception Policies, but it's rather indirect: https://docs.suricata.io/en/latest/configuration/exception-policies.html#auto

@catenacyber
Copy link
Collaborator

Thanks.

What does flow.action mean?
Is there another field, like flow.state, that can be set to drop?

@jufajardini
Copy link
Contributor Author

Thanks.

What does flow.action mean? Is there another field, like flow.state, that can be set to drop?

From what I understand, flow.action is... the action that the engine applies to the flow, based on rules, exception policies, thresholds... flow.state seems to represent something slightly different to me, a bit closer to connection states? verdict can be verdict.action: drop, but that's linked to packets.
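The discussion above turns on what a suricata-verify check against EVE output actually asserts: a filter over `event_type`, `app_proto` and the dotted `flow.action` field, plus an expected count. The following is an added example (not code from the PR or from suricata-verify) that implements such a filter-and-count check in Python over a handful of constructed EVE records. The filter/count shape is only loosely modelled on suricata-verify's `test.yaml` checks, and the sample records, values and the `run_checks` helper are assumptions made for illustration; the distinction it demonstrates is the one in the comment above: `flow.action` lives on `flow` events, `verdict.action` on packet-level events, and `flow.state` is a connection state rather than an action.

```python
import json
from typing import Iterable

# Constructed sample EVE lines (made up for this example, not from any Suricata run).
# Field names follow the EVE JSON layout: flow.action on flow events, alert.action
# on alerts, flow.state for the connection state.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "flow", "app_proto": "http",
                "flow": {"action": "pass", "state": "closed"}}),
    json.dumps({"event_type": "flow", "app_proto": "tls",
                "flow": {"action": "drop", "state": "established"}}),
    json.dumps({"event_type": "alert", "app_proto": "tls",
                "alert": {"action": "blocked"}}),
    json.dumps({"event_type": "drop", "app_proto": "tls", "drop": {}}),
    json.dumps({"event_type": "flow", "app_proto": "tls",
                "flow": {"action": "drop", "state": "closed"}}),
])


def iter_eve(text: str) -> Iterable[dict]:
    """Yield one JSON object per non-empty line of an EVE log (JSON lines format)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def matches(record: dict, filter_spec: dict) -> bool:
    """Return True if every dotted key in filter_spec resolves in record to the given value.

    A dotted key such as "flow.action" walks nested dicts; a missing path never matches,
    so a record without a flow object cannot satisfy a flow.action filter.
    """
    for dotted, expected in filter_spec.items():
        node = record
        for part in dotted.split("."):
            if not isinstance(node, dict) or part not in node:
                return False
            node = node[part]
        if node != expected:
            return False
    return True


def count_matches(text: str, filter_spec: dict) -> int:
    """Count EVE records matching the filter."""
    return sum(1 for rec in iter_eve(text) if matches(rec, filter_spec))


# Hypothetical checks in the spirit of the PR: TLS flows should carry flow.action: drop,
# while HTTP flows must not (a drop there would be the false-positive drop the test guards against).
CHECKS = [
    {"filter": {"event_type": "flow", "app_proto": "tls", "flow.action": "drop"}, "count": 2},
    {"filter": {"event_type": "flow", "app_proto": "http", "flow.action": "drop"}, "count": 0},
    # flow.state is a connection state, not an action, so "drop" never appears there.
    {"filter": {"event_type": "flow", "flow.state": "drop"}, "count": 0},
]


def run_checks(text: str, checks: list) -> list:
    """Evaluate each check; return per-check dicts with expected/actual counts and an ok flag."""
    results = []
    for chk in checks:
        actual = count_matches(text, chk["filter"])
        results.append({"filter": chk["filter"], "expected": chk["count"],
                        "actual": actual, "ok": actual == chk["count"]})
    return results


if __name__ == "__main__":
    for res in run_checks(SAMPLE_EVE, CHECKS):
        status = "PASS" if res["ok"] else "FAIL"
        print(f"{status} {res['filter']} expected={res['expected']} actual={res['actual']}")
```

Running the block prints one PASS/FAIL line per check. In a real test the input would be the `eve.json` produced by the run, and a failing count (for example an HTTP flow reporting `flow.action: drop`) is exactly the signal the PR discussion is trying to interpret.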

@catenacyber
Copy link
Collaborator

So, my feeling from someone who does not know this part is that flow.action should indeed be set to drop

@jufajardini
Copy link
Contributor Author

So, my feeling from someone who does not know this part is that flow.action should indeed be set to drop

Thanks for helping in figuring out this one!
@victorjulien Would you agree?

@victorjulien victorjulien self-assigned this Jan 4, 2024
@catenacyber
Copy link
Collaborator

Can I help further here ?

@jufajardini
Copy link
Contributor Author

Can I help further here ?

Thanks, I don't know exactly what to do with this check. I've created a new PR with more checks, and kept the flow.action check, still unsure if this is a possible bug to investigate or not...

@jufajardini
Copy link
Contributor Author

Followed by: #1781

@jufajardini jufajardini deleted the ips-state-1-update/v2 branch September 20, 2024 15:28