From 8e320449f6526267afa6912260584cfe2420c9a6 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Tue, 14 May 2024 06:47:13 +0200
Subject: [PATCH] github-actions: expand af-packet live test with more unix commands
---
 .github/workflows/live/afp-ids.sh | 65 +++++++++++++++++++++++++++++-
 .github/workflows/live/icmp.rules | 1 +
 .github/workflows/live/icmp2.rules | 2 +-
 3 files changed, 66 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/live/afp-ids.sh b/.github/workflows/live/afp-ids.sh
index 7df2cc81a7..8e27bf9fe8 100755
--- a/.github/workflows/live/afp-ids.sh
+++ b/.github/workflows/live/afp-ids.sh
@@ -30,6 +30,7 @@ fi
 RES=0
+export PYTHONPATH=python/
 # Get listen interface and "ping" target address
 IFACE=$(ip r|grep default|awk '{print $5}')
 echo $IFACE
@@ -67,6 +68,20 @@ if [ $SID1CHECK = false ]; then
 echo "ERROR no alerts for sid 1"
 RES=1
 fi
+CHECK=$(jq -c 'select(.alert.signature_id == 222)' ./eve.json | wc -l)
+if [ $CHECK -ne 1 ]; then
+ echo "ERROR alerts count off for sid 222 (datasets)"
+ RES=1
+fi
+JSON=$(python3 python/bin/suricatasc -v -c "dataset-clear ipv4-list ipv4" /var/run/suricata/suricata-command.socket)
+echo $JSON
+
+sleep 5
+CHECK=$(jq -c 'select(.alert.signature_id == 222)' ./eve.json | wc -l)
+if [ $CHECK -ne 2 ]; then
+ echo "ERROR alerts count off for sid 222 (datasets)"
+ RES=1
+fi
 echo "SURIPID $SURIPID PINGPID $PINGPID"
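Review bot: The `dataset-clear` reply captured into `JSON` is only echoed and never checked, so a failed clear only shows up later as the second sid-222 count mismatch, and both count checks print the identical `echo "ERROR alerts count off for sid 222 (datasets)"`, which makes the CI log ambiguous about which phase failed. Suggest verifying the reply, `if [ "$(echo "$JSON" | jq -r .return)" != "OK" ]; then echo "ERROR dataset-clear failed"; RES=1; fi`, and naming the phase in each message, e.g. `"ERROR alerts count off for sid 222 (datasets, before clear)"` and `(after clear)`. This is also the only suricatasc invocation in the patch that passes `-v`; if it is a leftover from debugging it could be dropped for consistency with the other calls. The script continues outside the hunk.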
@@ -74,11 +89,52 @@ echo "SURIPID $SURIPID PINGPID $PINGPID"
 cp .github/workflows/live/icmp2.rules suricata.rules
 # trigger the reload
-export PYTHONPATH=python/
+JSON=$(python3 python/bin/suricatasc -c "iface-list" /var/run/suricata/suricata-command.socket)
+PIFACE=$(echo $JSON | jq -r .message.ifaces[0])
+JSON=$(python3 python/bin/suricatasc -c "iface-stat $PIFACE")
+STATSCHECK=$(echo $JSON | jq '.message.pkts > 0')
+if [ $STATSCHECK = false ]; then
+ echo "ERROR unix socket stats check failed"
+ RES=1
+fi
 python3 python/bin/suricatasc -c "reload-rules" /var/run/suricata/suricata-command.socket
+
+JSON=$(python3 python/bin/suricatasc -c "iface-bypassed-stat" /var/run/suricata/suricata-command.socket)
+echo $JSON
+JSON=$(python3 python/bin/suricatasc -c "capture-mode" /var/run/suricata/suricata-command.socket)
+if [ "$(echo $JSON | jq -r .message)" != "AF_PACKET_DEV" ]; then
+ echo "ERROR unix socket capture mode check failed"
+ RES=1
+fi
+JSON=$(python3 python/bin/suricatasc -c "dump-counters" /var/run/suricata/suricata-command.socket)
+STATSCHECK=$(echo $JSON | jq '.message.uptime >= 15')
+if [ $STATSCHECK = false ]; then
+ echo "ERROR unix socket dump-counters uptime check failed"
+ RES=1
+fi
+JSON=$(python3 python/bin/suricatasc -c "memcap-list" /var/run/suricata/suricata-command.socket)
+echo $JSON
+JSON=$(python3 python/bin/suricatasc -c "running-mode" /var/run/suricata/suricata-command.socket)
+echo $JSON
+if [ "$(echo $JSON | jq -r .message)" != "$RUNMODE" ]; then
+ echo "ERROR unix socket runmode check failed"
+ RES=1
+fi
+JSON=$(python3 python/bin/suricatasc -c "version" /var/run/suricata/suricata-command.socket)
+echo $JSON
+JSON=$(python3 python/bin/suricatasc -c "uptime" /var/run/suricata/suricata-command.socket)
+echo $JSON
+STATSCHECK=$(echo $JSON | jq '.message >= 15')
+if [ $STATSCHECK = false ]; then
+ echo "ERROR unix socket uptime check failed"
+ RES=1
+fi
 sleep 15
+JSON=$(python3 python/bin/suricatasc -c "add-hostbit $GW test 60" /var/run/suricata/suricata-command.socket)
+echo $JSON
+sleep 15
 # check stats and alerts
 STATSCHECK=$(jq -c 'select(.event_type == "stats")' ./eve.json | tail -n1 | jq '.stats.capture.kernel_packets > 0')
 if [ $STATSCHECK = false ]; then
@@ -90,6 +146,13 @@ if [ $SID2CHECK = false ]; then
 echo "ERROR no alerts for sid 2"
 RES=1
 fi
+JSON=$(python3 python/bin/suricatasc -c "list-hostbit $GW" /var/run/suricata/suricata-command.socket)
+CHECK=$(echo $JSON|jq -r .message.hostbits[0].name)
+if [ "$CHECK" != "test" ]; then
+ echo "ERROR hostbit listing failed"
+ RES=1
+fi
+JSON=$(python3 python/bin/suricatasc -c "remove-hostbit $GW test" /var/run/suricata/suricata-command.socket)
 kill -INT $PINGPID
 wait $PINGPID
diff --git a/.github/workflows/live/icmp.rules b/.github/workflows/live/icmp.rules
index c0f94ab545..2003c46531 100644
--- a/.github/workflows/live/icmp.rules
+++ b/.github/workflows/live/icmp.rules
@@ -1 +1,2 @@
 alert icmp any any -> any any (itype:8; sid:1;)
+alert icmp any any -> any any (itype:8; ip.dst; dataset:set,ipv4-list,type ipv4; sid:222;)
diff --git a/.github/workflows/live/icmp2.rules b/.github/workflows/live/icmp2.rules
index f1a0031857..a60be4dbd1 100644
--- a/.github/workflows/live/icmp2.rules
+++ b/.github/workflows/live/icmp2.rules
@@ -1 +1 @@
-alert icmp any any -> any any (itype:8; sid:2;)
+alert icmp any any -> any any (itype:8; hostbits:isset,test,dst; sid:2;)
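Review bot: The `iface-stat $PIFACE` call is the only suricatasc invocation in this hunk that omits the `/var/run/suricata/suricata-command.socket` argument, so it relies on whatever default socket path suricatasc falls back to; if that differs from the path used everywhere else, `JSON` is empty and the following `if [ $STATSCHECK = false ]` does not report it, because `[ = false ]` is a test error (non-zero, so the ERROR branch is skipped) and `RES` stays 0. The same fail-open pattern applies to the new `dump-counters` and `uptime` checks, which also compare an unquoted `$STATSCHECK` against `false`; comparing quoted against `true` fails closed: `if [ "$STATSCHECK" != true ]; then`. Add the socket path to the iface-stat line, and consider quoting the jq filter `'.message.ifaces[0]'`, which is otherwise exposed to shell glob expansion. `$RUNMODE` and `$GW` are presumably set earlier in the script, outside the hunk.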
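Review bot: The `remove-hostbit $GW test` reply is assigned to `JSON` and never read, so a failed removal goes unnoticed; either check it the way the list-hostbit result is checked, `if [ "$(echo "$JSON" | jq -r .return)" != "OK" ]; then echo "ERROR hostbit removal failed"; RES=1; fi`, or drop the assignment. The list-hostbit check also depends on the 60-second expiry passed to add-hostbit in the previous hunk outliving the two 15-second sleeps between the two commands; a comment such as `# hostbit added above with a 60s expire; must still be set here` would make that timing dependency explicit before someone extends the sleeps. The script continues past the hunk with the kill/wait of the ping process.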