test: add test to simulate alert queue expand fail - v2

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-01/README.md

@@ -0,0 +1,18 @@
+Test
+====
+
+This test was crafted to check the behavior of the Suricata engine when the
+AlertQueueExpand function fails.
+
+To achieve that, we use the ``--disable-alert-queue-expand`` command-line
+option.
+
+The expected behavior is that the engine will continue to run, logging alerts
+that could not be queued as ``discarded``, and saving the first valid ``DROP``
+signature it sees.
+
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/14
+Test adapted from bug-4663-03 test.

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-01/suricata.yaml

@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
+        - stats
+
+packet-alert-max: 1
+
+action-order:
+  - pass
+  - alert
+  - drop
+  - reject
+

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-01/test.rules

@@ -0,0 +1,2 @@
+alert tcp any any -> any any (msg:"Alert sig"; sid:1; gid:10000003;)
+drop tcp any any -> any any (msg:"Drop signature!"; sid:2; rev:1;)

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-01/test.yaml

@@ -0,0 +1,25 @@
+requires:
+  features:
+    - HAVE_NSS
+  min-version: 7
+
+args:
+  - --simulate-ips
+  - --simulate-alert-queue-realloc-failure
+
+checks:
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.detect.alert_queue_overflow: 2

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-02/README.md

@@ -0,0 +1,21 @@
+Test
+====
+
+This test was crafted to check the behavior of the Suricata engine when the
+AlertQueueExpand function fails.
+
+To achieve that, we use the ``--simulate-alert-queue-realloc-failure`` command-line
+option.
+
+Behavior
+========
+
+The expected behavior is that the engine will continue to run, logging alerts
+that could not be queued as ``discarded``, and saving the first valid ``DROP``
+signature it sees.
+
+PCAP
+====
+
+Pcap from https://forum.suricata.io/t/suricata-5-0-1-in-ips-mode/94/14
+Test adapted from bug-4663 test.

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-02/suricata.yaml

@@ -0,0 +1,25 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
+        - drop:
+            flows: all
+            alerts: yes
+        - files
+        - http
+        - flow
+        - stats
+
+packet-alert-max: 1
+
+action-order:
+  - pass
+  - alert
+  - drop
+  - reject
+

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-02/test.rules

@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"Alert sig"; sid:1; gid:10000003;)
+drop tcp any any -> any any (msg:"Drop signature!"; sid:2; rev:1;)
+alert tcp any any -> any any (msg:"Sig that won't alert"; sid:3;)

tests/5319-simulate-alert-queue-expand-failure/5319-alert-queue-realloc-failure-02/test.yaml

@@ -0,0 +1,30 @@
+requires:
+  features:
+    - HAVE_NSS
+  min-version: 7
+
+args:
+  - --simulate-ips
+  - --simulate-alert-queue-realloc-failure
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.detect.alert_queue_overflow: 2

tests/5319-simulate-alert-queue-expand-failure/5319-util-action-test-14/README.md

@@ -0,0 +1,19 @@
+This test is copied from util-action-test-14 with minor changes to check that
+Suricata behaves as expected even if there is an alert queue reallocation
+failure.
+
+To achieve that, we simulate the alert queue expansion with
+``simulate-alert-queue-realloc-failure`` command-line arg and we force the alert
+queue max to be 1, since we have a really pcap.
+
+Expected Behavior
+=================
+
+As the DROP and ALERT actions have higher priority, we expect alerts for sids
+1 and 3. But the alert queue size will mean that the ``alert`` signature will be
+discarded.
+
+PCAP
+====
+pcap generated with scapy.
+

tests/5319-simulate-alert-queue-expand-failure/5319-util-action-test-14/suricata.yaml

@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - flow
+        - stats
+
+packet-alert-max: 1
+
+action-order:
+  - alert
+  - drop
+  - reject
+  - pass

tests/5319-simulate-alert-queue-expand-failure/5319-util-action-test-14/test.rules

@@ -0,0 +1,3 @@
+alert tcp any any -> any any (msg:"sig 1"; sid:1;)
+pass tcp any any -> any any (msg:"sig 2"; content:"Hi all"; sid:2;)
+drop tcp any any -> any any (msg:"sig 3"; sid:3;)

tests/5319-simulate-alert-queue-expand-failure/5319-util-action-test-14/test.yaml

@@ -0,0 +1,40 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --simulate-ips
+- --simulate-alert-queue-realloc-failure
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.alerted: true
+      flow.action: drop
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.alerted: true
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+        event_type: stats
+        stats.detect.alert_queue_overflow: 2

tests/5319-simulate-alert-queue-expand-failure/5319-util-action-test-14/writepcap.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkt1 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+        Dot1Q(vlan=6)/ \
+        IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80)/"Hi all!\r\n"
+
+pkt2 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+        Dot1Q(vlan=6)/ \
+        IP(dst='192.168.1.5', src='192.168.1.1')/TCP(sport=80, dport=41424)/"Hi all!\r\n"
+
+pkt3 = Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+        Dot1Q(vlan=6)/ \
+        IP(dst='192.168.1.1', src='192.168.1.5')/TCP(sport=41424, dport=80,
+                flags='P''A')/"Hi all!\r\n"
+
+pkts = []
+pkts += pkt1
+pkts += pkt2
+pkts += pkt3
+
+wrpcap('input.pcap', pkts)