
tests: check for more ruletypes in firewall mode - v4#3032

Closed
jufajardini wants to merge 3 commits into OISF:master from jufajardini:sv-8387-rule-types/v4

Conversation

@jufajardini (Contributor)

Follow-up of #3025

  • Rebased, adjusting a naming conflict after the last additions to the firewall tests
  • Adjusted the dns tests, which now need a different dns hook to work (since the Helper function now registers the progress), and which now can't be in the same test to have alerts for both (as they use the same dns hook for different keywords, and thus I either got an alert for one or for the other).

Ticket

Redmine ticket: https://redmine.openinfosecfoundation.org/issues/8387

yashda and others added 3 commits April 17, 2026 18:00
Add suricata-verify tests for keywords that emit 'has not been tes
for firewall rules' warnings. Tests are consolidated into 3 test cases.

- firewall-keyword-icode: tests icode with ICMP echo traffic
- firewall-keyword-http: tests pcre, urilen, dataset with HTTP traff
- firewall-keyword-tls: tests tls.cert_chain_len with TLS cert chain

These tests validate that the keywords function correctly in firewal
mode and can be used to justify adding SIGMATCH_SUPPORT_FIREWALL to
each keyword in the engine.

Related to
Ticket #8387
Based on initial work by Yash Datre
- dns.opcode
- dns.query with datarep

Related to
Ticket #8387
accept:hook udp:all any any -> any any (sid:100;)

# Test dns.opcode: match standard query (opcode 0) and alert
accept:hook dns:request_complete any any -> any any (dns.opcode:0; alert; sid:1;)
Member


This ruleset exposes a bug: the absence of a dns:request_started rule should have led to a default drop, but didn't.

@catenacyber (Collaborator)

Seems replaced by #3039, right?


Labels

requires suricata pr: Depends on a PR in Suricata
