tests: add firewall icmp with icode keyword test

Author: victorjulien

tests/firewall/ruletype-firewall-50-ruleset-vs-ping/firewall.rules

@@ -0,0 +1,5 @@
+drop:packet icmp:pre_flow any any -> any any (itype:8; icode:1; sid:100; noalert;)
+accept:packet icmp:all any any -> any any (itype:8; icode:0; msg:"Ping!"; flow:to_server; alert; sid:101;)
+accept:packet icmp:all any any -> any any (itype:0; icode:0; msg:"Pong!"; flow:to_client,established; alert; sid:102;)
+
+# Implicit drop all else

tests/firewall/ruletype-firewall-50-ruleset-vs-ping/icmp-ping-plus-weird-code.pcap

@@ -0,0 +1,63 @@
+%YAML 1.1
+---
+
+vars:
+  # more specific is better for alert accuracy and performance
+  address-groups:
+    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
+    #HOME_NET: "[192.168.0.0/16]"
+    #HOME_NET: "[10.0.0.0/8]"
+    #HOME_NET: "[172.16.0.0/12]"
+    #HOME_NET: "any"
+
+    EXTERNAL_NET: "!$HOME_NET"
+    #EXTERNAL_NET: "any"
+
+    HTTP_SERVERS: "$HOME_NET"
+    SMTP_SERVERS: "$HOME_NET"
+    SQL_SERVERS: "$HOME_NET"
+    DNS_SERVERS: "$HOME_NET"
+    TELNET_SERVERS: "$HOME_NET"
+    AIM_SERVERS: "$EXTERNAL_NET"
+    DC_SERVERS: "$HOME_NET"
+    DNP3_SERVER: "$HOME_NET"
+    DNP3_CLIENT: "$HOME_NET"
+    MODBUS_CLIENT: "$HOME_NET"
+    MODBUS_SERVER: "$HOME_NET"
+    ENIP_CLIENT: "$HOME_NET"
+    ENIP_SERVER: "$HOME_NET"
+
+  port-groups:
+    HTTP_PORTS: "80"
+    SHELLCODE_PORTS: "!80"
+    ORACLE_PORTS: 1521
+    SSH_PORTS: 22
+    DNP3_PORTS: 20000
+    MODBUS_PORTS: 502
+    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+    FTP_PORTS: 21
+    GENEVE_PORTS: 6081
+    VXLAN_PORTS: 4789
+    TEREDO_PORTS: 3544
+    SIP_PORTS: "[5060, 5061]"
+
+# Global stats configuration
+stats:
+  enabled: yes
+  interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+      filename: eve.json
+      types:
+        - stats
+        - flow
+        - alert
+        - tls:
+            extended: yes     # enable this for extended logging information
+        - drop:
+            alerts: yes      # log alerts that caused drops
+            flows: all       # start or all: 'start' logs only a single drop

tests/firewall/ruletype-firewall-50-ruleset-vs-ping/suricata.yaml

@@ -0,0 +1,38 @@
+requires:
+  min-version: 8
+
+args:
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      pcap_cnt: 1
+      event_type: alert
+      alert.signature_id: 101
+      icmp_type: 8
+      icmp_code: 0
+- filter:
+    count: 1
+    match:
+      pcap_cnt: 3
+      event_type: alert
+      alert.signature_id: 102
+      icmp_type: 0
+      icmp_code: 0
+- filter:
+    count: 1
+    match:
+      pcap_cnt: 2
+      event_type: drop
+      icmp_type: 8
+      icmp_code: 1
+- filter:
+    count: 1
+    match:
+      event_type: flow
+      flow.pkts_toserver: 1
+      flow.pkts_toclient: 1
+      flow.state: "established"
+      flow.alerted: true

tests/firewall/ruletype-firewall-50-ruleset-vs-ping/test.yaml

@@ -0,0 +1,7 @@
+#!/usr/bin/env python
+from scapy.all import *
+pkts = []
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/IP(src="10.0.0.1", dst="1.2.3.4")/ICMP(type=8, code=0, seq=123)
+pkts += Ether(dst='05:04:03:02:01:00', src='00:01:02:03:04:05')/IP(src="10.0.0.1", dst="1.2.3.4")/ICMP(type=8, code=1, seq=321)
+pkts += Ether(src='05:04:03:02:01:00', dst='00:01:02:03:04:05')/IP(dst="10.0.0.1", src="1.2.3.4")/ICMP(type=0, code=0, seq=123)
+wrpcap('icmp-ping-plus-weird-code.pcap', pkts, snaplen=262144)