SuricataVerify test in IPS mode

Hi,

I am trying to create a SuricataVerify test for a stats metric we manually add when packets are dropped. However, I am having a hard time getting the SuricataVerify test to run in IPS mode so that it actually drops the packets. My test is as follows:

requires:
  min-version: 5.0.0

args:
- --simulate-ips

checks:
- filter:
    count: 1
    match:
      event_type: stats
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.decoder.pkts
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.detect
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.detect.alert
- filter:
    count: 1
    match:
      event_type: drop
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.detect.drop_packets

The rules are:

drop icmp any any -> any any (sid:1; rev:1;)

And the PCAP is essentially two servers pinging one another. I will attach a screenshot. The last two tests are failing, so it looks like nothing is getting dropped. I am testing this against Suricata version 6.0.4 and I have confirmed/manually tested this setup without SuricataVerify, so I know it should be passing if the test is running in IPS mode. Any help would be appreciated, thank you!

The way I’m testing IPS actions is usually a mix of the alert.action field, drop logs and absence of other things, like HTTP records for HTTP traffic.

An example: suricata-verify/test.yaml at master · OISF/suricata-verify · GitHub

Also make sure to inspect the output files from the test output directory to rule out simple errors.
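A test.yaml laid out the way the reply suggests, checking the verdict on the alert record and the absence of an "allowed" verdict rather than relying on the drop log alone, as an added example that is not from this thread or from the suricata-verify repository. It assumes the test directory holds an input.pcap containing a single ICMP echo request (so every count below is 1) and a test.rules with the drop rule from the question; both names are the suricata-verify defaults, but the pcap contents are an assumption.

```yaml
# Added example: suricata-verify test for a drop rule under --simulate-ips.
# Not from the original thread. Assumes input.pcap holds exactly one ICMP
# echo request and test.rules holds:
#   drop icmp any any -> any any (sid:1; rev:1;)
requires:
  min-version: 6.0.0

args:
  - --simulate-ips

checks:
  # The rule fired and, because the engine runs in (simulated) IPS mode,
  # the EVE alert record carries the verdict "blocked" instead of "allowed".
  - filter:
      count: 1
      match:
        event_type: alert
        alert.signature_id: 1
        alert.action: blocked

  # Absence check: no matching packet was let through. If the test ran in
  # IDS mode by mistake, this is the check that fails first.
  - filter:
      count: 0
      match:
        event_type: alert
        alert.action: allowed

  # One stats record was written and contains the detect counters.
  - filter:
      count: 1
      match:
        event_type: stats
        has-key: stats.detect.alert
```

Run it with suricata-verify pointed at the test directory and then read the eve.json in the output directory: the alert.action value tells you directly whether the engine was in IPS mode, independent of any drop record. Whether event_type: drop records appear at all depends on the drop EVE output type being enabled in the suricata.yaml the test runs with, so check that file before treating a missing drop event as a detection problem.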