SuricataVerify test in IPS mode

Hi,

I am trying to create a SuricataVerify test for a stats metric we manually add when packets are dropped. However, I am having a hard time getting the SuricataVerify test to run in IPS mode so that it actually drops the packets. My test is as follows:

requires:
  min-version: 5.0.0

args:
- --simulate-ips

checks:
- filter:
    count: 1
    match:
      event_type: stats
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.decoder.pkts
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.detect
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.detect.alert
- filter:
    count: 1
    match:
      event_type: drop
- filter:
    count: 1
    match:
      event_type: stats
      has-key: stats.detect.drop_packets

The rules are:

drop icmp any any -> any any (sid:1; rev:1;)

And the PCAP is essentially two servers pinging one another. I will attach a screenshot. The last two tests are failing so it looks like nothing is getting dropped. I am testing this against suricata version 6.0.4 and I have confirmed/manually tested this setup without SuricataVerify so I know it should be passing if the test is running in IPS mode. Any help would be appreciated, thank you!

Screen Shot 2022-06-01 at 8.48.54 AM1906×582 184 KB

The way I’m testing IPS actions is usually a mix of the alert.action field, drop logs and absence of other things, like HTTP records for HTTP traffic.

An example: suricata-verify/test.yaml at master · OISF/suricata-verify · GitHub

Also make sure to inspect the output files from the test output directory to rule out simple errors.