nixpkgs/nixos/tests/suricata.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

82 lines
2.8 KiB
Nix
Raw Normal View History

2024-05-22 12:45:16 +00:00
import ./make-test-python.nix (
{ lib, pkgs, ... }:
{
name = "suricata";
meta.maintainers = with lib.maintainers; [ felbinger ];
nodes = {
ids = {
networking.interfaces.eth1 = {
useDHCP = false;
ipv4.addresses = [
{
address = "192.168.1.2";
prefixLength = 24;
}
];
};
# disable suricata-update because this requires an Internet connection
systemd.services.suricata-update.enable = false;
# install suricata package to make suricatasc program available
environment.systemPackages = with pkgs; [ suricata ];
services.suricata = {
enable = true;
settings = {
vars.address-groups.HOME_NET = "192.168.1.0/24";
unix-command.enabled = true;
outputs = [ { fast.enabled = true; } ];
af-packet = [ { interface = "eth1"; } ];
classification-file = "${pkgs.suricata}/etc/suricata/classification.config";
};
};
# create suricata.rules with the rule to detect the output of the id command
systemd.tmpfiles.rules = [
''f /var/lib/suricata/rules/suricata.rules 644 suricata suricata 0 alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)''
];
};
helper = {
imports = [ ../modules/profiles/minimal.nix ];
networking.interfaces.eth1 = {
useDHCP = false;
ipv4.addresses = [
{
address = "192.168.1.1";
prefixLength = 24;
}
];
};
services.nginx = {
enable = true;
virtualHosts."localhost".locations = {
"/id/".return = "200 'uid=0(root) gid=0(root) groups=0(root)'";
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
};
testScript = ''
start_all()
# check that configuration has been applied correctly with suricatasc
with subtest("suricata configuration test"):
ids.wait_for_unit("suricata.service")
assert '1' in ids.succeed("suricatasc -c 'iface-list' | ${pkgs.jq}/bin/jq .message.count")
# test detection of events based on a static ruleset (output of id command)
with subtest("suricata rule test"):
helper.wait_for_unit("nginx.service")
ids.wait_for_unit("suricata.service")
ids.succeed("curl http://192.168.1.1/id/")
assert "id check returned root [**] [Classification: Potentially Bad Traffic]" in ids.succeed("tail -n 1 /var/log/suricata/fast.log"), "Suricata didn't detect the output of id comment"
'';
}
)