OISF · lukashino · Sep 19, 2024 · Sep 19, 2024
diff --git a/tests/bypass-depth-disabled/README.md b/tests/bypass-depth-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed even with minimal reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-disabled/input.pcap b/tests/bypass-depth-disabled/input.pcap
diff --git a/tests/bypass-depth-disabled/test.yaml b/tests/bypass-depth-disabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 0
+      flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-depth-enabled/README.md b/tests/bypass-depth-enabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that traffic is bypassed after reaching the reassembly depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-depth-enabled/input.pcap b/tests/bypass-depth-enabled/input.pcap
diff --git a/tests/bypass-depth-enabled/test.yaml b/tests/bypass-depth-enabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1
+- --set stream.bypass=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 11
+      flow_bypassed.local_bytes: 6126
diff --git a/tests/bypass-ssh-enabled/README.md b/tests/bypass-ssh-enabled/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the SSH traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://www.cloudshark.org/captures/9b72eb8febf9
+File: ssh-server-client.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-ssh-enabled/input.pcap b/tests/bypass-ssh-enabled/input.pcap
diff --git a/tests/bypass-ssh-enabled/test.yaml b/tests/bypass-ssh-enabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=bypass
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 45
+      flow_bypassed.local_bytes: 3972
diff --git a/tests/bypass-tls-disabled/README.md b/tests/bypass-tls-disabled/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Tests that no traffic is bypassed with disabled bypass settings
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-disabled/input.pcap b/tests/bypass-tls-disabled/input.pcap
diff --git a/tests/bypass-tls-disabled/test.yaml b/tests/bypass-tls-disabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 7
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=full
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 0
+      flow_bypassed.local_bytes: 0
diff --git a/tests/bypass-tls-enabled/README.md b/tests/bypass-tls-enabled/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+Tests that the encrypted part of the traffic is bypassed but it should not
+bypass based on the depth
+
+## PCAP
+
+Source: https://wiki.wireshark.org/SampleCaptures
+File: dump.pcapng
+
+## Related issues
+
+Created with a work to decouple stream.bypass setting from TLS encrypted bypass.
+https://redmine.openinfosecfoundation.org/issues/6788
diff --git a/tests/bypass-tls-enabled/input.pcap b/tests/bypass-tls-enabled/input.pcap
diff --git a/tests/bypass-tls-enabled/test.yaml b/tests/bypass-tls-enabled/test.yaml
@@ -0,0 +1,18 @@
+requires:
+    min-version: 8
+
+args:
+- -k none
+- --set app-layer.protocols.tls.encryption-handling=bypass
+- --set app-layer.protocols.ssh.encryption-handling=full
+- --set stream.reassembly.depth=1MB
+- --set stream.bypass=false
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+  - stats:
+      flow_bypassed.local_pkts: 4
+      flow_bypassed.local_bytes: 275
diff --git a/tests/ssh-hassh/test.yaml b/tests/ssh-hassh/test.yaml
@@ -4,7 +4,7 @@ features:
     - RUST
 
 args:
- - -k none --set stream.bypass=yes
+ - -k none --set stream.bypass=yes --set app-layer.protocols.ssh.encryption-handling=bypass
 
 checks:
   # Check that we have the following events in eve.json