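import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "suricata";
    meta.maintainers = with lib.maintainers; [ felbinger ];

    nodes = {
      # Sensor node: runs Suricata in af-packet mode on eth1 and carries a
      # single static rule so the test does not depend on rule downloads.
      ids = {
        networking.interfaces.eth1 = {
          useDHCP = false;
          ipv4.addresses = [
            {
              address = "192.168.1.2";
              prefixLength = 24;
            }
          ];
        };

        # disable suricata-update because this requires an Internet connection
        systemd.services.suricata-update.enable = false;

        # install suricata package to make suricatasc program available
        environment.systemPackages = with pkgs; [ suricata ];

        services.suricata = {
          enable = true;
          settings = {
            vars.address-groups.HOME_NET = "192.168.1.0/24";
            # the unix-command socket is what suricatasc talks to in the test script
            unix-command.enabled = true;
            outputs = [ { fast.enabled = true; } ];
            af-packet = [ { interface = "eth1"; } ];
            classification-file = "${pkgs.suricata}/etc/suricata/classification.config";
          };
        };

        # create suricata.rules with the rule to detect the output of the id command
        systemd.tmpfiles.rules = [
          ''f /var/lib/suricata/rules/suricata.rules 644 suricata suricata 0 alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2019_07_26;)''
        ];
      };

      # Peer node: serves a canned `id` response over HTTP so the sensor has
      # traffic to inspect; the body is the literal string the rule matches on.
      helper = {
        imports = [ ../modules/profiles/minimal.nix ];

        networking.interfaces.eth1 = {
          useDHCP = false;
          ipv4.addresses = [
            {
              address = "192.168.1.1";
              prefixLength = 24;
            }
          ];
        };

        services.nginx = {
          enable = true;
          virtualHosts."localhost".locations = {
            "/id/".return = "200 'uid=0(root) gid=0(root) groups=0(root)'";
          };
        };
        networking.firewall.allowedTCPPorts = [ 80 ];
      };
    };

    testScript = ''
      start_all()

      # check that configuration has been applied correctly with suricatasc
      with subtest("suricata configuration test"):
          ids.wait_for_unit("suricata.service")
          # exactly one capture interface (eth1) is configured; compare the whole
          # value rather than a substring match, which "10" or "21" would also pass
          iface_count = ids.succeed(
              "suricatasc -c 'iface-list' | ${pkgs.jq}/bin/jq .message.count"
          ).strip()
          assert iface_count == "1", f"expected 1 capture interface, got {iface_count}"

      # test detection of events based on a static ruleset (output of id command)
      with subtest("suricata rule test"):
          helper.wait_for_unit("nginx.service")
          ids.wait_for_unit("suricata.service")

          ids.succeed("curl http://192.168.1.1/id/")
          # fast.log is written after the packet has been inspected, not
          # synchronously with curl returning, so poll for the alert instead of
          # reading the last line once and racing the log writer
          ids.wait_until_succeeds(
              "grep -qF 'id check returned root [**] [Classification: Potentially Bad Traffic]' /var/log/suricata/fast.log"
          )
    '';
  }
)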