tests: detection_filter unique_on IPs - v2

tests/detection_filter-distinct-dstip-higher-threshold/README.md

@@ -0,0 +1,20 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_ip using a higher
+threshold (count 3).
+
+Rule uses count 3, meaning it alerts after seeing more than 3 distinct destination IPs
+for the same source host (track by_src). The PCAP contains ICMP traffic from 10.0.0.1
+to 4 different destination IPs (192.168.1.1 through 192.168.1.4), plus one duplicate,
+so the distinct counter exceeds the threshold (4 > 3) and one alert is expected
+(sid 100027).
+
+Why this matters
+---------------
+Complements the count-1 test by verifying that higher thresholds work correctly:
+the engine must accumulate enough distinct IPs before alerting, and duplicates
+must not inflate the count.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.

tests/detection_filter-distinct-dstip-higher-threshold/test.rules

@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >3 distinct destination IPs (unique_on dst_ip, count 3)
+alert ip any any -> any any (msg:"DF distinct dst_ip higher threshold"; detection_filter: track by_src, count 3, seconds 60, unique_on dst_ip; sid:100027; rev:1;)

tests/detection_filter-distinct-dstip-higher-threshold/test.yaml

@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 100027

tests/detection_filter-distinct-dstip-no-dups/README.md

@@ -0,0 +1,17 @@
+Purpose
+-------
+Validate that detection_filter with unique_on dst_ip does not trigger when
+the number of distinct destination IPs stays below the threshold.
+
+Rule requires 3 distinct destination IPs for the same source host (track by_src).
+The PCAP only has 2 distinct destination IPs, so the threshold is not reached
+and no alerts are expected (sid 100022).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of dst IPs do not produce alerts
+when distinct counting (unique_on dst_ip) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.

tests/detection_filter-distinct-dstip-no-dups/test.rules

@@ -0,0 +1,2 @@
+## Expect 0 alerts: only 2 distinct dst IPs present but threshold is 3
+alert ip any any -> any any (msg:"DF distinct dst_ip no dup"; detection_filter: track by_src, count 3, seconds 60, unique_on dst_ip; sid:100022; rev:1;)

tests/detection_filter-distinct-dstip-no-dups/test.yaml

@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 100022

tests/detection_filter-distinct-dstip/README.md

@@ -0,0 +1,19 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_ip.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct destination IP
+for the same source host (track by_src). The PCAP contains ICMP traffic from 10.0.0.1
+to 2 different destination IPs (192.168.1.1 and 192.168.1.2), so the distinct counter
+exceeds the threshold (2 > 1) and one alert is expected (sid 100021).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on dst_ip behavior added in Suricata.
+This test ensures that different dst IPs contribute separately toward the threshold
+while duplicate IPs do not. Uses ICMP to demonstrate that IP-based unique_on works
+with any protocol (unlike port-based unique_on which requires tcp/udp/sctp).
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.

tests/detection_filter-distinct-dstip/test.rules

@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct destination IPs (unique_on dst_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct dst_ip"; detection_filter: track by_src, count 1, seconds 60, unique_on dst_ip; sid:100021; rev:1;)

tests/detection_filter-distinct-dstip/test.yaml

@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 100021

tests/detection_filter-distinct-dstip6/README.md

@@ -0,0 +1,18 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_ip for IPv6 addresses.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct destination IPv6
+address for the same source host (track by_src). The PCAP contains ICMPv6 traffic from
+2001:db8::1 to 2 different destination IPs (2001:db8::100 and 2001:db8::101), so the
+distinct counter exceeds the threshold (2 > 1) and one alert is expected (sid 100025).
+
+Why this matters
+---------------
+Ensures that the unique_on dst_ip feature works correctly with IPv6 addresses.
+This validates that the hash table tracking mechanism handles 128-bit IPv6 addresses
+properly.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.

tests/detection_filter-distinct-dstip6/test.rules

@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct destination IPv6 addresses (unique_on dst_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct dst_ip IPv6"; detection_filter: track by_src, count 1, seconds 60, unique_on dst_ip; sid:100025; rev:1;)

tests/detection_filter-distinct-dstip6/test.yaml

@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 100025

tests/detection_filter-distinct-srcip-no-dups/README.md

@@ -0,0 +1,17 @@
+Purpose
+-------
+Validate that detection_filter with unique_on src_ip does not trigger when
+the number of distinct source IPs stays below the threshold.
+
+Rule requires 3 distinct source IPs for the same destination host (track by_dst).
+The PCAP only has 2 distinct source IPs, so the threshold is not reached
+and no alerts are expected (sid 100024).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of src IPs do not produce alerts
+when distinct counting (unique_on src_ip) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.

tests/detection_filter-distinct-srcip-no-dups/test.rules

@@ -0,0 +1,2 @@
+## Expect 0 alerts: only 2 distinct src IPs present but threshold is 3
+alert ip any any -> any any (msg:"DF distinct src_ip no dup"; detection_filter: track by_dst, count 3, seconds 60, unique_on src_ip; sid:100024; rev:1;)

tests/detection_filter-distinct-srcip-no-dups/test.yaml

@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 100024

tests/detection_filter-distinct-srcip/README.md

@@ -0,0 +1,19 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on src_ip.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct source IP
+for the same destination host (track by_dst). The PCAP contains ICMP traffic from
+2 different source IPs (10.0.0.1 and 10.0.0.2) to 192.168.1.100, so the distinct
+counter exceeds the threshold (2 > 1) and one alert is expected (sid 100023).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on src_ip behavior added in Suricata.
+This test ensures that different src IPs contribute separately toward the threshold
+while duplicate IPs do not. Uses ICMP to demonstrate that IP-based unique_on works
+with any protocol (unlike port-based unique_on which requires tcp/udp/sctp).
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.

tests/detection_filter-distinct-srcip/test.rules

@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct source IPs (unique_on src_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct src_ip"; detection_filter: track by_dst, count 1, seconds 60, unique_on src_ip; sid:100023; rev:1;)

tests/detection_filter-distinct-srcip/test.yaml

@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 100023

tests/detection_filter-distinct-srcip6/README.md

@@ -0,0 +1,18 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on src_ip for IPv6 addresses.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct source IPv6
+address for the same destination host (track by_dst). The PCAP contains ICMPv6 traffic
+from 2 different source IPs (2001:db8::1 and 2001:db8::2) to 2001:db8::100, so the
+distinct counter exceeds the threshold (2 > 1) and one alert is expected (sid 100026).
+
+Why this matters
+---------------
+Ensures that the unique_on src_ip feature works correctly with IPv6 addresses.
+This validates that the hash table tracking mechanism handles 128-bit IPv6 addresses
+properly.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/8250
+
+PCAP: Crafted manually to fit the test.

tests/detection_filter-distinct-srcip6/test.rules

@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct source IPv6 addresses (unique_on src_ip, count 1)
+alert ip any any -> any any (msg:"DF distinct src_ip IPv6"; detection_filter: track by_dst, count 1, seconds 60, unique_on src_ip; sid:100026; rev:1;)

tests/detection_filter-distinct-srcip6/test.yaml

@@ -0,0 +1,9 @@
+requires:
+  min-version: 9
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 100026