rule-grouping: add edge case test 1694/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Sat, 9 Mar 2024 04:19:13 +0000 (09:49 +0530)
committerVictor Julien <victor@inliniac.net>
Sat, 9 Mar 2024 13:12:11 +0000 (14:12 +0100)
tests/rule-grouping/rule-grouping-9/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-9/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-9/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-9/test.yaml [new file with mode: 0644]

diff --git a/tests/rule-grouping/rule-grouping-9/README.md b/tests/rule-grouping/rule-grouping-9/README.md
new file mode 100644 (file)
index 0000000..e4dbd13
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution when a two port points
+are single as well as the endpoints for a range.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6843
diff --git a/tests/rule-grouping/rule-grouping-9/suricata.yaml b/tests/rule-grouping/rule-grouping-9/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-9/test.rules b/tests/rule-grouping/rule-grouping-9/test.rules
new file mode 100644 (file)
index 0000000..b32eb6b
--- /dev/null
@@ -0,0 +1,3 @@
+alert tcp any any -> any 80 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any any -> any 100 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 80:100 (flow:to_server; content:"abc"; sid:4;)
diff --git a/tests/rule-grouping/rule-grouping-9/test.yaml b/tests/rule-grouping/rule-grouping-9/test.yaml
new file mode 100644 (file)
index 0000000..d548965
--- /dev/null
@@ -0,0 +1,41 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 80
+        tcp.toserver[0].port2: 80
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[0].rulegroup.rules[1].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 100
+        tcp.toserver[1].port2: 100
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 3
+        tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 81
+        tcp.toserver[2].port2: 99
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 4
+
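Review bot: The per-group filters pin which sids sit at given indexes of `rulegroup.rules` but never the list length, so an extra signature grouped into a port range by mistake would go unnoticed; this is most visible in the `tcp.toserver[2]` filter for 81-99, which only checks `rules[0].sig_id: 4`. Rule grouping decides which signatures are evaluated for a port, so the edge case is better covered by asserting exact membership. The `__len` form already used in `tcp.toserver.__len: 3` looks applicable, e.g. `tcp.toserver[2].rulegroup.rules.__len: 1` and a length of 2 for the groups at index 0 and 1, assuming the filter resolves `__len` on nested lists the same way. A one-line comment above each filter naming the group it covers, such as `# port 80: sids 2 and 4`, would also make the expected split easier to read.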