--- /dev/null
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb1; sid:1;)
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb2; sid:2;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb1|fb2; sid:3;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb3|fb1; sid:4;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb3|fb4; sid:5;)
+alert ip any any -> any any (msg:"Flowbit isnotset ored flowbits"; flowbits:isnotset,fb5|fb6 ; sid:6;)
+alert ip any any -> any any (msg:"Flowbit isnotset ored flowbits"; flowbits:isnotset, fb1|fb2 ; sid:7;)
+alert ip any any -> any any (msg:"Flowbit unset"; flowbits:unset,fb1; sid:8;)
+alert ip any any -> any any (msg:"Flowbit toggle"; flowbits:toggle,fb1; sid:9;)
+alert ip any any -> any any (msg:"Flowbit isset"; flowbits:isset,fb1; sid:10;)
+alert ip any any -> any any (msg:"Flowbit isset and flowbits"; flowbits:isset,fb1; flowbits:isset,fb2; sid:11;)
+alert ip any any -> any any (msg:"Flowbit isset and flowbits"; flowbits:isset,fb1; flowbits:isset,fb5; sid:12;)
+alert ip any any -> any any (msg:"Flowbit set with noalert"; flowbits:set,fb3; flowbits:noalert; sid:13;)
\ No newline at end of file
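Review bot: The isnotset rules on sid 6 and sid 7 vary the whitespace around the operand list (`fb5|fb6 ` and `, fb1|fb2 `) without saying why, so a later cleanup that normalises them would silently drop whatever parser-tolerance coverage they provide; a leading `# sid 6/7: stray whitespace in the flowbits operand is intentional (parser tolerance)` would pin the intent. In the same spirit, the repeated msg strings on sid 3–5 and sid 11–12 make a failing check harder to attribute; distinct messages such as `"Flowbit isset and flowbits, one unset"` for sid 12 cost nothing. Note that fb5 and fb6 are never set by any rule here, which is fine for an engine-analysis run but worth stating in a comment so the fixture is not "fixed" by someone reading it as a traffic test.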
--- /dev/null
+requires:
+ min-version: 8.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "set"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "set"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb3"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb3"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb4"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isnotset"
+ lists.packet.matches[0].flowbits.names[0]: "fb5"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb6"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isnotset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "unset"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "toggle"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[1].name: "flowbits"
+ lists.packet.matches[1].flowbits.cmd: "isset"
+ lists.packet.matches[1].flowbits.names[0]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 12
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[1].name: "flowbits"
+ lists.packet.matches[1].flowbits.cmd: "isset"
+ lists.packet.matches[1].flowbits.names[0]: "fb5"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 13
+ flags[4]: "noalert"
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "set"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb3"
\ No newline at end of file
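Review bot: The check for sid 13 at `flags[4]: "noalert"` pins the position of noalert inside the flags array rather than its presence, so any change in how many or in what order engine-analysis emits the preceding flags will fail this test even though the noalert behaviour is intact. A comment above that line stating which four flags are expected to precede it (as observed in the 8.0 rules.json output) would at least make a future failure self-explanatory; if the harness offers a presence-style check for list members, that would be the more robust form. Separately, the sid 11 and sid 12 checks assert two isset matches but nothing about the absence of an `operator` key, so they do not actually distinguish the AND form from the OR form tested for sid 3–7; if the filter format supports `not-has-key`, adding `not-has-key: lists.packet.matches[0].flowbits.operator` to those two filters would close that gap.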