--- /dev/null
+# Test Description
+
+ASAN-only
+
+Validate that memory is released for string variables used in Lua scripts
+
+## PCAP
+
+Redmine issue 7466: https://redmine.openinfosecfoundation.org/issues/7466
+
+## Related issues
+
+Configure with `CC="clang" LDFLAGS="-fsanitize=address" CFLAGS="-Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure`
+Then run with `ASAN_OPTIONS="detect_leaks=1" python3 ../suricata-verify/run.py lua-memleak`
--- /dev/null
+function init (args)
+ local needs = {}
+ needs["http.request_headers"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ SCFlowvarSet("key", 3, "value", 5)
+ return 1
+end
--- /dev/null
+alert http any any -> any any (msg: "Test1"; flow: to_server; lua:test.lua; sid:6677001; rev:1;)
--- /dev/null
+requires:
+ features:
+ - HAVE_LUA
+ lt-version: 8
+
+args:
+- --set security.lua.allow-rules=true
+- --set default-rule-path=${TEST_DIR}
+- -k none
+
+exit-code: 0
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ app_proto: http
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: Test1
+ alert.signature_id: 6677001
+ direction: to_server
+ flow.bytes_toclient: 1624
+ flow.bytes_toserver: 407
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 4
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ http.hostname: www.google.com
+ http.http_content_type: text/html
+ http.http_method: GET
+ http.http_user_agent: Wget/1.11.4
+ http.length: 1201
+ http.protocol: HTTP/1.0
+ http.status: 404
+ http.url: /AllWorkAndNoPlayMakesWillADullBoy
+ metadata.flowvars[0].key: value
+ tx_id: 0
--- /dev/null
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - tls:
+ extended: yes
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ ja3-fingerprints: yes
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ hash = Ja3SGetHash()
+ if hash == nil then
+ return 0
+ end
+
+ if hash == "5d79edf64e03689ff559a54e9d9487bc" then
+ return 1
+ end
+
+ return 0
+end
--- /dev/null
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ str = Ja3SGetString()
+ if str == nil then
+ return 0
+ end
+
+ if str == "771,49199,65281-0-11-16-23" then
+ return 1
+ end
+
+ return 0
+end
--- /dev/null
+alert tls any any -> any any (msg:"ja3s.hash test"; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)
+alert tls any any -> any any (msg:"ja3s.string test"; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;)
+alert tls any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
+alert tls any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
--- /dev/null
+pcap: ../../tls/tls-certs-alert/input.pcap
+
+requires:
+ features:
+ - HAVE_LUA
+ - HAVE_JA3
+ lt-version: 8
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ # Check that we have the following events in eve.json
+ # 2 - alert events
+ # 1 - tls event
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.ja3s.hash: "5d79edf64e03689ff559a54e9d9487bc"
+ tls.ja3s.string: "771,49199,65281-0-11-16-23"
projects / thirdparty / suricata-verify.git / commitdiff
