tests: update datajson to latest code

diff --git a/tests/datajson/datajson-01-ip/test.yaml b/tests/datajson/datajson-01-ip/test.yaml
index 6b2df3d70faa1d40337fe60245d0ed1a755e6328..d0c3ba592a0164372687d02f411a6ac8591dbb5d 100644 (file)
--- a/tests/datajson/datajson-01-ip/test.yaml
+++ b/tests/datajson/datajson-01-ip/test.yaml
@@ -14,4 +14,4 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
+        alert.context.src_ip.test: success

diff --git a/tests/datajson/datajson-02-multiple/test.yaml b/tests/datajson/datajson-02-multiple/test.yaml
index 68fd479007ba7af7201dc5e03c109c7cb9241ce1..5738beeedd6ceb7e729048a4fde9d4a712242601 100644 (file)
--- a/tests/datajson/datajson-02-multiple/test.yaml
+++ b/tests/datajson/datajson-02-multiple/test.yaml
@@ -14,5 +14,5 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.year: 2005
+        alert.context.src_ip.test: success
+        alert.context.bad_host.year: 2005

diff --git a/tests/datajson/datajson-03-jsonline/test.rules b/tests/datajson/datajson-03-jsonline/test.rules
index 378b6a3f9595e5d3200a200b09ebb4525c5a5d6f..106d2c8845ad9b8f0587e3cfbaf9d6c6e2966db6 100644 (file)
--- a/tests/datajson/datajson-03-jsonline/test.rules
+++ b/tests/datajson/datajson-03-jsonline/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format ndjson,enrichment_key bad_host,value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format ndjson,enrichment_key src_ip,value_key ip; sid:1;)

diff --git a/tests/datajson/datajson-03-jsonline/test.yaml b/tests/datajson/datajson-03-jsonline/test.yaml
index 87e90bdab896bea7a762c2af044a11e2227db07c..1a9107120234a5e1db5a7f91a390e4a20a78da36 100644 (file)
--- a/tests/datajson/datajson-03-jsonline/test.yaml
+++ b/tests/datajson/datajson-03-jsonline/test.yaml
@@ -16,7 +16,7 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.year: 2005
-        alert.extra.src_ip.ip: "10.16.1.11"
-        alert.extra.bad_host.host: "www.testmyids.com"
+        alert.context.src_ip.test: success
+        alert.context.bad_host.year: 2005
+        alert.context.src_ip.ip: "10.16.1.11"
+        alert.context.bad_host.host: "www.testmyids.com"

diff --git a/tests/datajson/datajson-04-hashes/test.yaml b/tests/datajson/datajson-04-hashes/test.yaml
index eec1c13c69a901ae7d9c3338c949bfb13ac79d2d..153e8e1144eebce83d6c91da1680bfa4a6e70826 100644 (file)
--- a/tests/datajson/datajson-04-hashes/test.yaml
+++ b/tests/datajson/datajson-04-hashes/test.yaml
@@ -14,10 +14,10 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.bad_sha.year: 2005
+        alert.context.bad_sha.year: 2005
   - filter:
       count: 1
       match:
         event_type: alert
         alert.signature_id: 2
-        alert.extra.bad_md5.year: 2007
+        alert.context.bad_md5.year: 2007

diff --git a/tests/datajson/datajson-05-duplicate/test.yaml b/tests/datajson/datajson-05-duplicate/test.yaml
index 68fd479007ba7af7201dc5e03c109c7cb9241ce1..5738beeedd6ceb7e729048a4fde9d4a712242601 100644 (file)
--- a/tests/datajson/datajson-05-duplicate/test.yaml
+++ b/tests/datajson/datajson-05-duplicate/test.yaml
@@ -14,5 +14,5 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.year: 2005
+        alert.context.src_ip.test: success
+        alert.context.bad_host.year: 2005

diff --git a/tests/datajson/datajson-06-remove-key/test.rules b/tests/datajson/datajson-06-remove-key/test.rules
index f5a613861cc2f0d27ddbdcf615725ccb4550624d..329e7ccd328174fa7f57ae0b7bf58755b021772e 100644 (file)
--- a/tests/datajson/datajson-06-remove-key/test.rules
+++ b/tests/datajson/datajson-06-remove-key/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,remove_key, value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip, remove_key; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format ndjson,enrichment_key bad_host,remove_key, value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format ndjson,enrichment_key src_ip,value_key ip, remove_key; sid:1;)

diff --git a/tests/datajson/datajson-06-remove-key/test.yaml b/tests/datajson/datajson-06-remove-key/test.yaml
index 13c495ee2445c8ac85bf5ec284a032d51c5ce808..bb1772b8131258926d987bfccee1772a34932a9a 100644 (file)
--- a/tests/datajson/datajson-06-remove-key/test.yaml
+++ b/tests/datajson/datajson-06-remove-key/test.yaml
@@ -16,20 +16,20 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.year: 2005
+        alert.context.src_ip.test: success
+        alert.context.bad_host.year: 2005
   - filter:
       count: 0
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.src_ip.ip: 10.16.1.11
-        alert.extra.bad_host.year: 2005
+        alert.context.src_ip.test: success
+        alert.context.src_ip.ip: 10.16.1.11
+        alert.context.bad_host.year: 2005
   - filter:
       count: 0
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.host: www.testmyids.com
+        alert.context.src_ip.test: success
+        alert.context.bad_host.host: www.testmyids.com

diff --git a/tests/datajson/datajson-09-jsonformat/test.yaml b/tests/datajson/datajson-09-jsonformat/test.yaml
index 0a102d314bd3663d188b17caa2a3f9e8e651585a..1131e8b48fb653da41c2d3dc1bcde2b66ad50343 100644 (file)
--- a/tests/datajson/datajson-09-jsonformat/test.yaml
+++ b/tests/datajson/datajson-09-jsonformat/test.yaml
@@ -14,27 +14,27 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.year: 2005
+        alert.context.src_ip.test: success
+        alert.context.bad_host.year: 2005
   - filter:
       count: 1
       match:
         event_type: alert
         alert.signature_id: 2
-        alert.extra.src_ip.test: success
-        alert.extra.dbad_host.year: 2005
+        alert.context.src_ip.test: success
+        alert.context.dbad_host.year: 2005
   - filter:
       count: 1
       match:
         event_type: alert
         alert.signature_id: 3
-        alert.extra.src_ip.test: success
-        alert.extra.nbad_host.year: 2005
+        alert.context.src_ip.test: success
+        alert.context.nbad_host.year: 2005
   - filter:
       count: 1
       match:
         event_type: alert
         alert.signature_id: 4
-        alert.extra.src_ip.test: success
-        alert.extra.nkbad_host.year: 2005
-        alert.extra.nkbad_host.host.domain: testmyids.com
+        alert.context.src_ip.test: success
+        alert.context.nkbad_host.year: 2005
+        alert.context.nkbad_host.host.domain: testmyids.com

diff --git a/tests/datajson/datajson-10-remove-nested-key/test.rules b/tests/datajson/datajson-10-remove-nested-key/test.rules
index 7b9d012fc07e080545e8f1fe3fa8643c9da1192b..3810aa448f2611c7b79ebce95f1dd44cb94303b1 100644 (file)
--- a/tests/datajson/datajson-10-remove-nested-key/test.rules
+++ b/tests/datajson/datajson-10-remove-nested-key/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,value_key ioc.host,remove_key; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format ndjson,enrichment_key bad_host,value_key ioc.host,remove_key; ip.src; dataset:isset,src_ip,type ip,load src.lst,format ndjson,enrichment_key src_ip,value_key ip; sid:1;)

diff --git a/tests/datajson/datajson-10-remove-nested-key/test.yaml b/tests/datajson/datajson-10-remove-nested-key/test.yaml
index e256f8885176e5177b9766dd5dd4c3a5e48389b1..0931da2b928ff9bcb3fb580e394a82cafedb3d8d 100644 (file)
--- a/tests/datajson/datajson-10-remove-nested-key/test.yaml
+++ b/tests/datajson/datajson-10-remove-nested-key/test.yaml
@@ -16,15 +16,15 @@ checks:
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.year: 2005
-        alert.extra.src_ip.ip: "10.16.1.11"
+        alert.context.src_ip.test: success
+        alert.context.bad_host.year: 2005
+        alert.context.src_ip.ip: "10.16.1.11"
   - filter:
       count: 0
       match:
         event_type: alert
         alert.signature_id: 1
-        alert.extra.src_ip.test: success
-        alert.extra.bad_host.year: 2005
-        alert.extra.src_ip.ip: "10.16.1.11"
-        alert.extra.bad_host.host: "www.testmyids.com"
+        alert.context.src_ip.test: success
+        alert.context.bad_host.year: 2005
+        alert.context.src_ip.ip: "10.16.1.11"
+        alert.context.bad_host.host: "www.testmyids.com"

diff --git a/tests/detect-pcre/detect-pcre-06/test.rules b/tests/detect-pcre/detect-pcre-06/test.rules
index 608d6c2eda1ce4c178c21f54dbca12593b4ba454..036d79e7b5b1e79c7cde2a5d13ac329d04ba2feb 100644 (file)
--- a/tests/detect-pcre/detect-pcre-06/test.rules
+++ b/tests/detect-pcre/detect-pcre-06/test.rules
@@ -1,5 +1,5 @@
 alert http any any -> any any (http.user_agent; pcre:"/^(?P<alert_ua>[a-zA-Z]+)/"; priority:1; sid:1;)
-alert http any any -> any any (http.user_agent; pcre:"/^([a-zA-Z]+).*Ubuntu\/(\d+\.\d).*Firefox\/(.*)/ ,alert:user_agent, flow:ubuntu, pkt:firefox"; sid:2;)
+alert http any any -> any any (http.user_agent; pcre:"/^([a-zA-Z]+).*Ubuntu\/(\d+\.\d).*Firefox\/(.*)/,alert:user_agent, flow:ubuntu, pkt:firefox"; sid:2;)
 # Shouldn't match
 alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P<alert_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:3;)
 alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P<alert_ua>.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:4;)

diff --git a/tests/detect-pcre/detect-pcre-06/test.yaml b/tests/detect-pcre/detect-pcre-06/test.yaml
index 080d8d7c4bad64a962dbfc238035a732f69f8dfd..6b0540ef394128ef890a327c7c2bc630353babdb 100644 (file)
--- a/tests/detect-pcre/detect-pcre-06/test.yaml
+++ b/tests/detect-pcre/detect-pcre-06/test.yaml
@@ -20,13 +20,13 @@ checks:
     match:
       event_type: alert
       alert.signature_id: 1
-      alert.extra.ua: Mozilla
+      alert.context.ua: Mozilla
 - filter:
     count: 1
     match:
       event_type: alert
       alert.signature_id: 2
-      alert.extra.user_agent: Mozilla
+      alert.context.user_agent: Mozilla
       metadata.flowvars[0].ubuntu: "8.1"
       metadata.pktvars[0].firefox: "3.0.13"
 - filter: