detect/datasets: adds test for unset operation
authorPhilippe Antoine <pantoine@oisf.net>
Mon, 12 Aug 2024 08:18:04 +0000 (10:18 +0200)
committerVictor Julien <victor@inliniac.net>
Wed, 16 Oct 2024 09:22:58 +0000 (11:22 +0200)
Ticket: 7195

tests/datasets-10-unset/README.md [new file with mode: 0644]
tests/datasets-10-unset/expected/after.csv [new file with mode: 0644]
tests/datasets-10-unset/test.rules [new file with mode: 0644]
tests/datasets-10-unset/test.yaml [new file with mode: 0644]
tests/datasets-10-unset/unset.pcap [new file with mode: 0644]

diff --git a/tests/datasets-10-unset/README.md b/tests/datasets-10-unset/README.md
new file mode 100644 (file)
index 0000000..79dba68
--- /dev/null
@@ -0,0 +1,20 @@
+Test Description
+================
+
+This test demonstrates the unset operation for datasets.
+
+PCAP
+====
+
+Running as server `python3 -m http.server 8001`
+And as clients
+```
+curl -A "useragent1" http://127.0.0.1:8001/toto
+curl -A "useragent2" http://127.0.0.1:8001/toto
+curl -A "useragent1" http://127.0.0.1:8001/tata
+```
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/7195
diff --git a/tests/datasets-10-unset/expected/after.csv b/tests/datasets-10-unset/expected/after.csv
new file mode 100644 (file)
index 0000000..778bdbf
--- /dev/null
@@ -0,0 +1 @@
+dXNlcmFnZW50Mg==
diff --git a/tests/datasets-10-unset/test.rules b/tests/datasets-10-unset/test.rules
new file mode 100644 (file)
index 0000000..378bdbb
--- /dev/null
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.uri; content: "/toto"; http.user_agent; dataset:set,ua-seen,type string,save after.csv; sid:1;)
+alert http any any -> any any (http.uri; content: "/tata"; http.user_agent; dataset:unset,ua-seen,type string,save after.csv; sid:2;)
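Review bot: Nothing in test.rules says what the two rules are meant to prove, and neither carries a `msg`, so a failing run shows only bare sids. A leading comment such as `# sid:1 adds each /toto User-Agent to ua-seen; sid:2 removes the /tata User-Agent, so only useragent2 should remain in after.csv` would tie the rules to the README's curl sequence and to expected/after.csv. Both rules repeat `type string,save after.csv` for the same dataset; presumably the two declarations must stay identical for the rules to load, which is worth stating in the same comment.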
diff --git a/tests/datasets-10-unset/test.yaml b/tests/datasets-10-unset/test.yaml
new file mode 100644 (file)
index 0000000..8f9603b
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  min-version: 7
+
+args:
+  - --data-dir=${OUTPUT_DIR} -k none --runmode single
+
+checks:
+# 2 sets and 1 unset alerts
+  - filter:
+      count: 2
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - file-compare:
+      filename: after.csv
+      expected: expected/after.csv
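Review bot: The `file-compare` check only works because `--data-dir=${OUTPUT_DIR}` makes the rules' relative `save after.csv` land in the output directory, and test.yaml does not state that coupling. A comment above `args` such as `# data-dir is the output dir so the dataset saved by the rules can be compared below` would make it explicit. The test also depends on rules being allowed to write dataset files, which I take to be the default; if the harness configuration ever restricts rule-driven dataset writes, this check would fail without any alert mismatch to point at the cause. Separately, `min-version: 7` admits every 7.x build, so it is worth confirming that the unset operation is supported across that whole range; this page does not show it either way.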
diff --git a/tests/datasets-10-unset/unset.pcap b/tests/datasets-10-unset/unset.pcap
new file mode 100644 (file)
index 0000000..c637e59
Binary files /dev/null and b/tests/datasets-10-unset/unset.pcap differ