tests: Support list checks
authorJeff Lucovsky <jlucovsky@oisf.net>
Fri, 28 Mar 2025 16:57:20 +0000 (12:57 -0400)
committerVictor Julien <victor@inliniac.net>
Mon, 7 Apr 2025 20:04:21 +0000 (22:04 +0200)
Support string checks for JSON lists with the new __contains operator that
checks whether a string is contained within a list.

Example
    - JSON list: "ftp":{"reply":["Opening BINARY mode data connection for temp.txt (1164 bytes).","Transfer complete."], }
    - Check: ftp.reply.__contains: 'Transfer complete.'

README.md
run.py

index 3e5b0bf76d6a4fbc64122df0b0766e04c6e7ebef..74a5d6e25eaf019c60cf25803e52d205b467ba49 100644 (file)
--- a/README.md
+++ b/README.md
@@ -177,6 +177,10 @@ checks:
         # Check if a string ends with an expected value
         engine.message.__endswith: "the end of a string"
 
+        # Check if a string is contained within a JSON list.
+        # Eg. "ftp":{"reply":["Opening BINARY mode data connection for temp.txt (1164 bytes).","Transfer complete."], }
+        ftp.reply.__contains: 'Transfer complete.'
+
   - shell:
       # A simple shell check. If the command exits with a non-0 exit code the
       # check will fail. The script is run in the output directory of the
diff --git a/run.py b/run.py
index 8cc3484f5ef6caf20b6b33c7ba96bece73900d18..51f9235f22518fe03c2146d98a143d3139ef6715 100755 (executable)
--- a/run.py
+++ b/run.py
@@ -399,7 +399,7 @@ def find_value(name, obj):
                 return len(obj)
             except:
                 return -1
-        if part in ["__find", "__startswith", "__endswith"]:
+        if part in ["__contains", "__find", "__startswith", "__endswith"]:
             # Return full object, caller will handle the special match logic.
             break
         name = None
@@ -573,6 +573,9 @@ class FilterCheck:
                 if key.endswith("__find"):
                     if val.find(expected) < 0:
                         return False
+                elif key.endswith("__contains"):
+                    if not expected in val:
+                        return False
                 elif key.endswith("__startswith"):
                     if not val.startswith(expected):
                         return False
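Review bot: The new `__contains` branch applies Python's `in` to `val` without confirming that `val` is a list. When the field is a plain string the check becomes a substring match (the same as `__find`), and when it is a dict it tests keys, so a test can pass without the list membership the commit message describes. A guard such as `if not isinstance(val, list) or expected not in val:` followed by `return False` would restrict the operator to lists; `expected not in val` is also the idiomatic spelling of `not expected in val`. If `val` can be None at this point (the lookup for a missing key is outside the hunk, so this is unconfirmed), `in` raises TypeError instead of failing the check. The enclosing FilterCheck method starts and ends outside the hunk.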