http: add lua lib detection tests
authorShivani Bhardwaj <shivanib134@gmail.com>
Tue, 1 Apr 2025 06:12:51 +0000 (11:42 +0530)
committerVictor Julien <victor@inliniac.net>
Tue, 1 Apr 2025 08:17:07 +0000 (10:17 +0200)
tests/lua-detect-http-01/README.md [new file with mode: 0644]
tests/lua-detect-http-01/http-lua.rules [new file with mode: 0644]
tests/lua-detect-http-01/suricata.yaml [new file with mode: 0644]
tests/lua-detect-http-01/test-request-headers-raw.lua [new file with mode: 0644]
tests/lua-detect-http-01/test-request-line.lua [new file with mode: 0644]
tests/lua-detect-http-01/test-response-body.lua [new file with mode: 0644]
tests/lua-detect-http-01/test-response-headers-raw.lua [new file with mode: 0644]
tests/lua-detect-http-01/test.yaml [new file with mode: 0644]

diff --git a/tests/lua-detect-http-01/README.md b/tests/lua-detect-http-01/README.md
new file mode 100644 (file)
index 0000000..6ec44e0
--- /dev/null
@@ -0,0 +1 @@
+Test Lua detection of HTTP methods via library.
diff --git a/tests/lua-detect-http-01/http-lua.rules b/tests/lua-detect-http-01/http-lua.rules
new file mode 100644 (file)
index 0000000..77272f0
--- /dev/null
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg: "Test HTTP Lua request.line"; lua: test-request-line.lua; sid:1;)
+alert http any any -> any any (msg: "Test HTTP Lua request.headers.raw"; lua: test-request-headers-raw.lua; flow:to_server; sid:2;)
+alert http any any -> any any (msg: "Test HTTP Lua response.body"; lua: test-response-body.lua; sid:3;)
+alert http any any -> any any (msg: "Test HTTP Lua response-headers-raw"; lua: test-response-headers-raw.lua; flow:to_client; sid:4;)
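Review bot: sid 1 and sid 3 carry no `flow:` keyword, while sid 2 and sid 4 pin the direction with `flow:to_server` and `flow:to_client`. If that difference is deliberate it deserves a one-line comment above the rules. If not, adding `flow:to_server;` to sid 1 and `flow:to_client;` to sid 3 would make the four rules consistent. Whether the direction affects which buffer the script sees is not visible from this hunk. The msg of sid 4 also spells the buffer `response-headers-raw`, where sid 2 uses the dotted form `request.headers.raw`.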
diff --git a/tests/lua-detect-http-01/suricata.yaml b/tests/lua-detect-http-01/suricata.yaml
new file mode 100644 (file)
index 0000000..51af22d
--- /dev/null
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
diff --git a/tests/lua-detect-http-01/test-request-headers-raw.lua b/tests/lua-detect-http-01/test-request-headers-raw.lua
new file mode 100644 (file)
index 0000000..f3e47a3
--- /dev/null
@@ -0,0 +1,22 @@
+-- simple http match on request_headers_raw module
+local packet = require "suricata.packet"
+local http = require("suricata.http")
+
+function init (args)
+    local needs = {}
+    needs["http.request_headers.raw"] = tostring(true)
+    return needs
+end
+
+function match(args)
+    local tx = http.get_tx()
+    http_request_headers_raw, err = tx:request_headers_raw()
+
+    if #http_request_headers_raw > 0 then
+        if http_request_headers_raw:find("User%-Agent: curl") then
+            return 1
+        end
+    end
+
+    return 0
+end
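Review bot: In `match`, `http_request_headers_raw, err = tx:request_headers_raw()` creates two globals, and neither `tx` nor the returned value is checked before `tx:` and `#http_request_headers_raw` are evaluated. If either is nil, the script raises a runtime error instead of returning 0, which in a detection script presumably shows up as a silent non-match. I would write `local raw = tx and tx:request_headers_raw()` followed by `if raw and raw:find("User%-Agent: curl") then return 1 end`. The same global assignment and unchecked `tx` appear in test-request-line.lua, test-response-body.lua and test-response-headers-raw.lua. `local packet = require "suricata.packet"` is unused here and in test-response-headers-raw.lua.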
diff --git a/tests/lua-detect-http-01/test-request-line.lua b/tests/lua-detect-http-01/test-request-line.lua
new file mode 100644 (file)
index 0000000..ee71eba
--- /dev/null
@@ -0,0 +1,22 @@
+-- simple http match on request_line module
+local http = require("suricata.http")
+
+function init (args)
+    local needs = {}
+    needs["http.request_line"] = tostring(true)
+    return needs
+end
+
+function match(args)
+    local tx, err = http.get_tx()
+    http_request_line, err = tx:request_line()
+
+    if #http_request_line > 0 then
+        --GET /base64-hello-world.txt HTTP/1.1
+        if http_request_line:find("^GET") then
+            return 1
+        end
+    end
+
+    return 0
+end
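Review bot: The pattern `"^GET"` in `match` accepts any request line whose first token merely begins with GET, not only the GET method. The sample line in the comment is `GET /base64-hello-world.txt HTTP/1.1`, so `http_request_line:find("^GET ")` with the trailing space pins the method token. The `err` captured next to `tx` from `http.get_tx()` is overwritten on the following line without being examined.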
diff --git a/tests/lua-detect-http-01/test-response-body.lua b/tests/lua-detect-http-01/test-response-body.lua
new file mode 100644 (file)
index 0000000..7ca6f62
--- /dev/null
@@ -0,0 +1,23 @@
+-- simple http match on response_body module
+local http = require("suricata.http")
+
+function init (args)
+    local needs = {}
+    needs["http.response_body"] = tostring(true)
+    return needs
+end
+
+function match(args)
+    local tx, err = http.get_tx()
+    http_response_body, err = tx:response_body()
+    if http_response_body ~= nil then
+        for i = 1,#http_response_body,1
+        do
+            if http_response_body[i]:find("^SGVsbG8gV29ybGQu") then
+                return 1
+            end
+        end
+    end
+
+    return 0
+end
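Review bot: The loop in `match` tests each element of `http_response_body` on its own with a `^`-anchored pattern, so the result depends on how the body was split into chunks. The base64 text only matches when it begins a chunk. A comment such as `-- each body chunk is matched separately; the pattern must start a chunk` would make that assumption visible. If chunk-independent matching is intended, running a single `find` over `table.concat(http_response_body)` would be the alternative.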
diff --git a/tests/lua-detect-http-01/test-response-headers-raw.lua b/tests/lua-detect-http-01/test-response-headers-raw.lua
new file mode 100644 (file)
index 0000000..625c119
--- /dev/null
@@ -0,0 +1,22 @@
+-- simple http match on response_headers_raw module
+local packet = require "suricata.packet"
+local http = require("suricata.http")
+
+function init (args)
+    local needs = {}
+    needs["http.response_headers.raw"] = tostring(true)
+    return needs
+end
+
+function match(args)
+    local tx = http.get_tx()
+    http_response_headers_raw, err = tx:response_headers_raw()
+
+    if #http_response_headers_raw > 0 then
+        if http_response_headers_raw:find("^Server: nginx/1.6.3") then
+            return 1
+        end
+    end
+
+    return 0
+end
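Review bot: In `"^Server: nginx/1.6.3"` the dots are unescaped, and in a Lua pattern `.` matches any character, so the version check is looser than it reads. The request-headers script already escapes `-` as `%-`. Writing `http_response_headers_raw:find("^Server: nginx/1%.6%.3")` keeps the match literal. The `^` anchor also requires `Server:` to be the very first header in the raw block, which is worth a one-line comment because reordered headers would stop the rule from firing.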
diff --git a/tests/lua-detect-http-01/test.yaml b/tests/lua-detect-http-01/test.yaml
new file mode 100644 (file)
index 0000000..7411be9
--- /dev/null
@@ -0,0 +1,28 @@
+requires:
+  features:
+    - HAVE_LUA
+  min-version: 8
+
+pcap: ../lua-output-http/input.pcap
+
+args:
+  - --set security.lua.allow-rules=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 4
+
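Review bot: `--set security.lua.allow-rules=true` overrides a security setting without a comment explaining why. As far as I know, Lua rule scripts are disabled by default, so the rules in this test would not load without the switch. A comment above `args:` such as `# Lua rules are off by default; enable them for this test run only` would stop the flag from being copied into other configurations as boilerplate.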