--- /dev/null
+alert http any any -> any any (msg:"Setting flowbit fb1 - app-tx rule";content:"testmyids.com";http_header;flowbits:set,fb1;noalert;sid:1;rev:1;)
+alert http any any -> any any (msg:"Flowbit fb6 set - app-tx rule"; flowbits:set,fb6; content:"POST";http_header; sid:2;)
+alert http any any -> any any (msg:"Flowbit fb4 set - app-tx rule"; flowbits:set,fb4; noalert;content:"GET";http_header; sid:3;)
+alert ip any any -> any any (msg:"Flowbit fb1 isset - pkt rule"; flowbits:isset,fb1; sid:4;)
+alert http any any -> any any (msg:"Setting flowbit fb2 - app_tx rule";http.uri;content:"something";flowbits:set,fb2;sid:5;)
+alert ip any any -> any any (msg:"Is-Setting flowbit fb2 - pkt rule";flowbits:isset,fb2;sid:6;)
+alert tcp any any -> any any (msg:"Is-Setting flowbit fb2, fb1 - stream rule";content:"something";flowbits:isset,fb2; flowbits:isset,fb1; sid:7;)
+alert http any any -> any any (msg:"Setting flowbit fb3 - stream rule";content:"wwnotginh";flowbits:set,fb3;sid:8;rev:1;)
+alert tcp-pkt any any -> any any (msg:"Is-Setting flowbit fb3 - pkt rule";content:"something";flowbits:isset,fb3;sid:9;)
+alert tcp any any -> any any (msg:"Flowbit isnotset ored flowbits - pkt rule"; flowbits:isnotset, fb1|fb3 ; sid:10;)
+alert tcp-pkt any any -> any any (msg:"Flowbit isset ored flowbits - pkt rule"; flowbits:isset,fb1|fb2|fb3; sid:11;)
+alert tcp any any -> any any (msg:"Flowbit isset ored flowbits - pkt rule"; flowbits:isset,fb2|fb1|fb4; sid:12;)
+alert tcp-pkt any any -> any any (msg:"Flowbit fb4 isset - pkt rule"; flowbits:isset,fb4; sid:13;)
+alert tcp any any -> any any (msg:"Flowbit fb6 isset - pkt rule"; flowbits:isset,fb6; sid:14;)
+alert http any any -> any any (msg:"Flowbit fb5 set - app-tx rule";http.stat_code;content:"200";flowbits:set,fb5;sid:15;)
+alert tcp-pkt any any -> any any (msg:"Flowbit isset ored flowbits - pkt rule"; flowbits:isset,fb5|fb6; sid:16;)
+alert tcp any any -> any any (msg:"stream rule byte_extract with dce and flowbits"; byte_extract:4,0,var,dce; byte_test:4,>,var,4,little; flowbits:set,fb7; flowbits:isset,fb4; sid:17;)
+alert http any any -> any any (msg:"Flowbit fb4 isset app-tx rule"; flowbits:isset,fb4; http.header; content:"testmyids"; sid:18;)
+alert tcp any any -> any 443 (flow: to_server; content:"abc"; flowbits:set,tls_error; sid:19; msg:"Allow TLS error handling (outgoing packet) with simple content - stream rule";)
+alert http any any -> any any (msg:"http, anchored content - pkt-stream rule"; flowbits:isset,fb1; content:"abc"; depth:30; sid:20;)
+alert http any any -> any any (msg:"http, anchored content - pkt-stream rule"; flowbits:isset,tls_error; content:"abc"; depth:30; sid:21;)
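Review bot: Several rules share a `msg`, so their entries in the analysis output cannot be told apart by message: sids 11, 12 and 16 all read "Flowbit isset ored flowbits - pkt rule", and sids 20 and 21 both read "http, anchored content - pkt-stream rule". Naming the tested flowbits in each, e.g. `msg:"http, anchored content, isset tls_error - pkt-stream rule"` for sid 21, would keep the fixture self-describing. The file also mixes the legacy `http_header` content modifier (sids 1-3) with the `http.header` sticky buffer (sid 18). If both forms are covered on purpose, a `#` comment line saying so would stop a later cleanup from normalising them.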
--- /dev/null
+requires:
+ min-version: 8
+ pcap: false
+args:
+- --engine-analysis
+
+checks:
+# check 1
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ type: "app_tx"
+ not-has-key: dependencies
+# check 2
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ type: "app_tx"
+ not-has-key: dependencies
+# check 3
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ type: "app_tx"
+ not-has-key: dependencies
+# check 4
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+# check 5
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ type: "app_tx"
+ not-has-key: dependencies
+# check 6
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb2
+# check 7
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ type: "stream"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb2
+# check 8
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ type: "stream"
+ not-has-key: dependencies
+# check 9
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ type: "pkt"
+ not-has-key: dependencies
+# check 10
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ type: "pkt"
+ not-has-key: dependencies
+# check 11
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb2
+# check 12
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 12
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb2
+# check 13
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 13
+ type: "pkt"
+ not-has-key: dependencies
+# check 14
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 14
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 2
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb6
+# check 15
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 15
+ type: "app_tx"
+ not-has-key: dependencies
+# check 16
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 16
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 2
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 15
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb6
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb5
+# check 17
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 17
+ type: "stream"
+ not-has-key: dependencies
+# check 18
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 18
+ type: "app_tx"
+ not-has-key: dependencies
+# check 19
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 19
+ type: "stream"
+ not-has-key: dependencies
+# check 20
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 20
+ type: "pkt_stream"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+# check 21
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 21
+ type: "pkt_stream"
+ not-has-key: dependencies
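Review bot: Checks 11 and 12 pin only indices [0] and [1] of `sids` and `names`, so an unexpected third entry would still pass. Sid 11 tests `fb1|fb2|fb3` and sid 12 tests `fb2|fb1|fb4`, where the third flowbit is set by sid 8 and sid 3 respectively. A length match on each, such as `dependencies.flowbits.upstream.state_modifying_rules.sids.__len: 2` (assuming the harness's `__len` suffix applies to this path), would make the exclusion explicit. Checks 9 and 13 expect no `dependencies` key although sid 9 tests fb3 and sid 13 tests fb4, both of which are set by another rule in the file. A one-line comment above each saying why no upstream rule is reported would record the intended behaviour.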