--- /dev/null
+Test that the configuration option to allow absolute dataset filenames
+in rules works.
--- /dev/null
+%YAML 1.1
+---
+
+datasets:
+ rules:
+ allow-absolute-filenames: true
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
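Review bot: `enabled: yes` in the file output stanza uses a YAML 1.1 truthy word while the new `allow-absolute-filenames: true` two stanzas up uses a canonical boolean, so the same file mixes two boolean spellings; `enabled: true` would keep it consistent and avoid depending on the `%YAML 1.1` directive for the `yes` → true conversion. The same mix appears in the Windows copy of suricata.yaml further down this diff. The indentation of the nested keys appears to have been flattened in this rendering, so I cannot tell whether the `outputs` list is nested correctly; worth confirming against the file itself.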
--- /dev/null
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen, type string, state /tmp/dns-seen.txt; sid:1; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-save, type string, save /tmp/dns-seen-save.txt; sid:2; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-parent, type string, state /tmp/../tmp/dns-seen.txt; sid:3; rev:1;)
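Review bot: All three rules point at fixed names in the shared `/tmp` directory, and sid 2 (`save /tmp/dns-seen-save.txt`) makes Suricata write to that path, so a stale file from a previous run, or a pre-existing file or symlink placed by another user on a shared CI host, would be picked up or followed by the test process. If the verify harness can supply a per-run absolute directory, pointing `state`/`save` under it would make the runs independent; otherwise a comment in test.yaml noting that the test leaves and reuses files in `/tmp` would at least make the behaviour visible to whoever debugs a flaky run. This is a test fixture rather than product code, so the risk is flakiness and cross-run interference rather than an exposure in Suricata itself.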
--- /dev/null
+pcap: ../../datasets/datasets-parent-path/one-packet.pcap
+
+requires:
+ lt-version: 8
+
+args:
+ - -vvv
+
+# Due to differences between user-mode and system-mode, these rules
+# will actually fail. Instead we're testing to make sure we got past
+# the check for absolute filenames.
+exit-code: 1
+
+checks:
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/dns-seen.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/dns-seen-save.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/../tmp/dns-seen.txt"
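Review bot: The three `checks` only assert the permissive path — each expects the "Allowing absolute filename for dataset rule" message for a rule that is allowed — so a regression that stopped enforcing the absolute-path restriction altogether (for example emitting the message regardless of the option) would still pass this test. Unless a sibling test already covers it (the `pcap` path refers to a `datasets-parent-path` directory that may hold the rejecting case), a companion test with the same rules and `allow-absolute-filenames` unset, expecting the rule to be rejected, would pin both sides of the option. The sid 3 case with `/tmp/../tmp/` is also only checked for the "Allowing" message, so whether the `..` component is normalized before use is not asserted here; if that is intended coverage, a check on the resulting path would make it explicit.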
--- /dev/null
+Test that the configuration option to allow absolute dataset filenames
+in rules works.
--- /dev/null
+%YAML 1.1
+---
+
+datasets:
+ rules:
+ allow-absolute-filenames: true
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
--- /dev/null
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen, type string, state C:\Windows\Temp\dns-seen.txt; sid:1; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-save, type string, save C:\Windows\Temp\dns-seen-save.txt; sid:2; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-parent, type string, state C:\Windows\Temp\..\Temp\dns-seen2.txt; sid:3; rev:1;)
--- /dev/null
+pcap: ../../datasets/datasets-parent-path/one-packet.pcap
+
+requires:
+ min-version: 8
+ lambda: sys.platform == "win32"
+
+args:
+ - -vvv
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 3
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ engine.message.__endswith: "dns-seen.txt"
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ engine.message.__endswith: "dns-seen-save.txt"
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ engine.message.__endswith: "dns-seen2.txt"
pcap: ../../datasets/datasets-parent-path/one-packet.pcap
+# this needs at least Suricata 8 and based on the absolute path will not work on Windows
+requires:
+ min-version: 8
+ lambda: sys.platform != "win32"
+
args:
- -vvv
-# Due to differences between user-mode and system-mode, these rules
-# will actually fail. Instead we're testing to make sure we got past
-# the check for absolute filenames.
-exit-code: 1
-
checks:
- filter:
count: 1