From: Victor Julien Date: Fri, 11 Apr 2025 18:23:04 +0000 (+0200) Subject: tests: bring back 7 support for lua tests X-Git-Tag: suricata-7.0.11~91 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ef46e7262664b352c760ac55125229ddb30f24d;p=thirdparty%2Fsuricata-verify.git tests: bring back 7 support for lua tests
---
diff --git a/tests/lua-memleak-pre8/README.md b/tests/lua-memleak-pre8/README.md
new file mode 100644
index 000000000..cda04bfa7
--- /dev/null
+++ b/tests/lua-memleak-pre8/README.md
@@ -0,0 +1,14 @@
+# Test Description
+
+ASAN-only
+
+Validate that memory is released for string variables used in Lua scripts
+
+## PCAP
+
+Redmine issue 7466: https://redmine.openinfosecfoundation.org/issues/7466
+
+## Related issues
+
+Configure with `CC="clang" LDFLAGS="-fsanitize=address" CFLAGS="-Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure`
+Then run with `ASAN_OPTIONS="detect_leaks=1" python3 ../suricata-verify/run.py lua-memleak`
diff --git a/tests/lua-memleak-pre8/input.pcap b/tests/lua-memleak-pre8/input.pcap
new file mode 100644
index 000000000..1b4ffc446
Binary files /dev/null and b/tests/lua-memleak-pre8/input.pcap differ
diff --git a/tests/lua-memleak-pre8/test.lua b/tests/lua-memleak-pre8/test.lua
new file mode 100644
index 000000000..141014c1b
--- /dev/null
+++ b/tests/lua-memleak-pre8/test.lua
@@ -0,0 +1,10 @@
+function init (args)
+ local needs = {}
+ needs["http.request_headers"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ SCFlowvarSet("key", 3, "value", 5)
+ return 1
+end
diff --git a/tests/lua-memleak-pre8/test.rules b/tests/lua-memleak-pre8/test.rules
new file mode 100644
index 000000000..844ac631e
--- /dev/null
+++ b/tests/lua-memleak-pre8/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Test1"; flow: to_server; lua:test.lua; sid:6677001; rev:1;)
diff --git a/tests/lua-memleak-pre8/test.yaml b/tests/lua-memleak-pre8/test.yaml
new file mode 100644
index 000000000..3a28362d0
--- /dev/null
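Review bot: In `tests/lua-memleak-pre8/test.lua`, `SCFlowvarSet("key", 3, "value", 5)` passes the two lengths as bare literals with nothing tying them to the strings next to them. They match today (3 and 5 bytes), but a later edit to either string would silently desynchronise them, and how the binding treats a mismatched length is not visible in this diff. A comment above the call such as `-- 3 and 5 are the byte lengths of "key" and "value"; keep them in sync` would make that explicit. A second comment line naming Redmine issue 7466 would tell the reader that this script exists to exercise the flowvar string allocation under ASAN.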
+++ b/tests/lua-memleak-pre8/test.yaml
@@ -0,0 +1,50 @@
+requires:
+ features:
+ - HAVE_LUA
+ lt-version: 8
+
+args:
+- --set security.lua.allow-rules=true
+- --set default-rule-path=${TEST_DIR}
+- -k none
+
+exit-code: 0
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ pcap_cnt: 7
+ proto: TCP
+ src_ip: 192.168.2.3
+ src_port: 39867
+ dest_ip: 209.85.225.105
+ dest_port: 80
+ app_proto: http
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 1
+ alert.severity: 3
+ alert.signature: Test1
+ alert.signature_id: 6677001
+ direction: to_server
+ flow.bytes_toclient: 1624
+ flow.bytes_toserver: 407
+ flow.dest_ip: 209.85.225.105
+ flow.dest_port: 80
+ flow.pkts_toclient: 3
+ flow.pkts_toserver: 4
+ flow.src_ip: 192.168.2.3
+ flow.src_port: 39867
+ http.hostname: www.google.com
+ http.http_content_type: text/html
+ http.http_method: GET
+ http.http_user_agent: Wget/1.11.4
+ http.length: 1201
+ http.protocol: HTTP/1.0
+ http.status: 404
+ http.url: /AllWorkAndNoPlayMakesWillADullBoy
+ metadata.flowvars[0].key: value
+ tx_id: 0
diff --git a/tests/tls/tls-ja3s-pre8/suricata.yaml b/tests/tls/tls-ja3s-pre8/suricata.yaml
new file mode 100644
index 000000000..282e8ae60
--- /dev/null
+++ b/tests/tls/tls-ja3s-pre8/suricata.yaml
@@ -0,0 +1,26 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
+ filename: eve.json
+ types:
+ - alert:
+ payload: no
+ payload-buffer-size: 4kb
+ payload-printable: no
+ packet: no
+ metadata: no
+ - tls:
+ extended: yes
+
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ ja3-fingerprints: yes
diff --git a/tests/tls/tls-ja3s-pre8/test-ja3s-hash.lua b/tests/tls/tls-ja3s-pre8/test-ja3s-hash.lua
new file mode 100644
index 000000000..791afa779
--- /dev/null
+++ b/tests/tls/tls-ja3s-pre8/test-ja3s-hash.lua
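Review bot: In `tests/lua-memleak-pre8/test.yaml` nothing marks which check actually catches the leak. The `filter` block only confirms the alert and `metadata.flowvars[0].key: value`, both of which would still pass on a leaking build. The regression is presumably caught only through `exit-code: 0`, and only when Suricata is built with AddressSanitizer and run with `detect_leaks=1` as the README describes. I would add a comment above `exit-code: 0`, for example `# leak assertion: under an ASAN build with detect_leaks=1 a leak makes the process exit non-zero`. That keeps the line from being dropped as redundant and stops a green run on a non-ASAN build being read as proof the leak is fixed.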
@@ -0,0 +1,18 @@
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ hash = Ja3SGetHash()
+ if hash == nil then
+ return 0
+ end
+
+ if hash == "5d79edf64e03689ff559a54e9d9487bc" then
+ return 1
+ end
+
+ return 0
+end
diff --git a/tests/tls/tls-ja3s-pre8/test-ja3s-string.lua b/tests/tls/tls-ja3s-pre8/test-ja3s-string.lua
new file mode 100644
index 000000000..2ea8b0d80
--- /dev/null
+++ b/tests/tls/tls-ja3s-pre8/test-ja3s-string.lua
@@ -0,0 +1,18 @@
+function init(args)
+ local needs = {}
+ needs["tls"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ str = Ja3SGetString()
+ if str == nil then
+ return 0
+ end
+
+ if str == "771,49199,65281-0-11-16-23" then
+ return 1
+ end
+
+ return 0
+end
diff --git a/tests/tls/tls-ja3s-pre8/test.rules b/tests/tls/tls-ja3s-pre8/test.rules
new file mode 100644
index 000000000..a5b259bc4
--- /dev/null
+++ b/tests/tls/tls-ja3s-pre8/test.rules
@@ -0,0 +1,4 @@
+alert tls any any -> any any (msg:"ja3s.hash test"; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)
+alert tls any any -> any any (msg:"ja3s.string test"; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;)
+alert tls any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
+alert tls any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
diff --git a/tests/tls/tls-ja3s-pre8/test.yaml b/tests/tls/tls-ja3s-pre8/test.yaml
new file mode 100644
index 000000000..65a1606e9
--- /dev/null
+++ b/tests/tls/tls-ja3s-pre8/test.yaml
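Review bot: `hash = Ja3SGetHash()` in `match()` of `test-ja3s-hash.lua` assigns a global because it has no `local`, and `str = Ja3SGetString()` in `test-ja3s-string.lua` has the same issue. The value is reassigned before every read, so the test result is not affected, but the name stays in the script's Lua state after `match()` returns. Test scripts like these tend to be copied as templates for production rule scripts, where a leftover global can carry a value from one invocation into the next. Use `local hash = Ja3SGetHash()` and `local str = Ja3SGetString()`.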
@@ -0,0 +1,26 @@
+pcap: ../../tls/tls-certs-alert/input.pcap
+
+requires:
+ features:
+ - HAVE_LUA
+ - HAVE_JA3
+ lt-version: 8
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ # Check that we have the following events in eve.json
+ # 2 - alert events
+ # 1 - tls event
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+ tls.ja3s.hash: "5d79edf64e03689ff559a54e9d9487bc"
+ tls.ja3s.string: "771,49199,65281-0-11-16-23"
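Review bot: The comment block under `checks:` in `tests/tls/tls-ja3s-pre8/test.yaml` says `# 2 - alert events`, but the filter right below it asserts `count: 4`, which matches the four rules (sid 1 to 4) in `test.rules`. The comment should read `# 4 - alert events (sids 1-4: two keyword rules, two Lua rules)`. The filter also counts alerts only in aggregate, so it does not show that each Lua script matched on its own. Adding `alert.signature_id: 3` and `alert.signature_id: 4` filters with `count: 1` would pin the two Lua rules individually.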