From: Jeff Lucovsky Date: Fri, 28 Mar 2025 16:57:20 +0000 (-0400) Subject: tests: Support list checks X-Git-Tag: suricata-7.0.11~99 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bfd2b30ab6005ebd5b7fa573cfcd7e92f0f7ff07;p=thirdparty%2Fsuricata-verify.git tests: Support list checks Support string checks for JSON lists with the new __contains operator that checks whether a string is contained within a list. Example - JSON list: "ftp":{"reply":["Opening BINARY mode data connection for temp.txt (1164 bytes).","Transfer complete."], } - Check: ftp.reply.__contains: 'Transfer complete.'
---
diff --git a/README.md b/README.md
index 3e5b0bf76..74a5d6e25 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,10 @@ checks: # Check if a string ends with an expected value engine.message.__endswith: "the end of a string" + # Check if a string is contained within a JSON list. + # Eg. "ftp":{"reply":["Opening BINARY mode data connection for temp.txt (1164 bytes).","Transfer complete."], } + ftp.reply.__contains: 'Transfer complete.' + - shell: # A simple shell check. If the command exits with a non-0 exit code the # check will fail. The script is run in the output directory of the
diff --git a/run.py b/run.py
index 8cc3484f5..51f9235f2 100755
--- a/run.py
+++ b/run.py
@@ -399,7 +399,7 @@ def find_value(name, obj):
 return len(obj)
 except:
 return -1
- if part in ["__find", "__startswith", "__endswith"]:
+ if part in ["__contains", "__find", "__startswith", "__endswith"]:
 # Return full object, caller will handle the special match logic.
 break
 name = None
@@ -573,6 +573,9 @@ class FilterCheck:
 if key.endswith("__find"):
 if val.find(expected) < 0:
 return False
+ elif key.endswith("__contains"):
+ if not expected in val:
+ return False
 elif key.endswith("__startswith"):
 if not val.startswith(expected):
 return False
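Review bot: The new `__contains` branch in the FilterCheck hunk of run.py evaluates `expected in val` without confirming that `val` is a list. If the event field is a plain string, the test silently becomes a substring match and a check meant to assert exact list membership can pass on a partial match; if the field is missing or numeric, the `in` test would presumably raise TypeError instead of failing the check (the code that produces `val` is outside the hunk, so confirm what it returns for an absent key). Because the commit message and README define the operator as membership in a JSON list, I would guard the type: `if not isinstance(val, list) or expected not in val:` followed by `return False`. `expected not in val` is also the idiomatic spelling of `not expected in val`. The enclosing method starts and ends outside the hunk.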