From: Juliana Fajardini Date: Fri, 20 Dec 2024 02:02:22 +0000 (-0300) Subject: tests: add flowbits engine-analysis test X-Git-Tag: suricata-7.0.9~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc6b39f9cd8baae15d15c31fe77f4c5fe3669c69;p=thirdparty%2Fsuricata-verify.git tests: add flowbits engine-analysis test Especially to illustrate the engine-analysis report on flowbit rules statefulness changes based on another flowbit rule. Related to Task #7456
---
diff --git a/tests/rules/flowbit-engine-analysis/test.rules b/tests/rules/flowbit-engine-analysis/test.rules
new file mode 100644
index 000000000..b0f0085a3
--- /dev/null
+++ b/tests/rules/flowbit-engine-analysis/test.rules
@@ -0,0 +1,21 @@
+alert http any any -> any any (msg:"Setting flowbit fb1 - app-tx rule";content:"testmyids.com";http_header;flowbits:set,fb1;noalert;sid:1;rev:1;)
+alert http any any -> any any (msg:"Flowbit fb6 set - app-tx rule"; flowbits:set,fb6; content:"POST";http_header; sid:2;)
+alert http any any -> any any (msg:"Flowbit fb4 set - app-tx rule"; flowbits:set,fb4; noalert;content:"GET";http_header; sid:3;)
+alert ip any any -> any any (msg:"Flowbit fb1 isset - pkt rule"; flowbits:isset,fb1; sid:4;)
+alert http any any -> any any (msg:"Setting flowbit fb2 - app_tx rule";http.uri;content:"something";flowbits:set,fb2;sid:5;)
+alert ip any any -> any any (msg:"Is-Setting flowbit fb2 - pkt rule";flowbits:isset,fb2;sid:6;)
+alert tcp any any -> any any (msg:"Is-Setting flowbit fb2, fb1 - stream rule";content:"something";flowbits:isset,fb2; flowbits:isset,fb1; sid:7;)
+alert http any any -> any any (msg:"Setting flowbit fb3 - stream rule";content:"wwnotginh";flowbits:set,fb3;sid:8;rev:1;)
+alert tcp-pkt any any -> any any (msg:"Is-Setting flowbit fb3 - pkt rule";content:"something";flowbits:isset,fb3;sid:9;)
+alert tcp any any -> any any (msg:"Flowbit isnotset ored flowbits - pkt rule"; flowbits:isnotset, fb1|fb3 ; sid:10;)
+alert tcp-pkt any any -> any any (msg:"Flowbit isset ored flowbits - pkt rule"; flowbits:isset,fb1|fb2|fb3; sid:11;)
+alert tcp any any -> any any (msg:"Flowbit isset ored flowbits - pkt rule"; flowbits:isset,fb2|fb1|fb4; sid:12;)
+alert tcp-pkt any any -> any any (msg:"Flowbit fb4 isset - pkt rule"; flowbits:isset,fb4; sid:13;)
+alert tcp any any -> any any (msg:"Flowbit fb6 isset - pkt rule"; flowbits:isset,fb6; sid:14;)
+alert http any any -> any any (msg:"Flowbit fb5 set - app-tx rule";http.stat_code;content:"200";flowbits:set,fb5;sid:15;)
+alert tcp-pkt any any -> any any (msg:"Flowbit isset ored flowbits - pkt rule"; flowbits:isset,fb5|fb6; sid:16;)
+alert tcp any any -> any any (msg:"stream rule byte_extract with dce and flowbits"; byte_extract:4,0,var,dce; byte_test:4,>,var,4,little; flowbits:set,fb7; flowbits:isset,fb4; sid:17;)
+alert http any any -> any any (msg:"Flowbit fb4 isset app-tx rule"; flowbits:isset,fb4; http.header; content:"testmyids"; sid:18;)
+alert tcp any any -> any 443 (flow: to_server; content:"abc"; flowbits:set,tls_error; sid:19; msg:"Allow TLS error handling (outgoing packet) with simple content - stream rule";)
+alert http any any -> any any (msg:"http, anchored content - pkt-stream rule"; flowbits:isset,fb1; content:"abc"; depth:30; sid:20;)
+alert http any any -> any any (msg:"http, anchored content - pkt-stream rule"; flowbits:isset,tls_error; content:"abc"; depth:30; sid:21;)
diff --git a/tests/rules/flowbit-engine-analysis/test.yaml b/tests/rules/flowbit-engine-analysis/test.yaml
new file mode 100644
index 000000000..a163c8e10
--- /dev/null
+++ b/tests/rules/flowbit-engine-analysis/test.yaml
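Review bot: sids 11, 12 and 16 share the msg `Flowbit isset ored flowbits - pkt rule`, and sids 20 and 21 share `http, anchored content - pkt-stream rule`, so a failing engine-analysis check cannot be mapped back to a rule by its message alone; a distinct text per rule, e.g. `msg:"Flowbit isset ored flowbits fb2|fb1|fb4 - pkt rule"` for sid 12, would help. The irregular spacing in sid 10, `flowbits:isnotset, fb1|fb3 ;`, reads as a typo unless it is meant to exercise option parsing; a `# sid 10: deliberate whitespace around the flowbits option` comment line above it would make the intent explicit. sid 19 is also the only rule that places `msg` last, which is valid but inconsistent with the rest of the file.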
@@ -0,0 +1,191 @@
+requires:
+ min-version: 8
+ pcap: false
+args:
+- --engine-analysis
+
+checks:
+# check 1
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ type: "app_tx"
+ not-has-key: dependencies
+# check 2
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ type: "app_tx"
+ not-has-key: dependencies
+# check 3
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ type: "app_tx"
+ not-has-key: dependencies
+# check 4
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+# check 5
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ type: "app_tx"
+ not-has-key: dependencies
+# check 6
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb2
+# check 7
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ type: "stream"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb2
+# check 8
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ type: "stream"
+ not-has-key: dependencies
+# check 9
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ type: "pkt"
+ not-has-key: dependencies
+# check 10
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ type: "pkt"
+ not-has-key: dependencies
+# check 11
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb2
+# check 12
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 12
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 5
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb2
+# check 13
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 13
+ type: "pkt"
+ not-has-key: dependencies
+# check 14
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 14
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 2
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb6
+# check 15
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 15
+ type: "app_tx"
+ not-has-key: dependencies
+# check 16
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 16
+ type: "pkt"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 2
+ dependencies.flowbits.upstream.state_modifying_rules.sids[1]: 15
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb6
+ dependencies.flowbits.upstream.state_modifying_rules.names[1]: fb5
+# check 17
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 17
+ type: "stream"
+ not-has-key: dependencies
+# check 18
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 18
+ type: "app_tx"
+ not-has-key: dependencies
+# check 19
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 19
+ type: "stream"
+ not-has-key: dependencies
+# check 20
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 20
+ type: "pkt_stream"
+ dependencies.flowbits.upstream.state_modifying_rules.sids[0]: 1
+ dependencies.flowbits.upstream.state_modifying_rules.names[0]: fb1
+# check 21
+ - filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 21
+ type: "pkt_stream"
+ not-has-key: dependencies
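Review bot: The dependency checks (4, 6, 7, 11, 12, 14, 16, 20) assert individual `sids[i]` and `names[i]` entries but never the size of those arrays, so an unexpected extra upstream rule appearing at a higher index — for instance a third entry in check 12, whose rule reads `fb2|fb1|fb4` — would pass unnoticed; if the runner offers a way to assert the array length, adding it to these checks would make them tight. Relatedly, checks 13, 17 and 18 expect no `dependencies` key for rules that read fb4 although sid 3 sets it, while the fb1 setter sid 1 (also a `noalert` app-tx rule) does appear as a dependency in checks 4, 7, 11, 12 and 20; if that asymmetry is the intended engine behaviour, a `# fb4 setter (sid 3) is not reported as state-modifying because ...` comment above check 13 would save the next reader from re-deriving it. The 21 checks repeat the same `filter`/`filename`/`count` scaffold verbatim; that is the runner's format, but grouping the expected `type` and dependency values in the `# check N` comments would make the file easier to scan.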