From: Jason Ish Date: Thu, 24 Apr 2025 18:14:55 +0000 (-0600) Subject: tests: update for new suricata.flowvar lib; test flowvar set X-Git-Tag: suricata-7.0.11~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2467%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: update for new suricata.flowvar lib; test flowvar set
---
diff --git a/tests/lua-memleak/test.lua b/tests/lua-memleak/test.lua
index 91f7d38c6..35d3d56cc 100644
--- a/tests/lua-memleak/test.lua
+++ b/tests/lua-memleak/test.lua
@@ -1,9 +1,15 @@
+local flowvarlib = require("suricata.flowvar")
+
 function init (args)
- local needs = {}
- return needs
+ flowvarlib.register("key")
+ return {}
+end
+
+function thread_init (args)
+ var = flowvarlib.get("key")
 end
 function match(args)
- SCFlowvarSet("key", 3, "value", 5)
+ var:set("value", 5)
 return 1
 end
diff --git a/tests/lua-scflowvarget/README.md b/tests/lua/lua-scflowvarget/README.md
similarity index 100%
rename from tests/lua-scflowvarget/README.md
rename to tests/lua/lua-scflowvarget/README.md
diff --git a/tests/lua-scflowvarget/input.pcap b/tests/lua/lua-scflowvarget/input.pcap
similarity index 100%
rename from tests/lua-scflowvarget/input.pcap
rename to tests/lua/lua-scflowvarget/input.pcap
diff --git a/tests/lua-scflowvarget/suricata.yaml b/tests/lua/lua-scflowvarget/suricata.yaml
similarity index 100%
rename from tests/lua-scflowvarget/suricata.yaml
rename to tests/lua/lua-scflowvarget/suricata.yaml
diff --git a/tests/lua/lua-scflowvarget/test.lua b/tests/lua/lua-scflowvarget/test.lua
new file mode 100644
index 000000000..dce2391aa
--- /dev/null
+++ b/tests/lua/lua-scflowvarget/test.lua
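Review bot: `var:set("value", 5)` in match hard-codes the byte length of the literal it passes, so the two can silently drift apart if the value is ever edited, whereas setflowvar.lua in this same commit derives the length with `string.len(value)`; `local value = "value"` followed by `var:set(value, #value)` keeps them tied together. The `var` written in thread_init is a global, presumably deliberate so that match can reach it (test.lua, getflowvar.lua and setflowvar.lua in this patch use the same pattern), but a one-line comment such as `-- global on purpose: shared with match() within this thread's Lua state` would stop luacheck readers from treating it as an accidental global.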
@@ -0,0 +1,25 @@
+local flowvar = require("suricata.flowvar")
+
+function init (args)
+ return {}
+end
+
+function thread_init (args)
+ testvar = flowvar.get("TestVar")
+end
+
+function match(args)
+ print "Before loading Variable"
+ local value = testvar:value()
+ if value == nil then
+ print("TestVar has no value")
+ return 0
+ end
+
+ if value ~= "/zib100/zib100.json?origin=orf.at HTTP/1.1" then
+ print("TestVar has wrong value")
+ return 0
+ end
+
+ return 1
+end
diff --git a/tests/lua-scflowvarget/test.rules b/tests/lua/lua-scflowvarget/test.rules
similarity index 100%
rename from tests/lua-scflowvarget/test.rules
rename to tests/lua/lua-scflowvarget/test.rules
diff --git a/tests/lua/lua-scflowvarget/test.yaml b/tests/lua/lua-scflowvarget/test.yaml
new file mode 100644
index 000000000..0c23a0a70
--- /dev/null
+++ b/tests/lua/lua-scflowvarget/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ metadata.flowvars[0].TestVar: "/zib100/zib100.json?origin=orf.at HTTP/1.1"
diff --git a/tests/lua/lua-scflowvarset/README.md b/tests/lua/lua-scflowvarset/README.md
new file mode 100644
index 000000000..c3dc7bbdf
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/README.md
@@ -0,0 +1 @@
+Test setting and getting a flowvar from Lua.
diff --git a/tests/lua/lua-scflowvarset/getflowvar.lua b/tests/lua/lua-scflowvarset/getflowvar.lua
new file mode 100644
index 000000000..ce61c5444
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/getflowvar.lua
@@ -0,0 +1,19 @@
+local flowvarlib = require("suricata.flowvar")
+
+function init()
+ return {}
+end
+
+function thread_init()
+ flowvar = flowvarlib.get("test_var")
+end
+
+function match()
+ local value = flowvar:value()
+ if value == "foobar" then
+ return 1
+ else
+ print("flowvar does not have expected value")
+ return 0
+ end
+end
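Review bot: `print "Before loading Variable"` at the top of match looks like a leftover debug statement: it runs on every evaluation of the rule and carries no diagnostic content, while the two later prints each explain a concrete failure. Drop it, or make the failure path informative instead, e.g. `print("TestVar has wrong value: " .. tostring(value))`, so a failing run shows what was actually read rather than only that it was wrong. The test also relies on TestVar having been registered elsewhere (init returns `{}` without registering anything); if `flowvar.get` can yield nil for an unknown name, `testvar:value()` would raise a Lua error instead of the clean `return 0` the rest of match is written for — worth a short comment stating that the pcre capture in test.rules is what creates the variable.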
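Review bot: The alert check pins only `event_type` and the flowvar value, while lua-scflowvarset/test.yaml in this same commit also pins `alert.signature_id`; adding `alert.signature_id: 6677001` here would make the assertion equally strict and state which rule is expected to fire, given that sid 6677000 in test.rules is `noalert`. The `--set security.lua.allow-rules=true` argument is what permits the rule to load its Lua script on 8.0; a comment such as `# Lua in rules is opt-in on 8.x` next to it would save the next reader a lookup.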
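Review bot: The failure branch in match prints a fixed message and discards the value it rejected; `print("flowvar does not have expected value: " .. tostring(value))` would show whether the var was nil (never set, or not visible from this script's state) or set to something else, which is exactly the question this test exists to answer. `flowvar:value()` is also called without checking that `flowvarlib.get("test_var")` returned a handle — this script never registers test_var itself and depends on setflowvar.lua having done so — so if get can return nil for an unregistered name the method call would raise a Lua error rather than a clean `return 0`. A guard such as `if flowvar == nil then print("test_var not registered") return 0 end` keeps that case a test failure instead of a script error.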
diff --git a/tests/lua/lua-scflowvarset/input.pcap b/tests/lua/lua-scflowvarset/input.pcap
new file mode 100644
index 000000000..b763c97a4
Binary files /dev/null and b/tests/lua/lua-scflowvarset/input.pcap differ
diff --git a/tests/lua/lua-scflowvarset/setflowvar.lua b/tests/lua/lua-scflowvarset/setflowvar.lua
new file mode 100644
index 000000000..a10875565
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/setflowvar.lua
@@ -0,0 +1,23 @@
+local flowvarlib = require("suricata.flowvar")
+
+function init()
+ local flowvar = flowvarlib.register("test_var")
+ return {}
+end
+
+function thread_init()
+ flowvar = flowvarlib.get("test_var")
+end
+
+function match()
+ local value = flowvar:value()
+ if value ~= nil then
+ print("flowvar value should be nil")
+ return 0
+ end
+
+ local value = "foobar"
+ flowvar:set(value, string.len(value))
+
+ return 1
+end
diff --git a/tests/lua/lua-scflowvarset/suricata.yaml b/tests/lua/lua-scflowvarset/suricata.yaml
new file mode 100644
index 000000000..c25db4ecf
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+ - http
diff --git a/tests/lua/lua-scflowvarset/test.rules b/tests/lua/lua-scflowvarset/test.rules
new file mode 100644
index 000000000..93b104b41
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/test.rules
@@ -0,0 +1,5 @@
+#alert http any any -> any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;)
+
+
+alert http any any -> any any (http.request_line; content: "GET"; lua: setflowvar.lua; sid:1;)
+alert http any any -> any any (http.response_header; content: "Apache"; lua: getflowvar.lua; sid:2;)
diff --git a/tests/lua/lua-scflowvarset/test.yaml b/tests/lua/lua-scflowvarset/test.yaml
new file mode 100644
index 000000000..60c256cbe
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/test.yaml
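Review bot: In init, `local flowvar = flowvarlib.register("test_var")` stores the returned handle in a local that is never read, and the same name is then written as a global in thread_init, which luacheck will report as both an unused local and a global assignment; `flowvarlib.register("test_var")` on its own is all init needs. match also redeclares `local value` a few lines after the first `local value = flowvar:value()`, shadowing it within the same scope; reusing the existing local or giving the second one a distinct name (`local payload = "foobar"` / `flowvar:set(payload, #payload)`) makes the set-after-check flow easier to follow. `string.len(value)` is correct as written; `#value` is the idiomatic equivalent.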
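Review bot: The first line of test.rules is a commented-out rule carried over from the lua-scflowvarget test (`flow:TestVar`, `flowtestvar`, sid 6677000), none of which this test uses, followed by two blank lines; removing it avoids suggesting that a pcre/flowbits setup is part of this scenario. If the intent was to explain the relationship between the two active rules, a comment such as `# sid 1 sets test_var from Lua on the request; sid 2 reads it back on the response` says more than the dead rule does. sid 1 and sid 2 also carry no `msg`, which makes the eve alert records harder to read when the check in test.yaml fails.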
@@ -0,0 +1,20 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ metadata.flowvars[0].test_var: foobar
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ metadata.flowvars[0].test_var: foobar
diff --git a/tests/pre8/lua-scflowvarget/README.md b/tests/pre8/lua-scflowvarget/README.md
new file mode 100644
index 000000000..6c252afbb
--- /dev/null
+++ b/tests/pre8/lua-scflowvarget/README.md
@@ -0,0 +1,17 @@
+To test that SCFlowvarGet (lua) doesn't always return nil.
+
+The original issue emerged due to a lua detection script that used a single rule to set up
+a flow variable and match on it.
+
+The problem is that during detection, the steps happen in this order:
+- pattern matching
+- lua script execution
+- setting flow variables as part of post match
+
+So, a workaround is to have 2 rules:
+- one that does the pattern matching and setting the flow var
+- another second one that does the Lua script
+
+This test works based on that.
+
+Pcap provided by Chris Knott at https://redmine.openinfosecfoundation.org/issues/2094
diff --git a/tests/pre8/lua-scflowvarget/input.pcap b/tests/pre8/lua-scflowvarget/input.pcap
new file mode 100644
index 000000000..b763c97a4
Binary files /dev/null and b/tests/pre8/lua-scflowvarget/input.pcap differ
diff --git a/tests/pre8/lua-scflowvarget/suricata.yaml b/tests/pre8/lua-scflowvarget/suricata.yaml
new file mode 100644
index 000000000..51b7cb333
--- /dev/null
+++ b/tests/pre8/lua-scflowvarget/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
diff --git a/tests/lua-scflowvarget/test.lua b/tests/pre8/lua-scflowvarget/test.lua
similarity index 100%
rename from tests/lua-scflowvarget/test.lua
rename to tests/pre8/lua-scflowvarget/test.lua
diff --git a/tests/pre8/lua-scflowvarget/test.rules b/tests/pre8/lua-scflowvarget/test.rules
new file mode 100644
index 000000000..cbbcc6418
--- /dev/null
+++ b/tests/pre8/lua-scflowvarget/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;)
+alert http any any -> any any (msg: "Test2"; flow: to_server; lua:test.lua; flowbits: isset, flowtestvar; sid:6677001; rev:1;)
diff --git a/tests/lua-scflowvarget/test.yaml b/tests/pre8/lua-scflowvarget/test.yaml
similarity index 94%
rename from tests/lua-scflowvarget/test.yaml
rename to tests/pre8/lua-scflowvarget/test.yaml
index d4ac6a513..63f45532c 100644
--- a/tests/lua-scflowvarget/test.yaml
+++ b/tests/pre8/lua-scflowvarget/test.yaml
@@ -1,5 +1,6 @@ requires: min-version: 7.0.0 + lt-version: 8 features: - HAVE_LUA
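Review bot: The two-rule split in this file is the workaround the pre8 README added in this same commit describes (pcre flow captures are applied post-match, after the Lua script has already run), but the rules file itself gives no hint of that ordering, so a future reader may try to merge the two rules and re-introduce the original failure. A comment at the top such as `# sid 6677000 captures into TestVar and sets a flowbit; the Lua check must live in a second rule (sid 6677001) because flowvars are only set post-match` would keep the rules and the README in step. As far as this diff shows, the pcre capture in sid 6677000 is the only thing that creates TestVar, so any edit to that pattern will make test.lua read nil rather than fail loudly.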