From 7af326da17edb4df8d6a963ae96d1d924b140871 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Sat, 29 Mar 2025 08:48:38 +0100
Subject: [PATCH] tests: datajson remove_key tests
---
tests/datajson/datajson-03-jsonline/test.yaml | 2 ++
.../datajson/datajson-06-remove-key/host.lst | 2 ++
tests/datajson/datajson-06-remove-key/src.lst | 2 ++
.../datajson-06-remove-key/test.rules | 1 +
.../datajson/datajson-06-remove-key/test.yaml | 35 +++++++++++++++++++
.../datajson-10-remove-nested-key/host.lst | 2 ++
.../datajson-10-remove-nested-key/src.lst | 2 ++
.../datajson-10-remove-nested-key/test.rules | 1 +
.../datajson-10-remove-nested-key/test.yaml | 30 ++++++++++++++++
9 files changed, 77 insertions(+)
create mode 100644 tests/datajson/datajson-06-remove-key/host.lst
create mode 100644 tests/datajson/datajson-06-remove-key/src.lst
create mode 100644 tests/datajson/datajson-06-remove-key/test.rules
create mode 100644 tests/datajson/datajson-06-remove-key/test.yaml
create mode 100644 tests/datajson/datajson-10-remove-nested-key/host.lst
create mode 100644 tests/datajson/datajson-10-remove-nested-key/src.lst
create mode 100644 tests/datajson/datajson-10-remove-nested-key/test.rules
create mode 100644 tests/datajson/datajson-10-remove-nested-key/test.yaml
diff --git a/tests/datajson/datajson-03-jsonline/test.yaml b/tests/datajson/datajson-03-jsonline/test.yaml
index 971905519..87e90bdab 100644
--- a/tests/datajson/datajson-03-jsonline/test.yaml
+++ b/tests/datajson/datajson-03-jsonline/test.yaml
@@ -18,3 +18,5 @@ checks:
 alert.signature_id: 1
 alert.extra.src_ip.test: success
 alert.extra.bad_host.year: 2005
+ alert.extra.src_ip.ip: "10.16.1.11"
+ alert.extra.bad_host.host: "www.testmyids.com"
diff --git a/tests/datajson/datajson-06-remove-key/host.lst b/tests/datajson/datajson-06-remove-key/host.lst
new file mode 100644
index 000000000..2956f3804
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/host.lst
@@ -0,0 +1,2 @@
+{"host": "testmyids.com", "context":"gold old test", "year": 2005}
+{"host": "www.testmyids.com", "context":"gold old test", "year": 2005}
diff --git a/tests/datajson/datajson-06-remove-key/src.lst b/tests/datajson/datajson-06-remove-key/src.lst
new file mode 100644
index 000000000..d1f55c6ac
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/src.lst
@@ -0,0 +1,2 @@
+{"ip": "10.16.1.11", "test": "success", "context":3}
+{"ip": "10.16.1.12", "test": "fail", "context":4}
diff --git a/tests/datajson/datajson-06-remove-key/test.rules b/tests/datajson/datajson-06-remove-key/test.rules
new file mode 100644
index 000000000..f5a613861
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,remove_key, value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip, remove_key; sid:1;)
diff --git a/tests/datajson/datajson-06-remove-key/test.yaml b/tests/datajson/datajson-06-remove-key/test.yaml
new file mode 100644
index 000000000..13c495ee2
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/test.yaml
@@ -0,0 +1,35 @@
+requires:
+ min-version: 8
+
+pcap: ../datajson-01-ip/input.pcap
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.bad_host.year: 2005
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.src_ip.ip: 10.16.1.11
+ alert.extra.bad_host.year: 2005
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.bad_host.host: www.testmyids.com
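Review bot: The rule places `remove_key` before `value_key` on the badhost dataset (`remove_key, value_key host`) and after it on the src_ip dataset (`value_key ip, remove_key`), and both use a space after the comma, unlike the `value_key ioc.host,remove_key` form in the datajson-10 rules file of this same commit. If the two orderings are a deliberate check that option order does not matter, that intent is not visible and the next reader may "normalize" it away. A comment line above the rule would fix that, e.g. `# remove_key is given before value_key on the first dataset and after it on the second on purpose: option order must not matter`.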
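Review bot: In the two `count: 0` checks, `alert.extra.src_ip.ip: 10.16.1.11` and `alert.extra.bad_host.host: www.testmyids.com` are unquoted, while the datajson-03 hunk and the datajson-10 test.yaml in the same commit quote the same values (`"10.16.1.11"`, `"www.testmyids.com"`). YAML reads both unquoted forms as strings, so this is consistency only, but quoting them here keeps the three files greppable as the same literal. Suggested lines: `alert.extra.src_ip.ip: "10.16.1.11"` and `alert.extra.bad_host.host: "www.testmyids.com"`.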
diff --git a/tests/datajson/datajson-10-remove-nested-key/host.lst b/tests/datajson/datajson-10-remove-nested-key/host.lst
new file mode 100644
index 000000000..dba2b0f87
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/host.lst
@@ -0,0 +1,2 @@
+{"ioc": {"host": "testmyids.com"}, "context":"gold old test", "year": 2005}
+{"ioc": {"host": "www.testmyids.com"}, "context":"gold old test", "year": 2005}
diff --git a/tests/datajson/datajson-10-remove-nested-key/src.lst b/tests/datajson/datajson-10-remove-nested-key/src.lst
new file mode 100644
index 000000000..d1f55c6ac
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/src.lst
@@ -0,0 +1,2 @@
+{"ip": "10.16.1.11", "test": "success", "context":3}
+{"ip": "10.16.1.12", "test": "fail", "context":4}
diff --git a/tests/datajson/datajson-10-remove-nested-key/test.rules b/tests/datajson/datajson-10-remove-nested-key/test.rules
new file mode 100644
index 000000000..7b9d012fc
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,value_key ioc.host,remove_key; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip; sid:1;)
diff --git a/tests/datajson/datajson-10-remove-nested-key/test.yaml b/tests/datajson/datajson-10-remove-nested-key/test.yaml
new file mode 100644
index 000000000..e256f8885
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/test.yaml
@@ -0,0 +1,30 @@
+requires:
+ min-version: 8
+
+pcap: ../datajson-01-ip/input.pcap
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.bad_host.year: 2005
+ alert.extra.src_ip.ip: "10.16.1.11"
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ alert.extra.src_ip.test: success
+ alert.extra.bad_host.year: 2005
+ alert.extra.src_ip.ip: "10.16.1.11"
+ alert.extra.bad_host.host: "www.testmyids.com"
--
2.47.3
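Review bot: The final `count: 0` check keys on `alert.extra.bad_host.host`, but the rule for this directory removes `value_key ioc.host` and host.lst nests `host` under `ioc`, so unless the enrichment flattens nested objects the key would surface as `alert.extra.bad_host.ioc.host`, and the check passes even if `remove_key` does nothing for nested keys. Every other condition in that filter is already pinned as present by the preceding `count: 1` check, so this one key is the whole negative assertion. Change the last line to `alert.extra.bad_host.ioc.host: "www.testmyids.com"`. A positive line such as `alert.extra.bad_host.context: "gold old test"` in the `count: 1` check would additionally show that sibling keys survive the nested removal.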