From 9e0b906a71c58f43b11e9f0e042aa2ca7b123949 Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sat, 7 Jun 2025 09:49:20 -0400
Subject: [PATCH] test/rule: Check buffer consistency when using variables
Issue: 7549
---
 tests/bug-7549-01/README.md | 2 ++
 tests/bug-7549-01/input.pcap | Bin 0 -> 1215 bytes
 tests/bug-7549-01/test.rules | 1 +
 tests/bug-7549-01/test.yaml | 9 +++++++++
 tests/bug-7549-02/README.md | 2 ++
 tests/bug-7549-02/test.rules | 1 +
 tests/bug-7549-02/test.yaml | 11 +++++++++++
 7 files changed, 26 insertions(+)
 create mode 100644 tests/bug-7549-01/README.md
 create mode 100644 tests/bug-7549-01/input.pcap
 create mode 100644 tests/bug-7549-01/test.rules
 create mode 100644 tests/bug-7549-01/test.yaml
 create mode 100644 tests/bug-7549-02/README.md
 create mode 100644 tests/bug-7549-02/test.rules
 create mode 100644 tests/bug-7549-02/test.yaml
diff --git a/tests/bug-7549-01/README.md b/tests/bug-7549-01/README.md
new file mode 100644
index 000000000..8a7d78d3f
--- /dev/null
+++ b/tests/bug-7549-01/README.md
@@ -0,0 +1,2 @@
+Test to ensure that a variable usage is confined to one list. This test creates a variable
+with byte_extract and tries to use it when associated with a different buffer.
diff --git a/tests/bug-7549-01/input.pcap b/tests/bug-7549-01/input.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..6ee4ea7ef0b38bdeabe7dff864cf597047e88937
GIT binary patch literal 1215 zc-noFPfXKL9LL|rM5va4?!ZCxaUnwNx(yW4G?Ot9lo+R(dU1r=J-3FgZMFy7E@lz% zpa$Hx~VD-BwexpOF{dl*k2Ufe&PiWQ2NAd#!SX zQ5hWtH%6CQu4RC}ID2SkCw-r*k5Qer2J27xV66p~TEg=% zs=www7YFMRYd<4C`G@%5Z`Boe&B8o(w>-@7ycK2>n#@m?hslVW5BKzV+w%CkipPAe l2|Ru%dVIX=(J39=%j2r$@lJ)uJW%^{jo`7Z=+V!pe*rtdZFv9y literal 0 Hc-jL100001
diff --git a/tests/bug-7549-01/test.rules b/tests/bug-7549-01/test.rules
new file mode 100644
index 000000000..972fe11b5
--- /dev/null
+++ b/tests/bug-7549-01/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"byte_jump varname test sig"; content:"hi there"; byte_extract:1,4,rpkt_len; http.connection;byte_jump:rpkt_len,0; isdataat:1; classtype:bad-unknown; sid:1;)
diff --git a/tests/bug-7549-01/test.yaml b/tests/bug-7549-01/test.yaml
new file mode 100644
index 000000000..4c17099fb
--- /dev/null
+++ b/tests/bug-7549-01/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 8
+
+checks:
+ - shell:
+ args: grep "Unknown byte_extract var seen.*rpkt_len" stderr | wc -l | xargs
+ expect: 1
+
+exit-code: 1
diff --git a/tests/bug-7549-02/README.md b/tests/bug-7549-02/README.md
new file mode 100644
index 000000000..dc8404df8
--- /dev/null
+++ b/tests/bug-7549-02/README.md
@@ -0,0 +1,2 @@
+Test to ensure that a variable usage is confined to one list. This test creates a variable
+with byte_extract and tries to use it when associated with the same buffer.
diff --git a/tests/bug-7549-02/test.rules b/tests/bug-7549-02/test.rules
new file mode 100644
index 000000000..ea235c279
--- /dev/null
+++ b/tests/bug-7549-02/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"byte_jump varname test sig"; content:"hi there"; byte_extract:1,4,rpkt_len; byte_jump:rpkt_len,0; isdataat:1; classtype:bad-unknown; sid:1;)
diff --git a/tests/bug-7549-02/test.yaml b/tests/bug-7549-02/test.yaml
new file mode 100644
index 000000000..f2fcc2f52
--- /dev/null
+++ b/tests/bug-7549-02/test.yaml
@@ -0,0 +1,11 @@
+pcap: ../bug-7549-01/input.pcap
+
+requires:
+ min-version: 8
+
+checks:
+ - shell:
+ args: grep "Unknown byte_extract var seen.*rpkt_len" stderr | wc -l | xargs
+ expect: 0
+
+exit-code: 0
--
2.47.3
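Review bot: Nothing in bug-7549-01/test.rules marks the `http.connection;` that precedes `byte_jump:rpkt_len,0` as the deliberate fault, so the signature reads like a typo rather than the negative case for issue 7549; the signature in bug-7549-02/test.rules is identical apart from that one keyword, which makes the intent even easier to miss when the two files are viewed side by side. I'd open the file with a comment such as `# negative case: rpkt_len is extracted from the packet payload and then referenced after http.connection switches the buffer; the engine must reject this rule at load time`. The README carries the same explanation, but the rule file is what gets copied into other tests and into bug reports, so the reason for the expected load failure belongs next to the rule itself.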
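Review bot: The positive case in bug-7549-02/test.yaml only asserts that the `Unknown byte_extract var seen` line is absent from stderr and that Suricata exits 0; nothing checks that sid 1 was actually loaded and evaluated against the pcap, so a regression that silently drops the rule, or one that never reaches the byte_jump, would still pass. I'd add a `filter` check on the eve output counting alerts for `alert.signature_id: 1`, with the count pinned to whatever the pcap produces with the fixed engine, so the test fails if the rule stops matching or stops loading. Separately, the test reads its input from a sibling directory (`pcap: ../bug-7549-01/input.pcap`), which couples the two tests: renaming or removing bug-7549-01 breaks this one without any change to the behaviour under test, so copying the pcap into bug-7549-02 would make it self-contained.

```yaml
checks:
  # … unchanged: shell check that the stderr error line is absent …
  - filter:
      count: <EXPECTED_ALERT_COUNT>   # placeholder: alerts sid 1 raises on the input pcap
      match:
        event_type: alert
        alert.signature_id: 1
```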