From dd55c1ebe5e140c869b7bb3fd0f586e2cebca8a3 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Wed, 3 Apr 2024 20:13:18 -0300
Subject: [PATCH] tests: add checks for hiding zero counter stats

Task #5976
---
 tests/feature-5976-zero-stats-01/README.md | 12 ++++++
 .../feature-5976-zero-stats-01/suricata.yaml | 39 +++++++++++++++++++
 tests/feature-5976-zero-stats-01/test.rules | 5 +++
 tests/feature-5976-zero-stats-01/test.yaml | 25 ++++++++++++
 tests/feature-5976-zero-stats-02/README.md | 12 ++++++
 .../feature-5976-zero-stats-02/suricata.yaml | 20 ++++++++++
 tests/feature-5976-zero-stats-02/test.yaml | 12 ++++++
 7 files changed, 125 insertions(+)
 create mode 100644 tests/feature-5976-zero-stats-01/README.md
 create mode 100644 tests/feature-5976-zero-stats-01/suricata.yaml
 create mode 100644 tests/feature-5976-zero-stats-01/test.rules
 create mode 100644 tests/feature-5976-zero-stats-01/test.yaml
 create mode 100644 tests/feature-5976-zero-stats-02/README.md
 create mode 100644 tests/feature-5976-zero-stats-02/suricata.yaml
 create mode 100644 tests/feature-5976-zero-stats-02/test.yaml

diff --git a/tests/feature-5976-zero-stats-01/README.md b/tests/feature-5976-zero-stats-01/README.md
new file mode 100644
index 000000000..bbf7ea485
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Showcase engine behavior when stats counters that are zero are hidden from the
+eve log stats event.
+
+## PCAP
+
+Reused from `tls-certs-alert` test.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5976
diff --git a/tests/feature-5976-zero-stats-01/suricata.yaml b/tests/feature-5976-zero-stats-01/suricata.yaml
new file mode 100644
index 000000000..38d096d87
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/suricata.yaml
@@ -0,0 +1,39 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - alert:
+            tagged-packets: yes
+        - anomaly:
+            enabled: yes
+            types:
+              decode: no
+              stream: yes
+              applayer: yes
+        - tls:
+            extended: yes
+        - drop:
+            alerts: yes
+            flows: all
+        - stats:
+            totals: yes
+            threads: no
+            deltas: no
+            zero-valued-counters: false
+        - flow
+  - stats:
+      enabled: yes
+      filename: stats.log
+
+action-order:
+  - pass
+  - drop
+  - reject
+  - alert
diff --git a/tests/feature-5976-zero-stats-01/test.rules b/tests/feature-5976-zero-stats-01/test.rules
new file mode 100644
index 000000000..da4a536f4
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/test.rules
@@ -0,0 +1,5 @@
+pass tls any any -> any any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted"; flow:to_server,established; sid:1;)
+drop tls any any -> any any (msg:"not matching any TLS allowlisted Domain"; flow:to_server,established; sid:2; rev:1;)
+
+# matches packet 4, but should not alert due to memcap drop
+alert tcp any any -> any any (seq:3964863680; ack:2403674603; dsize:214; sid:3;)
diff --git a/tests/feature-5976-zero-stats-01/test.yaml b/tests/feature-5976-zero-stats-01/test.yaml
new file mode 100644
index 000000000..a60c16de1
--- /dev/null
+++ b/tests/feature-5976-zero-stats-01/test.yaml
@@ -0,0 +1,25 @@
+requires:
+  min-version: 8
+pcap: ../tls/tls-certs-alert/input.pcap
+args:
+- --simulate-ips
+- -k none
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.decoder.pkts
+        not-has-key: stats.decoder.invalid
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.ips.accepted
+        not-has-key: stats.ips.rejected
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.tcp.sessions
+        not-has-key: stats.tcp.active_sessions
diff --git a/tests/feature-5976-zero-stats-02/README.md b/tests/feature-5976-zero-stats-02/README.md
new file mode 100644
index 000000000..3f51df728
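Review bot: The new option is written as `zero-valued-counters: false` while every other boolean in this file (`enabled: yes`, `threads: no`, `deltas: no`, `decode: no`) uses the yes/no spelling Suricata's own configuration uses. Both spellings are equivalent under `%YAML 1.1`, so this is style only, but since these test configs are often copied as examples it is worth matching the surrounding convention: `zero-valued-counters: no`. The same applies to the sibling config in feature-5976-zero-stats-02.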
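Review bot: The comment on sid:3, `# matches packet 4, but should not alert due to memcap drop`, does not describe this test: the accompanying suricata.yaml in this patch configures no stream or flow memcap, so nothing here would cause a memcap drop, and the test.yaml checks never reference alerts or sid:3. The rules file looks carried over from another test together with the pcap; either drop sid:3, or reword the comment to say what it contributes here, e.g. `# extra alert rule so the alert counters are non-zero in the stats event`, and say in the README that the rules were reused as well.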
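Review bot: The `stats.ips` check only pins a zero counter being hidden (`not-has-key: stats.ips.rejected`) next to `stats.ips.accepted`, but the whole point of pairing `--simulate-ips` with the drop rule sid:2 is presumably that some packets are blocked, and that non-zero counter is never asserted. Adding `has-key: stats.ips.blocked` to that filter would confirm that a counter which only becomes non-zero through rule action survives the filter while `rejected` (no reject rules loaded) is removed; if sid:2 does not actually fire on this pcap, the check would usefully expose that too. The file also lacks a blank line between `min-version: 8` and `pcap:` that the 02 variant has, which is a minor consistency nit.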
--- /dev/null
+++ b/tests/feature-5976-zero-stats-02/README.md
@@ -0,0 +1,12 @@
+# Test
+
+Showcase engine behavior when stats counters that are zero are hidden from the
+eve log stats event.
+
+## PCAP
+
+Reused from `bug-3519` test.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/5976
diff --git a/tests/feature-5976-zero-stats-02/suricata.yaml b/tests/feature-5976-zero-stats-02/suricata.yaml
new file mode 100644
index 000000000..b2b93b69e
--- /dev/null
+++ b/tests/feature-5976-zero-stats-02/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+stats:
+  enabled: yes
+  interval: 8
+
+outputs:
+  - eve-log:
+      enabled: yes
+      types:
+        - stats:
+            totals: yes
+            threads: no
+            deltas: no
+            zero-valued-counters: false
+        - flow
+  - stats:
+      enabled: yes
+      filename: stats.log
diff --git a/tests/feature-5976-zero-stats-02/test.yaml b/tests/feature-5976-zero-stats-02/test.yaml
new file mode 100644
index 000000000..51f2a9466
--- /dev/null
+++ b/tests/feature-5976-zero-stats-02/test.yaml
@@ -0,0 +1,12 @@
+requires:
+  min-version: 8
+
+pcap: ../bug-3519/input.pcap
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        has-key: stats.decoder.ipv4
+        not-has-key: stats.decoder.ipv6
--
2.47.2
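Review bot: The second `stats:` output (the text logger writing `stats.log`) is enabled but no check in this test's test.yaml reads that file, so it only adds output without pinning anything. If the intent is to show that `zero-valued-counters` affects only the eve stats event and not the text log, that deserves an explicit check or at least a README sentence; otherwise the block can be removed to keep the minimal config minimal. Separately, `zero-valued-counters: false` should be `zero-valued-counters: no` to match the yes/no booleans on the surrounding lines.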
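Review bot: The single check asserts `not-has-key: stats.decoder.ipv6` next to `has-key: stats.decoder.ipv4`, which silently depends on the reused bug-3519 pcap containing no IPv6 packets at all; if that pcap is ever regenerated or extended the test would fail for reasons unrelated to the feature. A short note in the README or a comment above the filter, e.g. `# bug-3519 pcap is IPv4-only, so decoder.ipv6 must be zero and therefore hidden`, records the assumption. Consider also adding one more filter with a second known-zero counter so the test does not hinge on a single key.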