tests: add datasets tests

diff --git a/tests/datarep-01/datarep.rules b/tests/datarep-01/datarep.rules
new file mode 100644 (file)
index 0000000..7fc15e2
--- /dev/null
+++ b/tests/datarep-01/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)

diff --git a/tests/datarep-01/dns_string.rep b/tests/datarep-01/dns_string.rep
new file mode 100644 (file)
index 0000000..aedc6d3
--- /dev/null
+++ b/tests/datarep-01/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLmNvbQ==,255

diff --git a/tests/datarep-01/input.pcap b/tests/datarep-01/input.pcap
new file mode 100644 (file)
index 0000000..d5171ff
Binary files /dev/null and b/tests/datarep-01/input.pcap differ

diff --git a/tests/datarep-01/test.yaml b/tests/datarep-01/test.yaml
new file mode 100644 (file)
index 0000000..851e03f
--- /dev/null
+++ b/tests/datarep-01/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1

diff --git a/tests/datarep-01/writepcap.py b/tests/datarep-01/writepcap.py
new file mode 100755 (executable)
index 0000000..2860576
--- /dev/null
+++ b/tests/datarep-01/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='255.255.255.255', src='192.168.0.1')/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname='google.com'))
+
+wrpcap('input.pcap', pkts)

diff --git a/tests/datarep-02/datarep.rules b/tests/datarep-02/datarep.rules
new file mode 100644 (file)
index 0000000..37b6177
--- /dev/null
+++ b/tests/datarep-02/datarep.rules
@@ -0,0 +1,3 @@
+alert dns any any -> any any (dns.query; to_md5; datarep:dns_md5, >, 200, load dns_md5.rep, type md5; sid:1;)
+alert dns any any -> any any (dns.query; to_sha256; datarep:dns_sha256, >, 200, load dns_sha256.rep, type sha256; sid:2;)
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:3;)

diff --git a/tests/datarep-02/dns_md5.rep b/tests/datarep-02/dns_md5.rep
new file mode 100644 (file)
index 0000000..9e19224
--- /dev/null
+++ b/tests/datarep-02/dns_md5.rep
@@ -0,0 +1,2 @@
+1d5920f4b44b27a802bd77c4f0536f5a,255
+5ababd603b22780302dd8d83498e5172,100

diff --git a/tests/datarep-02/dns_sha256.rep b/tests/datarep-02/dns_sha256.rep
new file mode 100644 (file)
index 0000000..f49c2eb
--- /dev/null
+++ b/tests/datarep-02/dns_sha256.rep
@@ -0,0 +1,2 @@
+d4c9d9027326271a89ce51fcaf328ed673f17be33469ff979e8ab8dd501e664f,255
+a379a6f6eeafb9a55e378c118034e2751e682fab9f2d30ab13d2125586ce1947,100

diff --git a/tests/datarep-02/dns_string.rep b/tests/datarep-02/dns_string.rep
new file mode 100644 (file)
index 0000000..aedc6d3
--- /dev/null
+++ b/tests/datarep-02/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLmNvbQ==,255

diff --git a/tests/datarep-02/input.pcap b/tests/datarep-02/input.pcap
new file mode 100644 (file)
index 0000000..d5171ff
Binary files /dev/null and b/tests/datarep-02/input.pcap differ

diff --git a/tests/datarep-02/test.yaml b/tests/datarep-02/test.yaml
new file mode 100644 (file)
index 0000000..af62a2a
--- /dev/null
+++ b/tests/datarep-02/test.yaml
@@ -0,0 +1,30 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+    - HAVE_NSS
+  files:
+    - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 3
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3

diff --git a/tests/datarep-02/writepcap.py b/tests/datarep-02/writepcap.py
new file mode 100755 (executable)
index 0000000..2860576
--- /dev/null
+++ b/tests/datarep-02/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='255.255.255.255', src='192.168.0.1')/UDP(dport=53)/DNS(rd=1, qd=DNSQR(qname='google.com'))
+
+wrpcap('input.pcap', pkts)

diff --git a/tests/datasets-01/check.sh b/tests/datasets-01/check.sh
new file mode 100755 (executable)
index 0000000..8bedbf3
--- /dev/null
+++ b/tests/datasets-01/check.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec cmp datasets.csv ${TEST_DIR}/expected/datasets.csv

diff --git a/tests/datasets-01/expected/datasets.csv b/tests/datasets-01/expected/datasets.csv
new file mode 100644 (file)
index 0000000..3961eb8
--- /dev/null
+++ b/tests/datasets-01/expected/datasets.csv
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=

diff --git a/tests/datasets-01/input.pcap b/tests/datasets-01/input.pcap
new file mode 100644 (file)
index 0000000..8fb6832
Binary files /dev/null and b/tests/datasets-01/input.pcap differ

diff --git a/tests/datasets-01/test.rules b/tests/datasets-01/test.rules
new file mode 100644 (file)
index 0000000..bc5e1a2
--- /dev/null
+++ b/tests/datasets-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:set,ua-seen,type string,save datasets.csv; sid:1;)

diff --git a/tests/datasets-01/test.yaml b/tests/datasets-01/test.yaml
new file mode 100644 (file)
index 0000000..efc1700
--- /dev/null
+++ b/tests/datasets-01/test.yaml
@@ -0,0 +1,9 @@
+requires:
+  files:
+    - src/datasets.c
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config"    \
+      --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR}         \
+      -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules  \
+      --data-dir="${OUTPUT_DIR}"

diff --git a/tests/datasets-02-load/datasets.csv b/tests/datasets-02-load/datasets.csv
new file mode 100644 (file)
index 0000000..3961eb8
--- /dev/null
+++ b/tests/datasets-02-load/datasets.csv
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=

diff --git a/tests/datasets-02-load/input.pcap b/tests/datasets-02-load/input.pcap
new file mode 100644 (file)
index 0000000..8fb6832
Binary files /dev/null and b/tests/datasets-02-load/input.pcap differ

diff --git a/tests/datasets-02-load/test.rules b/tests/datasets-02-load/test.rules
new file mode 100644 (file)
index 0000000..7cd7d67
--- /dev/null
+++ b/tests/datasets-02-load/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv; sid:1;)
+alert http any any -> any any (http.user_agent; dataset:isnotset,ua-seen,type string,load datasets.csv; sid:2;)

diff --git a/tests/datasets-02-load/test.yaml b/tests/datasets-02-load/test.yaml
new file mode 100644 (file)
index 0000000..29765d4
--- /dev/null
+++ b/tests/datasets-02-load/test.yaml
@@ -0,0 +1,24 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 2

diff --git a/tests/datasets-03-set/input.pcap b/tests/datasets-03-set/input.pcap
new file mode 100644 (file)
index 0000000..790a6a1
Binary files /dev/null and b/tests/datasets-03-set/input.pcap differ

diff --git a/tests/datasets-03-set/test.rules b/tests/datasets-03-set/test.rules
new file mode 100644 (file)
index 0000000..1d99df9
--- /dev/null
+++ b/tests/datasets-03-set/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)

diff --git a/tests/datasets-03-set/test.yaml b/tests/datasets-03-set/test.yaml
new file mode 100644 (file)
index 0000000..851e03f
--- /dev/null
+++ b/tests/datasets-03-set/test.yaml
@@ -0,0 +1,19 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1

diff --git a/tests/datasets-03-set/writepcap.py b/tests/datasets-03-set/writepcap.py
new file mode 100755 (executable)
index 0000000..f5a1b7a
--- /dev/null
+++ b/tests/datasets-03-set/writepcap.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=1, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=2, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=3, rd=1, qd=DNSQR(qname='example.com'))
+
+wrpcap('input.pcap', pkts)

diff --git a/tests/datasets-04-http-dns/input.pcap b/tests/datasets-04-http-dns/input.pcap
new file mode 100644 (file)
index 0000000..9a8aaa7
Binary files /dev/null and b/tests/datasets-04-http-dns/input.pcap differ

diff --git a/tests/datasets-04-http-dns/test.rules b/tests/datasets-04-http-dns/test.rules
new file mode 100644 (file)
index 0000000..b5d9d1c
--- /dev/null
+++ b/tests/datasets-04-http-dns/test.rules
@@ -0,0 +1,2 @@
+alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
+alert http any any -> any any (http.host; dataset:set,dns-seen, type string; sid:2;)

diff --git a/tests/datasets-04-http-dns/test.yaml b/tests/datasets-04-http-dns/test.yaml
new file mode 100644 (file)
index 0000000..20be413
--- /dev/null
+++ b/tests/datasets-04-http-dns/test.yaml
@@ -0,0 +1,24 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 0

diff --git a/tests/datasets-04-http-dns/writepcap.py b/tests/datasets-04-http-dns/writepcap.py
new file mode 100755 (executable)
index 0000000..c43f4cc
--- /dev/null
+++ b/tests/datasets-04-http-dns/writepcap.py
@@ -0,0 +1,13 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=1, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
+
+wrpcap('input.pcap', pkts)

diff --git a/tests/datasets-05-state/check.sh b/tests/datasets-05-state/check.sh
new file mode 100755 (executable)
index 0000000..97d6dce
--- /dev/null
+++ b/tests/datasets-05-state/check.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec cmp ${OUTPUT_DIR}/state.csv ${TEST_DIR}/expected/state.csv

diff --git a/tests/datasets-05-state/expected/state.csv b/tests/datasets-05-state/expected/state.csv
new file mode 100644 (file)
index 0000000..de003fe
--- /dev/null
+++ b/tests/datasets-05-state/expected/state.csv
@@ -0,0 +1 @@
+ZXhhbXBsZS5jb20=

diff --git a/tests/datasets-05-state/input.pcap b/tests/datasets-05-state/input.pcap
new file mode 100644 (file)
index 0000000..790a6a1
Binary files /dev/null and b/tests/datasets-05-state/input.pcap differ

diff --git a/tests/datasets-05-state/test.rules b/tests/datasets-05-state/test.rules
new file mode 100644 (file)
index 0000000..7b8d560
--- /dev/null
+++ b/tests/datasets-05-state/test.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string, state state.csv; sid:1;)

diff --git a/tests/datasets-05-state/test.yaml b/tests/datasets-05-state/test.yaml
new file mode 100644 (file)
index 0000000..dddcc00
--- /dev/null
+++ b/tests/datasets-05-state/test.yaml
@@ -0,0 +1,11 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config"    \
+      --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR}         \
+      -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules  \
+      --data-dir="${OUTPUT_DIR}"

diff --git a/tests/datasets-05-state/writepcap.py b/tests/datasets-05-state/writepcap.py
new file mode 100755 (executable)
index 0000000..f5a1b7a
--- /dev/null
+++ b/tests/datasets-05-state/writepcap.py
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=1, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=2, rd=1, qd=DNSQR(qname='example.com'))
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/UDP(dport=53)/DNS(id=3, rd=1, qd=DNSQR(qname='example.com'))
+
+wrpcap('input.pcap', pkts)