detect-flowbits: add tests

Task: 4911

diff --git a/tests/detect-flowbits/README.md b/tests/detect-flowbits/README.md
new file mode 100644 (file)
index 0000000..45750ac
--- /dev/null
+++ b/tests/detect-flowbits/README.md
@@ -0,0 +1 @@
+Tests the flowbits actions/options

diff --git a/tests/detect-flowbits/input.pcap b/tests/detect-flowbits/input.pcap
new file mode 100644 (file)
index 0000000..49593f3
Binary files /dev/null and b/tests/detect-flowbits/input.pcap differ

diff --git a/tests/detect-flowbits/test.rules b/tests/detect-flowbits/test.rules
new file mode 100644 (file)
index 0000000..2cca926
--- /dev/null
+++ b/tests/detect-flowbits/test.rules
@@ -0,0 +1,11 @@
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb1; sid:1;)
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb2; sid:2;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb3|fb4; sid:3;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb1|fb5; sid:5;)
+alert ip any any -> any any (msg:"Flowbit isnotset ored flowbits"; flowbits:isnotset, fb1|fb2 ; sid:6;)
+alert ip any any -> any any (msg:"Flowbit unset"; flowbits:unset,fb1; sid:7;)
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:noalert; flowbits:toggle,fb1; content:"GET "; sid:8;)
+alert ip any any -> any any (msg:"Flowbit isset"; flowbits:isset,fb1; sid:9;)
+alert ip any any -> any any (msg:"Noalert"; flowbits:noalert; content:"GET "; sid:10;)
+alert ip any any -> any any (msg:"isset option"; flowbits:isset,fbt; content:"GET "; sid:11;)
+alert ip any any -> any any (msg:"Flowbit isset and flowbits"; flowbits:isset,fb1; flowbits:isset,fb2; sid:12;)

diff --git a/tests/detect-flowbits/test.yaml b/tests/detect-flowbits/test.yaml
new file mode 100644 (file)
index 0000000..75a653d
--- /dev/null
+++ b/tests/detect-flowbits/test.yaml
@@ -0,0 +1,70 @@
+requires:
+  min-version: 6
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 7
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 8
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 9
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 10
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 12

diff --git a/tests/detect-flowbits/writepcap.py b/tests/detect-flowbits/writepcap.py
new file mode 100644 (file)
index 0000000..fe7a0b1
--- /dev/null
+++ b/tests/detect-flowbits/writepcap.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)