]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c165d5b)
eve-metadata: update for recent changes
authorJason Ish <ish@unx.ca>
Thu, 25 Jan 2018 22:26:44 +0000 (16:26 -0600)
committerJason Ish <ish@unx.ca>
Thu, 25 Jan 2018 22:26:44 +0000 (16:26 -0600)
tests/eve-metadata/check.sh [deleted file] patch | blob | blame | history
tests/eve-metadata/test.rules patch | blob | blame | history
tests/eve-metadata/test.yaml patch | blob | blame | history

diff --git a/tests/eve-metadata/check.sh b/tests/eve-metadata/check.sh
deleted file mode 100755 (executable)
index 32df158..0000000
--- a/tests/eve-metadata/check.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /bin/sh
-
-# Test the flow record metadata.
-test $(cat ./eve.json | \
-    jq -c 'select(.event_type == "flow")' | \
-    jq -c .metadata.flowbits[0]) == \"traffic/label/cli-http\"
-
-# Test the alert record metadata.
-test $(cat ./eve.json | \
-    jq -c 'select(.event_type == "alert")' | \
-    jq -c .metadata.flowbits[0]) == \"traffic/label/cli-http\"
-
-# Test the netflow records. We should have 2 of those, so do a line
-# count on netflow records with the required flowbit.
-test $(cat ./eve.json | \
-    jq -c 'select(.event_type == "netflow")' | \
-    jq -c 'select(.metadata.flowbits[0] == "traffic/label/cli-http")' |\
-    wc -l | xargs) -eq 2
-
diff --git a/tests/eve-metadata/test.rules b/tests/eve-metadata/test.rules
index 7af6749423ebadd9680b270959e7d5f7a827dbe2..df6f7f9607ccaacc2f68c3940aa4df4e62d19a10 100644 (file)
--- a/tests/eve-metadata/test.rules
+++ b/tests/eve-metadata/test.rules
@@ -1,9 +1,12 @@
 # Silly rule to set the flowbit "traffic/label/cli-http" on
 # the curl user-agent.
-alert http any any -> any any (content:"curl"; http_user_agent; flowbits:set,traffic/label/cli-http; sid:1; rev:1;)
+alert http any any -> any any (content:"curl"; http_user_agent; flowbits:set,traffic/label/cli-http; flowbits:set,traffic/id/curl; flowbits:set,junkbit; sid:1; rev:1;)
 
 # Capture the UID as a pktvar.
-alert http any any -> any any (pcre:"/uid=(\d+)/, pkt:uid";  noalert; sid:2; rev:1;)
+alert http any any -> any any (pcre:"/uid=(\d+)\(([^)]+)\)/, pkt:uid, pkt:username"; noalert; sid:2; rev:1;)
 
 # Capture the GID as a flowvar.
 alert http any any -> any any (pcre:"/gid=(\d+)/, flow:gid"; noalert; sid:3; rev:1;)
+
+# Capture the GID as a flowvar.
+alert http any any -> any any (pcre:"/gid=(\d+)/, flow:gid"; noalert; sid:4; rev:1;)
diff --git a/tests/eve-metadata/test.yaml b/tests/eve-metadata/test.yaml
index fdf622aa4b6edd702cc5450e5d9080ab8e3e8f86..8b832e46d6e9da3ceb0058e4922dac5bffb1111e 100644 (file)
--- a/tests/eve-metadata/test.yaml
+++ b/tests/eve-metadata/test.yaml
@@ -11,24 +11,25 @@ checks:
       count: 1
       match:
         event_type: flow
-        metadata.flowbits[0]: traffic/label/cli-http
-        metadata.flowvars.gid: "0"
+        traffic.id[0]: curl
+        traffic.label[0]: cli-http
 
   - filter:
       count: 1
       match:
         event_type: alert
-        metadata.flowbits[0]: traffic/label/cli-http
+        traffic.id[0]: curl
+        traffic.label[0]: cli-http
 
   - filter:
       count: 2
       match:
         event_type: netflow
-        metadata.flowbits[0]: traffic/label/cli-http
+        traffic.label[0]: cli-http
         
   - filter:
       count: 1
       match:
         event_type: metadata
         metadata.pktvars[0].uid: "0"
-        metadata.flowvars.gid: "0"
+        metadata.flowvars[0].gid: "0"
Mirror of https://github.com/OISF/suricata-verify.git