lua: Test SCRule* functions for match scripts
authorBenjamin Wilkins <benjamin.wilkins@uwaterloo.ca>
Tue, 2 Nov 2021 19:24:21 +0000 (15:24 -0400)
committerVictor Julien <victor@inliniac.net>
Mon, 13 Jun 2022 06:25:07 +0000 (08:25 +0200)
tests/lua-match-scrule/README.md [new file with mode: 0644]
tests/lua-match-scrule/input.pcap [new file with mode: 0644]
tests/lua-match-scrule/lua-scrule-action.lua [new file with mode: 0644]
tests/lua-match-scrule/lua-scrule-class.lua [new file with mode: 0644]
tests/lua-match-scrule/lua-scrule-ids.lua [new file with mode: 0644]
tests/lua-match-scrule/lua-scrule-msg.lua [new file with mode: 0644]
tests/lua-match-scrule/suricata.yaml [new file with mode: 0644]
tests/lua-match-scrule/test.rules [new file with mode: 0644]
tests/lua-match-scrule/test.yaml [new file with mode: 0644]

diff --git a/tests/lua-match-scrule/README.md b/tests/lua-match-scrule/README.md
new file mode 100644 (file)
index 0000000..872ec68
--- /dev/null
@@ -0,0 +1 @@
+Tests Lua's SCRule functions for match scripts.
diff --git a/tests/lua-match-scrule/input.pcap b/tests/lua-match-scrule/input.pcap
new file mode 100644 (file)
index 0000000..8fb6832
Binary files /dev/null and b/tests/lua-match-scrule/input.pcap differ
diff --git a/tests/lua-match-scrule/lua-scrule-action.lua b/tests/lua-match-scrule/lua-scrule-action.lua
new file mode 100644 (file)
index 0000000..5718071
--- /dev/null
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    action = SCRuleAction()
+
+    if action == "alert" then
+        return 1
+    else
+        return 0
+    end
+end
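Review bot: `action = SCRuleAction()` in match() assigns an undeclared name, so each call writes a global into the script's Lua state rather than a local; the line should read `local action = SCRuleAction()`. The same pattern is in lua-scrule-class.lua (`msg, prio = SCRuleClass()`), lua-scrule-ids.lua (`sid, rev, gid = SCRuleIds()`) and lua-scrule-msg.lua (`msg = SCRuleMsg()`), which should become `local msg, prio = ...`, `local sid, rev, gid = ...` and `local msg = ...`. The comparison result is unaffected, but since these scripts are the reference examples for the SCRule* API it is worth having them show the `local` idiom rather than an accidental-global one.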
diff --git a/tests/lua-match-scrule/lua-scrule-class.lua b/tests/lua-match-scrule/lua-scrule-class.lua
new file mode 100644 (file)
index 0000000..d963328
--- /dev/null
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    msg, prio = SCRuleClass()
+
+    if msg == "Potentially Bad Traffic" and prio == 2 then
+        return 1
+    else
+        return 0
+    end
+end
diff --git a/tests/lua-match-scrule/lua-scrule-ids.lua b/tests/lua-match-scrule/lua-scrule-ids.lua
new file mode 100644 (file)
index 0000000..8931161
--- /dev/null
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    sid, rev, gid = SCRuleIds()
+
+    if sid == 1 and rev == 7 and gid == 1 then
+        return 1
+    else
+        return 0
+    end
+end
diff --git a/tests/lua-match-scrule/lua-scrule-msg.lua b/tests/lua-match-scrule/lua-scrule-msg.lua
new file mode 100644 (file)
index 0000000..71757e3
--- /dev/null
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    msg = SCRuleMsg()
+
+    if msg == "FOO" then
+        return 1
+    else
+        return 0
+    end
+end
diff --git a/tests/lua-match-scrule/suricata.yaml b/tests/lua-match-scrule/suricata.yaml
new file mode 100644 (file)
index 0000000..e27e996
--- /dev/null
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
\ No newline at end of file
diff --git a/tests/lua-match-scrule/test.rules b/tests/lua-match-scrule/test.rules
new file mode 100644 (file)
index 0000000..ee3294c
--- /dev/null
@@ -0,0 +1,8 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:1; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:2; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:3; rev:7;)
+drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:4; rev:7;)
+alert ip any any -> any any (msg:"FOO"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:5; rev:7;)
+alert ip any any -> any any (msg:"BAR"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:6; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-class.lua; sid:7; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:not-suspicious; lua:lua-scrule-class.lua; sid:8; rev:7;)
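Review bot: The rules file does not say which rules are the positive cases and which are the negative controls, so a reader has to diff pairs of otherwise identical lines (sid 1/2, 3/4, 5/6, 7/8) against each Lua script to see what is being exercised. A one-line `#` comment before each pair would make the intent self-evident, for example `# sid 1 expected to match (script checks sid==1, rev==7, gid==1); sid 2 differs only in sid and must not match` and, before sid 3/4, `# sid 3 is 'alert' and must match; sid 4 is 'drop', so SCRuleAction() must not return "alert"`. The same wording, or a pointer to it, would also help next to the zero-count checks in test.yaml.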
diff --git a/tests/lua-match-scrule/test.yaml b/tests/lua-match-scrule/test.yaml
new file mode 100644 (file)
index 0000000..c1d12a1
--- /dev/null
@@ -0,0 +1,38 @@
+requires:
+  min-version: 7
+  features:
+    - HAVE_LUA
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 5
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 7
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 8