]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 04bfff2)
test/entropy: Basic entropy keyword test 2403/head
authorJeff Lucovsky <jlucovsky@oisf.net>
Mon, 13 Jan 2025 13:49:50 +0000 (08:49 -0500)
committerVictor Julien <victor@inliniac.net>
Tue, 1 Apr 2025 19:11:11 +0000 (21:11 +0200)
This commit adds a basic test of the entropy keyword.

tests/entropy/entropy-01/README.md [new file with mode: 0644] patch | blob
tests/entropy/entropy-01/input.pcap [new file with mode: 0644] patch | blob
tests/entropy/entropy-01/test.rules [new file with mode: 0644] patch | blob
tests/entropy/entropy-01/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/entropy/entropy-01/README.md b/tests/entropy/entropy-01/README.md
new file mode 100644 (file)
index 0000000..c1924f9
--- /dev/null
+++ b/tests/entropy/entropy-01/README.md
@@ -0,0 +1 @@
+This test checks the entropy keyword with a comparison against HTTP file data.
diff --git a/tests/entropy/entropy-01/input.pcap b/tests/entropy/entropy-01/input.pcap
new file mode 100644 (file)
index 0000000..c84b2df
Binary files /dev/null and b/tests/entropy/entropy-01/input.pcap differ
diff --git a/tests/entropy/entropy-01/test.rules b/tests/entropy/entropy-01/test.rules
new file mode 100644 (file)
index 0000000..308d9ca
--- /dev/null
+++ b/tests/entropy/entropy-01/test.rules
@@ -0,0 +1,12 @@
+# The entropy value is 4.137370175000773
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value > 4; sid:1;)
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value >= 4; sid:2;)
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value >= 5; sid:3;)
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value 4-5; sid:4;)
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value !4-5; sid:5;)
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value < 4; sid:6;)
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value != 4; sid:7;)
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: value = 4; sid:8;)
+# The entropy value is 4.150007324019584
+alert http any any -> any any (msg:"entropy simple test"; file.data; entropy: offset 10, value > 4.14; sid:10;)
+
diff --git a/tests/entropy/entropy-01/test.yaml b/tests/entropy/entropy-01/test.yaml
new file mode 100644 (file)
index 0000000..5fcc51c
--- /dev/null
+++ b/tests/entropy/entropy-01/test.yaml
@@ -0,0 +1,49 @@
+requires:
+  min-version: 8
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 3
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 4
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 5
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 7
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 8
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 10
Mirror of https://github.com/OISF/suricata-verify.git