datasets: add tests for string memcap 1956/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Mon, 10 Jun 2024 10:19:50 +0000 (15:49 +0530)
committerVictor Julien <victor@inliniac.net>
Thu, 4 Jul 2024 04:37:22 +0000 (06:37 +0200)
Ticket 3910

tests/datasets-memcap-01/README.md [new file with mode: 0644]
tests/datasets-memcap-01/datasets.csv [new file with mode: 0644]
tests/datasets-memcap-01/test.rules [new file with mode: 0644]
tests/datasets-memcap-01/test.yaml [new file with mode: 0644]
tests/datasets-memcap-02/README.md [new file with mode: 0644]
tests/datasets-memcap-02/datasets.csv [new file with mode: 0644]
tests/datasets-memcap-02/test.rules [new file with mode: 0644]
tests/datasets-memcap-02/test.yaml [new file with mode: 0644]

diff --git a/tests/datasets-memcap-01/README.md b/tests/datasets-memcap-01/README.md
new file mode 100644 (file)
index 0000000..02cfd46
--- /dev/null
@@ -0,0 +1,14 @@
+Test Description
+================
+
+This test demonstrates that the memcap settings DO NOT take the string length into account in 7.0.x or below.
+
+PCAP
+====
+
+Comes from existing test `flowbit-oring`.
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/3910
diff --git a/tests/datasets-memcap-01/datasets.csv b/tests/datasets-memcap-01/datasets.csv
new file mode 100644 (file)
index 0000000..3961eb8
--- /dev/null
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=
diff --git a/tests/datasets-memcap-01/test.rules b/tests/datasets-memcap-01/test.rules
new file mode 100644 (file)
index 0000000..6bce440
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv,memcap 88074,hashsize 1; sid:1;)
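Review bot: The values `memcap 88074` and `hashsize 1` in this rule are unexplained, so a reader cannot tell which allocation the cap is meant to sit just above or below. Both tests depend on this same number producing opposite outcomes before and after 8.0, so a comment line above the rule would help, for example `# memcap sized so the hash table fits but the table plus string data does not; see ticket 3910`. That wording needs confirming by the author, since the derivation of the number is not visible on this page. The same applies to the identical rule in tests/datasets-memcap-02/test.rules.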
diff --git a/tests/datasets-memcap-01/test.yaml b/tests/datasets-memcap-01/test.yaml
new file mode 100644 (file)
index 0000000..ec09db4
--- /dev/null
@@ -0,0 +1,18 @@
+pcap: ../flowbit-oring/input.pcap
+
+requires:
+  lt-version: 8
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/datasets-memcap-02/README.md b/tests/datasets-memcap-02/README.md
new file mode 100644 (file)
index 0000000..3f48a8a
--- /dev/null
@@ -0,0 +1,14 @@
+Test Description
+================
+
+This test demonstrates that the memcap settings take the string length into account in 8.0.x.
+
+PCAP
+====
+
+Comes from existing test `flowbit-oring`.
+
+Related tickets
+===============
+
+https://redmine.openinfosecfoundation.org/issues/3910
diff --git a/tests/datasets-memcap-02/datasets.csv b/tests/datasets-memcap-02/datasets.csv
new file mode 100644 (file)
index 0000000..3961eb8
--- /dev/null
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=
diff --git a/tests/datasets-memcap-02/test.rules b/tests/datasets-memcap-02/test.rules
new file mode 100644 (file)
index 0000000..6bce440
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv,memcap 88074,hashsize 1; sid:1;)
diff --git a/tests/datasets-memcap-02/test.yaml b/tests/datasets-memcap-02/test.yaml
new file mode 100644 (file)
index 0000000..98d60f3
--- /dev/null
@@ -0,0 +1,16 @@
+pcap: ../flowbit-oring/input.pcap
+
+requires:
+  min-version: 8
+  os: linux
+  arch: x86_64
+
+exit-code: 1
+
+args:
+ - -k none
+
+checks:
+    - shell:
+        args: grep "dataset too large for set memcap" suricata.log | wc -l
+        expect: 1
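Review bot: The `os: linux` and `arch: x86_64` requirements carry no stated reason. Presumably the memcap in test.rules is tuned to in-memory structure sizes on that platform; if so, a comment such as `# memcap boundary depends on struct sizes; verified on linux/x86_64 only` above `requires:` would record it. The test also pins the 8.x accounting only from the rejecting side, through `exit-code: 1` and the log grep. A companion case with a slightly larger memcap that loads datasets.csv and alerts would show that the limit is enforced at the intended boundary, not that every load is refused.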