lua: adds test about ScFlowVarGet
authorPhilippe Antoine <contact@catenacyber.fr>
Thu, 21 Oct 2021 11:43:01 +0000 (13:43 +0200)
committerJason Ish <jason.ish@oisf.net>
Fri, 12 Nov 2021 21:47:10 +0000 (15:47 -0600)
cf. Redmine issue 2094

tests/lua-scflowvarget/README.md [new file with mode: 0644]
tests/lua-scflowvarget/input.pcap [new file with mode: 0644]
tests/lua-scflowvarget/suricata.yaml [new file with mode: 0644]
tests/lua-scflowvarget/test.lua [new file with mode: 0644]
tests/lua-scflowvarget/test.rules [new file with mode: 0644]
tests/lua-scflowvarget/test.yaml [new file with mode: 0644]

diff --git a/tests/lua-scflowvarget/README.md b/tests/lua-scflowvarget/README.md
new file mode 100644 (file)
index 0000000..6c252af
--- /dev/null
@@ -0,0 +1,17 @@
+To test that SCFlowvarGet (lua) doesn't always return nil.
+
+The original issue emerged due to a lua detection script that used a single rule to set up
+a flow variable and match on it. 
+
+The problem is that during detection, the steps happen in this order:
+- pattern matching
+- lua script execution
+- setting flow variables as part of post match
+
+So, a workaround is to have 2 rules:
+- one that does the pattern matching and setting the flow var
+- another second one that does the Lua script
+
+This test works based on that.
+
+Pcap provided by Chris Knott at https://redmine.openinfosecfoundation.org/issues/2094
diff --git a/tests/lua-scflowvarget/input.pcap b/tests/lua-scflowvarget/input.pcap
new file mode 100644 (file)
index 0000000..b763c97
Binary files /dev/null and b/tests/lua-scflowvarget/input.pcap differ
diff --git a/tests/lua-scflowvarget/suricata.yaml b/tests/lua-scflowvarget/suricata.yaml
new file mode 100644 (file)
index 0000000..51b7cb3
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      filename: eve.json
+      types:
+        - alert
+        - flow
+
diff --git a/tests/lua-scflowvarget/test.lua b/tests/lua-scflowvarget/test.lua
new file mode 100644 (file)
index 0000000..38e49ac
--- /dev/null
@@ -0,0 +1,18 @@
+function init (args)
+    local needs = {}
+    needs["http.request_headers"] = tostring(true)
+    needs["flowvar"] = {"TestVar"}
+    return needs
+end
+
+function match(args)
+    print "Before loading Variable"
+    testVar = ScFlowvarGet(0);
+    if testVar then
+      print "testVar is set"
+    else
+      print "testVar is not set"
+      return 0
+    end
+    return 1
+end
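Review bot: `testVar = ScFlowvarGet(0);` in match() assigns to a global because the `local` keyword is missing; Lua variables are global by default, and the Lua state Suricata hands this script appears to be reused across invocations, so the value would linger between matches (harmless here since it is overwritten before being read, but misleading to the next reader). Change it to `local testVar = ScFlowvarGet(0)` and drop the trailing semicolon, which no other line in the file uses. The `http.request_headers` need is never read in match(); a comment on that line such as `-- headers are not read; this need only selects the HTTP request inspection point` would save the reader from looking for the consumer. The `print` calls look like debugging output — if they are intended to stay as test diagnostics, a one-line comment saying so would make that explicit.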
diff --git a/tests/lua-scflowvarget/test.rules b/tests/lua-scflowvarget/test.rules
new file mode 100644 (file)
index 0000000..cbbcc64
--- /dev/null
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;)
+alert http any any -> any any (msg: "Test2"; flow: to_server; lua:test.lua; flowbits: isset, flowtestvar; sid:6677001; rev:1;)
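Review bot: In sid 6677000 the `^` anchor is written before the opening `/` of the pcre (`pcre: "^/GET (.*)$/G, flow:TestVar"`) instead of inside it; Suricata's pcre keyword expects the `/regex/flags` form, so the anchor is most likely discarded by the parser and the rule only matches as intended because the request line in the pcap happens to start with GET. Write it as `pcre:"/^GET (.*)$/G, flow:TestVar";` so the capture is genuinely pinned to the start of `http.request_line`. Since the README describes the two-rule split as a deliberate workaround for the pattern-match / lua / post-match ordering, a trailing `# sets TestVar in post-match` on the first rule and `# consumes TestVar from Lua` on the second would make the fixture self-explanatory.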
diff --git a/tests/lua-scflowvarget/test.yaml b/tests/lua-scflowvarget/test.yaml
new file mode 100644 (file)
index 0000000..9332b9f
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 7.0.0
+  features:
+    - HAVE_LUA
+
+args:
+ - -k none
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        metadata.flowvars[0].TestVar: "/zib100/zib100.json?origin=orf.at HTTP/1.1"
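Review bot: The check under `checks:` only requires one alert whose `metadata.flowvars[0].TestVar` has the expected value; it does not pin which rule produced the alert, so the test currently relies on `noalert` in sid 6677000 to keep the setter rule from satisfying the count. Adding `alert.signature_id: 6677001` to the `match:` block states the actual property under test — that the Lua rule fired because ScFlowvarGet returned the captured value — and makes the failure obvious if the rules file is later edited. The `[0]` index is fine while only one flowvar is set; a short comment noting that assumption would help whoever extends the rules.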