--- /dev/null
+Test that the configuration option to allow absolute dataset filenames
+in rules works.
--- /dev/null
+%YAML 1.1
+---
+
+datasets:
+ rules:
+ allow-absolute-filenames: true
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
--- /dev/null
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen, type string, state /tmp/dns-seen.txt; sid:1; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-save, type string, save /tmp/dns-seen-save.txt; sid:2; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-parent, type string, state /tmp/../tmp/dns-seen.txt; sid:3; rev:1;)
--- /dev/null
+args:
+ - -vvv
+
+# Due to differences between user-mode and system-mode, these rules
+# will actually fail. Instead we're testing to make sure we got past
+# the check for absolute filenames.
+exit-code: 1
+
+checks:
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/dns-seen.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/dns-seen-save.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/../tmp/dns-seen.txt"
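Review bot: The third check (sid:3) asserts that `/tmp/../tmp/dns-seen.txt` is accepted, which means enabling `allow-absolute-filenames` also bypasses the directory-traversal rejection that the sibling test in this commit expects for relative `..` paths; neither the README nor this file states that consequence. A comment above the third filter would make the intent explicit, e.g. `# sid:3: with allow-absolute-filenames enabled, '..' components inside an absolute path are not rejected either.` Whether the traversal check is skipped only for absolute paths or for every path under this option cannot be told from these tests, so the wording should stay limited to what sid:3 demonstrates.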
--- /dev/null
+Test that a dataset rule trying to use an absolute path results in an
+initialization error.
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
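Review bot: This suricata.yaml leaves `datasets.rules.allow-absolute-filenames` unset, so the "Absolute paths not allowed" errors the test expects depend on that option's default staying false. Stating it explicitly, `datasets:` / ` rules:` / ` allow-absolute-filenames: false`, mirrors the first test's configuration and keeps the test meaningful if the default is ever changed. The same likely applies to the suricata.yaml of the directory-traversal test further down, although these files do not show whether that option also governs relative `..` paths.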
--- /dev/null
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen, type string, state /dns-seen.txt; sid:1; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-save, type string, save /dns-seen-save.txt; sid:2; rev:1;)
--- /dev/null
+exit-code: 1
+
+checks:
+ - filter:
+ count: 1
+ match:
+ engine.message: "Absolute paths not allowed: /dns-seen.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Absolute paths not allowed: /dns-seen-save.txt"
--- /dev/null
+Test that a dataset rule trying to traverse into a parent directory
+results in an initialization error.
--- /dev/null
+%YAML 1.1
+---
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
--- /dev/null
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen, type string, state ../dns-seen.txt; sid:1; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-1, type string, state namespace/../dns-seen-1.txt; sid:1; rev:2;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-save, type string, save namespace/../dns-seen-save.txt; sid:1; rev:2;)
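Review bot: All three rules carry `sid:1`, and the second and third additionally share `rev:2`, so two signatures have an identical sid/rev pair, which Suricata normally reports as a duplicate signature at load time. Because the test already expects exit-code 1 and only matches the three traversal messages, that duplication would be masked rather than caught, and a future rule-loading change could make the test pass or fail for the wrong reason. Use distinct sids as the other rule files in this commit do, e.g. `sid:2; rev:1;` on the second rule and `sid:3; rev:1;` on the third.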
--- /dev/null
+exit-code: 1
+
+checks:
+ - filter:
+ count: 1
+ match:
+ engine.message: "Directory traversals not allowed: ../dns-seen.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Directory traversals not allowed: namespace/../dns-seen-1.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Directory traversals not allowed: namespace/../dns-seen-save.txt"