tests: add rule types check

diff --git a/tests/rule-types/rule-types.rules b/tests/rule-types/rule-types.rules
new file mode 100644 (file)
index 0000000..b052026
--- /dev/null
+++ b/tests/rule-types/rule-types.rules
@@ -0,0 +1,40 @@
+alert tcp-stream any any -> any any (msg:"tcp-stream, no content"; sid:101;)
+alert tcp-stream any any -> any any (msg:"tcp-stream, simple content"; content:"abc"; sid:102;)
+alert tcp-stream any any -> any any (msg:"tcp-stream, anchored content"; content:"abc"; startswith; sid:103;)
+
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, no content"; sid:201;)
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, simple content"; content:"abc"; sid:202;)
+alert tcp-pkt any any -> any any (msg:"tcp-pkt, anchored content"; content:"abc"; startswith; sid:203;)
+
+alert tcp any any -> any any (msg:"tcp, no content"; sid:301;)
+alert tcp any any -> any any (msg:"tcp, simple content"; content:"abc"; sid:302;)
+alert tcp any any -> any any (msg:"tcp, anchored content"; content:"abc"; startswith; sid:303;)
+
+alert tcp any any -> any any (msg:"tcp, pd negated"; app-layer-protocol:!http; sid:401;)
+alert tcp any any -> any any (msg:"tcp, pd positive"; app-layer-protocol:http; sid:402;)
+
+alert tcp any any -> any any (msg:"http, pos event"; app-layer-event:http.file_name_too_long; sid:501;)
+#alert tcp any any -> any any (msg:"http, neg event"; app-layer-event:!http.file_name_too_long; sid:502;)
+# TODO fix
+#alert tcp any any -> any any (msg:"http, unknown event"; app-layer-event:http.non_existing_event; sid:503;)
+
+alert http any any -> any any (msg:"http, no content"; sid:601;)
+alert http any any -> any any (msg:"http, simple content"; content:"abc"; sid:602;)
+alert http any any -> any any (msg:"http, anchored content"; content:"abc"; startswith; sid:603;)
+
+alert tcp any any -> any any (msg:"ttl"; ttl:123; sid:701;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:established; sid:702;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:not_established; sid:703;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:stateless; sid:704;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; prefilter; flow:stateless; sid:705;)
+alert tcp any any -> any any (msg:"ttl"; ttl:123; flow:stateless; prefilter; sid:706;)
+
+alert http any any -> any any (uricontent:"abc"; sid:801;)
+alert http any any -> any any (content:"abc"; http_uri; sid:802;)
+alert http any any -> any any (http.uri; content:"abc"; sid:803;)
+
+alert tcp any any -> any any (msg:"byte_extract with dce"; byte_extract:4,0,var,dce; byte_test:4,>,var,4,little; sid:901;)
+alert tcp any any -> any any (msg:"byte_extract with dce"; dcerpc.stub_data; content:"abc"; byte_extract:4,0,var,relative; byte_test:4,>,var,4,little; sid:902;)
+
+alert udp any any -> any any (msg:"UDP with flow direction"; flow:to_server; sid:1001;)
+

diff --git a/tests/rule-types/test.yaml b/tests/rule-types/test.yaml
new file mode 100644 (file)
index 0000000..ed16f10
--- /dev/null
+++ b/tests/rule-types/test.yaml
@@ -0,0 +1,162 @@
+requires:
+  min-version: 7
+  pcap: false
+args:
+- --engine-analysis
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 101
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 102
+        type: "stream"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 201
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 202
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 203
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 301
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 302
+        type: "stream"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 303
+        type: "pkt_stream"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 401
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 402
+        type: "pd_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 501
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 601
+        type: "app_layer"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 602
+        type: "stream"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 603
+        type: "pkt_stream"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 701
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 702
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 703
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 704
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 705
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 706
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 801
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 802
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 803
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 901
+        type: "stream"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 902
+        type: "app_tx"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1001
+        type: "pkt"