detect-bytemath: add tests
authorHaleema Khan <hsadia538@gmail.com>
Mon, 24 Oct 2022 15:05:32 +0000 (20:05 +0500)
committerJason Ish <jason.ish@oisf.net>
Wed, 7 Dec 2022 21:30:36 +0000 (15:30 -0600)
Ticket: #5589

tests/detect-bytemath-add-04/README.md [new file with mode: 0644]
tests/detect-bytemath-add-04/input.pcap [new file with mode: 0644]
tests/detect-bytemath-add-04/test.rules [new file with mode: 0644]
tests/detect-bytemath-add-04/test.yaml [new file with mode: 0644]
tests/detect-bytemath-sub-03/README.md [new file with mode: 0644]
tests/detect-bytemath-sub-03/input.pcap [new file with mode: 0644]
tests/detect-bytemath-sub-03/test.rules [new file with mode: 0644]
tests/detect-bytemath-sub-03/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-bytemath-add-04/README.md b/tests/detect-bytemath-add-04/README.md
new file mode 100644 (file)
index 0000000..9909a51
--- /dev/null
@@ -0,0 +1,11 @@
+Description
+===========
+Test byte_math payload keyword.
+
+PCAP
+====
+PCAP comes from the suricata verify test[detect-bytemath-01]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5589
\ No newline at end of file
diff --git a/tests/detect-bytemath-add-04/input.pcap b/tests/detect-bytemath-add-04/input.pcap
new file mode 100644 (file)
index 0000000..4a18a07
Binary files /dev/null and b/tests/detect-bytemath-add-04/input.pcap differ
diff --git a/tests/detect-bytemath-add-04/test.rules b/tests/detect-bytemath-add-04/test.rules
new file mode 100644 (file)
index 0000000..37648a3
--- /dev/null
@@ -0,0 +1,9 @@
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;byte_test: 2, <, var, 2;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:1;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;byte_test: 2, !=, var, 2;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:2;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;byte_test: 2, >, var, 11;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:3;)
\ No newline at end of file
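Review bot: All three signatures in this file carry the identical `msg` text, so an alert on its own does not say which byte_test comparison fired; the yaml checks match on `alert.signature_id`, so the test still passes, but a failing run produces three indistinguishable alerts in the eve log. Giving each rule a message that names the operator and comparison, e.g. `msg:"byte_math add, byte_test < verification"` for sid 1 and `!=` / `>` variants for sids 2 and 3, makes a regression readable without cross-referencing the rules. The same applies to tests/detect-bytemath-sub-03/test.rules. Both rule files also end without a trailing newline, which shows up as the "No newline at end of file" marker and will produce a noisy diff on the next edit.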
diff --git a/tests/detect-bytemath-add-04/test.yaml b/tests/detect-bytemath-add-04/test.yaml
new file mode 100644 (file)
index 0000000..d6b300c
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+   files:
+       - src/detect-bytemath.c
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
\ No newline at end of file
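Review bot: The `requires:` block is indented with 3 and 7 spaces while the `checks:` block below it uses the 2-space steps used elsewhere in the file, so the document mixes two indentation widths. It parses, but the mismatch looks accidental and is worth normalizing to `requires:` / `  files:` / `    - src/detect-bytemath.c`. tests/detect-bytemath-sub-03/test.yaml is the same blob (index d6b300c) and has the same issue.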
diff --git a/tests/detect-bytemath-sub-03/README.md b/tests/detect-bytemath-sub-03/README.md
new file mode 100644 (file)
index 0000000..9909a51
--- /dev/null
@@ -0,0 +1,11 @@
+Description
+===========
+Test byte_math payload keyword.
+
+PCAP
+====
+PCAP comes from the suricata verify test[detect-bytemath-01]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5589
\ No newline at end of file
diff --git a/tests/detect-bytemath-sub-03/input.pcap b/tests/detect-bytemath-sub-03/input.pcap
new file mode 100644 (file)
index 0000000..4a18a07
Binary files /dev/null and b/tests/detect-bytemath-sub-03/input.pcap differ
diff --git a/tests/detect-bytemath-sub-03/test.rules b/tests/detect-bytemath-sub-03/test.rules
new file mode 100644 (file)
index 0000000..ca44a00
--- /dev/null
@@ -0,0 +1,9 @@
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper -, rvalue extracted_val, result var;byte_test: 1, <, var, 9;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:1;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper -, rvalue extracted_val, result var;byte_test: 1,!=, var, 9;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:2;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 0, oper -, rvalue extracted_val, result var;byte_test: 1,>, var, 0;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:3;)
\ No newline at end of file
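Review bot: sid 3 uses `byte_math: bytes 1, offset 0` while sids 1 and 2 use `offset 1`, and `byte_extract: 1, 0, extracted_val, relative` also reads the byte at offset 0; if both read the same byte, `var` would be the byte minus itself and the `byte_test: 1,>, var, 0` comparison would be against a constant rather than a computed value, which may not be what the subtraction test intends. If the offset difference is deliberate, a rule comment saying so would help; otherwise restoring `offset 1` keeps sid 3 in line with its siblings. Separately, `byte_test: 1,!=, var, 9` and `byte_test: 1,>, var, 0` drop the space after the comma that the add-04 file keeps (`2, !=, var, 2`), so the two files differ in formatting for no reason.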
diff --git a/tests/detect-bytemath-sub-03/test.yaml b/tests/detect-bytemath-sub-03/test.yaml
new file mode 100644 (file)
index 0000000..d6b300c
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+   files:
+       - src/detect-bytemath.c
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
\ No newline at end of file