This commit adds tests with rules that use an nbyte variable name.
Issue: 6105
--- /dev/null
+alert tcp any any -> any any (msg:"byte_jump varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,4,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:1;)
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
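Review bot: The checks here pin only the case where the extracted byte is a usable length. In sid 1, `rpkt_len` is read from the payload by `byte_extract:1,4,rpkt_len,relative` and then used as the byte count of `byte_jump`, so its value is set by the sender of the traffic. Nothing in this commit exercises a packet where that byte is 0 or larger than the count byte_jump would accept as a literal. I would add a sibling test with such a pcap that expects `count: 0` for `alert.signature_id: 1`, and a comment above `checks:` such as `# pcap carries a valid length byte for rpkt_len; out-of-range values are covered in <sibling test>`. The pcap is not visible in this diff, so the expected outcome for the out-of-range case needs confirming against the engine.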
--- /dev/null
+alert tcp any any -> any any (msg:"byte_jump invalid varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,4,rpkt_len2,relative; byte_jump:no_var,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:2;)
--- /dev/null
+requires:
+ min-version: 7
+
+ # No pcap required.
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - shell:
+ args: grep "Unknown byte_extract var seen in byte_jump - no_var" suricata.log | wc -l | xargs
+ expect: 1
+
+exit-code: 1
+
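Review bot: `exit-code: 1` carries no comment saying why a non-zero exit is the expected result, while the only other comment in the file explains the far more obvious `pcap: false`. A line such as `# sid 2 references an undefined variable (no_var), so rule loading is expected to fail` above `exit-code: 1` would state the intent; I am inferring that the failed rule load is what produces the exit status. The shell check also depends on the exact wording of the log message, so a short comment naming the message as the thing under test would help whoever changes that string later.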