]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 163752a)
tests: flowbit prefilter tests
authorVictor Julien <victor@inliniac.net>
Mon, 13 Jun 2022 06:08:25 +0000 (08:08 +0200)
committerVictor Julien <victor@inliniac.net>
Thu, 3 Apr 2025 08:05:43 +0000 (10:05 +0200)
26 files changed:
tests/flowbits-prefilter-01/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-01/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-02-auto/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-03/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-03/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-04-pkt-auto/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-05-onedir/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-06-opdir/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-07-tx-onedir/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-08-tx-opdir/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-09-iponly-onedir/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-10-iponly-opdir/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-11-pkt-auto/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-12-toggle/test.yaml [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules [new file with mode: 0644] patch | blob
tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml [new file with mode: 0644] patch | blob

diff --git a/tests/flowbits-prefilter-01/flowbit-prefilter.rules b/tests/flowbits-prefilter-01/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..ac7f95b
--- /dev/null
+++ b/tests/flowbits-prefilter-01/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,common1; flowbits:set,common2; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:set,common2; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common2; prefilter; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,common1; prefilter; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,common1; prefilter; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-01/test.yaml b/tests/flowbits-prefilter-01/test.yaml
new file mode 100644 (file)
index 0000000..5e035b0
--- /dev/null
+++ b/tests/flowbits-prefilter-01/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules
new file mode 100644 (file)
index 0000000..453ac9b
--- /dev/null
+++ b/tests/flowbits-prefilter-02-auto/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; http.stat_code; content:"200";  sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202";  sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201";  sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200";  sid:33;)
diff --git a/tests/flowbits-prefilter-02-auto/test.yaml b/tests/flowbits-prefilter-02-auto/test.yaml
new file mode 100644 (file)
index 0000000..d859933
--- /dev/null
+++ b/tests/flowbits-prefilter-02-auto/test.yaml
@@ -0,0 +1,35 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+  - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 25
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 33
diff --git a/tests/flowbits-prefilter-03/flowbit-prefilter.rules b/tests/flowbits-prefilter-03/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..241295b
--- /dev/null
+++ b/tests/flowbits-prefilter-03/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_server; content:"GET"; flowbits:set,abc; sid:1;)
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:isset,abc; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-03/test.yaml b/tests/flowbits-prefilter-03/test.yaml
new file mode 100644 (file)
index 0000000..eff05ff
--- /dev/null
+++ b/tests/flowbits-prefilter-03/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 4
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules b/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..288d272
--- /dev/null
+++ b/tests/flowbits-prefilter-04-pkt-auto/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (dsize:81; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-04-pkt-auto/test.yaml b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
new file mode 100644 (file)
index 0000000..f7cbee5
--- /dev/null
+++ b/tests/flowbits-prefilter-04-pkt-auto/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+  - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules b/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..baaef1d
--- /dev/null
+++ b/tests/flowbits-prefilter-05-onedir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:set,size; sid:1;)
+alert tcp any any -> any any (flowbits:isset,size; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-05-onedir/test.yaml b/tests/flowbits-prefilter-05-onedir/test.yaml
new file mode 100644 (file)
index 0000000..21f1557
--- /dev/null
+++ b/tests/flowbits-prefilter-05-onedir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules b/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..38e0fde
--- /dev/null
+++ b/tests/flowbits-prefilter-06-opdir/flowbit-prefilter.rules
@@ -0,0 +1,4 @@
+# packet 6 to client
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:set,size; sid:1;)
+# packet 7 to server
+alert tcp any any -> any any (flow:to_server; tcp.flags:A; tcp.ack:2548486954; flowbits:isset,size; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-06-opdir/test.yaml b/tests/flowbits-prefilter-06-opdir/test.yaml
new file mode 100644 (file)
index 0000000..1109bdf
--- /dev/null
+++ b/tests/flowbits-prefilter-06-opdir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 7
+      alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules
new file mode 100644 (file)
index 0000000..2580f75
--- /dev/null
+++ b/tests/flowbits-prefilter-07-tx-onedir/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200";  sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202";  sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201";  sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200";  sid:33;)
diff --git a/tests/flowbits-prefilter-07-tx-onedir/test.yaml b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
new file mode 100644 (file)
index 0000000..c9ee3b5
--- /dev/null
+++ b/tests/flowbits-prefilter-07-tx-onedir/test.yaml
@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 25
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 33
diff --git a/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules
new file mode 100644 (file)
index 0000000..322f362
--- /dev/null
+++ b/tests/flowbits-prefilter-08-tx-opdir/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (http.request_line; content:"HTTP"; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:set,rare; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200";  sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202";  sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201";  sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200";  sid:33;)
diff --git a/tests/flowbits-prefilter-08-tx-opdir/test.yaml b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
new file mode 100644 (file)
index 0000000..ef603c8
--- /dev/null
+++ b/tests/flowbits-prefilter-08-tx-opdir/test.yaml
@@ -0,0 +1,32 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 4
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 23
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 25
diff --git a/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules b/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..ff690dd
--- /dev/null
+++ b/tests/flowbits-prefilter-09-iponly-onedir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp 82.165.177.154 any -> any any (flowbits:set,set_by_iponly; sid:1;)
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:isset,set_by_iponly; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-09-iponly-onedir/test.yaml b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
new file mode 100644 (file)
index 0000000..424e9ff
--- /dev/null
+++ b/tests/flowbits-prefilter-09-iponly-onedir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 2
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules b/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..f48f021
--- /dev/null
+++ b/tests/flowbits-prefilter-10-iponly-opdir/flowbit-prefilter.rules
@@ -0,0 +1,2 @@
+alert tcp any any -> 82.165.177.154 any (flowbits:set,set_by_iponly; sid:1;)
+alert tcp any any -> any any (flow:to_client; dsize:259; flowbits:isset,set_by_iponly; prefilter; sid:2;)
diff --git a/tests/flowbits-prefilter-10-iponly-opdir/test.yaml b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
new file mode 100644 (file)
index 0000000..a48b42a
--- /dev/null
+++ b/tests/flowbits-prefilter-10-iponly-opdir/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 1
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 2
diff --git a/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules b/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..652560e
--- /dev/null
+++ b/tests/flowbits-prefilter-11-pkt-auto/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:set,rare; flowbits:set,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:set,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-11-pkt-auto/test.yaml b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
new file mode 100644 (file)
index 0000000..f7cbee5
--- /dev/null
+++ b/tests/flowbits-prefilter-11-pkt-auto/test.yaml
@@ -0,0 +1,23 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+  - --set detect.prefilter.default=auto
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules b/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules
new file mode 100644 (file)
index 0000000..72692c0
--- /dev/null
+++ b/tests/flowbits-prefilter-12-toggle/flowbit-prefilter.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (dsize:10; flowbits:set,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; dsize:259; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; dsize:10; sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; dsize:11; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; ack:3308437468; sid:25;)
+alert tcp any any -> any any (priority:10; dsize:11; sid:31;)
+alert tcp any any -> any any (priority:10; dsize:10; sid:32;)
+alert tcp any any -> any any (priority:10; ack:3308437468; sid:33;)
diff --git a/tests/flowbits-prefilter-12-toggle/test.yaml b/tests/flowbits-prefilter-12-toggle/test.yaml
new file mode 100644 (file)
index 0000000..5e035b0
--- /dev/null
+++ b/tests/flowbits-prefilter-12-toggle/test.yaml
@@ -0,0 +1,22 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
diff --git a/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules b/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules
new file mode 100644 (file)
index 0000000..8308e54
--- /dev/null
+++ b/tests/flowbits-prefilter-13-tx-onedir-toggle/flowbit-prefilter-tx.rules
@@ -0,0 +1,10 @@
+alert tcp any any -> any any (flow:to_client; http.response_line; content:"HTTP"; flowbits:toggle,rare; flowbits:toggle,common; sid:11;)
+alert tcp any any -> any any (http.request_line; content:"ABC"; flowbits:toggle,never; flowbits:toggle,common; sid:12;)
+alert tcp any any -> any any (flowbits:isset,never; sid:21;)
+alert tcp any any -> any any (flowbits:isset,common; prefilter; http.stat_code; content:"200"; sid:22;)
+alert tcp any any -> any any (flowbits:isset,never; prefilter; http.stat_code; content:"200";  sid:23;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"201"; sid:24;)
+alert tcp any any -> any any (flowbits:isset,rare; prefilter; http.stat_code; content:"200"; sid:25;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"202";  sid:31;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"201";  sid:32;)
+alert tcp any any -> any any (priority:10; http.stat_code; content:"200";  sid:33;)
diff --git a/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
new file mode 100644 (file)
index 0000000..c9ee3b5
--- /dev/null
+++ b/tests/flowbits-prefilter-13-tx-onedir-toggle/test.yaml
@@ -0,0 +1,34 @@
+requires:
+  min-version: 8
+
+pcap: ../flowbit-oring/input.pcap
+
+args:
+  - -k none
+  - --simulate-ips
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 11
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 22
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 25
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      pcap_cnt: 6
+      alert.signature_id: 33
Mirror of https://github.com/OISF/suricata-verify.git