+++ /dev/null
-#!/bin/sh
-
-exec cmp ${OUTPUT_DIR}/state.csv ${TEST_DIR}/expected/state.csv
--set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \
-c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules \
--data-dir="${OUTPUT_DIR}"
+
+checks:
+ - file-compare:
+ filename: state.csv
+ expected: expected/state.csv
+++ /dev/null
-#!/bin/sh
-if grep -q "Warning: Rule requires file-store but the output file-store is not enabled." $OUTPUT_DIR/rules_analysis.txt; then
- echo "Pattern found in rules_analysis.txt"
- exit 1
-fi
${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" \
--set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \
-c "${TEST_DIR}/suricata.yaml" -S ${TEST_DIR}/test.rules --engine-analysis
+
+checks:
+ - shell:
+ args: |
+ grep -v -q "Warning: Rule requires file-store but the output file-store is not enabled." rules_analysis.txt
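Review bot: `grep -v -q "Warning: …" rules_analysis.txt` does not assert that the warning is absent: with `-v`, `-q` exits 0 as soon as any line fails to match, which is true for any analysis file with at least one other line, so the check passes whether or not the warning was emitted. The removed script failed when `grep -q` found the pattern; the equivalent here is to negate the presence test, `! grep -q "Warning: Rule requires file-store but the output file-store is not enabled." rules_analysis.txt`, which is fine inside the `|` block scalar (a plain-scalar `args:` would read a leading `!` as a YAML tag) and assumes the runner hands `args` to a shell, as the pipelines elsewhere in this patch suggest. The `grep -v '\[ERRCODE: …' stdout` check in the later file-store test has the same defect, and without `-q` it also prints every non-matching line of stdout; it wants `! grep -q` as well.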
+++ /dev/null
-#!/bin/sh
-if ! grep -q "Warning: Rule requires file-store but the output file-store is not enabled." $OUTPUT_DIR/rules_analysis.txt; then
- echo "Pattern not found"
- exit 1
-fi
-exit 0
${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" \
--set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \
-c "${TEST_DIR}/suricata.yaml" -S ${TEST_DIR}/test.rules --engine-analysis
+
+checks:
+ - shell:
+ args: |
+ grep -q "Warning: Rule requires file-store but the output file-store is not enabled." rules_analysis.txt
+++ /dev/null
-#!/bin/sh
-if grep '\[ERRCODE: SC_WARN_ALERT_CONFIG(324)\] - One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' $OUTPUT_DIR/stdout; then
- echo "pattern found in stdout"
- exit 1
-fi
min-version: 5.0.1
features:
- HAVE_NSS
+
+checks:
+ - shell:
+ args: |
+ grep -v '\[ERRCODE: SC_WARN_ALERT_CONFIG(324)\] - One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' stdout
+++ /dev/null
-#!/bin/sh
-if ! grep -q 'One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' $OUTPUT_DIR/stdout; then
- echo "pattern not found"
- exit 1
-fi
-exit 0
min-version: 6.0
features:
- HAVE_NSS
+
+checks:
+ - shell:
+ args: grep -q 'One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' stdout
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# Should have 4 DNP3 data match alerts.
-n=$(grep "DNP3 Data match" eve.json | wc -l | xargs)
-assert_eq 4 "$n" "bad event count"
-
-exit 0
requires:
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 4
+ match:
+ event_type: alert
+ alert.signature_id: 4
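Review bot: The removed script's comment `# Should have 4 DNP3 data match alerts.` and its grep for "DNP3 Data match" did not survive the conversion, so a reader can no longer tell why `alert.signature_id: 4` is the thing being counted. Assuming sid 4 is the DNP3 data-match rule in this test's rules file (not visible in the hunk), a one-line comment above the filter, `# Expect 4 "DNP3 Data match" alerts (sid 4).`, keeps that link; if a different sid carries that message, the filter itself needs correcting.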
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# Should have one alert sid 1.
-n=$(jq_count eve.json 'select(.alert.signature_id == 1)')
-assert_eq 1 "$n" "sig id 1"
-
-# Should have one alert sid 2.
-n=$(jq_count eve.json 'select(.alert.signature_id == 2)')
-assert_eq 1 "$n" "sig id 1"
-
-exit 0
requires:
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# 4 queries.
-n=$(jq_count eve.json 'select(.dns.type == "query")')
-assert_eq 4 "$n" "queries"
-
-# 5 answers.
-n=$(jq_count eve.json 'select(.dns.type == "answer")')
-assert_eq 5 "$n" "answers"
features:
- HAVE_LIBJANSSON
lt-version: 7
+
+checks:
+ - filter:
+ count: 4
+ match:
+ dns.type: query
+ - filter:
+ count: 5
+ match:
+ dns.type: answer
+++ /dev/null
-#! /bin/sh
-
-# Expect 9 dns records.
-n=$(cat dns.json | jq -c 'select(.event_type == "dns")' | wc -l | xargs)
-if test $n -ne 9; then
- echo "failed: expected 9 dns events, got $n"
- exit 1
-fi
-
-# 4 are queries.
-n=$(cat dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "query")' | wc -l | xargs)
-if test $n -ne 4; then
- echo "failed: expected 4 dns queries, got $n"
- exit 1
-fi
-
-# 4 are queries.
-n=$(cat dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "answer")' | wc -l | xargs)
-if test $n -ne 5; then
- echo "failed: expected 5 dns answers, got $n"
- exit 1
-fi
lt-version: 6
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 9
+ filename: dns.json
+ match:
+ event_type: dns
+ - filter:
+ count: 4
+ filename: dns.json
+ match:
+ event_type: dns
+ dns.type: query
+ - filter:
+ count: 5
+ filename: dns.json
+ match:
+ event_type: dns
+ dns.type: answer
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# One query for suricon.net.
-n=$(jq_count eve.json 'select(.dns.type == "query") | select(.dns.rrname == "suricon.net")')
-assert_eq 1 "$n" "request"
-
-# One answer with rdata of 181.224.138.142.
-n=$(jq_count eve.json 'select(.dns.type == "answer") | select(.dns.rdata == "181.224.138.142")')
-assert_eq 1 "$n" "response"
-
features:
- HAVE_LIBJANSSON
lt-version: 7
+
+checks:
+ - filter:
+ count: 1
+ match:
+ dns.type: query
+ dns.rrname: suricon.net
+ - filter:
+ count: 1
+ match:
+ dns.type: answer
+ dns.rdata: "181.224.138.142"
+++ /dev/null
-#! /bin/sh
-
-count=$(cat eve.json | jq -c 'select(.dns.type=="query")' | wc -l | xargs)
-if [ "${count}" -ne 20 ]; then
- echo "error: expected 20 queries, got ${count}"
- exit 1
-fi
-
-count=$(cat eve.json | jq -c 'select(.dns.type=="answer")' | wc -l | xargs)
-if [ "${count}" -ne 40 ]; then
- echo "error: expected 40 answers, got ${count}"
- exit 1
-fi
-
-exit 0
features:
- HAVE_LIBJANSSON
lt-version: 7
+
+checks:
+ - filter:
+ count: 20
+ match:
+ dns.type: query
+ - filter:
+ count: 40
+ match:
+ dns.type: answer
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-n=$(jq_count eve.json 'select(.dns.rrtype == "AAAA")')
-assert_eq 2 $n "expected 2 aaaa records"
-
-n=$(jq_count eve.json 'select(.dns.rrtype != "AAAA")')
-assert_eq 0 $n "expected 0 non-aaaa records"
-
-exit 0
-
features:
- HAVE_LIBJANSSON
lt-version: 7
+
+checks:
+ # There should only be AAAA DNS records.
+ - filter:
+ count: 2
+ match:
+ dns.rrtype: AAAA
+ - filter:
+ count: 2
+ match:
+ event_type: dns
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# Should be no answers.
-n=$(jq_count eve.json 'select(.event_type == "dns") | select(.dns.type != "answer")')
-assert_eq 0 $n "only answers expected"
-
-exit 0
-
features:
- HAVE_LIBJANSSON
lt-version: 7
+
+checks:
+ - filter:
+ count: 18
+ match:
+ event_type: dns
+ - filter:
+ count: 18
+ match:
+ dns.type: answer
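Review bot: Nothing in the new checks says that the two equal counts are the point — every one of the 18 DNS records must be an answer (the removed script's comment said the opposite of what it tested, so this is worth stating plainly now). A comment above the first filter, `# All 18 DNS records should be answers; no queries expected.`, documents the intent the same way the query-only test in this patch does.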
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-n=$(jq_count eve.json 'select(.dns.rrtype != "MX")')
-assert_eq 0 $n "only expected mx records"
-
-exit 0
-
features:
- HAVE_LIBJANSSON
lt-version: 7
+
+checks:
+ - filter:
+ count: 6
+ match:
+ dns.rrtype: MX
+ - filter:
+ count: 6
+ match:
+ event_type: dns
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-# Should be no answers.
-n=$(jq_count eve.json 'select(.event_type == "dns") | select(.dns.type != "query")')
-assert_eq 0 $n "only queries expected"
-
-exit 0
-
features:
- HAVE_LIBJANSSON
lt-version: 7
+
+checks:
+ # Check to verify that all DNS records are query only,
+ # and no responses.
+ - filter:
+ count: 3
+ match:
+ event_type: dns
+ - filter:
+ count: 3
+ match:
+ event_type: dns
+ dns.type: query
+++ /dev/null
-#! /bin/sh
-
-tcp=$(cat eve.json | \
- jq -c 'select(.event_type == "stats") | .stats.decoder.tcp')
-test "${tcp}" = "7"
min-version: 4.1.0
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.decoder.tcp: 7
+++ /dev/null
-#! /bin/sh
-
-set -e
-
-if ! grep -q "Query TX 0d4f \[\*\*\] block.dropbox.com \[\*\*\] A \[\*\*\] 10.16.1.11:49697 -> 10.16.1.1:53" lua-dns.log; then
- echo "failed to find query for block.dropbox.com"
- exit 1
-fi
-
-if ! cat lua-dns.log | \
- grep "Response" | \
- grep "client-cf.dropbox.com" | \
- grep "52.85.112.21" > /dev/null;
-then
- echo "failed to find response for client-cf.dropbox.com"
- exit 1
-fi
-
-if ! cat lua-dns.log | \
- grep "Response TX 62b2" | \
- grep "NXDOMAIN" > /dev/null;
-then
- echo "failed to find NXDOMAIN error"
- exit 1
-fi
-
-if ! cat lua-dns.log | grep "SOA" > /dev/null; then
- echo "failed find SOA response record"
- exit 1
-fi
-
-exit 0
requires:
features:
- HAVE_LUA
+
+checks:
+ - shell:
+ args: grep -q "Query TX 0d4f \[\*\*\] block.dropbox.com \[\*\*\] A \[\*\*\] 10.16.1.11:49697 -> 10.16.1.1:53" lua-dns.log
+ - shell:
+ args: cat lua-dns.log | grep Response | grep client-cf.dropbox.com | wc -l
+ expect: 2
+ - shell:
+ args: cat lua-dns.log | grep "Response TX 62b2" | grep NXDOMAIN | wc -l
+ expect: 1
+ - shell:
+ args: grep SOA lua-dns.log | wc -l
+ expect: 1
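Review bot: The second `shell` check drops the `52.85.112.21` rdata that the removed script required in the client-cf.dropbox.com response, so a response carrying a wrong answer now passes as long as two Response lines mention the name; `args: grep Response lua-dns.log | grep client-cf.dropbox.com | grep -q 52.85.112.21` keeps that constraint. The `| wc -l` checks compare stdout against `expect:`, and BSD/macOS `wc` pads its count with leading spaces — the removed scripts piped through `xargs` for exactly that reason — so unless the runner trims output before comparing (not visible here) these fail there; `grep -c` prints an unpadded count, e.g. `args: grep -c SOA lua-dns.log`. The `cat lua-dns.log | grep …` form is also a style nit: `grep Response lua-dns.log | …` reads the file directly.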
+++ /dev/null
-#! /bin/sh
-
-exec cmp http_lua.log ${TEST_DIR}/expected/http_lua.log
requires:
features:
- HAVE_LUA
+
+checks:
+ - file-compare:
+ filename: http_lua.log
+ expected: expected/http_lua.log
+++ /dev/null
-#! /bin/sh
-
-exec grep -q 'FROM <gurpartap@patriots.in> TO {<raj_deol2002in@yahoo.co.in>}' \
- smtp_lua.log
requires:
features:
- HAVE_LUA
+
+checks:
+ - shell:
+ args: grep -q 'FROM <gurpartap@patriots.in> TO {<raj_deol2002in@yahoo.co.in>}' smtp_lua.log
+++ /dev/null
-#! /bin/sh
-
-. ${TOPDIR}/util/functions.sh
-
-filename=$(cat eve.json | jq -c .fileinfo.filename)
-assert_eq '"eicar.com"' "$filename" "bad filename"
-
-exit 0
requires:
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ fileinfo.filename: eicar.com
+++ /dev/null
-#! /bin/sh
-
-exec cmp ${TEST_DIR}/expected/log.pcap.1444144603 log.pcap.1444144603
--- /dev/null
+checks:
+ - file-compare:
+ filename: log.pcap.1444144603
+ expected: expected/log.pcap.1444144603
+++ /dev/null
-#! /bin/sh
-
-failed=no
-
-# We should get a "SURICATA Applayer Mismatch protocol both
-# directions" alert.
-n=$(cat eve.json | \
- jq -c 'select(.alert.signature_id == 2260000)' | \
- wc -l | xargs)
-if [ "$n" != 1 ]; then
- echo "expected 1 event with SID 2260000"
- failed=yes
-fi
-
-# We should have a flow event with app_proto = http and app_proto_tc = ssh.
-n=$(cat eve.json | \
- jq -c 'select(.event_type == "flow") | select(.app_proto == "http") | select(.app_proto_tc == "ssh")' | \
- wc -l | xargs)
-if [ "$n" != 1 ]; then
- echo "expected 1 event with app_proto http and app_proto_tc ssh"
- failed=yes
-fi
-
-if [ "${failed}" = "yes" ]; then
- exit 1
-fi
-
-exit 0
-
requires:
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2260000
+ - filter:
+ count: 1
+ match:
+ event_type: flow
+ app_proto: http
+ app_proto_tc: ssh
+++ /dev/null
-#! /usr/bin/env bash
-
-# Check for a single alert.
-n=$(cat eve.json | jq -c 'select(.event_type == "alert")' | wc -l | xargs)
-if test "${n}" -ne 1; then
- echo "expected 1 event, found ${n}"
- exit 1
-fi
-
-exit 0
requires:
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+++ /dev/null
-#! /usr/bin/env bash
-
-# Check for 1 tls event.
-n=$(cat eve.json | jq -c 'select(.event_type == "tls")' | wc -l | xargs)
-if test "${n}" -ne 1; then
- echo "expected 1 event, got $n"
- exit 1
-fi
-
-exit 0
-
-
requires:
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls
+++ /dev/null
-#! /usr/bin/env bash
-
-# Check for 1 tls event.
-n=$(cat eve.json | jq -c 'select(.event_type == "tls")' | wc -l | xargs)
-if test "${n}" -ne 1; then
- echo "expected 1 event, got $n"
- exit 1
-fi
-
-exit 0
-
-
requires:
features:
- HAVE_LIBJANSSON
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: tls