lua: Test byte_extract access from match scripts
authorBenjamin Wilkins <benjamin.wilkins@uwaterloo.ca>
Tue, 9 Nov 2021 21:00:13 +0000 (16:00 -0500)
committerVictor Julien <victor@inliniac.net>
Tue, 13 Sep 2022 09:56:05 +0000 (11:56 +0200)
tests/lua-byte-extract/README.md [new file with mode: 0644]
tests/lua-byte-extract/input.pcap [new file with mode: 0644]
tests/lua-byte-extract/lua-byte-extract.lua [new file with mode: 0644]
tests/lua-byte-extract/lua-byte-math.lua [new file with mode: 0644]
tests/lua-byte-extract/suricata.yaml [new file with mode: 0644]
tests/lua-byte-extract/test.rules [new file with mode: 0644]
tests/lua-byte-extract/test.yaml [new file with mode: 0644]

diff --git a/tests/lua-byte-extract/README.md b/tests/lua-byte-extract/README.md
new file mode 100644 (file)
index 0000000..dfcc27a
--- /dev/null
@@ -0,0 +1 @@
+Tests Lua's accessing variables from byte_extract and byte_math in lua match scripts.
diff --git a/tests/lua-byte-extract/input.pcap b/tests/lua-byte-extract/input.pcap
new file mode 100644 (file)
index 0000000..8fb6832
Binary files /dev/null and b/tests/lua-byte-extract/input.pcap differ
diff --git a/tests/lua-byte-extract/lua-byte-extract.lua b/tests/lua-byte-extract/lua-byte-extract.lua
new file mode 100644 (file)
index 0000000..fcc0901
--- /dev/null
@@ -0,0 +1,16 @@
+function init(args)
+    local needs = {}
+    needs["bytevar"] = {"var1", "var2"}
+    return needs
+end
+
+function match(args)
+    local var1 = SCByteVarGet(0)
+    local var2 = SCByteVarGet(1)
+
+    if string.pack(">i4", var1) == "HTTP" and string.pack(">i4", var2) == "/1.1" then
+        return 1
+    else 
+        return 0
+    end
+end
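Review bot: `string.pack` on the `if` line in match() exists only in Lua 5.3 and later, so if the Suricata under test is built against LuaJIT or Lua 5.1/5.2 the call raises at match time and sid 1 never fires; test.yaml gates the test only on `HAVE_LUA`, which does not pin the Lua version. A version-neutral equivalent compares the extracted integers directly, e.g. `if var1 == 0x48545450 and var2 == 0x2F312E31 then -- "HTTP" and "/1.1" as big-endian 32-bit values (constructed from the pack comparison)`. The same applies to lua-byte-math.lua below, which packs var2 the same way. The index mapping would also benefit from a comment on the two `SCByteVarGet` lines, e.g. `-- index appears to follow the order of needs["bytevar"]: 0 -> var1, 1 -> var2 -- confirm`.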
diff --git a/tests/lua-byte-extract/lua-byte-math.lua b/tests/lua-byte-extract/lua-byte-math.lua
new file mode 100644 (file)
index 0000000..bd66c4b
--- /dev/null
@@ -0,0 +1,15 @@
+function init(args)
+    local needs = {}
+    needs["bytevar"] = {"var2"}
+    return needs
+end
+
+function match(args)
+    local var2 = SCByteVarGet(0)
+
+    if string.pack(">i4", var2) == "HTTP" then
+        return 1
+    else
+        return 0
+    end
+end
diff --git a/tests/lua-byte-extract/suricata.yaml b/tests/lua-byte-extract/suricata.yaml
new file mode 100644 (file)
index 0000000..e27e996
--- /dev/null
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
\ No newline at end of file
diff --git a/tests/lua-byte-extract/test.rules b/tests/lua-byte-extract/test.rules
new file mode 100644 (file)
index 0000000..5774d73
--- /dev/null
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; byte_extract:4,0,var1; byte_extract:4,4,var2; lua:lua-byte-extract.lua; sid:1; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; byte_math: bytes 4, offset 0, oper +, rvalue 0, result var2; lua:lua-byte-math.lua; sid:2; rev:7;)
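Review bot: Both rules reuse the same `msg:"GPL ATTACK_RESPONSE id check returned root"` even though the test exercises byte_extract and byte_math access from Lua, so the two alerts in eve output are distinguishable only by sid. A message naming the test intent per rule, e.g. `msg:"lua byte_extract vars";` for sid 1 and `msg:"lua byte_math var";` for sid 2, makes failures easier to read; `rev:7` on brand-new test rules also looks copied from the source rule and could be `rev:1`.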
diff --git a/tests/lua-byte-extract/test.yaml b/tests/lua-byte-extract/test.yaml
new file mode 100644 (file)
index 0000000..d6197b5
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  features:
+    - HAVE_LUA
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 2
+