tests: datajson remove_key tests

diff --git a/tests/datajson/datajson-03-jsonline/test.yaml b/tests/datajson/datajson-03-jsonline/test.yaml
index 9719055195df99cebdc1b053ad2b32e176844021..87e90bdab896bea7a762c2af044a11e2227db07c 100644 (file)
--- a/tests/datajson/datajson-03-jsonline/test.yaml
+++ b/tests/datajson/datajson-03-jsonline/test.yaml
@@ -18,3 +18,5 @@ checks:
         alert.signature_id: 1
         alert.extra.src_ip.test: success
         alert.extra.bad_host.year: 2005
+        alert.extra.src_ip.ip: "10.16.1.11"
+        alert.extra.bad_host.host: "www.testmyids.com"

diff --git a/tests/datajson/datajson-06-remove-key/host.lst b/tests/datajson/datajson-06-remove-key/host.lst
new file mode 100644 (file)
index 0000000..2956f38
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/host.lst
@@ -0,0 +1,2 @@
+{"host": "testmyids.com", "context":"gold old test", "year": 2005}
+{"host": "www.testmyids.com", "context":"gold old test", "year": 2005}

diff --git a/tests/datajson/datajson-06-remove-key/src.lst b/tests/datajson/datajson-06-remove-key/src.lst
new file mode 100644 (file)
index 0000000..d1f55c6
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/src.lst
@@ -0,0 +1,2 @@
+{"ip": "10.16.1.11", "test": "success", "context":3}
+{"ip": "10.16.1.12", "test": "fail", "context":4}

diff --git a/tests/datajson/datajson-06-remove-key/test.rules b/tests/datajson/datajson-06-remove-key/test.rules
new file mode 100644 (file)
index 0000000..f5a6138
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,remove_key, value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip, remove_key; sid:1;)

diff --git a/tests/datajson/datajson-06-remove-key/test.yaml b/tests/datajson/datajson-06-remove-key/test.yaml
new file mode 100644 (file)
index 0000000..13c495e
--- /dev/null
+++ b/tests/datajson/datajson-06-remove-key/test.yaml
@@ -0,0 +1,35 @@
+requires:
+  min-version: 8
+
+pcap: ../datajson-01-ip/input.pcap
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.bad_host.year: 2005
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.src_ip.ip: 10.16.1.11
+        alert.extra.bad_host.year: 2005
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.bad_host.host: www.testmyids.com

diff --git a/tests/datajson/datajson-10-remove-nested-key/host.lst b/tests/datajson/datajson-10-remove-nested-key/host.lst
new file mode 100644 (file)
index 0000000..dba2b0f
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/host.lst
@@ -0,0 +1,2 @@
+{"ioc": {"host": "testmyids.com"}, "context":"gold old test", "year": 2005}
+{"ioc": {"host": "www.testmyids.com"}, "context":"gold old test", "year": 2005}

diff --git a/tests/datajson/datajson-10-remove-nested-key/src.lst b/tests/datajson/datajson-10-remove-nested-key/src.lst
new file mode 100644 (file)
index 0000000..d1f55c6
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/src.lst
@@ -0,0 +1,2 @@
+{"ip": "10.16.1.11", "test": "success", "context":3}
+{"ip": "10.16.1.12", "test": "fail", "context":4}

diff --git a/tests/datajson/datajson-10-remove-nested-key/test.rules b/tests/datajson/datajson-10-remove-nested-key/test.rules
new file mode 100644 (file)
index 0000000..7b9d012
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,value_key ioc.host,remove_key; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip; sid:1;)

diff --git a/tests/datajson/datajson-10-remove-nested-key/test.yaml b/tests/datajson/datajson-10-remove-nested-key/test.yaml
new file mode 100644 (file)
index 0000000..e256f88
--- /dev/null
+++ b/tests/datajson/datajson-10-remove-nested-key/test.yaml
@@ -0,0 +1,30 @@
+requires:
+  min-version: 8
+
+pcap: ../datajson-01-ip/input.pcap
+
+args:
+ - -k none --set datasets.enabled=yes
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.bad_host.year: 2005
+        alert.extra.src_ip.ip: "10.16.1.11"
+  - filter:
+      count: 0
+      match:
+        event_type: alert
+        alert.signature_id: 1
+        alert.extra.src_ip.test: success
+        alert.extra.bad_host.year: 2005
+        alert.extra.src_ip.ip: "10.16.1.11"
+        alert.extra.bad_host.host: "www.testmyids.com"