Add ability to match on the length of an array.

By using the "magic" key value of __len, a match can be done
on the length of an array. For example:

  - filter:
      count: 1
      match:
        event_type: http
        http.response_headers.__len: 9

This does rely on us never using __len as an actual object
key, so is a bit of a hack.

diff --git a/README.md b/README.md
index 29751920ea823dc0cea6d73c2d3d969be37e7a6c..00124f09780ee433bb032a3ace437404e75c8060 100644 (file)
--- a/README.md
+++ b/README.md
@@ -28,12 +28,8 @@ Or to run a single test:
 
 - Optional: Create a suricata.yaml in the test directory.
 
-    Note: You may want to add something like:
-    ```
-    include: ../../etc/suricata-4.0.3.yaml
-    ```
-    to the top and then just make the necessary overrides in the tests
-    suricata.yaml.
+    Its usually OK to just add the bits of YAML required to enable
+    features for the test.
 
        If the test directory does not include a suricata.yaml, the one
     found in your build directory will be used.
@@ -112,6 +108,9 @@ checks:
                
                # Example match on array item:
                alert.metadata.tag[0]: "tag1"
+
+        # Example match on the length of an array.
+        alert.metadata.tag.__len: 3
                
                # Check that a field exists:
                has-key: alert.rule

diff --git a/run.py b/run.py
index a0d2b4ff14e81e9198eb88215761d2483cf8684b..002d1ad212f1e1cbd018f7beff32515da8bb8ec6 100755 (executable)
--- a/run.py
+++ b/run.py
@@ -224,6 +224,15 @@ def find_value(name, obj):
     """
     parts = name.split(".")
     for part in parts:
+
+        if part == "__len":
+            # Get the length of the object. Return -1 if the object is
+            # not a type that has a length (numbers).
+            try:
+                return len(obj)
+            except:
+                return -1
+
         name = None
         index = None
         m = re.match("^(.*)\[(\d+)\]$", part)