flowbits: add tests for invalid flowbit cmd combinations 2883/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Fri, 20 Jun 2025 12:08:34 +0000 (17:38 +0530)
committerVictor Julien <vjulien@oisf.net>
Thu, 22 Jan 2026 09:13:30 +0000 (09:13 +0000)
Bug 7772
Bug 7773
Bug 7774
Bug 7817
Bug 7818
Bug 8166

36 files changed:
tests/flowbits-invalid-01/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-01/test.rules [new file with mode: 0644]
tests/flowbits-invalid-01/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-02/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-02/test.rules [new file with mode: 0644]
tests/flowbits-invalid-02/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-03/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-03/test.rules [new file with mode: 0644]
tests/flowbits-invalid-03/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-04/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-04/test.rules [new file with mode: 0644]
tests/flowbits-invalid-04/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-05/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-05/test.rules [new file with mode: 0644]
tests/flowbits-invalid-05/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-06/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-06/test.rules [new file with mode: 0644]
tests/flowbits-invalid-06/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-07/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-07/test.rules [new file with mode: 0644]
tests/flowbits-invalid-07/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-08/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-08/test.rules [new file with mode: 0644]
tests/flowbits-invalid-08/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-09/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-09/test.rules [new file with mode: 0644]
tests/flowbits-invalid-09/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-10/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-10/test.rules [new file with mode: 0644]
tests/flowbits-invalid-10/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-11/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-11/test.rules [new file with mode: 0644]
tests/flowbits-invalid-11/test.yaml [new file with mode: 0644]
tests/flowbits-invalid-12/suricata.yaml [new file with mode: 0644]
tests/flowbits-invalid-12/test.rules [new file with mode: 0644]
tests/flowbits-invalid-12/test.yaml [new file with mode: 0644]

diff --git a/tests/flowbits-invalid-01/suricata.yaml b/tests/flowbits-invalid-01/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
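Review bot: The `filename: eve.json` entry under `logging.outputs` has no comment explaining why the engine log is written to a file carrying the EVE name. It looks deliberate, so that the `filter` checks in test.yaml (which match on `log_level` and `engine.message`) read the engine log, but that is inferred from the test files rather than stated anywhere. A one-line comment above `- file:` such as `# engine log as JSON, named eve.json so the test.yaml filter checks can match engine.message` would save the next reader the detour. The same 12-line file (blob fb8c821) is added for flowbits-invalid-02 through -12, so the comment applies to each copy.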
diff --git a/tests/flowbits-invalid-01/test.rules b/tests/flowbits-invalid-01/test.rules
new file mode 100644 (file)
index 0000000..95b4009
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + isset combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:isset,fb1; sid:111;)
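Review bot: The `msg` calls this combination "Illegal", while the test.yaml for this case expects a Warning with the text "inconsequential flowbit command combination", so the rule text and the asserted engine verdict disagree. Only the isset/isnotset pairs (flowbits-invalid-04 and -10) are expected to fail with an Error and `exit-code: 1`. For 01–03, 05–09, 11 and 12 a wording like `msg: "Inconsequential flowbit set + isset combination";` would match what is asserted. This matters to a rule author reading the tests as documentation of which pairs are rejected and which are only warned about.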
diff --git a/tests/flowbits-invalid-01/test.yaml b/tests/flowbits-invalid-01/test.yaml
new file mode 100644 (file)
index 0000000..af4c897
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: set and isset"
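Review bot: `count: 1` against a test.rules that holds a single rule shows that the warning is emitted, but not that it is limited to commands on the same flowbit name. Adding a second rule to this test's test.rules that pairs the commands on different names, for example `flowbits:set,fb1; flowbits:isset,fb2; sid:112;`, and keeping `count: 1` here would pin that the check keys on the name. That assumes the engine does not flag different names, which is not visible on this page. The same gap applies to the other test.yaml files in this commit, which all use only `fb1`.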
diff --git a/tests/flowbits-invalid-02/suricata.yaml b/tests/flowbits-invalid-02/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-02/test.rules b/tests/flowbits-invalid-02/test.rules
new file mode 100644 (file)
index 0000000..b061b55
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit unset + isnotset combination"; http.method; content:"GET"; flowbits:unset,fb1; flowbits:isnotset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-02/test.yaml b/tests/flowbits-invalid-02/test.yaml
new file mode 100644 (file)
index 0000000..9da6b8b
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: unset and isnotset"
diff --git a/tests/flowbits-invalid-03/suricata.yaml b/tests/flowbits-invalid-03/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-03/test.rules b/tests/flowbits-invalid-03/test.rules
new file mode 100644 (file)
index 0000000..94eaea1
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + toggle combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:toggle,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-03/test.yaml b/tests/flowbits-invalid-03/test.yaml
new file mode 100644 (file)
index 0000000..1969a12
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: set and toggle"
diff --git a/tests/flowbits-invalid-04/suricata.yaml b/tests/flowbits-invalid-04/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-04/test.rules b/tests/flowbits-invalid-04/test.rules
new file mode 100644 (file)
index 0000000..b5ecfc5
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isset + isnot combination"; http.method; content:"GET"; flowbits:isset,fb1; flowbits:isnotset,fb1; sid:111;)
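Review bot: The `msg` abbreviates the second command as "isnot", which is not a flowbits command name; the rule itself uses `flowbits:isnotset,fb1`. `msg: "Illegal flowbit isset + isnotset combination";` would keep the message greppable by the real keyword, as flowbits-invalid-10 already does for the reversed order.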
diff --git a/tests/flowbits-invalid-04/test.yaml b/tests/flowbits-invalid-04/test.yaml
new file mode 100644 (file)
index 0000000..92ada61
--- /dev/null
@@ -0,0 +1,16 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+exit-code: 1
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Error
+        engine.message: "invalid flowbit command combination in the same signature: isset and isnotset"
diff --git a/tests/flowbits-invalid-05/suricata.yaml b/tests/flowbits-invalid-05/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-05/test.rules b/tests/flowbits-invalid-05/test.rules
new file mode 100644 (file)
index 0000000..27c6546
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + unset combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:unset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-05/test.yaml b/tests/flowbits-invalid-05/test.yaml
new file mode 100644 (file)
index 0000000..5b7af88
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: set and unset"
diff --git a/tests/flowbits-invalid-06/suricata.yaml b/tests/flowbits-invalid-06/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-06/test.rules b/tests/flowbits-invalid-06/test.rules
new file mode 100644 (file)
index 0000000..e1d5bc5
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit unset + toggle combination"; http.method; content:"GET"; flowbits:unset,fb1; flowbits:toggle,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-06/test.yaml b/tests/flowbits-invalid-06/test.yaml
new file mode 100644 (file)
index 0000000..159cddf
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: unset and toggle"
diff --git a/tests/flowbits-invalid-07/suricata.yaml b/tests/flowbits-invalid-07/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-07/test.rules b/tests/flowbits-invalid-07/test.rules
new file mode 100644 (file)
index 0000000..1c17702
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isset + set combination"; http.method; content:"GET"; flowbits:isset,fb1; flowbits:set,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-07/test.yaml b/tests/flowbits-invalid-07/test.yaml
new file mode 100644 (file)
index 0000000..79bbd14
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: isset and set"
diff --git a/tests/flowbits-invalid-08/suricata.yaml b/tests/flowbits-invalid-08/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-08/test.rules b/tests/flowbits-invalid-08/test.rules
new file mode 100644 (file)
index 0000000..b281a6d
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isnotset + unset combination"; http.method; content:"GET"; flowbits:isnotset,fb1; flowbits:unset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-08/test.yaml b/tests/flowbits-invalid-08/test.yaml
new file mode 100644 (file)
index 0000000..ab19acc
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: isnotset and unset"
diff --git a/tests/flowbits-invalid-09/suricata.yaml b/tests/flowbits-invalid-09/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-09/test.rules b/tests/flowbits-invalid-09/test.rules
new file mode 100644 (file)
index 0000000..76318bc
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit toggle + set combination"; http.method; content:"GET"; flowbits:toggle,fb1; flowbits:set,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-09/test.yaml b/tests/flowbits-invalid-09/test.yaml
new file mode 100644 (file)
index 0000000..5475b05
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: toggle and set"
diff --git a/tests/flowbits-invalid-10/suricata.yaml b/tests/flowbits-invalid-10/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-10/test.rules b/tests/flowbits-invalid-10/test.rules
new file mode 100644 (file)
index 0000000..e638a07
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isnotset + isset combination"; http.method; content:"GET"; flowbits:isnotset,fb1; flowbits:isset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-10/test.yaml b/tests/flowbits-invalid-10/test.yaml
new file mode 100644 (file)
index 0000000..92ada61
--- /dev/null
@@ -0,0 +1,16 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+exit-code: 1
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Error
+        engine.message: "invalid flowbit command combination in the same signature: isset and isnotset"
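Review bot: The expected message reads "isset and isnotset" although this test's rule has the keywords in the order isnotset, isset, and the file is byte-identical to flowbits-invalid-04/test.yaml (same blob 92ada61). In the warning tests the message follows keyword order (01 expects "set and isset", 07 expects "isset and set"), so a reader cannot tell whether the fixed order here is engine behaviour or a copy-paste slip. If the engine does report this pair in a fixed order, a comment above `checks:` such as `# engine reports this pair as "isset and isnotset" regardless of keyword order` would make that explicit.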
diff --git a/tests/flowbits-invalid-11/suricata.yaml b/tests/flowbits-invalid-11/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-11/test.rules b/tests/flowbits-invalid-11/test.rules
new file mode 100644 (file)
index 0000000..46fbcc5
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit unset + set combination"; http.method; content:"GET"; flowbits:unset,fb1; flowbits:set,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-11/test.yaml b/tests/flowbits-invalid-11/test.yaml
new file mode 100644 (file)
index 0000000..3b05932
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: unset and set"
diff --git a/tests/flowbits-invalid-12/suricata.yaml b/tests/flowbits-invalid-12/suricata.yaml
new file mode 100644 (file)
index 0000000..fb8c821
--- /dev/null
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules: yes
+
+logging:
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/flowbits-invalid-12/test.rules b/tests/flowbits-invalid-12/test.rules
new file mode 100644 (file)
index 0000000..fd4961c
--- /dev/null
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit toggle + unset combination"; http.method; content:"GET"; flowbits:toggle,fb1; flowbits:unset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-12/test.yaml b/tests/flowbits-invalid-12/test.yaml
new file mode 100644 (file)
index 0000000..860fdd2
--- /dev/null
@@ -0,0 +1,14 @@
+requires:
+  min-version: 9
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      count: 1
+      match:
+        log_level: Warning
+        engine.message: "inconsequential flowbit command combination in the same signature: toggle and unset"