dataset/rep: add tests for error conditions

diff --git a/tests/datasets/datarep-bad-datarep-string/datarep.rules b/tests/datasets/datarep-bad-datarep-string/datarep.rules
new file mode 100644 (file)
index 0000000..7fc15e2
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)

diff --git a/tests/datasets/datarep-bad-datarep-string/dns_string.rep b/tests/datasets/datarep-bad-datarep-string/dns_string.rep
new file mode 100644 (file)
index 0000000..e7da6df
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLm;NvbQ==,1

diff --git a/tests/datasets/datarep-bad-datarep-string/suricata.yaml b/tests/datasets/datarep-bad-datarep-string/suricata.yaml
new file mode 100644 (file)
index 0000000..bb94cf5
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration.  This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+  default-log-level: notice
+  outputs:
+  - console:
+      enabled: yes
+      # type: json
+  - file:
+      enabled: yes
+      level: info
+      filename: suricata.json
+      type: json
+  - syslog:
+      enabled: no
+      facility: local5
+      format: "[%i] <%d> -- "

diff --git a/tests/datasets/datarep-bad-datarep-string/test.yaml b/tests/datasets/datarep-bad-datarep-string/test.yaml
new file mode 100644 (file)
index 0000000..3ba4d10
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-string/test.yaml
@@ -0,0 +1,22 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+  - filter:
+      min-version: 8
+      filename: suricata.json
+      count: 1
+      match:
+        log_level: "Error"
+        event_type: "engine"
+        engine.message.__find: "bad base64 encoding dns_string"

diff --git a/tests/datasets/datarep-bad-datarep-value/datarep.rules b/tests/datasets/datarep-bad-datarep-value/datarep.rules
new file mode 100644 (file)
index 0000000..7fc15e2
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)

diff --git a/tests/datasets/datarep-bad-datarep-value/dns_string.rep b/tests/datasets/datarep-bad-datarep-value/dns_string.rep
new file mode 100644 (file)
index 0000000..179cfc8
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/dns_string.rep
@@ -0,0 +1 @@
+Z29vZ2xlLmNvbQ==,-1

diff --git a/tests/datasets/datarep-bad-datarep-value/suricata.yaml b/tests/datasets/datarep-bad-datarep-value/suricata.yaml
new file mode 100644 (file)
index 0000000..bb94cf5
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration.  This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+  default-log-level: notice
+  outputs:
+  - console:
+      enabled: yes
+      # type: json
+  - file:
+      enabled: yes
+      level: info
+      filename: suricata.json
+      type: json
+  - syslog:
+      enabled: no
+      facility: local5
+      format: "[%i] <%d> -- "

diff --git a/tests/datasets/datarep-bad-datarep-value/test.yaml b/tests/datasets/datarep-bad-datarep-value/test.yaml
new file mode 100644 (file)
index 0000000..20b06fc
--- /dev/null
+++ b/tests/datasets/datarep-bad-datarep-value/test.yaml
@@ -0,0 +1,22 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+  features:
+    - HAVE_LIBJANSSON
+  files:
+    - src/datasets.c
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+  - filter:
+      min-version: 8
+      filename: suricata.json
+      count: 1
+      match:
+        log_level: "Error"
+        event_type: "engine"
+        engine.message.__find: "invalid datarep value dns_string"

diff --git a/tests/datasets/datarep-datasets-mix/datasets.csv b/tests/datasets/datarep-datasets-mix/datasets.csv
new file mode 100644 (file)
index 0000000..83907f1
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/datasets.csv
@@ -0,0 +1,2 @@
+Y3VybC83LjQzLjA=
+YmxhaA==,1

diff --git a/tests/datasets/datarep-datasets-mix/suricata.yaml b/tests/datasets/datarep-datasets-mix/suricata.yaml
new file mode 100644 (file)
index 0000000..bb94cf5
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration.  This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+  default-log-level: notice
+  outputs:
+  - console:
+      enabled: yes
+      # type: json
+  - file:
+      enabled: yes
+      level: info
+      filename: suricata.json
+      type: json
+  - syslog:
+      enabled: no
+      facility: local5
+      format: "[%i] <%d> -- "

diff --git a/tests/datasets/datarep-datasets-mix/test.rules b/tests/datasets/datarep-datasets-mix/test.rules
new file mode 100644 (file)
index 0000000..7cd7d67
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load datasets.csv; sid:1;)
+alert http any any -> any any (http.user_agent; dataset:isnotset,ua-seen,type string,load datasets.csv; sid:2;)

diff --git a/tests/datasets/datarep-datasets-mix/test.yaml b/tests/datasets/datarep-datasets-mix/test.yaml
new file mode 100644 (file)
index 0000000..977046e
--- /dev/null
+++ b/tests/datasets/datarep-datasets-mix/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+  - filter:
+      min-version: 8
+      filename: suricata.json
+      count: 1
+      match:
+        log_level: "Error"
+        event_type: "engine"
+        engine.message.__find: "Cannot mix dataset and datarep values for set ua-seen"

diff --git a/tests/datasets/datasets-datarep-mix/datarep.rules b/tests/datasets/datasets-datarep-mix/datarep.rules
new file mode 100644 (file)
index 0000000..7fc15e2
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/datarep.rules
@@ -0,0 +1 @@
+alert dns any any -> any any (dns.query; datarep:dns_string, >, 200, load dns_string.rep, type string; sid:1;)

diff --git a/tests/datasets/datasets-datarep-mix/dns_string.rep b/tests/datasets/datasets-datarep-mix/dns_string.rep
new file mode 100644 (file)
index 0000000..49fe379
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/dns_string.rep
@@ -0,0 +1,2 @@
+Z29vZ2xlLmNvbQ==,1
+YmxhaA==

diff --git a/tests/datasets/datasets-datarep-mix/suricata.yaml b/tests/datasets/datasets-datarep-mix/suricata.yaml
new file mode 100644 (file)
index 0000000..bb94cf5
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/suricata.yaml
@@ -0,0 +1,20 @@
+%YAML 1.1
+---
+
+# Logging configuration.  This is not about logging IDS alerts/events, but
+# output about what Suricata is doing, like startup messages, errors, etc.
+logging:
+  default-log-level: notice
+  outputs:
+  - console:
+      enabled: yes
+      # type: json
+  - file:
+      enabled: yes
+      level: info
+      filename: suricata.json
+      type: json
+  - syslog:
+      enabled: no
+      facility: local5
+      format: "[%i] <%d> -- "

diff --git a/tests/datasets/datasets-datarep-mix/test.yaml b/tests/datasets/datasets-datarep-mix/test.yaml
new file mode 100644 (file)
index 0000000..3eac846
--- /dev/null
+++ b/tests/datasets/datasets-datarep-mix/test.yaml
@@ -0,0 +1,19 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+  min-version: 8
+
+args:
+ - -k none
+
+exit-code: 1
+
+checks:
+  - filter:
+      min-version: 8
+      filename: suricata.json
+      count: 1
+      match:
+        log_level: "Error"
+        event_type: "engine"
+        engine.message.__find: "Cannot mix dataset and datarep values for set dns_string"