test: Add byte_math tests
authorJeff Lucovsky <jeff@lucovsky.org>
Tue, 5 May 2020 12:14:56 +0000 (08:14 -0400)
committerVictor Julien <victor@inliniac.net>
Sat, 11 Jul 2020 06:47:04 +0000 (08:47 +0200)
This commit adds tests for the byte_math keyword. The tests are simple
and complement the unit tests added with the Suricata PR.

tests/detect-bytemath-01/input.pcap [new file with mode: 0644]
tests/detect-bytemath-01/test.rules [new file with mode: 0644]
tests/detect-bytemath-01/test.yaml [new file with mode: 0644]
tests/detect-bytemath-02/test.rules [new file with mode: 0644]
tests/detect-bytemath-02/test.yaml [new file with mode: 0644]
tests/test-bad-byte-extract-rule-1/test.yaml
tests/test-bad-byte-extract-rule-2/test.yaml
tests/test-bad-byte-extract-rule-3/eve.json [new file with mode: 0644]
tests/test-bad-byte-extract-rule-3/suricata.yaml [new file with mode: 0644]
tests/test-bad-byte-extract-rule-3/test.rules [new file with mode: 0644]
tests/test-bad-byte-extract-rule-3/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-bytemath-01/input.pcap b/tests/detect-bytemath-01/input.pcap
new file mode 100644 (file)
index 0000000..4a18a07
Binary files /dev/null and b/tests/detect-bytemath-01/input.pcap differ
diff --git a/tests/detect-bytemath-01/test.rules b/tests/detect-bytemath-01/test.rules
new file mode 100644 (file)
index 0000000..9e9aa75
--- /dev/null
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"Byte-math test"; \
+    ipv4.hdr; byte_math:bytes 1, offset 1, oper <<, rvalue 2, result result_val; \
+    tcp.hdr; byte_test: 1, =, 0x88, 1, relative; \
+    sid:1;)
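Review bot: The `result_val` that byte_math stores on the second line of the rule is never consumed — the byte_test on the next line compares against the literal `0x88` — so this test exercises byte_math's parsing and execution but not that the computed value is correct or reachable by a later keyword. If byte_test accepts a byte_math result variable in its value position (as it does for byte_extract variables, if I recall correctly), a second rule such as `byte_test: 1, =, result_val, 1, relative; sid:2;` with its own count check would pin the arithmetic; confirm against the 6.0 byte_math documentation before relying on that. Since the pcap is binary, a comment in the rules file naming which IPv4 header byte `offset 1` reads and why `0x88` is the expected tcp.hdr byte would make the expectation reviewable without opening the capture.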
diff --git a/tests/detect-bytemath-01/test.yaml b/tests/detect-bytemath-01/test.yaml
new file mode 100644 (file)
index 0000000..e27bf86
--- /dev/null
@@ -0,0 +1,9 @@
+requires:
+  min-version: 6
+
+checks:
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 1
diff --git a/tests/detect-bytemath-02/test.rules b/tests/detect-bytemath-02/test.rules
new file mode 100644 (file)
index 0000000..27c31f1
--- /dev/null
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (msg:"Byte-math test w/no prev match"; \
+    ipv4.hdr; byte_math:bytes 1, offset 1, oper <<, rvalue 2, result result_val, relative; \
+    tcp.hdr; byte_test: 1, =, 0x88, 1, relative; \
+    sid:1;)
diff --git a/tests/detect-bytemath-02/test.yaml b/tests/detect-bytemath-02/test.yaml
new file mode 100644 (file)
index 0000000..ca9b911
--- /dev/null
@@ -0,0 +1,13 @@
+requires:
+  min-version: 6
+  pcap: false
+
+exit-code: 1
+
+args:
+    - --engine-analysis
+
+checks:
+  - shell:
+      args: grep -o "relative specified without previous pattern match" suricata.log | wc -l | xargs
+      expect: 1
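Review bot: The `args` sequence on line 8 is indented by four spaces while the `checks` sequence below and every other test.yaml in this commit use two, so the file mixes block-sequence indentation styles and yamllint's `indentation` rule will flag it; `args:` followed by `  - --engine-analysis` keeps it consistent. The shell check's `expect: 1` is an integer while the `grep | wc -l | xargs` pipeline yields text; if the runner compares `str(expect)` against stripped output this works, but `expect: "1"` removes the dependency on that coercion — confirm how suricata-verify's shell check compares. A short comment above the check saying why `exit-code: 1` is expected (the rule is rejected at load time under `--engine-analysis`) would help the next reader.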
index 004036e8add28c89ac581fc118ad0b529d98207e..a1aefedc5062c7e00f72601ef2f5e6160b931638 100644 (file)
@@ -1,5 +1,5 @@
 requires:
-  min-version: 5.0.0
+  min-version: 6
 
   features:
     - HAVE_LIBJANSSON
@@ -14,7 +14,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "unknown byte_extract var seen in depth - d."
+        engine.message: "unknown byte_ keyword var seen in depth - d."
 
   - filter:
       count: 1
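Review bot: Bumping `min-version` to 6 together with the new `engine.message` wording silently drops 5.x coverage from this test, and the commit restores it in test-bad-byte-extract-rule-3 with the old wording; nothing in this file points a maintainer there. A comment above `min-version`, e.g. `# Suricata 5.x wording of this message is covered by test-bad-byte-extract-rule-3`, would keep the two tests from drifting apart. The second hunk's `checks:` list continues outside the hunk.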
index 306e1d758cf5a308fce05a401b865a55703175a7..e7bfcdfedfd59484852c9cc9e4b841ee47f28f6d 100644 (file)
@@ -1,5 +1,5 @@
 requires:
-  min-version: 5.0.0
+  min-version: 5
 
   features:
     - HAVE_LIBJANSSON
diff --git a/tests/test-bad-byte-extract-rule-3/eve.json b/tests/test-bad-byte-extract-rule-3/eve.json
new file mode 100644 (file)
index 0000000..aa71d91
--- /dev/null
@@ -0,0 +1,40 @@
+{"timestamp":"2020-06-07T21:15:31.170962+0000","log_level":"Notice","event_type":"engine","engine":{"message":"This is Suricata version 4.1.0-dev (rev 32990c9ad)"}}
+{"timestamp":"2020-06-07T21:15:31.171398+0000","log_level":"Info","event_type":"engine","engine":{"message":"CPUs\/cores online: 2"}}
+{"timestamp":"2020-06-07T21:15:31.179917+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":307,"error":"SC_ERR_SMB_CONFIG","message":"no SMB TCP config found, enabling SMB detection on port 445."}}
+{"timestamp":"2020-06-07T21:15:31.183113+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS UDP config found, enabling DNS detection on port 53."}}
+{"timestamp":"2020-06-07T21:15:31.183282+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS TCP config found, enabling DNS detection on port 53."}}
+{"timestamp":"2020-06-07T21:15:31.197576+0000","log_level":"Info","event_type":"engine","engine":{"message":"No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'"}}
+{"timestamp":"2020-06-07T21:15:31.219781+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":261,"error":"SC_WARN_NO_STATS_LOGGERS","message":"stats are enabled but no loggers are active"}}
+{"timestamp":"2020-06-07T21:15:31.220772+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"42\" classification types from the classification file"}}
+{"timestamp":"2020-06-07T21:15:31.220967+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"19\" reference types from the reference.config file"}}
+{"timestamp":"2020-06-07T21:15:31.221365+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"unknown byte_extract var seen in depth - d\n"}}
+{"timestamp":"2020-06-07T21:15:31.221461+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"error parsing signature \"alert tcp any any -> any any (msg:\"Byte_Extract Example Using depth\"; content:\"Alice\"; depth:d; byte_extract:2,1,size; content:\"Bob\"; sid:1111;)\" from file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/test.rules at line 1"}}
+{"timestamp":"2020-06-07T21:15:31.221578+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rule was loaded at all!"}}
+{"timestamp":"2020-06-07T21:15:31.221749+0000","log_level":"Info","event_type":"engine","engine":{"message":"Threshold config parsed: 0 rule(s) found"}}
+{"timestamp":"2020-06-07T21:15:31.222071+0000","log_level":"Info","event_type":"engine","engine":{"message":"0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only"}}
+{"timestamp":"2020-06-07T21:15:31.227159+0000","log_level":"Info","event_type":"engine","engine":{"message":"Checking file or directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}}
+{"timestamp":"2020-06-07T21:15:31.227479+0000","log_level":"Info","event_type":"engine","engine":{"message":"Argument \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/ was a directory"}}
+{"timestamp":"2020-06-07T21:15:31.253874+0000","log_level":"Notice","event_type":"engine","engine":{"message":"all 3 packet processing threads, 2 management threads initialized, engine started."}}
+{"timestamp":"2020-06-07T21:15:31.254027+0000","log_level":"Info","event_type":"engine","engine":{"message":"Starting directory run for \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}}
+{"timestamp":"2020-06-07T21:15:31.254116+0000","log_level":"Info","event_type":"engine","engine":{"message":"Processing pcaps directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/, files must be newer than 0 and older than 18446744073709550616"}}
+{"timestamp":"2020-06-07T21:15:31.254266+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json\" at 1591564531251"}}
+{"timestamp":"2020-06-07T21:15:31.254327+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml\" at 1591564527947"}}
+{"timestamp":"2020-06-07T21:15:31.254369+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp\" at 1591564527951"}}
+{"timestamp":"2020-06-07T21:15:31.254426+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml\" at 1562592701002"}}
+{"timestamp":"2020-06-07T21:15:31.254468+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules\" at 1562592701002"}}
+{"timestamp":"2020-06-07T21:15:31.254636+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
+{"timestamp":"2020-06-07T21:15:31.254687+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml, skipping"}}
+{"timestamp":"2020-06-07T21:15:31.254779+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
+{"timestamp":"2020-06-07T21:15:31.254807+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules, skipping"}}
+{"timestamp":"2020-06-07T21:15:31.254869+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
+{"timestamp":"2020-06-07T21:15:31.254896+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml, skipping"}}
+{"timestamp":"2020-06-07T21:15:31.254956+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
+{"timestamp":"2020-06-07T21:15:31.254984+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp, skipping"}}
+{"timestamp":"2020-06-07T21:15:31.255056+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
+{"timestamp":"2020-06-07T21:15:31.255096+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json, skipping"}}
+{"timestamp":"2020-06-07T21:15:31.255127+0000","log_level":"Info","event_type":"engine","engine":{"message":"Directory run mode complete"}}
+{"timestamp":"2020-06-07T21:15:31.264063+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Signal Received.  Stopping engine."}}
+{"timestamp":"2020-06-07T21:15:31.279036+0000","log_level":"Info","event_type":"engine","engine":{"message":"time elapsed 0.056s"}}
+{"timestamp":"2020-06-07T21:15:31.286147+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Pcap-file module read 0 files, 0 packets, 0 bytes"}}
+{"timestamp":"2020-06-07T21:15:31.288407+0000","log_level":"Info","event_type":"engine","engine":{"message":"Alerts: 0"}}
+{"timestamp":"2020-06-07T21:15:31.302139+0000","log_level":"Info","event_type":"engine","engine":{"message":"cleaning up signature grouping structure... complete"}}
diff --git a/tests/test-bad-byte-extract-rule-3/suricata.yaml b/tests/test-bad-byte-extract-rule-3/suricata.yaml
new file mode 100644 (file)
index 0000000..dcaae57
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
diff --git a/tests/test-bad-byte-extract-rule-3/test.rules b/tests/test-bad-byte-extract-rule-3/test.rules
new file mode 100644 (file)
index 0000000..ede6581
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"Byte_Extract Example Using depth"; content:"Alice"; depth:d; byte_extract:2,1,size; content:"Bob"; sid:1111;)
diff --git a/tests/test-bad-byte-extract-rule-3/test.yaml b/tests/test-bad-byte-extract-rule-3/test.yaml
new file mode 100644 (file)
index 0000000..3df194c
--- /dev/null
@@ -0,0 +1,24 @@
+requires:
+  version: 5
+  lt-version: 6
+
+  features:
+    - HAVE_LIBJANSSON
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entres in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "unknown byte_extract var seen in depth - d."
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"
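Review bot: The `command` on line 9 passes `-r ${TEST_DIR}/`, which makes Suricata treat every file in the test directory as a pcap, and the `tests/test-bad-byte-extract-rule-3/eve.json` added in this same commit looks like a captured output of exactly such a run rather than a fixture: it logs SC_ERR_FOPEN/SC_ERR_PCAP_DISPATCH for test.yaml, suricata.yaml, test.rules and a `.test.yaml.swp` editor swap file, embeds the author's home directory path, and is not referenced by any check here. Since the test writes its own eve.json to `${OUTPUT_DIR}`, the committed copy appears to be an accidental add and should be dropped from the test directory instead of being read as a pseudo-pcap on every run. The `requires` block combines `version: 5` with `lt-version: 6`; assuming `version` pins the major release, the `lt-version` line is redundant — confirm against the runner's `requires` handling. Line 13 has a typo, `entres` → `entries`.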