tests/dsize Suricata version 7 and later tests
authorJeff Lucovsky <jeff@lucovsky.org>
Sat, 22 Jan 2022 14:33:50 +0000 (09:33 -0500)
committerVictor Julien <victor@inliniac.net>
Thu, 10 Nov 2022 13:03:49 +0000 (15:03 +0200)
This commit adds tests for Suricata 7 and later that exercise the new dsize
validation logic. A new error message stating the actual and expected
dsize values is emitted when there is a mismatch.

15 files changed:
tests/test-bad-content-dsize-rule-2/suricata.yaml [new file with mode: 0644]
tests/test-bad-content-dsize-rule-2/test.rules [new file with mode: 0644]
tests/test-bad-content-dsize-rule-2/test.yaml [new file with mode: 0644]
tests/test-bad-content-dsize-rule-3/suricata.yaml [new file with mode: 0644]
tests/test-bad-content-dsize-rule-3/test.rules [new file with mode: 0644]
tests/test-bad-content-dsize-rule-3/test.yaml [new file with mode: 0644]
tests/test-bad-dsize-offset-rule-2/suricata.yaml [new file with mode: 0644]
tests/test-bad-dsize-offset-rule-2/test.rules [new file with mode: 0644]
tests/test-bad-dsize-offset-rule-2/test.yaml [new file with mode: 0644]
tests/test-bad-dsize-range-offset-rule-2/suricata.yaml [new file with mode: 0644]
tests/test-bad-dsize-range-offset-rule-2/test.rules [new file with mode: 0644]
tests/test-bad-dsize-range-offset-rule-2/test.yaml [new file with mode: 0644]
tests/test-bad-dsize-range-rule-2/suricata.yaml [new file with mode: 0644]
tests/test-bad-dsize-range-rule-2/test.rules [new file with mode: 0644]
tests/test-bad-dsize-range-rule-2/test.yaml [new file with mode: 0644]

diff --git a/tests/test-bad-content-dsize-rule-2/suricata.yaml b/tests/test-bad-content-dsize-rule-2/suricata.yaml
new file mode 100644 (file)
index 0000000..dcaae57
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
diff --git a/tests/test-bad-content-dsize-rule-2/test.rules b/tests/test-bad-content-dsize-rule-2/test.rules
new file mode 100644 (file)
index 0000000..f5cd807
--- /dev/null
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFUL - Content Greater than Dsize INVALID combination "; dsize:10; content:"thisstringisgreaterthan10bytes"; sid:6666662; rev:1;)
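Review bot: The rule's `msg` spells "SUCCESFUL", and the same typo appears in tests/test-bad-dsize-range-offset-rule-2/test.rules and tests/test-bad-dsize-range-rule-2/test.rules, while tests/test-bad-dsize-offset-rule-2/test.rules spells it "SUCCESSFUL". None of the checks in this commit match on the msg text, so this is cosmetic, but a consistent spelling makes it easier to grep across the dsize tests when a rule-load regression is being chased. Suggested: `msg:"TEST SUCCESSFUL - Content Greater than Dsize INVALID combination";` (this also drops the stray trailing space before the closing quote).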
diff --git a/tests/test-bad-content-dsize-rule-2/test.yaml b/tests/test-bad-content-dsize-rule-2/test.yaml
new file mode 100644 (file)
index 0000000..4a4af61
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  version: 7
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entries in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "signature can't match as required content length 30 exceeds dsize value 10"
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"
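Review bot: The `requires` block at the top of this hunk pins `version: 7`, which selects only Suricata 7 rather than "7 and later" as the commit title states; the test.yaml files for tests/test-bad-dsize-range-offset-rule-2 and tests/test-bad-dsize-range-rule-2 use `min-version: 7` for the same purpose. The same `version: 7` key is also used in tests/test-bad-content-dsize-rule-3/test.yaml and tests/test-bad-dsize-offset-rule-2/test.yaml. Unless the narrower pin is intentional, these three files should read `  min-version: 7` so the checks keep running on newer releases, where a regression in the dsize validation would otherwise pass unnoticed because the test is skipped.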
diff --git a/tests/test-bad-content-dsize-rule-3/suricata.yaml b/tests/test-bad-content-dsize-rule-3/suricata.yaml
new file mode 100644 (file)
index 0000000..dcaae57
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
diff --git a/tests/test-bad-content-dsize-rule-3/test.rules b/tests/test-bad-content-dsize-rule-3/test.rules
new file mode 100644 (file)
index 0000000..22e7651
--- /dev/null
@@ -0,0 +1 @@
+alert ip any any -> any  any (msg:"dsize -- negated content requires more content";dsize:16; content:"abcdef"; startswith; content:!"a"; distance:0; content:"789"; distance:0; content:!"c"; distance:1; within:10;sid:5;)
diff --git a/tests/test-bad-content-dsize-rule-3/test.yaml b/tests/test-bad-content-dsize-rule-3/test.yaml
new file mode 100644 (file)
index 0000000..0613203
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  version: 7
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entries in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "signature can't match as required content length 20 exceeds dsize value 16"
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"
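Review bot: The command in this hunk points at `${SRCDIR}/etc/classification.config` and `${SRCDIR}/etc/reference.config`, while the other four test.yaml files in this commit use `${SRCDIR}/classification.config` and `${SRCDIR}/reference.config`. Only one of these layouts can match the Suricata checkout the runner is given, so presumably one variant runs with a missing classification/reference file. The `engine.error: "SC_ERR_NO_RULES_LOADED"` check would likely still pass either way, which hides the discrepancy; the five files should use the same path so a configuration-path error is never mistaken for the expected dsize rule-load failure.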
diff --git a/tests/test-bad-dsize-offset-rule-2/suricata.yaml b/tests/test-bad-dsize-offset-rule-2/suricata.yaml
new file mode 100644 (file)
index 0000000..dcaae57
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
diff --git a/tests/test-bad-dsize-offset-rule-2/test.rules b/tests/test-bad-dsize-offset-rule-2/test.rules
new file mode 100644 (file)
index 0000000..72e469f
--- /dev/null
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESSFUL - dsize/offset INVALID combination "; dsize:50; content:"AA"; offset:100; sid:6666661; rev:1;)
diff --git a/tests/test-bad-dsize-offset-rule-2/test.yaml b/tests/test-bad-dsize-offset-rule-2/test.yaml
new file mode 100644 (file)
index 0000000..d3d485d
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  version: 7
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entries in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "signature can't match as required content length 102 exceeds dsize value 50"
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"
diff --git a/tests/test-bad-dsize-range-offset-rule-2/suricata.yaml b/tests/test-bad-dsize-range-offset-rule-2/suricata.yaml
new file mode 100644 (file)
index 0000000..dcaae57
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
diff --git a/tests/test-bad-dsize-range-offset-rule-2/test.rules b/tests/test-bad-dsize-range-offset-rule-2/test.rules
new file mode 100644 (file)
index 0000000..7bbe446
--- /dev/null
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFUL - dsize/offset INVALID combination "; dsize:5<>10; content:"AAAA"; offset:8; sid:6666665; rev:1;)
diff --git a/tests/test-bad-dsize-range-offset-rule-2/test.yaml b/tests/test-bad-dsize-range-offset-rule-2/test.yaml
new file mode 100644 (file)
index 0000000..74e366c
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  min-version: 7
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entries in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "signature can't match as required content length 12 exceeds dsize value 10"
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"
diff --git a/tests/test-bad-dsize-range-rule-2/suricata.yaml b/tests/test-bad-dsize-range-rule-2/suricata.yaml
new file mode 100644 (file)
index 0000000..dcaae57
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
diff --git a/tests/test-bad-dsize-range-rule-2/test.rules b/tests/test-bad-dsize-range-rule-2/test.rules
new file mode 100644 (file)
index 0000000..64b71f8
--- /dev/null
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFUL - dsize with range INVALID combination "; dsize:5<>10; content:"thisstringisgreaterthan10bytes"; sid:6666664; rev:1;)
diff --git a/tests/test-bad-dsize-range-rule-2/test.yaml b/tests/test-bad-dsize-range-rule-2/test.yaml
new file mode 100644 (file)
index 0000000..073955f
--- /dev/null
@@ -0,0 +1,20 @@
+requires:
+  min-version: 7
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entries in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "signature can't match as required content length 30 exceeds dsize value 10"
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"