]> git.ipfire.org Git - thirdparty/suricata-verify.git/commitdiff
projects / thirdparty / suricata-verify.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5bc918b)
detect/bypass: add test for detect-bypass
authorModupe Falodun <falodunmodupeola@gmail.com>
Thu, 27 Jan 2022 22:11:42 +0000 (23:11 +0100)
committerVictor Julien <victor@inliniac.net>
Sat, 29 Jan 2022 16:10:30 +0000 (17:10 +0100)
Task: 4911

tests/detect-bypass/README.md [new file with mode: 0644] patch | blob
tests/detect-bypass/input.pcap [new file with mode: 0644] patch | blob
tests/detect-bypass/test.rules [new file with mode: 0644] patch | blob
tests/detect-bypass/test.yaml [new file with mode: 0644] patch | blob
tests/detect-bypass/writepcap.py [new file with mode: 0644] patch | blob

diff --git a/tests/detect-bypass/README.md b/tests/detect-bypass/README.md
new file mode 100644 (file)
index 0000000..4fc59c1
--- /dev/null
+++ b/tests/detect-bypass/README.md
@@ -0,0 +1 @@
+Tests the bypass keyword
diff --git a/tests/detect-bypass/input.pcap b/tests/detect-bypass/input.pcap
new file mode 100644 (file)
index 0000000..9529572
Binary files /dev/null and b/tests/detect-bypass/input.pcap differ
diff --git a/tests/detect-bypass/test.rules b/tests/detect-bypass/test.rules
new file mode 100644 (file)
index 0000000..77f9fbb
--- /dev/null
+++ b/tests/detect-bypass/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any any (bypass; content:"GET "; sid:1;)
+alert http any any -> any any (http.response_body; bypass; content:"message"; sid:2;)
+alert http any any -> any any (http.host; bypass; content:"message"; sid:3;)
diff --git a/tests/detect-bypass/test.yaml b/tests/detect-bypass/test.yaml
new file mode 100644 (file)
index 0000000..dadaa55
--- /dev/null
+++ b/tests/detect-bypass/test.yaml
@@ -0,0 +1,27 @@
+args:
+- --set stream.midstream=true
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: flow
+- filter:
+    count: 1
+    match:
+      event_type: stats
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
diff --git a/tests/detect-bypass/writepcap.py b/tests/detect-bypass/writepcap.py
new file mode 100644 (file)
index 0000000..e1551f4
--- /dev/null
+++ b/tests/detect-bypass/writepcap.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /index.html HTTP/1.0\r\nHost: This is a dummy message body\r\nUser-Agent: www.openinfosecfoundation.org\r\nContent-Type: text/html\r\n\r\n";
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+    Dot1Q(vlan=6)/ \
+    IP(dst='5.6.7.8', src='1.2.3.4')/TCP(sport=80, dport=6666, flags='P''A')/"HTTP/1.0 200 ok\r\nContent-Type: text/html\r\nContent-Length: 7\r\n\r\nmessage";
+wrpcap('input.pcap', pkts)
Mirror of https://github.com/OISF/suricata-verify.git