tests: add invalid semicolon usage
authorjason taylor <jtfas90@gmail.com>
Wed, 15 May 2019 16:11:27 +0000 (12:11 -0400)
committerVictor Julien <victor@inliniac.net>
Fri, 17 May 2019 18:14:11 +0000 (20:14 +0200)
Signed-off-by: jason taylor <jtfas90@gmail.com>
tests/test-bad-depth-distance-rule-1/test.yaml
tests/test-bad-depth-distance-rule-2/test.yaml
tests/test-bad-depth-rule-1/test.yaml
tests/test-bad-depth-within-rule-1/test.yaml
tests/test-bad-depth-within-rule-2/test.yaml
tests/test-bad-offset-distance-rule-1/test.yaml
tests/test-bad-offset-offset-rule-1/test.yaml
tests/test-bad-offset-within-rule-1/test.yaml
tests/test-bad-semicolon-rule-2/suricata.yaml [new file with mode: 0644]
tests/test-bad-semicolon-rule-2/test.rules [new file with mode: 0644]
tests/test-bad-semicolon-rule-2/test.yaml [new file with mode: 0644]

index 5aaee4d133ac6ce14a5b57b5a82111728b536391..1e675c1fc4afbf7ad68c456ddcff73510c443c5f 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
index 5aaee4d133ac6ce14a5b57b5a82111728b536391..1e675c1fc4afbf7ad68c456ddcff73510c443c5f 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
index 67bddd68bd6a7fba76eaafe232fe54ac5889e579..8e32a142f32ad3a39eab1ad5cd6b7bc4b0078843 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data\/dce_stub_data sticky buffer options"
+        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options"
 
   - filter:
       count: 1
index 5aaee4d133ac6ce14a5b57b5a82111728b536391..1e675c1fc4afbf7ad68c456ddcff73510c443c5f 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
index 67bddd68bd6a7fba76eaafe232fe54ac5889e579..8e32a142f32ad3a39eab1ad5cd6b7bc4b0078843 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data\/dce_stub_data sticky buffer options"
+        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options"
 
   - filter:
       count: 1
index 5aaee4d133ac6ce14a5b57b5a82111728b536391..1e675c1fc4afbf7ad68c456ddcff73510c443c5f 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
index b9e74fac10b6a02205d3f888c24f42c1cb5c4139..acb9806248565d8773a35ff19236ebf4372fe314 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use multiple offsets for the same content."
+        engine.message: "can't use multiple offsets for the same content. "
 
   - filter:
       count: 1
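Review bot: The new expected string on the `engine.message` line ends with a space before the closing quote (`...for the same content. "`), which is invisible in most editors and easy to lose to a whitespace cleanup. If that space mirrors what the engine logs (not visible from this hunk), say so above the line, for example `# trailing space is intentional: the engine message ends with one`. The `checks:` list starts and continues outside the hunk.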
index 5aaee4d133ac6ce14a5b57b5a82111728b536391..1e675c1fc4afbf7ad68c456ddcff73510c443c5f 100644 (file)
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
diff --git a/tests/test-bad-semicolon-rule-2/suricata.yaml b/tests/test-bad-semicolon-rule-2/suricata.yaml
new file mode 100644 (file)
index 0000000..dcaae57
--- /dev/null
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+  - file:
+      enabled: yes
+      filename: eve.json
+      type: json
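Review bot: Nothing in this new file says why the engine log is written as JSON to a file named `eve.json`. The checks in this directory's test.yaml filter on `event_type: engine`, so the test appears to depend on exactly this output. A comment above `outputs:` would make the dependency explicit, for example `# engine log as JSON in eve.json so test.yaml can match engine.message and engine.error`.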
diff --git a/tests/test-bad-semicolon-rule-2/test.rules b/tests/test-bad-semicolon-rule-2/test.rules
new file mode 100644 (file)
index 0000000..0829587
--- /dev/null
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFULL - Too Many Semicolons INVALID combination "; content:"AA"; content:"BB";; within:5; sid:6666668; rev:1;)
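Review bot: The doubled `;` after `content:"BB"` is the whole point of this rule, but the file has no comment saying so. The msg text `TEST SUCCESFULL` (also misspelled) reads as though the rule were expected to load. A leading comment line such as `# intentionally malformed: the ';;' after content:"BB" must make this rule fail to load` would keep a later cleanup from "fixing" the rule and silently changing what the test covers.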
diff --git a/tests/test-bad-semicolon-rule-2/test.yaml b/tests/test-bad-semicolon-rule-2/test.yaml
new file mode 100644 (file)
index 0000000..39ac12e
--- /dev/null
@@ -0,0 +1,21 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entres in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "unknown rule keyword ''."
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"
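Review bot: In the `command:` line the `${OUTPUT_DIR}` and `${TEST_DIR}` expansions are unquoted while the `--set` values are quoted, so, assuming the command runs through a shell, a checkout path containing spaces would split the arguments. Prefer `-l "${OUTPUT_DIR}" -c "${TEST_DIR}/suricata.yaml" -r "${TEST_DIR}/" -S "${TEST_DIR}/test.rules"`. Separately, `-r ${TEST_DIR}/` names the test directory itself and this commit adds no capture file there; if that is deliberate because only rule loading is under test, a one-line comment saying so would help. The comment under `checks:` also has a typo, `entres` for `entries`.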