# Find a substring in a field
engine.message.__find: script failed
+ # Check if a string starts with an expected value
+ engine.message.__startswith: "This is the start of the string"
+
+ # Check if a string ends with an expected value
+ engine.message.__endswith: "the end of a string"
+
- shell:
# A simple shell check. If the command exits with a non-0 exit code the
# check will fail. The script is run in the output directory of the
return len(obj)
except:
return -1
- if part == "__find":
- # Return full obj on __find and do a substring find in caller
- # where the expected is also available
+ if part in ["__find", "__startswith", "__endswith"]:
+ # Return full object, caller will handle the special match logic.
break
name = None
index = None
return False
else:
val = find_value(key, event)
- if val != expected:
- if key.endswith("__find"):
- if val.find(expected) != -1:
- return True
+ if key.endswith("__find"):
+ if val.find(expected) < 0:
+ return False
+ elif key.endswith("__startswith"):
+ if not val.startswith(expected):
+ return False
+ elif key.endswith("__endswith"):
+ if not val.endswith(expected):
+ return False
+ elif val != expected:
if str(val) == str(expected):
print("Different types but same string", type(val), val, type(expected), expected)
- return False
return False
return True
projects / thirdparty / suricata-verify.git / commitdiff
