--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single point
+and a range separated by a gap.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6881
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any any -> any 80 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any any -> any 100:120 (flow:to_server; content:"abc"; sid:2;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 80
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 100
+ tcp.toserver[1].port2: 120
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
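Review bot: The two per-group filters pin only `rulegroup.rules[0].sig_id`, so a regression that places sid 2 in the port-80 group as well (or sid 1 in the 100:120 group) would still pass as long as the expected sid sorts first. Adding `tcp.toserver[0].rulegroup.rules.__len: 1` to the first match block and `tcp.toserver[1].rulegroup.rules.__len: 1` to the second closes that gap, assuming the `__len` suffix works on a nested path the same way it does for `tcp.toserver.__len` in the first filter. With that in place the test asserts not just the split points but that the two single-rule groups are actually disjoint, which is the property the gap case is meant to demonstrate.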
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for a range
+and a single point separated by a gap.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any any -> any 80:120 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any any -> any 150 (flow:to_server; content:"abc"; sid:2;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 120
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 150
+ tcp.toserver[1].port2: 150
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
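Review bot: As written, the checks for the 80:120 group and the port-150 group only confirm that the expected sid is first in each group; an extra rule leaking into either group would go unnoticed. Add `tcp.toserver[0].rulegroup.rules.__len: 1` and `tcp.toserver[1].rulegroup.rules.__len: 1` to the respective match blocks (the nested `__len` form presumably resolves like the `tcp.toserver.__len` check already used here; verify once against the runner). That turns the test into a real disjointness check for the range-then-point layout rather than an ordering check.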
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for a small range
+cut by a single port.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any 1024: -> any 80:120 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 100 (flow:to_server; content:"abc"; sid:2;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 80
+ tcp.toserver[1].port2: 99
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 100
+ tcp.toserver[0].port2: 100
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 101
+ tcp.toserver[2].port2: 120
+ tcp.toserver[2].rulegroup.id: 1
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
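Review bot: The 80:99 and 101:120 groups (both `rulegroup.id: 1`) are verified only by `rules[0].sig_id: 1`, so if the split ever put sid 2 into one of the side ranges as well the test would still pass; the shared group at port 100 likewise does not assert it holds exactly two rules. Add `tcp.toserver[0].rulegroup.rules.__len: 2`, `tcp.toserver[1].rulegroup.rules.__len: 1` and `tcp.toserver[2].rulegroup.rules.__len: 1` to the matching filters, assuming the nested `__len` path resolves as the top-level `tcp.toserver.__len` does. As a point of style, listing the filters in index order ([0], [1], [2]) instead of [1] before [0] makes the expected port layout easier to read against the rules file.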
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small ranges
+with a point overlap only.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any 1024: -> any 80:100 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 100:120 (flow:to_server; content:"abc"; sid:3;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 100
+ tcp.toserver[0].port2: 100
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 80
+ tcp.toserver[1].port2: 99
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 101
+ tcp.toserver[2].port2: 120
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+
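Review bot: For the single-port overlap at 100 the interesting property is that sid 2 ends up only in the 80:99 and 100 groups and sid 3 only in the 100 and 101:120 groups, but the filters check just `rules[0].sig_id`, so a stray second rule in the 80:99 or 101:120 group would not fail the test. Adding `tcp.toserver[0].rulegroup.rules.__len: 2`, `tcp.toserver[1].rulegroup.rules.__len: 1` and `tcp.toserver[2].rulegroup.rules.__len: 1` pins the membership exactly (assuming nested `__len` is supported by the filter, as the top-level `tcp.toserver.__len` suggests). The trailing blank line at the end of the file is harmless but inconsistent with the other test.yaml files in this change.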
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for disjointed ranges
+but with overlaps within them.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any any -> any 80:120 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 100:110 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 150:250 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 200:220 (flow:to_server; content:"abc"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 100
+ tcp.toserver[0].port2: 110
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 200
+ tcp.toserver[1].port2: 220
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 80
+ tcp.toserver[2].port2: 99
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 111
+ tcp.toserver[3].port2: 120
+ tcp.toserver[3].rulegroup.id: 2
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 150
+ tcp.toserver[4].port2: 199
+ tcp.toserver[4].rulegroup.id: 3
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 221
+ tcp.toserver[5].port2: 250
+ tcp.toserver[5].rulegroup.id: 3
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 3
+
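Review bot: Each of the six filters checks the first sid of its group, but the case this test exists for is that the non-overlapping parts of 80:120 and 150:250 (indices [2]/[3] and [4]/[5], which share `rulegroup.id` 2 and 3) do not pick up sid 2 or sid 4; nothing here would fail if they did, since sid 1 and sid 3 still sort first. Add one `tcp.toserver[i].rulegroup.rules.__len` line to every match block — `2` for [0] and [1], `1` for [2] through [5] — assuming the nested `__len` form resolves like the existing `tcp.toserver.__len` check. That also makes the shared-SGH assertion meaningful: two groups with the same `rulegroup.id` must have identical rule sets, and the length plus first sid together pin that.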
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for multiple
+small range continuos overlaps with predecessor.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any any -> any 1:20 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 15:40 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 35:60 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 55:80 (flow:to_server; content:"abc"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 15
+ tcp.toserver[0].port2: 20
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 35
+ tcp.toserver[1].port2: 40
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 55
+ tcp.toserver[2].port2: 60
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 1
+ tcp.toserver[3].port2: 14
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 21
+ tcp.toserver[4].port2: 34
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 41
+ tcp.toserver[5].port2: 54
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 61
+ tcp.toserver[6].port2: 80
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 4
+
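Review bot: The chained-overlap layout is only half asserted: the three overlap groups ([0]–[2]) check two sids each but not that there is no third, and the four remainder groups ([3]–[6]) check only the first sid, so a remainder group accidentally containing its neighbour's rule would still pass. Add `tcp.toserver[i].rulegroup.rules.__len` to each match block — `2` for [0], [1], [2] and `1` for [3] through [6] — on the assumption that the filter resolves a nested `__len` the same way it resolves `tcp.toserver.__len` at the top of the checks. The expected ranges themselves (1:14, 15:20, 21:34, 35:40, 41:54, 55:60, 61:80) are consistent with the four rules, so the only missing piece is group cardinality.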
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for several separate
+single points.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+drop tls any 1 -> any 10 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 20 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 30 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 40 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 50 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 60 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 70 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 80 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 90 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 100 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 110 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 120 (flow:to_server; sid:12; gid:10000002;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 12
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 80
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 10
+ tcp.toserver[1].port2: 10
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 20
+ tcp.toserver[2].port2: 20
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 30
+ tcp.toserver[3].port2: 30
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 40
+ tcp.toserver[4].port2: 40
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 50
+ tcp.toserver[5].port2: 50
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 60
+ tcp.toserver[6].port2: 60
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 70
+ tcp.toserver[7].port2: 70
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 90
+ tcp.toserver[8].port2: 90
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 100
+ tcp.toserver[9].port2: 100
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 110
+ tcp.toserver[10].port2: 110
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 120
+ tcp.toserver[11].port2: 120
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 12
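Review bot: The expected layout places port 80 at `tcp.toserver[0]` ahead of 10..70 and nothing in the test explains why, so the next person touching this file will read it as a transposition error. It is presumably because 80 is treated as a priority/whitelisted TCP port by the grouping code and therefore sorted before the plain single-port groups — that should be confirmed against the detect.grouping defaults in the build under test rather than assumed. A one-line comment above that filter, e.g. `# port 80 sorts first: the grouping code orders whitelisted TCP ports ahead of the remaining single-port groups`, would record the reason; if the ordering is implementation-defined, say so in the comment so a future reorder is recognised as an ordering change rather than a grouping bug.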