tests: add rule type checks for iprep rules
authorJuliana Fajardini <jufajardini@gmail.com>
Wed, 27 Nov 2024 19:55:57 +0000 (16:55 -0300)
committerVictor Julien <victor@inliniac.net>
Tue, 28 Jan 2025 08:32:49 +0000 (09:32 +0100)
To accompany rule types documentation.
Added these separately, as they require extra config files.
As the test name still includes `rule-types`, it's still possible to run
both batches of tests at once.

Related to
Task #https://redmine.openinfosecfoundation.org/issues/7031

tests/iprep-12-rule-types/README.md [new file with mode: 0644]
tests/iprep-12-rule-types/iprep.rules [new file with mode: 0644]
tests/iprep-12-rule-types/scirius-categories.txt [new file with mode: 0644]
tests/iprep-12-rule-types/scirius-iprep.list [new file with mode: 0644]
tests/iprep-12-rule-types/suricata.yaml [new file with mode: 0644]
tests/iprep-12-rule-types/test.yaml [new file with mode: 0644]

diff --git a/tests/iprep-12-rule-types/README.md b/tests/iprep-12-rule-types/README.md
new file mode 100644 (file)
index 0000000..a443548
--- /dev/null
@@ -0,0 +1,5 @@
+# Test Description
+
+Check rule types with iprep keyword present: set, isset and isnotset options.
+
+Test setup copied and adapted from test `iprep-11-isset`.
diff --git a/tests/iprep-12-rule-types/iprep.rules b/tests/iprep-12-rule-types/iprep.rules
new file mode 100644 (file)
index 0000000..6ace671
--- /dev/null
@@ -0,0 +1,6 @@
+alert ip any any -> any any (sid:1; iprep:dst,2402000,isset;)
+alert ip any any -> any any (sid:2; iprep:dst,2402000,isnotset;)
+alert ip any any -> any any (sid:3; iprep:dst,2402000,=,0;)
+alert http any any -> any any (sid:4; iprep:dst,2402000,=,0;)
+alert http any any -> any any (sid:5; iprep:dst,2402000,isset;)
+alert http any any -> any any (sid:6; iprep:dst,2402000,isnotset;)
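Review bot: The rules file gives no hint of why sids 1-3 are `ip` rules and sids 4-6 are `http` rules, so the pairing with the expected `ip_only` / `pkt` types in test.yaml has to be reverse-engineered from both files. A header comment would make the fixture self-explaining, e.g. `# sid 1-3: ip rules with isset / isnotset / "=" -> expected type ip_only` and `# sid 4-6: same iprep options on http rules -> expected type pkt`. Note also that sids 3 and 4 exercise the `=` comparison operator with a score of 0, while the README in this commit describes the options as "set, isset and isnotset"; aligning that wording with the operator actually used would avoid confusion.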
diff --git a/tests/iprep-12-rule-types/scirius-categories.txt b/tests/iprep-12-rule-types/scirius-categories.txt
new file mode 100644 (file)
index 0000000..7b1ea8c
--- /dev/null
@@ -0,0 +1,10 @@
+1,2520000,ET TOR Known Tor Exit Node Traffic
+2,2522000,ET TOR Known Tor Relay/Router (Not Exit) Node Traffic
+3,2403300,ET CINS Active Threat Intelligence Poor Reputation IP
+4,2525000,ET 3CORESec Poor Reputation IP
+5,2400000,ET DROP Spamhaus DROP Listed Traffic Inbound
+6,2500000,ET COMPROMISED Known Compromised or Hostile Host Traffic
+7,2404033,ET CNC Shadowserver Reported CnC Server
+8,2404000,ET CNC Shadowserver Reported CnC Server IP
+9,2404300,ET CNC Feodo Tracker Reported CnC Server
+10,2402000,ET DROP Dshield Block Listed Source
diff --git a/tests/iprep-12-rule-types/scirius-iprep.list b/tests/iprep-12-rule-types/scirius-iprep.list
new file mode 100644 (file)
index 0000000..d1de253
--- /dev/null
@@ -0,0 +1,15 @@
+#8.8.8.8,10,100
+4.4.4.4,10,100
+104.244.72.152,1,100
+51.210.242.169,1,100
+193.218.118.100,1,100
+51.210.242.133,1,100
+91.192.103.50,1,100
+198.251.80.157,1,100
+135.148.33.65,1,100
+199.249.230.89,1,100
+46.194.44.245,1,100
+45.153.160.137,1,100
+135.148.33.89,1,100
+185.242.113.224,1,100
+37.139.8.104,1,100
diff --git a/tests/iprep-12-rule-types/suricata.yaml b/tests/iprep-12-rule-types/suricata.yaml
new file mode 100644 (file)
index 0000000..803a008
--- /dev/null
@@ -0,0 +1,17 @@
+%YAML 1.1
+---
+
+reputation-categories-file: scirius-categories.txt
+reputation-files:
+  - scirius-iprep.list
+
+engine-analysis:
+  # enables printing reports for each rule
+  rules: yes
+
+outputs:
+  - eve-log:
+      enabled: yes
+      filetype: regular
+      types:
+        - alert
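Review bot: The `outputs` / `eve-log` stanza looks unused by this test: test.yaml sets `pcap: false` and only checks `rules.json`, which is produced by the `engine-analysis` section, not by eve-log. If it was only carried over from `iprep-11-isset` (as the README says), dropping it would keep the config down to what the test needs; if suricata-verify requires an eve output to run, a comment saying so would help. The comment on `rules: yes` could also name the artifact the test consumes, e.g. `# per-rule analysis report (rules.json) consumed by the checks in test.yaml`. The reputation file keys presumably exist only so the iprep rules load at all; a one-line comment stating that would explain why these two files ship with a no-pcap test.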
diff --git a/tests/iprep-12-rule-types/test.yaml b/tests/iprep-12-rule-types/test.yaml
new file mode 100644 (file)
index 0000000..4b193c9
--- /dev/null
@@ -0,0 +1,44 @@
+requires:
+  min-version: 7
+  pcap: false
+
+args:
+- --engine-analysis
+
+checks:
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 1
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 2
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 3
+        type: "ip_only"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 4
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 5
+        type: "pkt"
+  - filter:
+      filename: rules.json
+      count: 1
+      match:
+        id: 6
+        type: "pkt"
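Review bot: Sequence indentation is inconsistent within the file: the `args:` list is flush with its key (`- --engine-analysis` at column 0) while every list under `checks:` is indented two spaces. Pick one style for the whole file; matching the `checks:` style would be `args:` followed by `  - --engine-analysis`. The six `filter` blocks themselves are the format suricata-verify expects, so the repetition is fine as is.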