location: Enhance test for new keywords location-test
authorStefan Schantl <stefan.schantl@ipfire.org>
Wed, 1 Dec 2021 04:42:51 +0000 (05:42 +0100)
committerStefan Schantl <stefan.schantl@ipfire.org>
Wed, 1 Dec 2021 04:42:51 +0000 (05:42 +0100)
This commit adds tests for the following newly introduced rule keywords
when building suricata with libloc support:

* anycast
* anonymous-proxy
* satellite-provider

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
tests/location/create-database.py
tests/location/test.db
tests/location/test.rules
tests/location/test.yaml

index 9f2f91d9176909089679c230e82806902b0642f6..a5b89868e5db0d98cab1805369ebcc7f8ed76fd4 100644 (file)
@@ -17,6 +17,7 @@ test_data = {
             'ccontinent': 'EU',
             'asnumber': 8560,
             'asname': '1&1 IONOS SE',
+            'flags': ["NETWORK_FLAG_ANYCAST", "NETWORK_FLAG_ANONYMOUS_PROXY", "NETWORK_FLAG_SATELLITE_PROVIDER"],
         }
     }
 
@@ -47,5 +48,12 @@ for addr, data in test_data.items():
     net.country_code = data["ccode"]
     net.asn = asn.number
 
+    # Check if one ore more network flags should be added to this network.
+    if "flags" in data.keys():
+        # Loop through the list of flags.
+        for flag in data["flags"]:
+            # Add flag to the network.
+            net.set_flag(getattr(location, flag))
+
 # Write the database to disk
 db.write("test.db")
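Review bot: `if "flags" in data.keys():` on the new line calls `.keys()` for a plain membership test; the check and the loop can be folded into `for flag in data.get("flags", []):`, which reads the flag list once and drops the nested `if`. The `net.set_flag(getattr(location, flag))` call raises AttributeError on a misspelled flag name, which is acceptable for a test-data generator but deserves a comment such as `# A typo in a flag name fails loudly here instead of silently producing a database without that flag.` The comment `one ore more` should read `one or more`. The enclosing `for addr, data in test_data.items():` loop begins before the hunk.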
index 098592fb9eced425715ac836412b2cd07ece3574..01f3c713897281d49b07186c1ae8cd784f9e1778 100644 (file)
Binary files a/tests/location/test.db and b/tests/location/test.db differ
index a4a88f7cec4d1e2230a64556961b702d5ac8ecbc..49746d0abfab0b5a10e3c876eb3048ee051c33a9 100644 (file)
@@ -1,2 +1,5 @@
 alert tcp any any -> any any (msg:"China IP"; flow:established,to_server; geoip:dst,CN; sid:1; rev:1; flowbits:isnotset,china; flowbits:set,china;)
 alert tcp any any -> any any (msg:"German IP"; flow:established,to_server; geoip: dst,DE; sid:2; rev:1; flowbits:isnotset,german; flowbits:set,german;)
+alert tcp any any -> any any (msg:"ANYCAST ADDRESS"; flow:established,to_server; anycast: dst; sid: 3; rev:1; flowbits:isnotset,anycast; flowbits:set,anycast;)
+alert tcp any any -> any any (msg:"ANONYMOUS PROXY"; flow:established,to_server; anonymous-proxy: dst; sid: 4; rev:1; flowbits:isnotset,anonymous-proxy; flowbits:set,anonymous-proxy;)
+alert tcp any any -> any any (msg:"SATELLITE PROVIDER"; flow:established,to_server; satellite-provider: dst; sid: 5; rev:1; flowbits:isnotset,satellite-provider; flowbits:set,satellite-provider;)
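Review bot: The three new rules write `anycast: dst; sid: 3` with a space after each colon, while sid 1 on the first line uses `sid:1` and the existing sid 2 already mixes both forms (`geoip: dst,DE`), so the file has no single option style. Since test.yaml expects the spaced sid 2 rule to match, the parser presumably tolerates the space, but normalising the new lines to `anycast:dst; sid:3;` (and likewise for sids 4 and 5) would keep the new rules consistent with each other and with sid 1. The uppercase messages such as `"ANYCAST ADDRESS"` also differ from the title-case `"China IP"` / `"German IP"` messages of the existing rules.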
index 49b29b39510253bbe73d3d16c47a9e972fcda72a..878e7a704c896519a364276c70585f1bdf618c3b 100644 (file)
@@ -5,15 +5,36 @@ requires:
 
 checks:
 
-  # Check that we only have one alert event type in eve.
+  # Check that we only have four events in eve.
   - filter:
-      count: 1
+      count: 4
       match:
         event_type: alert
 
-  # Check alert is the good one
+  # Check if the geoip keyword workded.
   - filter:
       count: 1
       match:
         event_type: alert
         alert.signature_id: 2
+
+  # Check if the anycast keyword worked.
+  - filter:
+      count: 1
+      match:
+        event_type: alert
+        alert.signature_id: 3
+
+  # Check if the anonymous-proxy keyword worked.
+  - filter:
+      count: 1
+      match:
+          event_type: alert
+          alert.signature_id: 4
+
+  # Check if the satellite-provider keyworkd worked.
+  - filter:
+      count: 1
+      match:
+          event_type: alert
+          alert.signature_id: 5
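Review bot: The comment on the first changed line, `# Check that we only have four events in eve.`, describes a filter that matches only `event_type: alert`, so it should read `# Check that we have exactly four alert events in eve.`. The comments for sid 2 and sid 5 carry typos: `workded` should be `worked` and `keyworkd` should be `keyword`. The `match:` mappings for sids 4 and 5 are indented by ten spaces where the sid 2 and sid 3 blocks use eight; both are valid YAML, but aligning them to eight spaces keeps the checks uniform.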