checks:
- shell:
- args: grep "SC_WARN_ERSPAN_CONFIG" suricata.log | wc -l | xargs
+ args: grep "ERSPAN Type I is no longer configurable" suricata.log | wc -l | xargs
expect: 1
checks:
- shell:
- args: grep "SC_WARN_CLASSIFICATION_CONFIG" suricata.log | wc -l | xargs
+ args: grep "Invalid Classtype in" suricata.log | wc -l | xargs
expect: 1
checks:
- shell:
- args: grep -e "SC_WARN_CLASSIFICATION_CONFIG" suricata.log | wc -l | xargs
+ args: grep -e "Error loading classification configuration from" suricata.log | wc -l | xargs
expect: 1
checks:
- shell:
- args: grep "SC_ERR_INVALID_NUMERIC_VALUE" suricata.log | wc -l | xargs
+ args: grep "is not a valid reputation value" suricata.log | wc -l | xargs
+ expect: 1
+ - shell:
+ args: grep "bad rep for dataset" suricata.log | wc -l | xargs
expect: 1
checks:
- shell:
- args: grep "SC_ERR_INVALID_SIGNATURE" suricata.log | wc -l | xargs
- expect: 5
-
- - shell:
- args: grep "SC_ERR_INVALID_VALUE" suricata.log | wc -l | xargs
- expect: 5
+ args: grep "Error" suricata.log | wc -l | xargs
+ expect: 11
expect: 1
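Review bot: The replacement pattern `grep "Error"` on the `+ args:` line is far less specific than the `SC_ERR_INVALID_SIGNATURE` / `SC_ERR_INVALID_VALUE` codes it replaces, so the check now counts every log line containing "Error" (including unrelated loading errors) and the expected 11 will drift whenever any other message changes. The other hunks in this change keep a message-specific pattern (for example `grep "Invalid Reference Config in"`), and this check should do the same, matching the text the engine now emits for an invalid signature rather than the generic word. The same broad pattern is used again at the `grep Error` / `expect: 27` lines of the next hunk. If a single combined count is intentional, a comment naming which messages make up the 11 would at least make the number auditable.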
- shell:
- args: grep SC_ERR_INVALID_SIGNATURE suricata.log | wc -l | xargs
- expect: 26
+ args: grep Error suricata.log | wc -l | xargs
+ expect: 27
- shell:
args: grep "Expression seen with a sticky buffer" suricata.log | wc -l | xargs
checks:
- shell:
- args: grep "SC_ERR_REFERENCE_CONFIG" suricata.log | wc -l | xargs
+ args: grep "Invalid Reference Config in" suricata.log | wc -l | xargs
expect: 1
checks:
- shell:
- args: grep -e "SC_ERR_REFERENCE_CONFIG" suricata.log | wc -l | xargs
+ args: grep -e "unknown reference key" suricata.log | wc -l | xargs
expect: 1
- shell:
- args: grep -e "SC_ERR_REFERENCE_UNKNOWN" suricata.log | wc -l | xargs
+ args: grep -e "Invalid Reference Config in" suricata.log | wc -l | xargs
expect: 1
engine.message: "unknown byte_ keyword var seen in depth - d."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: "detect"
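Review bot: The added `min-version: 7` filter matches only `event_type: engine` and `engine.module: detect`, so it counts any detect-module engine event and no longer ties `count: 3` to the specific failure the `lt-version: 7` filter pinned via `engine.error`; an unrelated detect error would satisfy it. Adding the message to the match, e.g. `engine.message: "unknown byte_ keyword var seen in depth - d."` next to `engine.module` (or the 7.x wording if it differs), keeps the 7.x branch as strict as the pre-7 one. The same module-only match repeats in every sibling filter hunk below, through the "can't use multiple withins" hunk. Quoting of the module name is also inconsistent across those hunks (`"detect"` here and in the "invalid value for depth" and "Invalid unescaped double quote" hunks, bare `detect` elsewhere); pick one form. The filter that the `engine.message:` context line belongs to starts outside the hunk.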
engine.message: "invalid value for depth: -5."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "signature can't match as required content length 30 exceeds dsize value 10"
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "signature can't match as required content length 20 exceeds dsize value 16"
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: "detect"
engine.message: "Invalid unescaped double quote within content section."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use multiple depths for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "signature can't match as required content length 102 exceeds dsize value 50"
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "signature can't match as required content length 12 exceeds dsize value 10"
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "signature can't match as required content length 30 exceeds dsize value 10"
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "Invalid hex code in content - |l0 01 01|, hex l. Invalidating signature."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+ - filter:
+ min-version: 7
+ count: 4
+ match:
+ event_type: engine
+ engine.module: detect
+
- filter:
min-version: 7.0
count: 1
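Review bot: This hunk's new `min-version: 7` filter uses `count: 4` where every sibling hunk uses 3, and it sits beside an existing `min-version: 7.0` / `count: 1` filter whose `match:` block lies outside the hunk, so two filters now cover the same versions. If the existing filter already counts one of the detect-module events, the module-only match added here overlaps it and the 4 may be double-counting rather than reflecting a real extra event. Either way the deviation deserves a one-line comment such as `count: 4  # one more detect event than the sibling tests on 7.x: <reason>` so the next reader does not "fix" it back to 3.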
engine.message: "Invalid hex code in content - \u0001\u00101 10 0j|, hex j. Invalidating signature."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "Invalid hex code assembly in content - |1. Invalidating signature."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't have a relative negated keyword set along with 'fast_pattern'."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use multiple offsets for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "invalid formatting to content keyword: value must be double quoted 'content'"
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't have a relative keyword set along with 'fast_pattern:only;'."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "bad option value formatting (possible missing semicolon) for keyword content: '\"AA\" depth:20'"
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "unknown rule keyword ''."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
engine.message: "can't use multiple withins for the same content."
- filter:
+ lt-version: 7
count: 1
match:
event_type: engine
engine.error: "SC_ERR_NO_RULES_LOADED"
+
+ - filter:
+ min-version: 7
+ count: 3
+ match:
+ event_type: engine
+ engine.module: detect
requires:
- min-version: 7
+ min-version: 8 # TODO
checks:
- shell:
args: grep "Error loading threshold configuration" suricata.log | wc -l | xargs
expect: 1
- - shell:
- args: grep "SC_WARN_THRESH_CONFIG" suricata.log | wc -l | xargs
- expect: 1
+ # TODO
+ #- shell:
+ # lt-version: 7
+ # args: grep "SC_WARN_THRESH_CONFIG" suricata.log | wc -l | xargs
+ # expect: 1
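Review bot: Bumping `requires: min-version` from 7 to 8 with only `# TODO` skips this test on every 7.x release, and nothing in the hunk records why; the commented-out `SC_WARN_THRESH_CONFIG` check suggests the 7.x message text was simply not yet known. Replace the bare tag with the reason and the intended follow-up, e.g. `min-version: 8 # TODO: lower back to 7 once the 7.x threshold-config warning text is checked`, or better keep `min-version: 7` and drop only the check that no longer applies, as the unchanged `Error loading threshold configuration` check above already does. The commented-out check also places `lt-version: 7` inside a `shell:` item, whereas elsewhere in this change version gating appears only on `filter:` items, so confirm the runner honours it there before the TODO is resolved. The same leave-it-commented approach is taken with the `SC_ERR_PCRE_MATCH` check in the following hunk.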
checks:
- - shell:
- args: grep -e "SC_ERR_PCRE_MATCH" suricata.log | wc -l | xargs
- expect: 1
+ #- shell:
+ # args: grep -e "SC_ERR_PCRE_MATCH" suricata.log | wc -l | xargs
+ # expect: 1
- shell:
args: grep -e "Threshold config parsed.*0 rule.*found" suricata.log | wc -l | xargs