--- /dev/null
+Similar to `../requires-ok` but does include one rule that will fail
+to load. This is to test that a bad rule after "skipped" rule fails
+out and is not recorded as skipped.
--- /dev/null
+requires:
+ min-version: 7.0.3
+
+pcap: ../eve-metadata/testmyids.pcap
+
+args:
+ - -v
+
+# As we have a bad rule, expect exit-code 1.
+exit-code: 1
+
+# No checks, as no stats are written on exit code 0.
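Review bot: The trailing comment `# No checks, as no stats are written on exit code 0.` contradicts the `exit-code: 1` this test expects; it presumably means a non-zero exit and should read `# No checks, as no stats are written when Suricata exits with an error.` Because the file has no `checks` section, the exit status is the only thing asserted, so the test cannot tell a rule-load failure apart from any other startup error. It also cannot confirm the description's claim that the bad rule is not recorded as skipped. If the engine logs an error line for the rejected rule, a check on that output would tie the failure to the intended rule.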
--- /dev/null
+# Rule for Suricata >= 7 and < 8.
+alert http any any -> any any (msg:"TEST Suricata >= 7 and < 8"; content:"uid=0"; requires: version >= 7 < 8; sid:7; rev:1;)
+
+# Rule for Suricata >= 7.0.3 but less than 8... Or >= 8.0.1
+alert http any any -> any any (content:"uid=0"; requires: version >= 7.0.3 < 8 | >= 8.0.1; sid:9; rev:1;)
+
+# Rule for Suricata >= 8.
+alert http any any -> any any (msg:"TEST Suricata >= 8"; content:"uid=0"; requires: version >= 8.0.0; sid:8; rev:1;)
+
+# These rules have something invalid about them, but do follow the general rule
+# structure, so should be eliminated by the requires statement.
+alert vxlan any any -> any any (requires: version >= 10; sid:1;)
+alert udp any any -> any any (vxlan_vni:10; requires: version >= 10; sid:2;)
+alert http any any => any any (requires: version >= 10; sid:3;)
+alert tcp any any -> any any (frame:smtp.not_supported; requires: version >= 10; sid:4;)
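Review bot: None of the rules shown is marked as the one meant to fail: sids 7, 8 and 9 look loadable, and every deliberately invalid rule (sids 1 to 4) is gated by `requires: version >= 10`, so all of those would be skipped rather than rejected. If this file belongs to the test that expects `exit-code: 1`, the failing rule is either missing or lies outside what is shown here; the file header is not visible, so this is inferred. Wherever that rule lives, label it with a comment such as `# This rule has no requires statement and must fail to load.` so a reader can tell the intended failure from the skipped rules. Separately, sid:9 has no `msg`, unlike sids 7 and 8; adding `msg:"TEST Suricata >= 7.0.3 < 8 or >= 8.0.1";` would keep its alerts identifiable in the output.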
count: 1
match:
event_type: stats
- stats.detect.engines[0].rules_skipped: 6
+ stats.detect.engines[0].rules_skipped: 5
+ stats.detect.engines[0].rules_loaded: 2
+ stats.detect.engines[0].rules_failed: 0
- filter:
requires:
count: 1
match:
event_type: stats
- stats.detect.engines[0].rules_skipped: 7
+ stats.detect.engines[0].rules_skipped: 6
+ stats.detect.engines[0].rules_loaded: 1
+ stats.detect.engines[0].rules_failed: 0