detect/port: add rule grouping tests 1678/head 1680/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Wed, 21 Feb 2024 09:50:42 +0000 (15:20 +0530)
committerShivani Bhardwaj <shivanib134@gmail.com>
Sat, 2 Mar 2024 03:24:36 +0000 (08:54 +0530)
32 files changed:
tests/rule-grouping/rule-grouping-1/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-1/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-1/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-1/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-2/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-2/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-2/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-2/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-3/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-3/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-3/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-3/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-4/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-4/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-4/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-4/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-5/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-5/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-5/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-5/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-6/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-6/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-6/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-6/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-7/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-7/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-7/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-7/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-8/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-8/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-8/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-8/test.yaml [new file with mode: 0644]

diff --git a/tests/rule-grouping/rule-grouping-1/README.md b/tests/rule-grouping/rule-grouping-1/README.md
new file mode 100644 (file)
index 0000000..b669e4d
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small range
+overlaps and single points with "any".
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-1/suricata.yaml b/tests/rule-grouping/rule-grouping-1/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-1/test.rules b/tests/rule-grouping/rule-grouping-1/test.rules
new file mode 100644 (file)
index 0000000..bd336a7
--- /dev/null
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 80 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 80:81 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 445 (flow:to_server; content:"abc"; sid:4;)
diff --git a/tests/rule-grouping/rule-grouping-1/test.yaml b/tests/rule-grouping/rule-grouping-1/test.yaml
new file mode 100644 (file)
index 0000000..a9203ad
--- /dev/null
@@ -0,0 +1,67 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 80
+        tcp.toserver[0].port2: 80
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+        tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 445
+        tcp.toserver[1].port2: 445
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 81
+        tcp.toserver[2].port2: 81
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[2].rulegroup.rules[1].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[3].port: 0
+        tcp.toserver[3].port2: 79
+        tcp.toserver[3].rulegroup.id: 3
+        tcp.toserver[3].rulegroup.rules[0].sig_id: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[4].port: 82
+        tcp.toserver[4].port2: 444
+        tcp.toserver[4].rulegroup.id: 3
+        tcp.toserver[4].rulegroup.rules[0].sig_id: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[5].port: 446
+        tcp.toserver[5].port2: 65535
+        tcp.toserver[5].rulegroup.id: 3
+        tcp.toserver[5].rulegroup.rules[0].sig_id: 1
+
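Review bot: Each per-group check pins the sig_id values at fixed positions of `rulegroup.rules` but never the array's length, so a signature wrongly added to a group (for example sid 4 also landing in the port-80 group at index 3) would pass unnoticed; the `tcp.toserver.__len: 6` check only guards the number of groups. If the filter syntax accepts `__len` on nested arrays as it does on `tcp.toserver`, add `tcp.toserver[0].rulegroup.rules.__len: 3` to the port-80 check and the matching count to every other group check. The positional `tcp.toserver[N]` indices also encode the emission order of the groups (here apparently descending by rule count), which is worth stating in the README so that a pure ordering change is not mistaken for a grouping regression. The same gap is present in the test.yaml hunks for rule-grouping-2, -3, -4 and -5.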
diff --git a/tests/rule-grouping/rule-grouping-2/README.md b/tests/rule-grouping/rule-grouping-2/README.md
new file mode 100644 (file)
index 0000000..00156b6
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for all disjointed
+ports and ranges i.e. no overlaps.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-2/suricata.yaml b/tests/rule-grouping/rule-grouping-2/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-2/test.rules b/tests/rule-grouping/rule-grouping-2/test.rules
new file mode 100644 (file)
index 0000000..08540db
--- /dev/null
@@ -0,0 +1,13 @@
+drop tls any 1 -> any 1 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 2 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 3 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 4 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 5 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 6 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 7 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 8 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 9 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 10 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 11 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 12 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
diff --git a/tests/rule-grouping/rule-grouping-2/test.yaml b/tests/rule-grouping/rule-grouping-2/test.yaml
new file mode 100644 (file)
index 0000000..afac6c1
--- /dev/null
@@ -0,0 +1,119 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 1
+        tcp.toserver[0].port2: 1
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 2
+        tcp.toserver[1].port2: 2
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 3
+        tcp.toserver[2].port2: 3
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[3].port: 4
+        tcp.toserver[3].port2: 4
+        tcp.toserver[3].rulegroup.id: 3
+        tcp.toserver[3].rulegroup.rules[0].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[4].port: 5
+        tcp.toserver[4].port2: 5
+        tcp.toserver[4].rulegroup.id: 4
+        tcp.toserver[4].rulegroup.rules[0].sig_id: 5
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[5].port: 6
+        tcp.toserver[5].port2: 6
+        tcp.toserver[5].rulegroup.id: 5
+        tcp.toserver[5].rulegroup.rules[0].sig_id: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[6].port: 7
+        tcp.toserver[6].port2: 7
+        tcp.toserver[6].rulegroup.id: 6
+        tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[7].port: 8
+        tcp.toserver[7].port2: 8
+        tcp.toserver[7].rulegroup.id: 7
+        tcp.toserver[7].rulegroup.rules[0].sig_id: 8
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[8].port: 9
+        tcp.toserver[8].port2: 9
+        tcp.toserver[8].rulegroup.id: 8
+        tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[9].port: 10
+        tcp.toserver[9].port2: 10
+        tcp.toserver[9].rulegroup.id: 9
+        tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[10].port: 11
+        tcp.toserver[10].port2: 11
+        tcp.toserver[10].rulegroup.id: 10
+        tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[11].port: 12
+        tcp.toserver[11].port2: 12
+        tcp.toserver[11].rulegroup.id: 11
+        tcp.toserver[11].rulegroup.rules[0].sig_id: 12
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[12].port: 1024
+        tcp.toserver[12].port2: 65535
+        tcp.toserver[12].rulegroup.id: 12
+        tcp.toserver[12].rulegroup.rules[0].sig_id: 13
+
diff --git a/tests/rule-grouping/rule-grouping-3/README.md b/tests/rule-grouping/rule-grouping-3/README.md
new file mode 100644 (file)
index 0000000..7197568
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single point
+disruptions in a continuous range.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-3/suricata.yaml b/tests/rule-grouping/rule-grouping-3/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-3/test.rules b/tests/rule-grouping/rule-grouping-3/test.rules
new file mode 100644 (file)
index 0000000..e8df9a0
--- /dev/null
@@ -0,0 +1,13 @@
+drop tls any 21017 -> any 9808 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 31342 -> any 48640 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 5121 -> any 51362 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 37506 -> any 23033 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 62314 -> any 63977 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 20097 -> any 3772 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 41962 -> any 20998 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8575 -> any 9263 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 30307 -> any 2926 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 20461 -> any 42188 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 50359 -> any 9780 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 36743 -> any 11673 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
diff --git a/tests/rule-grouping/rule-grouping-3/test.yaml b/tests/rule-grouping/rule-grouping-3/test.yaml
new file mode 100644 (file)
index 0000000..4d43603
--- /dev/null
@@ -0,0 +1,227 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 25
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 2926
+        tcp.toserver[0].port2: 2926
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 9
+        tcp.toserver[0].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 3772
+        tcp.toserver[1].port2: 3772
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 6
+        tcp.toserver[1].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 9263
+        tcp.toserver[2].port2: 9263
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 8
+        tcp.toserver[2].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[3].port: 9780
+        tcp.toserver[3].port2: 9780
+        tcp.toserver[3].rulegroup.id: 3
+        tcp.toserver[3].rulegroup.rules[0].sig_id: 11
+        tcp.toserver[3].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[4].port: 9808
+        tcp.toserver[4].port2: 9808
+        tcp.toserver[4].rulegroup.id: 4
+        tcp.toserver[4].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[4].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[5].port: 11673
+        tcp.toserver[5].port2: 11673
+        tcp.toserver[5].rulegroup.id: 5
+        tcp.toserver[5].rulegroup.rules[0].sig_id: 12
+        tcp.toserver[5].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[6].port: 20998
+        tcp.toserver[6].port2: 20998
+        tcp.toserver[6].rulegroup.id: 6
+        tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+        tcp.toserver[6].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[7].port: 23033
+        tcp.toserver[7].port2: 23033
+        tcp.toserver[7].rulegroup.id: 7
+        tcp.toserver[7].rulegroup.rules[0].sig_id: 4
+        tcp.toserver[7].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[8].port: 42188
+        tcp.toserver[8].port2: 42188
+        tcp.toserver[8].rulegroup.id: 8
+        tcp.toserver[8].rulegroup.rules[0].sig_id: 10
+        tcp.toserver[8].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[9].port: 48640
+        tcp.toserver[9].port2: 48640
+        tcp.toserver[9].rulegroup.id: 9
+        tcp.toserver[9].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[9].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[10].port: 51362
+        tcp.toserver[10].port2: 51362
+        tcp.toserver[10].rulegroup.id: 10
+        tcp.toserver[10].rulegroup.rules[0].sig_id: 3
+        tcp.toserver[10].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[11].port: 63977
+        tcp.toserver[11].port2: 63977
+        tcp.toserver[11].rulegroup.id: 11
+        tcp.toserver[11].rulegroup.rules[0].sig_id: 5
+        tcp.toserver[11].rulegroup.rules[1].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[12].port: 1024
+        tcp.toserver[12].port2: 2925
+        tcp.toserver[12].rulegroup.id: 12
+        tcp.toserver[12].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[13].port: 2927
+        tcp.toserver[13].port2: 3771
+        tcp.toserver[13].rulegroup.id: 12
+        tcp.toserver[13].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[14].port: 3773
+        tcp.toserver[14].port2: 9262
+        tcp.toserver[14].rulegroup.id: 12
+        tcp.toserver[14].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[15].port: 9264
+        tcp.toserver[15].port2: 9779
+        tcp.toserver[15].rulegroup.id: 12
+        tcp.toserver[15].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[16].port: 9781
+        tcp.toserver[16].port2: 9807
+        tcp.toserver[16].rulegroup.id: 12
+        tcp.toserver[16].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[17].port: 9809
+        tcp.toserver[17].port2: 11672
+        tcp.toserver[17].rulegroup.id: 12
+        tcp.toserver[17].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[18].port: 11674
+        tcp.toserver[18].port2: 20997
+        tcp.toserver[18].rulegroup.id: 12
+        tcp.toserver[18].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[19].port: 20999
+        tcp.toserver[19].port2: 23032
+        tcp.toserver[19].rulegroup.id: 12
+        tcp.toserver[19].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[20].port: 23034
+        tcp.toserver[20].port2: 42187
+        tcp.toserver[20].rulegroup.id: 12
+        tcp.toserver[20].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[21].port: 42189
+        tcp.toserver[21].port2: 48639
+        tcp.toserver[21].rulegroup.id: 12
+        tcp.toserver[21].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[22].port: 48641
+        tcp.toserver[22].port2: 51361
+        tcp.toserver[22].rulegroup.id: 12
+        tcp.toserver[22].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[23].port: 51363
+        tcp.toserver[23].port2: 63976
+        tcp.toserver[23].rulegroup.id: 12
+        tcp.toserver[23].rulegroup.rules[0].sig_id: 13
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[24].port: 63978
+        tcp.toserver[24].port2: 65535
+        tcp.toserver[24].rulegroup.id: 12
+        tcp.toserver[24].rulegroup.rules[0].sig_id: 13
+
diff --git a/tests/rule-grouping/rule-grouping-4/README.md b/tests/rule-grouping/rule-grouping-4/README.md
new file mode 100644 (file)
index 0000000..f504f75
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for too many overlapping ranges.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-4/suricata.yaml b/tests/rule-grouping/rule-grouping-4/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-4/test.rules b/tests/rule-grouping/rule-grouping-4/test.rules
new file mode 100644 (file)
index 0000000..3a3e589
--- /dev/null
@@ -0,0 +1,7 @@
+drop tls any 1 -> any 1:8 (sid:1; gid:10000002;)
+drop tls any 2 -> any 3:94 (sid:2; gid:10000002;)
+drop tls any 3 -> any 7:43 (sid:3; gid:10000002;)
+drop tls any 4 -> any 100:120 (sid:4; gid:10000002;)
+drop tls any 5 -> any 25:89 (sid:5; gid:10000002;)
+drop tls any 6 -> any 7:25 (sid:6; gid:10000002;)
+drop tls any 7 -> any 80:100 (sid:7; gid:10000002;)
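Review bot: These seven rules are the only ones in the series without `flow:to_server`, so unlike rule-grouping-1, -2, -3 and -5 they presumably get placed into toclient groups as well, yet the test.yaml for this set checks only `tcp.toserver`. Either add the direction keyword to each rule, e.g. `drop tls any 1 -> any 1:8 (flow:to_server; sid:1; gid:10000002;)`, to keep the set consistent with the others, or add a `tcp.toclient.__len` check so the additional groups are asserted rather than silently ignored. The README for this set describes only the overlapping-ranges case and does not mention the direction difference, so if the omission is deliberate a sentence saying so would help.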
diff --git a/tests/rule-grouping/rule-grouping-4/test.yaml b/tests/rule-grouping/rule-grouping-4/test.yaml
new file mode 100644 (file)
index 0000000..3f07201
--- /dev/null
@@ -0,0 +1,126 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 12
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 7
+        tcp.toserver[0].port2: 8
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+        tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+        tcp.toserver[0].rulegroup.rules[3].sig_id: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 25
+        tcp.toserver[1].port2: 25
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[1].rulegroup.rules[1].sig_id: 3
+        tcp.toserver[1].rulegroup.rules[2].sig_id: 5
+        tcp.toserver[1].rulegroup.rules[3].sig_id: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 9
+        tcp.toserver[2].port2: 24
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[2].rulegroup.rules[1].sig_id: 3
+        tcp.toserver[2].rulegroup.rules[2].sig_id: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[3].port: 26
+        tcp.toserver[3].port2: 43
+        tcp.toserver[3].rulegroup.id: 3
+        tcp.toserver[3].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[3].rulegroup.rules[1].sig_id: 3
+        tcp.toserver[3].rulegroup.rules[2].sig_id: 5
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[4].port: 80
+        tcp.toserver[4].port2: 89
+        tcp.toserver[4].rulegroup.id: 4
+        tcp.toserver[4].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[4].rulegroup.rules[1].sig_id: 5
+        tcp.toserver[4].rulegroup.rules[2].sig_id: 7
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[5].port: 3
+        tcp.toserver[5].port2: 6
+        tcp.toserver[5].rulegroup.id: 5
+        tcp.toserver[5].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[5].rulegroup.rules[1].sig_id: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[6].port: 44
+        tcp.toserver[6].port2: 79
+        tcp.toserver[6].rulegroup.id: 6
+        tcp.toserver[6].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[6].rulegroup.rules[1].sig_id: 5
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[7].port: 90
+        tcp.toserver[7].port2: 94
+        tcp.toserver[7].rulegroup.id: 7
+        tcp.toserver[7].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[7].rulegroup.rules[1].sig_id: 7
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[8].port: 100
+        tcp.toserver[8].port2: 100
+        tcp.toserver[8].rulegroup.id: 8
+        tcp.toserver[8].rulegroup.rules[0].sig_id: 4
+        tcp.toserver[8].rulegroup.rules[1].sig_id: 7
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[9].port: 1
+        tcp.toserver[9].port2: 2
+        tcp.toserver[9].rulegroup.id: 9
+        tcp.toserver[9].rulegroup.rules[0].sig_id: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[10].port: 95
+        tcp.toserver[10].port2: 99
+        tcp.toserver[10].rulegroup.id: 10
+        tcp.toserver[10].rulegroup.rules[0].sig_id: 7
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[11].port: 101
+        tcp.toserver[11].port2: 120
+        tcp.toserver[11].rulegroup.id: 11
+        tcp.toserver[11].rulegroup.rules[0].sig_id: 4
diff --git a/tests/rule-grouping/rule-grouping-5/README.md b/tests/rule-grouping/rule-grouping-5/README.md
new file mode 100644 (file)
index 0000000..1f8cba3
--- /dev/null
@@ -0,0 +1,13 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for disjointed
+overlapping ranges i.e. ranges with overlap among themselves but a gap in
+between.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-5/suricata.yaml b/tests/rule-grouping/rule-grouping-5/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-5/test.rules b/tests/rule-grouping/rule-grouping-5/test.rules
new file mode 100644 (file)
index 0000000..b56738d
--- /dev/null
@@ -0,0 +1,10 @@
+drop tls any 21017 -> any 1:50 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 31342 -> any 25:80 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 5121 -> any 39:100 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 37506 -> any 90:135 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 62314 -> any 120:200 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 20097 -> any 150:3000 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 41962 -> any 5000:8000 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8575 -> any 5500:7700 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 30307 -> any 7000:9000 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 20461 -> any 9000:10000 (flow:to_server; sid:10; gid:10000002;)
diff --git a/tests/rule-grouping/rule-grouping-5/test.yaml b/tests/rule-grouping/rule-grouping-5/test.yaml
new file mode 100644 (file)
index 0000000..0b6abfa
--- /dev/null
@@ -0,0 +1,171 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 18
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 39
+        tcp.toserver[0].port2: 50
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+        tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 7000
+        tcp.toserver[1].port2: 7700
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 7
+        tcp.toserver[1].rulegroup.rules[1].sig_id: 8
+        tcp.toserver[1].rulegroup.rules[2].sig_id: 9
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 25
+        tcp.toserver[2].port2: 38
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[2].rulegroup.rules[1].sig_id: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[3].port: 51
+        tcp.toserver[3].port2: 80
+        tcp.toserver[3].rulegroup.id: 3
+        tcp.toserver[3].rulegroup.rules[0].sig_id: 2
+        tcp.toserver[3].rulegroup.rules[1].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[4].port: 90
+        tcp.toserver[4].port2: 100
+        tcp.toserver[4].rulegroup.id: 4
+        tcp.toserver[4].rulegroup.rules[0].sig_id: 3
+        tcp.toserver[4].rulegroup.rules[1].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[5].port: 120
+        tcp.toserver[5].port2: 135
+        tcp.toserver[5].rulegroup.id: 5
+        tcp.toserver[5].rulegroup.rules[0].sig_id: 4
+        tcp.toserver[5].rulegroup.rules[1].sig_id: 5
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[6].port: 150
+        tcp.toserver[6].port2: 200
+        tcp.toserver[6].rulegroup.id: 6
+        tcp.toserver[6].rulegroup.rules[0].sig_id: 5
+        tcp.toserver[6].rulegroup.rules[1].sig_id: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[7].port: 5500
+        tcp.toserver[7].port2: 6999
+        tcp.toserver[7].rulegroup.id: 7
+        tcp.toserver[7].rulegroup.rules[0].sig_id: 7
+        tcp.toserver[7].rulegroup.rules[1].sig_id: 8
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[8].port: 7701
+        tcp.toserver[8].port2: 8000
+        tcp.toserver[8].rulegroup.id: 8
+        tcp.toserver[8].rulegroup.rules[0].sig_id: 7
+        tcp.toserver[8].rulegroup.rules[1].sig_id: 9
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[9].port: 9000
+        tcp.toserver[9].port2: 9000
+        tcp.toserver[9].rulegroup.id: 9
+        tcp.toserver[9].rulegroup.rules[0].sig_id: 9
+        tcp.toserver[9].rulegroup.rules[1].sig_id: 10
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[10].port: 1
+        tcp.toserver[10].port2: 24
+        tcp.toserver[10].rulegroup.id: 10
+        tcp.toserver[10].rulegroup.rules[0].sig_id: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[11].port: 81
+        tcp.toserver[11].port2: 89
+        tcp.toserver[11].rulegroup.id: 11
+        tcp.toserver[11].rulegroup.rules[0].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[12].port: 101
+        tcp.toserver[12].port2: 119
+        tcp.toserver[12].rulegroup.id: 12
+        tcp.toserver[12].rulegroup.rules[0].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[13].port: 136
+        tcp.toserver[13].port2: 149
+        tcp.toserver[13].rulegroup.id: 13
+        tcp.toserver[13].rulegroup.rules[0].sig_id: 5
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[14].port: 201
+        tcp.toserver[14].port2: 3000
+        tcp.toserver[14].rulegroup.id: 14
+        tcp.toserver[14].rulegroup.rules[0].sig_id: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[15].port: 5000
+        tcp.toserver[15].port2: 5499
+        tcp.toserver[15].rulegroup.id: 15
+        tcp.toserver[15].rulegroup.rules[0].sig_id: 7
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[16].port: 8001
+        tcp.toserver[16].port2: 8999
+        tcp.toserver[16].rulegroup.id: 16
+        tcp.toserver[16].rulegroup.rules[0].sig_id: 9
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[17].port: 9001
+        tcp.toserver[17].port2: 10000
+        tcp.toserver[17].rulegroup.id: 17
+        tcp.toserver[17].rulegroup.rules[0].sig_id: 10
+
diff --git a/tests/rule-grouping/rule-grouping-6/README.md b/tests/rule-grouping/rule-grouping-6/README.md
new file mode 100644 (file)
index 0000000..922a078
--- /dev/null
@@ -0,0 +1,13 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for all disjointed
+ports and ranges i.e. no overlaps with joingroup limiting the toserver groups
+at 10.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-6/suricata.yaml b/tests/rule-grouping/rule-grouping-6/suricata.yaml
new file mode 100644 (file)
index 0000000..d784001
--- /dev/null
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profile: custom
+  custom-values:
+    toserver-groups: 10
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-6/test.rules b/tests/rule-grouping/rule-grouping-6/test.rules
new file mode 100644 (file)
index 0000000..08540db
--- /dev/null
@@ -0,0 +1,13 @@
+drop tls any 1 -> any 1 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 2 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 3 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 4 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 5 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 6 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 7 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 8 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 9 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 10 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 11 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 12 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
diff --git a/tests/rule-grouping/rule-grouping-6/test.yaml b/tests/rule-grouping/rule-grouping-6/test.yaml
new file mode 100644 (file)
index 0000000..f57398c
--- /dev/null
@@ -0,0 +1,100 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 1
+        tcp.toserver[0].port2: 1
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 2
+        tcp.toserver[1].port2: 2
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 3
+        tcp.toserver[2].port2: 3
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[3].port: 4
+        tcp.toserver[3].port2: 4
+        tcp.toserver[3].rulegroup.id: 3
+        tcp.toserver[3].rulegroup.rules[0].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[4].port: 5
+        tcp.toserver[4].port2: 5
+        tcp.toserver[4].rulegroup.id: 4
+        tcp.toserver[4].rulegroup.rules[0].sig_id: 5
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[5].port: 6
+        tcp.toserver[5].port2: 6
+        tcp.toserver[5].rulegroup.id: 5
+        tcp.toserver[5].rulegroup.rules[0].sig_id: 6
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[6].port: 7
+        tcp.toserver[6].port2: 7
+        tcp.toserver[6].rulegroup.id: 6
+        tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[7].port: 8
+        tcp.toserver[7].port2: 8
+        tcp.toserver[7].rulegroup.id: 7
+        tcp.toserver[7].rulegroup.rules[0].sig_id: 8
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[8].port: 9
+        tcp.toserver[8].port2: 9
+        tcp.toserver[8].rulegroup.id: 8
+        tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[9].port: 10
+        tcp.toserver[9].port2: 10
+        tcp.toserver[9].rulegroup.id: 9
+        tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[10].port: 0
+        tcp.toserver[10].port2: 65535
+        tcp.toserver[10].rulegroup.id: 10
+        tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+        tcp.toserver[10].rulegroup.rules[1].sig_id: 12
+        tcp.toserver[10].rulegroup.rules[2].sig_id: 13
+
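Review bot: The rule-grouping-6 checks pin tcp.toserver[0] through tcp.toserver[10] but never bound the array length, so a build that emits additional groups past index 10 — i.e. one that exceeds the toserver-groups: 10 budget this test exists to exercise — would still pass. rule-grouping-7 and rule-grouping-8 in this same commit each open with a `tcp.toserver.__len` filter for exactly this reason; add one here too, a filter mirroring the others whose match is `tcp.toserver.__len: 11`, assuming eleven groups (ten port groups plus the 0-65535 catch-all at index 10) is the intended total. The catch-all group's rule list could be bounded the same way, presumably `tcp.toserver[10].rulegroup.rules.__len: 3`, if the `__len` suffix is accepted on nested arrays by the harness.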
diff --git a/tests/rule-grouping/rule-grouping-7/README.md b/tests/rule-grouping/rule-grouping-7/README.md
new file mode 100644 (file)
index 0000000..630e562
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single
+disjointed port points.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-7/suricata.yaml b/tests/rule-grouping/rule-grouping-7/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-7/test.rules b/tests/rule-grouping/rule-grouping-7/test.rules
new file mode 100644 (file)
index 0000000..f9cd3fa
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any [587,25] (flow:established,to_server; sid:2; rev:3;)
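Review bot: The port list `[587,25]` is written in descending order while the test.yaml for this case expects the groups in ascending order (tcp.toserver[0] at 25, tcp.toserver[1] at 587), which looks intentional — the case then also shows that grouping sorts the port points — but nothing records that. A comment in the rules file would keep a later tidy-up from reordering the list and silently weakening the case, e.g. `# ports deliberately listed out of order; grouping output is expected sorted (25, then 587)`.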
diff --git a/tests/rule-grouping/rule-grouping-7/test.yaml b/tests/rule-grouping/rule-grouping-7/test.yaml
new file mode 100644 (file)
index 0000000..356f781
--- /dev/null
@@ -0,0 +1,31 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 25
+        tcp.toserver[0].port2: 25
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 587
+        tcp.toserver[1].port2: 587
+        tcp.toserver[1].rulegroup.id: 0
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+
diff --git a/tests/rule-grouping/rule-grouping-8/README.md b/tests/rule-grouping/rule-grouping-8/README.md
new file mode 100644 (file)
index 0000000..1d352d6
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single
+disjointed port points that are adjacent to each other on a number line.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-8/suricata.yaml b/tests/rule-grouping/rule-grouping-8/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-8/test.rules b/tests/rule-grouping/rule-grouping-8/test.rules
new file mode 100644 (file)
index 0000000..9f748cd
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any [2010,2011] (flow:established,to_server; sid:3; rev:1;)
diff --git a/tests/rule-grouping/rule-grouping-8/test.yaml b/tests/rule-grouping/rule-grouping-8/test.yaml
new file mode 100644 (file)
index 0000000..cd608f3
--- /dev/null
@@ -0,0 +1,23 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 2010
+        tcp.toserver[0].port2: 2011
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 3
+