--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small range
+overlaps and single points with "any".
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any any -> any any (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 80 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 80:81 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 445 (flow:to_server; content:"abc"; sid:4;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 80
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 445
+ tcp.toserver[1].port2: 445
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 81
+ tcp.toserver[2].port2: 81
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 0
+ tcp.toserver[3].port2: 79
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 82
+ tcp.toserver[4].port2: 444
+ tcp.toserver[4].rulegroup.id: 3
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 446
+ tcp.toserver[5].port2: 65535
+ tcp.toserver[5].rulegroup.id: 3
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 1
+
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for all disjointed
+ports and ranges i.e. no overlaps.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+drop tls any 1 -> any 1 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 2 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 3 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 4 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 5 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 6 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 7 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 8 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 9 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 10 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 11 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 12 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 1
+ tcp.toserver[0].port2: 1
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 2
+ tcp.toserver[1].port2: 2
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 3
+ tcp.toserver[2].port2: 3
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 4
+ tcp.toserver[3].port2: 4
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 5
+ tcp.toserver[4].port2: 5
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 6
+ tcp.toserver[5].port2: 6
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 7
+ tcp.toserver[6].port2: 7
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 8
+ tcp.toserver[7].port2: 8
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 9
+ tcp.toserver[8].port2: 9
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 10
+ tcp.toserver[9].port2: 10
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 11
+ tcp.toserver[10].port2: 11
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 12
+ tcp.toserver[11].port2: 12
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 12
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[12].port: 1024
+ tcp.toserver[12].port2: 65535
+ tcp.toserver[12].rulegroup.id: 12
+ tcp.toserver[12].rulegroup.rules[0].sig_id: 13
+
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single point
+disruptions in a continuous range.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+drop tls any 21017 -> any 9808 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 31342 -> any 48640 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 5121 -> any 51362 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 37506 -> any 23033 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 62314 -> any 63977 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 20097 -> any 3772 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 41962 -> any 20998 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8575 -> any 9263 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 30307 -> any 2926 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 20461 -> any 42188 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 50359 -> any 9780 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 36743 -> any 11673 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 25
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 2926
+ tcp.toserver[0].port2: 2926
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 9
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 3772
+ tcp.toserver[1].port2: 3772
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 6
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 9263
+ tcp.toserver[2].port2: 9263
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 8
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 9780
+ tcp.toserver[3].port2: 9780
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 11
+ tcp.toserver[3].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 9808
+ tcp.toserver[4].port2: 9808
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[4].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 11673
+ tcp.toserver[5].port2: 11673
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 12
+ tcp.toserver[5].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 20998
+ tcp.toserver[6].port2: 20998
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[6].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 23033
+ tcp.toserver[7].port2: 23033
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 4
+ tcp.toserver[7].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 42188
+ tcp.toserver[8].port2: 42188
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 10
+ tcp.toserver[8].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 48640
+ tcp.toserver[9].port2: 48640
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[9].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 51362
+ tcp.toserver[10].port2: 51362
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[10].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 63977
+ tcp.toserver[11].port2: 63977
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 5
+ tcp.toserver[11].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[12].port: 1024
+ tcp.toserver[12].port2: 2925
+ tcp.toserver[12].rulegroup.id: 12
+ tcp.toserver[12].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[13].port: 2927
+ tcp.toserver[13].port2: 3771
+ tcp.toserver[13].rulegroup.id: 12
+ tcp.toserver[13].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[14].port: 3773
+ tcp.toserver[14].port2: 9262
+ tcp.toserver[14].rulegroup.id: 12
+ tcp.toserver[14].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[15].port: 9264
+ tcp.toserver[15].port2: 9779
+ tcp.toserver[15].rulegroup.id: 12
+ tcp.toserver[15].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[16].port: 9781
+ tcp.toserver[16].port2: 9807
+ tcp.toserver[16].rulegroup.id: 12
+ tcp.toserver[16].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[17].port: 9809
+ tcp.toserver[17].port2: 11672
+ tcp.toserver[17].rulegroup.id: 12
+ tcp.toserver[17].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[18].port: 11674
+ tcp.toserver[18].port2: 20997
+ tcp.toserver[18].rulegroup.id: 12
+ tcp.toserver[18].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[19].port: 20999
+ tcp.toserver[19].port2: 23032
+ tcp.toserver[19].rulegroup.id: 12
+ tcp.toserver[19].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[20].port: 23034
+ tcp.toserver[20].port2: 42187
+ tcp.toserver[20].rulegroup.id: 12
+ tcp.toserver[20].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[21].port: 42189
+ tcp.toserver[21].port2: 48639
+ tcp.toserver[21].rulegroup.id: 12
+ tcp.toserver[21].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[22].port: 48641
+ tcp.toserver[22].port2: 51361
+ tcp.toserver[22].rulegroup.id: 12
+ tcp.toserver[22].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[23].port: 51363
+ tcp.toserver[23].port2: 63976
+ tcp.toserver[23].rulegroup.id: 12
+ tcp.toserver[23].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[24].port: 63978
+ tcp.toserver[24].port2: 65535
+ tcp.toserver[24].rulegroup.id: 12
+ tcp.toserver[24].rulegroup.rules[0].sig_id: 13
+
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for too many overlapping ranges.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+drop tls any 1 -> any 1:8 (sid:1; gid:10000002;)
+drop tls any 2 -> any 3:94 (sid:2; gid:10000002;)
+drop tls any 3 -> any 7:43 (sid:3; gid:10000002;)
+drop tls any 4 -> any 100:120 (sid:4; gid:10000002;)
+drop tls any 5 -> any 25:89 (sid:5; gid:10000002;)
+drop tls any 6 -> any 7:25 (sid:6; gid:10000002;)
+drop tls any 7 -> any 80:100 (sid:7; gid:10000002;)
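Review bot: The seven rules in this hunk are the only test.rules in the series that carry no `flow:to_server;` keyword, while the companion test.yaml in the next hunk checks only the `tcp.toserver` port table. Rules without a flow direction presumably end up in the toclient table as well, so that table is either left unverified or the omission is unintentional. If the direction is meant to be fixed, add the keyword to each line, e.g. `drop tls any 1 -> any 1:8 (flow:to_server; sid:1; gid:10000002;)`; if both directions are deliberate, add matching `tcp.toclient` filters to test.yaml and mention it in the README.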
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 12
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 7
+ tcp.toserver[0].port2: 8
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+ tcp.toserver[0].rulegroup.rules[3].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 25
+ tcp.toserver[1].port2: 25
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 3
+ tcp.toserver[1].rulegroup.rules[2].sig_id: 5
+ tcp.toserver[1].rulegroup.rules[3].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 9
+ tcp.toserver[2].port2: 24
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 3
+ tcp.toserver[2].rulegroup.rules[2].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 26
+ tcp.toserver[3].port2: 43
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[3].rulegroup.rules[1].sig_id: 3
+ tcp.toserver[3].rulegroup.rules[2].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 80
+ tcp.toserver[4].port2: 89
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[4].rulegroup.rules[1].sig_id: 5
+ tcp.toserver[4].rulegroup.rules[2].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 3
+ tcp.toserver[5].port2: 6
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[5].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 44
+ tcp.toserver[6].port2: 79
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[6].rulegroup.rules[1].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 90
+ tcp.toserver[7].port2: 94
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[7].rulegroup.rules[1].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 100
+ tcp.toserver[8].port2: 100
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 4
+ tcp.toserver[8].rulegroup.rules[1].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 1
+ tcp.toserver[9].port2: 2
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 95
+ tcp.toserver[10].port2: 99
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 101
+ tcp.toserver[11].port2: 120
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 4
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for disjointed
+overlapping ranges i.e. ranges with overlap among themselves but a gap in
+between.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+drop tls any 21017 -> any 1:50 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 31342 -> any 25:80 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 5121 -> any 39:100 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 37506 -> any 90:135 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 62314 -> any 120:200 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 20097 -> any 150:3000 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 41962 -> any 5000:8000 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8575 -> any 5500:7700 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 30307 -> any 7000:9000 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 20461 -> any 9000:10000 (flow:to_server; sid:10; gid:10000002;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 18
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 39
+ tcp.toserver[0].port2: 50
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 7000
+ tcp.toserver[1].port2: 7700
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 8
+ tcp.toserver[1].rulegroup.rules[2].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 25
+ tcp.toserver[2].port2: 38
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 51
+ tcp.toserver[3].port2: 80
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[3].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 90
+ tcp.toserver[4].port2: 100
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[4].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 120
+ tcp.toserver[5].port2: 135
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 4
+ tcp.toserver[5].rulegroup.rules[1].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 150
+ tcp.toserver[6].port2: 200
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 5
+ tcp.toserver[6].rulegroup.rules[1].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 5500
+ tcp.toserver[7].port2: 6999
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[7].rulegroup.rules[1].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 7701
+ tcp.toserver[8].port2: 8000
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[8].rulegroup.rules[1].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 9000
+ tcp.toserver[9].port2: 9000
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 9
+ tcp.toserver[9].rulegroup.rules[1].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 1
+ tcp.toserver[10].port2: 24
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 81
+ tcp.toserver[11].port2: 89
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[12].port: 101
+ tcp.toserver[12].port2: 119
+ tcp.toserver[12].rulegroup.id: 12
+ tcp.toserver[12].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[13].port: 136
+ tcp.toserver[13].port2: 149
+ tcp.toserver[13].rulegroup.id: 13
+ tcp.toserver[13].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[14].port: 201
+ tcp.toserver[14].port2: 3000
+ tcp.toserver[14].rulegroup.id: 14
+ tcp.toserver[14].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[15].port: 5000
+ tcp.toserver[15].port2: 5499
+ tcp.toserver[15].rulegroup.id: 15
+ tcp.toserver[15].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[16].port: 8001
+ tcp.toserver[16].port2: 8999
+ tcp.toserver[16].rulegroup.id: 16
+ tcp.toserver[16].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[17].port: 9001
+ tcp.toserver[17].port2: 10000
+ tcp.toserver[17].rulegroup.id: 17
+ tcp.toserver[17].rulegroup.rules[0].sig_id: 10
+
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for all disjointed
+ports and ranges i.e. no overlaps with joingroup limiting the toserver groups
+at 10.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profile: custom
+ custom-values:
+ toserver-groups: 10
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+drop tls any 1 -> any 1 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 2 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 3 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 4 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 5 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 6 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 7 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 8 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 9 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 10 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 11 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 12 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 1
+ tcp.toserver[0].port2: 1
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 2
+ tcp.toserver[1].port2: 2
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 3
+ tcp.toserver[2].port2: 3
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 4
+ tcp.toserver[3].port2: 4
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 5
+ tcp.toserver[4].port2: 5
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 6
+ tcp.toserver[5].port2: 6
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 7
+ tcp.toserver[6].port2: 7
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 8
+ tcp.toserver[7].port2: 8
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 9
+ tcp.toserver[8].port2: 9
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 10
+ tcp.toserver[9].port2: 10
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 0
+ tcp.toserver[10].port2: 65535
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+ tcp.toserver[10].rulegroup.rules[1].sig_id: 12
+ tcp.toserver[10].rulegroup.rules[2].sig_id: 13
+
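Review bot: This test.yaml has no `tcp.toserver.__len` filter, while every other test.yaml in the series opens its checks with one; without it the `toserver-groups: 10` cap set in this test's suricata.yaml is not actually proven, because any extra entries past index 10 would pass unnoticed while the per-index filters still match. The eleven entries listed here (indices 0–10, the last being the joined 0–65535 group) suggest the expected length is 11, so add a leading stanza like the one below. Confirm the value against an actual rule_group.json dump before pinning it.
```yaml
checks:
  - filter:
      filename: rule_group.json
      count: 1
      match:
        tcp.toserver.__len: 11
  # … unchanged: per-group filters for tcp.toserver[0] … tcp.toserver[10] …
```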
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single
+disjointed port points.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any any -> any [587,25] (flow:established,to_server; sid:2; rev:3;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 25
+ tcp.toserver[0].port2: 25
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 587
+ tcp.toserver[1].port2: 587
+ tcp.toserver[1].rulegroup.id: 0
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+
--- /dev/null
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single
+disjointed port points that are adjacent to each other on a number line.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
--- /dev/null
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
--- /dev/null
+alert tcp any any -> any [2010,2011] (flow:established,to_server; sid:3; rev:1;)
--- /dev/null
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 2010
+ tcp.toserver[0].port2: 2011
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 3
+