rule-grouping: add boundary port tests 1730/head 1731/head
authorShivani Bhardwaj <shivanib134@gmail.com>
Mon, 25 Mar 2024 13:35:47 +0000 (19:05 +0530)
committerShivani Bhardwaj <shivanib134@gmail.com>
Mon, 25 Mar 2024 13:37:01 +0000 (19:07 +0530)
12 files changed:
tests/rule-grouping/rule-grouping-17/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-17/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-17/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-17/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-18/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-18/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-18/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-18/test.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-19/README.md [new file with mode: 0644]
tests/rule-grouping/rule-grouping-19/suricata.yaml [new file with mode: 0644]
tests/rule-grouping/rule-grouping-19/test.rules [new file with mode: 0644]
tests/rule-grouping/rule-grouping-19/test.yaml [new file with mode: 0644]

diff --git a/tests/rule-grouping/rule-grouping-17/README.md b/tests/rule-grouping/rule-grouping-17/README.md
new file mode 100644 (file)
index 0000000..e52cd1b
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small range
+overlaps and single points with the boundary values of UINT16.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6896
diff --git a/tests/rule-grouping/rule-grouping-17/suricata.yaml b/tests/rule-grouping/rule-grouping-17/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-17/test.rules b/tests/rule-grouping/rule-grouping-17/test.rules
new file mode 100644 (file)
index 0000000..970105a
--- /dev/null
@@ -0,0 +1,5 @@
+alert tcp any any -> any 0:1000 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any any -> any 0 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any any -> any 35000:65535 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 65535 (flow:to_server; content:"abc"; sid:4;)
+
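Review bot: None of the four rules says which UINT16 boundary it exercises, so a reader has to reconstruct the intent from the expected groups in test.yaml; since rule files accept `#` comment lines, a header such as `# sids 1/2: low boundary (range 0:1000 vs. single port 0); sids 3/4: high boundary (range 35000:65535 vs. single port 65535)` would make the file self-describing. The same gap exists in rule-grouping-19/test.rules, where the `1024:` source-port restriction on sids 2 and 3 is left unexplained although only the destination-port groups are asserted. The trailing empty line at the end of this file is harmless, but rule-grouping-18/test.rules in the same commit omits it, so the two are inconsistent.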
diff --git a/tests/rule-grouping/rule-grouping-17/test.yaml b/tests/rule-grouping/rule-grouping-17/test.yaml
new file mode 100644 (file)
index 0000000..ba80990
--- /dev/null
@@ -0,0 +1,49 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 0
+        tcp.toserver[0].port2: 0
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 65535
+        tcp.toserver[1].port2: 65535
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 3
+        tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 1
+        tcp.toserver[2].port2: 1000
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[3].port: 35000
+        tcp.toserver[3].port2: 65534
+        tcp.toserver[3].rulegroup.id: 3
+        tcp.toserver[3].rulegroup.rules[0].sig_id: 3
+
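Review bot: Every check addresses a group by array position (`tcp.toserver[0]` … `tcp.toserver[3]`) and by `rulegroup.id`, so the test pins the engine's emission order — the single-port groups 0 and 65535 before the ranges 1:1000 and 35000:65534 — in addition to the grouping itself. If that order is part of what issue 6896 establishes, say so in the README; otherwise a harmless reordering of the JSON array will fail the test even though the port/rule distribution is unchanged. A one-line comment above `checks:` stating the expectation, e.g. `# group order follows the engine's dump order: single ports first, then ranges`, would record which of the two is intended. The same applies to rule-grouping-19/test.yaml.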
diff --git a/tests/rule-grouping/rule-grouping-18/README.md b/tests/rule-grouping/rule-grouping-18/README.md
new file mode 100644 (file)
index 0000000..3a99391
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test to demonstrate the error in case port is out of bounds.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6896
diff --git a/tests/rule-grouping/rule-grouping-18/suricata.yaml b/tests/rule-grouping/rule-grouping-18/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-18/test.rules b/tests/rule-grouping/rule-grouping-18/test.rules
new file mode 100644 (file)
index 0000000..a5620ce
--- /dev/null
@@ -0,0 +1 @@
+alert tcp any any -> any 65536 (flow:to_server; content:"abc"; sid:1;)
diff --git a/tests/rule-grouping/rule-grouping-18/test.yaml b/tests/rule-grouping/rule-grouping-18/test.yaml
new file mode 100644 (file)
index 0000000..59746b1
--- /dev/null
@@ -0,0 +1,9 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+exit-code: 1
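Review bot: `exit-code: 1` is the only assertion, so any startup failure unrelated to the out-of-range port `65536` in test.rules — a configuration error, a missing file — would also make this test pass. Consider adding a check that the engine log contains the port-parsing error the rule is meant to trigger (suricata-verify supports shell-based checks, which could grep the log for it), so the test pins the behaviour the README describes rather than a generic non-zero exit; I have not verified the exact error text, so it should be taken from a local run. Without that, a regression that silently accepts `65536` but fails for some other reason would go unnoticed.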
diff --git a/tests/rule-grouping/rule-grouping-19/README.md b/tests/rule-grouping/rule-grouping-19/README.md
new file mode 100644 (file)
index 0000000..858fa62
--- /dev/null
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small range
+overlaps and single points with UINT16 boundary overlaps.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6896
diff --git a/tests/rule-grouping/rule-grouping-19/suricata.yaml b/tests/rule-grouping/rule-grouping-19/suricata.yaml
new file mode 100644 (file)
index 0000000..549defa
--- /dev/null
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+  rules-fast-pattern: yes
+  rules: yes
+
+detect:
+  profiling:
+    grouping:
+      dump-to-disk: yes
+      include-rules: yes
+      include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-19/test.rules b/tests/rule-grouping/rule-grouping-19/test.rules
new file mode 100644 (file)
index 0000000..3460d44
--- /dev/null
@@ -0,0 +1,4 @@
+alert tcp any any -> any 0:65535 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 0:120 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 0 (flow:to_server; content:"abc"; sid:3;)
+
diff --git a/tests/rule-grouping/rule-grouping-19/test.yaml b/tests/rule-grouping/rule-grouping-19/test.yaml
new file mode 100644 (file)
index 0000000..55c5345
--- /dev/null
@@ -0,0 +1,42 @@
+requires:
+  min-version: 8
+
+pcap: false
+
+args:
+  - --engine-analysis
+
+checks:
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver.__len: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[0].port: 0
+        tcp.toserver[0].port2: 0
+        tcp.toserver[0].rulegroup.id: 0
+        tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+        tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[1].port: 1
+        tcp.toserver[1].port2: 120
+        tcp.toserver[1].rulegroup.id: 1
+        tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+        tcp.toserver[1].rulegroup.rules[1].sig_id: 2
+  - filter:
+      filename: rule_group.json
+      count: 1
+      match:
+        tcp.toserver[2].port: 121
+        tcp.toserver[2].port2: 65535
+        tcp.toserver[2].rulegroup.id: 2
+        tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+