test: lua-rule-errors

Test for correct behvaior when a Lua rule crashes.

On crash, a Lua script should not result in a match when negation is
applied. Also test for:
- error stat
- one time logging per thread

Ticket: #6940

diff --git a/tests/lua/lua-bad-script/README.md b/tests/lua/lua-bad-script/README.md
new file mode 100644 (file)
index 0000000..ab88078
--- /dev/null
+++ b/tests/lua/lua-bad-script/README.md
@@ -0,0 +1,5 @@
+Test that a crashed rule script does not alert when negated.
+
+Also tests:
+- one time logging for a script that crashes
+- stat increment each time a script crashes

diff --git a/tests/lua/lua-bad-script/error.lua b/tests/lua/lua-bad-script/error.lua
new file mode 100644 (file)
index 0000000..d81ffb8
--- /dev/null
+++ b/tests/lua/lua-bad-script/error.lua
@@ -0,0 +1,8 @@
+function init(args)
+   return {}
+end
+
+function match(args)
+   foobar()
+   return 0
+end

diff --git a/tests/lua/lua-bad-script/logging.yaml b/tests/lua/lua-bad-script/logging.yaml
new file mode 100644 (file)
index 0000000..0051732
--- /dev/null
+++ b/tests/lua/lua-bad-script/logging.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+    - file:
+        enabled: yes
+        level: info
+        filename: suricata.json
+        type: json

diff --git a/tests/lua/lua-bad-script/match.lua b/tests/lua/lua-bad-script/match.lua
new file mode 100644 (file)
index 0000000..c932654
--- /dev/null
+++ b/tests/lua/lua-bad-script/match.lua
@@ -0,0 +1,7 @@
+function init(args)
+   return {}
+end
+
+function match(args)
+   return 1
+end

diff --git a/tests/lua/lua-bad-script/nomatch.lua b/tests/lua/lua-bad-script/nomatch.lua
new file mode 100644 (file)
index 0000000..a3bafe1
--- /dev/null
+++ b/tests/lua/lua-bad-script/nomatch.lua
@@ -0,0 +1,7 @@
+function init(args)
+   return {}
+end
+
+function match(args)
+   return 0
+end

diff --git a/tests/lua/lua-bad-script/test.pcap b/tests/lua/lua-bad-script/test.pcap
new file mode 100644 (file)
index 0000000..5c9ee35
Binary files /dev/null and b/tests/lua/lua-bad-script/test.pcap differ

diff --git a/tests/lua/lua-bad-script/test.rules b/tests/lua/lua-bad-script/test.rules
new file mode 100644 (file)
index 0000000..89cfb32
--- /dev/null
+++ b/tests/lua/lua-bad-script/test.rules
@@ -0,0 +1,3 @@
+alert udp any any -> any any (msg:"MATCH"; lua:match.lua; sid:1; rev:1;)
+alert udp any any -> any any (msg:"NOMATCH"; lua:!nomatch.lua; sid:2; rev:1;)
+alert udp any any -> any any (msg:"ERROR"; lua:!error.lua; sid:3; rev:1;)

diff --git a/tests/lua/lua-bad-script/test.yaml b/tests/lua/lua-bad-script/test.yaml
new file mode 100644 (file)
index 0000000..765da4c
--- /dev/null
+++ b/tests/lua/lua-bad-script/test.yaml
@@ -0,0 +1,44 @@
+requires:
+  min-version: 8
+  features:
+    - HAVE_LUA
+
+args:
+   - --set default-rule-path=${TEST_DIR}
+   - --set security.lua.allow-rules=true
+   - --include ${TEST_DIR}/logging.yaml
+
+   # Run single threaded so all Lua errors occur on the same thread so
+   # we can test one-time logging per thread.
+   - --runmode single
+
+checks:
+  - filter:
+      count: 8
+      match:
+        alert.signature_id: 1
+
+  - filter:
+      count: 8
+      match:
+        alert.signature_id: 2
+
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 3
+
+  # PCAP has 8 packets, which means 8 Lua failures.
+  - filter:
+      count: 1
+      match:
+        event_type: stats
+        stats.detect.lua.errors: 8
+
+  # The Lua failure should only be logged once.
+  - filter:
+      filename: suricata.json
+      count: 1
+      match:
+        event_type: engine
+        engine.message.__find: Lua script failed to run successfully