Adds tests for negated content and absent keyword 2150/head
authorPhilippe Antoine <pantoine@oisf.net>
Thu, 30 Nov 2023 13:46:04 +0000 (14:46 +0100)
committerVictor Julien <victor@inliniac.net>
Thu, 28 Nov 2024 13:59:22 +0000 (14:59 +0100)
Ticket: 2224

15 files changed:
tests/detect-absent-file-multi/README.md [new file with mode: 0644]
tests/detect-absent-file-multi/input.pcap [new file with mode: 0644]
tests/detect-absent-file-multi/test.rules [new file with mode: 0644]
tests/detect-absent-file-multi/test.yaml [new file with mode: 0644]
tests/detect-absent-http-request-body/README.md [new file with mode: 0644]
tests/detect-absent-http-request-body/input.pcap [new file with mode: 0644]
tests/detect-absent-http-request-body/test.rules [new file with mode: 0644]
tests/detect-absent-http-request-body/test.yaml [new file with mode: 0644]
tests/detect-absent-negated-content/README.md [new file with mode: 0644]
tests/detect-absent-negated-content/no_referer.pcap [new file with mode: 0644]
tests/detect-absent-negated-content/test.rules [new file with mode: 0644]
tests/detect-absent-negated-content/test.yaml [new file with mode: 0644]
tests/rules/absent/README.md [new file with mode: 0644]
tests/rules/absent/test.rules [new file with mode: 0644]
tests/rules/absent/test.yaml [new file with mode: 0644]

diff --git a/tests/detect-absent-file-multi/README.md b/tests/detect-absent-file-multi/README.md
new file mode 100644 (file)
index 0000000..fd27387
--- /dev/null
@@ -0,0 +1,18 @@
+# Test Description
+
+Test `absent` keyword with files
+
+## PCAP
+
+Manually crafted with input
+```
+GET /noheaders HTTP/1.0
+
+HTTP/1.0 500 BAD
+Header1: value1
+
+```
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-file-multi/input.pcap b/tests/detect-absent-file-multi/input.pcap
new file mode 100644 (file)
index 0000000..724dfef
Binary files /dev/null and b/tests/detect-absent-file-multi/input.pcap differ
diff --git a/tests/detect-absent-file-multi/test.rules b/tests/detect-absent-file-multi/test.rules
new file mode 100644 (file)
index 0000000..87ab2a6
--- /dev/null
@@ -0,0 +1,10 @@
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; http.stat_code; content: "500"; sid:1;)
+alert http any any -> any any (msg:"no file data, no alert"; flow:established,to_client; file.data; bsize: >0; http.stat_code; content: "500"; sid:2;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; http.stat_code; content: "500"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_client; file.data; content: !"abc"; http.stat_code; content: "500"; sid:4;)
+alert http any any -> any any (msg:"alert on only stat code"; flow:established,to_client; http.stat_code; content: "500"; sid:5;)
+alert http any any -> any any (msg:"no file data"; flow:established,to_client; file.data; absent; sid:6;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_client; file.data; absent: or_else; content: !"abc"; sid:7;)
+
+alert http any any -> any any (msg:"no request headers or not abc"; flow:established,to_server; http.request_header; absent: or_else; content: !"abc"; sid:10;)
+alert http any any -> any any (msg:"no file data or not abc"; flow:established,to_server; http.request_header; absent; http.uri; content: "noheaders"; sid:11;)
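Review bot: The msg for sid:11 on the last line says "no file data or not abc", but the rule tests `http.request_header; absent` together with `http.uri; content: "noheaders"`, so the text copied from sid:7 describes a different condition; suggest `msg:"no request headers with noheaders uri"`. The same copy-paste leaves sid:1 and sid:6, and sid:3 and sid:7, with identical msg strings (tests/detect-absent-http-request-body/test.rules repeats the pattern for sid:1/sid:5 and sid:3/sid:6), which makes eve output harder to attribute when a count check fails; a distinct msg per sid avoids that. `http.request_header` is, as far as I know, a multi-buffer keyword, so sid:10 and sid:11 exercise `absent` over a buffer set rather than a single buffer; that is the interesting part of this test and deserves a sentence in the README, since the directory name "file-multi" is the only hint.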
diff --git a/tests/detect-absent-file-multi/test.yaml b/tests/detect-absent-file-multi/test.yaml
new file mode 100644 (file)
index 0000000..9d37404
--- /dev/null
@@ -0,0 +1,52 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 7
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 10
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 11
diff --git a/tests/detect-absent-http-request-body/README.md b/tests/detect-absent-http-request-body/README.md
new file mode 100644 (file)
index 0000000..d9cb672
--- /dev/null
@@ -0,0 +1,14 @@
+# Test Description
+
+Test `absent` keyword with `http.request_body`
+
+## PCAP
+
+Manually crafted with server
+`python3 -m http.server`
+and client
+`curl -X POST http://127.0.0.1:8000/toto`
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-http-request-body/input.pcap b/tests/detect-absent-http-request-body/input.pcap
new file mode 100644 (file)
index 0000000..1e4de3a
Binary files /dev/null and b/tests/detect-absent-http-request-body/input.pcap differ
diff --git a/tests/detect-absent-http-request-body/test.rules b/tests/detect-absent-http-request-body/test.rules
new file mode 100644 (file)
index 0000000..b368a60
--- /dev/null
@@ -0,0 +1,6 @@
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; http.method; content: "POST"; sid:1;)
+alert http any any -> any any (msg:"no request body, no alert"; flow:established,to_server; http.request_body; bsize: >0; http.method; content: "POST"; sid:2;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; http.method; content: "POST"; sid:3;)
+alert http any any -> any any (msg:"not abc, no alert"; flow:established,to_server; http.request_body; content: !"abc"; http.method; content: "POST"; sid:4;)
+alert http any any -> any any (msg:"no request body"; flow:established,to_server; http.request_body; absent; sid:5;)
+alert http any any -> any any (msg:"no request body or not abc"; flow:established,to_server; http.request_body; absent: or_else; content: !"abc"; sid:6;)
diff --git a/tests/detect-absent-http-request-body/test.yaml b/tests/detect-absent-http-request-body/test.yaml
new file mode 100644 (file)
index 0000000..549bf9c
--- /dev/null
@@ -0,0 +1,37 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 2
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 3
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 4
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
diff --git a/tests/detect-absent-negated-content/README.md b/tests/detect-absent-negated-content/README.md
new file mode 100644 (file)
index 0000000..a5b9b8e
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test rules with negated content on buffers that are absent
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/detect-absent-negated-content/no_referer.pcap b/tests/detect-absent-negated-content/no_referer.pcap
new file mode 100644 (file)
index 0000000..0ef6c2e
Binary files /dev/null and b/tests/detect-absent-negated-content/no_referer.pcap differ
diff --git a/tests/detect-absent-negated-content/test.rules b/tests/detect-absent-negated-content/test.rules
new file mode 100644 (file)
index 0000000..aec7ce3
--- /dev/null
@@ -0,0 +1,17 @@
+# This signature should alert with _any_  pcap
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for URI"; flow:established,to_server; http.uri; bsize:1; content:"/"; sid:1;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"No match without `absent` and negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; content:!"example"; sid:5;)
+
+# Positive tests about alerts
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content to fast_pattern"; flow:established,to_server; http.referer; absent; sid:9;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or positive content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:"example"; sid:10;)
+
+# reference test with positive and negated content
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TP test for UA"; flow:established,to_server; http.user_agent; content:"foo"; content:!"bar"; sid:20;)
+
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or negated content matches on the negated content"; flow:established,to_server; http.user_agent; absent: or_else; content:!"bar"; sid:21;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only does not match"; flow:established,to_server; http.user_agent; absent; sid:22;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent or positive content matches on the positive content"; flow:established,to_server; http.user_agent; absent: or_else; content:"foo"; sid:23;)
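Review bot: The comment on the first line says sid:1 should alert with _any_ pcap, but the rule requires `http.uri; bsize:1; content:"/"`, so it only fires for a request whose URI is exactly `/`; suggest `# Reference signature: alerts on any request whose URI is exactly "/"` (which also drops the double space). sid:7 writes `absent: or_else ;` with a space before the semicolon while every other rule uses `absent: or_else;`; the same line is duplicated verbatim in tests/rules/absent/test.rules. sid:20 through sid:23 presumably rely on the pcap carrying a User-Agent that contains "foo" and not "bar" while the Referer header is missing; a one-line description of that request in the README would make the expected counts self-explanatory.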
diff --git a/tests/detect-absent-negated-content/test.yaml b/tests/detect-absent-negated-content/test.yaml
new file mode 100644 (file)
index 0000000..a2921b9
--- /dev/null
@@ -0,0 +1,62 @@
+requires:
+  min-version: 8
+
+args:
+- -k none
+
+checks:
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 5
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 6
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 7
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 8
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 9
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 20
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 21
+- filter:
+    count: 0
+    match:
+      event_type: alert
+      alert.signature_id: 22
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 23
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 10
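Review bot: The check for sid:10 is appended at the end after sid:23, while the other checks follow signature order; moving it after the sid:9 block keeps this file aligned with test.rules, where sid:10 belongs to the "Positive tests about alerts" group. Signature order matters little to the runner, but it makes a missing or duplicated check easy to spot by eye.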
diff --git a/tests/rules/absent/README.md b/tests/rules/absent/README.md
new file mode 100644 (file)
index 0000000..40150cd
--- /dev/null
@@ -0,0 +1,11 @@
+# Test Description
+
+Test `absent` keyword rule analysis
+
+## PCAP
+
+From the issue https://redmine.openinfosecfoundation.org/issues/2224
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/2224
diff --git a/tests/rules/absent/test.rules b/tests/rules/absent/test.rules
new file mode 100644 (file)
index 0000000..a095e13
--- /dev/null
@@ -0,0 +1,3 @@
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else; content:!"example"; sid:6;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent keyword or negated pcre"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent: or_else ; pcre:!"/example/"; sid:7;)
+alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"absent only keyword without any content"; flow:established,to_server; http.uri; bsize:1; content:"/"; http.referer; absent; sid:8;)
diff --git a/tests/rules/absent/test.yaml b/tests/rules/absent/test.yaml
new file mode 100644 (file)
index 0000000..69e3bd4
--- /dev/null
@@ -0,0 +1,37 @@
+requires:
+    min-version: 8
+    pcap: false
+
+args:
+    - --engine-analysis
+
+checks:
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 6
+      engines[2].name: "http_referer"
+      engines[2].matches[0].name: "absent"
+      engines[2].matches[0].absent.or_else: true
+      engines[2].matches[1].name: "content"
+      engines[2].matches[1].content.negated: true
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 7
+      engines[2].name: "http_referer"
+      engines[2].matches[0].name: "absent"
+      engines[2].matches[0].absent.or_else: true
+      engines[2].matches[1].name: "pcre"
+      engines[2].matches[1].pcre.negated: true
+- filter:
+    filename: rules.json
+    count: 1
+    match:
+      id: 8
+      engines[2].name: "http_referer"
+      engines[2].matches[0].name: "absent"
+      engines[2].matches[0].absent.or_else: false
+      engines[2].matches.__len: 1
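Review bot: The sid:8 check pins `engines[2].matches.__len: 1`, but the sid:6 and sid:7 checks only inspect `matches[0]` and `matches[1]`, so an extra match appended to the http_referer engine for those rules would go unnoticed; add `engines[2].matches.__len: 2` to both filters for the same strictness. The `engines[2].name: "http_referer"` line is a good guard on the hard-coded engine index and should stay in every filter. `requires` and `args` here are indented with four spaces whereas the three other test.yaml files in this commit use two; matching them keeps the test tree uniform.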