--- /dev/null
+Test noalert flag for hostbits
--- /dev/null
+alert ip any any -> any any (hostbits:noalert; content:"GET "; sid:1;)
+alert ip any any -> any any (msg:"isset option"; hostbits:isset,fbt; content:"GET "; sid:2;)
+alert ip any any -> any any (hostbits:set,abc; content:"GET "; sid:3;)
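Review bot: The noalert check for sid 1 can pass vacuously: `count: 0` on sid 1 is also the result if that rule never matched or never loaded, so nothing here shows that `hostbits:noalert` suppressed an alert on a rule that did match. Pair the noalert with a state change and observe it from a second rule, e.g. `alert ip any any -> any any (hostbits:noalert; hostbits:set,xyz; content:"GET "; sid:1;)` and `alert ip any any -> any any (hostbits:isset,xyz; content:"GET "; sid:4;)`, with a `count: 1` check for sid 4 in test.yaml (assuming several hostbits keywords per rule are accepted, as with flowbits, and that the setter is evaluated before the checker on the same packet). Sids 1 and 3 also lack a `msg:` while sid 2 has one; giving each rule a msg keeps the file uniform and makes eve output self-describing.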
--- /dev/null
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
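Review bot: `flags='P''A'` on the TCP line relies on implicit adjacent-literal concatenation to spell `'PA'` and reads like a typo; write `flags='PA'`. `pkts += Ether(...)/...` likewise only works because a scapy Packet is iterable, so `pkts.append(Ether(...)/...)` states the intent directly. The same script is repeated verbatim in the two input.py sections that follow; since the three tests differ only in their rules, a short header comment saying the generator is shared (or a single shared script) would keep the copies from drifting apart. The `#!/usr/bin/env python` shebang leaves the interpreter version open; if the suite only runs under Python 3, `python3` is more precise.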
--- /dev/null
+Tests the set / isset hostbits keywords
--- /dev/null
+alert ip any any -> any any (hostbits:isset,abc,src; content:"GET "; sid:1;)
+alert ip any any -> any any (hostbits:isnotset,abc,dst; content:"GET "; sid:2;)
+alert ip any any -> any any (hostbits:unset,abc,src; content:"GET "; sid:4;)
+alert ip any any -> any any (hostbits:set,myflow2; sid:10;)
+alert ip any any -> any any (hostbits:isset,myflow2; sid:11;)
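Review bot: sid 11 (`hostbits:isset,myflow2`) is expected to fire on the same single packet on which sid 10 sets the bit, so its `count: 1` depends on the setter being evaluated before the checker on that packet (presumably via signature ordering); if that is what the test intends to cover, say so, e.g. `# sids 10/11: set and isset on the same packet; relies on hostbits setters being ordered before checkers`. Sids 10 and 11 also omit the direction argument, so both sides silently rely on the same default; either make it explicit (`hostbits:set,myflow2,src` / `hostbits:isset,myflow2,src`) or comment that the default direction is under test. The toggle test's rules (sids 2-4 in the third rules file) carry the same single-packet set/toggle/isset ordering dependency. The sid sequence here jumps from 2 to 4; if no rule was dropped, a one-line comment saves a reader from hunting for a missing sid 3.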
--- /dev/null
+args:
+- -k none
+
+checks:
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 10
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 11
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)
--- /dev/null
+Tests the set / toggle / toggle / isset keywords
--- /dev/null
+alert ip any any -> any any (hostbits:toggle,abc,dst; content:"GET "; sid:1;)
+alert ip any any -> any any (hostbits:set,myflow2; sid:2;)
+alert ip any any -> any any (hostbits:toggle,myflow2; sid:3;)
+alert ip any any -> any any (hostbits:isset,myflow2; sid:4;)
--- /dev/null
+args:
+- -k none
+
+checks:
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+- filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+- filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 4
+- filter:
+ count: 1
+ match:
+ event_type: flow
+- filter:
+ count: 1
+ match:
+ event_type: stats
--- /dev/null
+#!/usr/bin/env python
+from scapy.all import *
+
+pkts = []
+
+pkts += Ether(dst='ff:ff:ff:ff:ff:ff', src='00:01:02:03:04:05')/ \
+ Dot1Q(vlan=6)/ \
+ IP(dst='1.2.3.4', src='5.6.7.8')/TCP(sport=6666, dport=80, flags='P''A')/"GET /one/ HTTP/1.1\r\nHost: one.example.org\r\n\r\n"
+
+wrpcap('input.pcap', pkts)