From: Jason Ish
Date: Thu, 10 Apr 2025 22:17:13 +0000 (-0600)
Subject: test: update tests for suricata.rule lib
X-Git-Tag: suricata-7.0.11~84
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=07a01ae5286c2c09360e63adfccf7996f5ee2bbb;p=thirdparty%2Fsuricata-verify.git
test: update tests for suricata.rule lib
Ticket: #7490
---
diff --git a/tests/lua-match-scrule/lua-scrule-action.lua b/tests/lua-match-scrule/lua-scrule-action.lua
index 57180718b..edb64f4be 100644
--- a/tests/lua-match-scrule/lua-scrule-action.lua
+++ b/tests/lua-match-scrule/lua-scrule-action.lua
@@ -1,10 +1,13 @@
+local rule = require("suricata.rule")
+
 function init(args)
     local needs = {}
     return needs
 end
 
 function match(args)
-    action = SCRuleAction()
+    local sig = rule.get_rule()
+    local action = sig:action()
 
     if action == "alert" then
         return 1
diff --git a/tests/lua-match-scrule/lua-scrule-class.lua b/tests/lua-match-scrule/lua-scrule-class.lua
index d9633283b..5e6f52063 100644
--- a/tests/lua-match-scrule/lua-scrule-class.lua
+++ b/tests/lua-match-scrule/lua-scrule-class.lua
@@ -1,14 +1,22 @@
+local rule = require("suricata.rule")
+
 function init(args)
     local needs = {}
     return needs
 end
 
 function match(args)
-    msg, prio = SCRuleClass()
+    local sig = rule.get_rule()
+
+    local class_description = sig:class_description()
+    if class_description ~= "Potentially Bad Traffic" then
+        return 0
+    end
 
-    if msg == "Potentially Bad Traffic" and prio == 2 then
-        return 1
-    else
-        return 0
+    local priority = sig:priority()
+    if priority ~= 2 then
+        return 0
     end
+
+    return 1
 end
diff --git a/tests/lua-match-scrule/lua-scrule-ids.lua b/tests/lua-match-scrule/lua-scrule-ids.lua
index 893116110..9ca0e2bfa 100644
--- a/tests/lua-match-scrule/lua-scrule-ids.lua
+++ b/tests/lua-match-scrule/lua-scrule-ids.lua
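Review bot: `init` in lua-scrule-action.lua still builds an empty `needs` table in a local and returns it, while this same commit rewrites `init` in tests/lua-scrule-ids/lua-scrule-ids.lua to return the table literal directly; the four match scripts (lua-scrule-action, -class, -ids and -msg) could follow that style with `return {}` in place of `local needs = {}` / `return needs`. In `match`, `rule.get_rule()` is now used without checking its result; whether the library raises or returns nil when no rule is bound is not visible from the hunk, so a short comment such as `-- get_rule() is expected to raise, not return nil, when no rule is in scope` would document the assumption the script relies on. The remainder of `match` (the `else` branch and closing `end`) lies outside the hunk.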
@@ -1,10 +1,15 @@
+local rule = require("suricata.rule")
+
 function init(args)
     local needs = {}
     return needs
 end
 
 function match(args)
-    sid, rev, gid = SCRuleIds()
+    local sig = rule.get_rule()
+    local sid = sig:sid()
+    local rev = sig:rev()
+    local gid = sig:gid()
 
     if sid == 1 and rev == 7 and gid == 1 then
         return 1
diff --git a/tests/lua-match-scrule/lua-scrule-msg.lua b/tests/lua-match-scrule/lua-scrule-msg.lua
index 71757e34d..9b1ad777d 100644
--- a/tests/lua-match-scrule/lua-scrule-msg.lua
+++ b/tests/lua-match-scrule/lua-scrule-msg.lua
@@ -1,10 +1,13 @@
+local rule = require("suricata.rule")
+
 function init(args)
     local needs = {}
     return needs
 end
 
 function match(args)
-    msg = SCRuleMsg()
+    local sig = rule.get_rule()
+    local msg = sig:msg()
 
     if msg == "FOO" then
         return 1
diff --git a/tests/lua-match-scrule/test.yaml b/tests/lua-match-scrule/test.yaml
index 9e536a3e8..08fd53fa9 100644
--- a/tests/lua-match-scrule/test.yaml
+++ b/tests/lua-match-scrule/test.yaml
@@ -1,7 +1,7 @@
 pcap: ../flowbit-oring/input.pcap
 
 requires:
-  min-version: 7
+  min-version: 8
   features:
     - HAVE_LUA
 
diff --git a/tests/lua-scrule-ids/lua-scrule-ids.lua b/tests/lua-scrule-ids/lua-scrule-ids.lua
index d68d48ed1..9558ec332 100644
--- a/tests/lua-scrule-ids/lua-scrule-ids.lua
+++ b/tests/lua-scrule-ids/lua-scrule-ids.lua
@@ -1,12 +1,14 @@
 -- lua_pushinteger output test for SCRuleIds and ...
 local packet = require "suricata.packet"
+local rule = require "suricata.rule"
+
 name = "lua-scrule-ids.log"
 
 function init(args)
-    local needs = {}
-    needs["type"] = "packet"
-    needs["filter"] = "alerts"
-    return needs
+    return {
+        type = "packet",
+        filter = "alerts",
+    }
 end
 
 function setup(args)
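Review bot: The header comment `-- lua_pushinteger output test for SCRuleIds and ...` in tests/lua-scrule-ids/lua-scrule-ids.lua still names SCRuleIds, which the second hunk of this file replaces with `rule.get_rule()` and the `sid()`/`rev()`/`gid()` accessors; it should be updated to something like `-- lua_pushinteger output test for suricata.rule sid/rev/gid and ...` so the comment matches the code it describes. A minor style point: this file requires the library as `require "suricata.rule"` while the four match scripts in the same commit use `require("suricata.rule")`; either form works, but one spelling across the test tree reads better. The `setup` function that starts on the hunk's last line continues outside it.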
@@ -18,7 +20,10 @@ end
 function log(args)
     p = packet.get()
     timestring = p:timestring_legacy()
-    sid, rev, gid = SCRuleIds()
+    local sig = rule.get_rule()
+    local sid = sig:sid()
+    local rev = sig:rev()
+    local gid = sig:gid()
     file:write ("[**] " .. timestring .. "\nSCRuleIds is\n[**]\nSignature id: " .. sid .. "\nrevision: " .. rev .. "\nGroup id: " .. gid .. "[**]")
     file:flush()
 
diff --git a/tests/pre8/lua-match-scrule/README.md b/tests/pre8/lua-match-scrule/README.md
new file mode 100644
index 000000000..872ec683e
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/README.md
@@ -0,0 +1 @@
+Tests Lua's SCRule functions for match scripts.
diff --git a/tests/pre8/lua-match-scrule/lua-scrule-action.lua b/tests/pre8/lua-match-scrule/lua-scrule-action.lua
new file mode 100644
index 000000000..57180718b
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/lua-scrule-action.lua
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    action = SCRuleAction()
+
+    if action == "alert" then
+        return 1
+    else
+        return 0
+    end
+end
diff --git a/tests/pre8/lua-match-scrule/lua-scrule-class.lua b/tests/pre8/lua-match-scrule/lua-scrule-class.lua
new file mode 100644
index 000000000..d9633283b
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/lua-scrule-class.lua
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    msg, prio = SCRuleClass()
+
+    if msg == "Potentially Bad Traffic" and prio == 2 then
+        return 1
+    else
+        return 0
+    end
+end
diff --git a/tests/pre8/lua-match-scrule/lua-scrule-ids.lua b/tests/pre8/lua-match-scrule/lua-scrule-ids.lua
new file mode 100644
index 000000000..893116110
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/lua-scrule-ids.lua
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    sid, rev, gid = SCRuleIds()
+
+    if sid == 1 and rev == 7 and gid == 1 then
+        return 1
+    else
+        return 0
+    end
+end
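Review bot: `p = packet.get()` and `timestring = p:timestring_legacy()` in `log` remain globals while the four new lines directly below them are declared `local`; `local p = packet.get()` and `local timestring = p:timestring_legacy()` would keep the function consistent and stop per-call state from leaking into the script's global environment. The `"\nSCRuleIds is\n[**]..."` literal in the `file:write` call also still names SCRuleIds; if the test compares the log file's contents it has to stay as is, otherwise it could be reworded to match the new API. `file` is assigned somewhere outside this hunk, and the rest of `log` is not visible here.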
diff --git a/tests/pre8/lua-match-scrule/lua-scrule-msg.lua b/tests/pre8/lua-match-scrule/lua-scrule-msg.lua
new file mode 100644
index 000000000..71757e34d
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/lua-scrule-msg.lua
@@ -0,0 +1,14 @@
+function init(args)
+    local needs = {}
+    return needs
+end
+
+function match(args)
+    msg = SCRuleMsg()
+
+    if msg == "FOO" then
+        return 1
+    else
+        return 0
+    end
+end
diff --git a/tests/pre8/lua-match-scrule/suricata.yaml b/tests/pre8/lua-match-scrule/suricata.yaml
new file mode 100644
index 000000000..34ebc573c
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/suricata.yaml
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../../etc/suricata-4.0.3.yaml
diff --git a/tests/pre8/lua-match-scrule/test.rules b/tests/pre8/lua-match-scrule/test.rules
new file mode 100644
index 000000000..ee3294c11
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/test.rules
@@ -0,0 +1,8 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:1; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:2; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:3; rev:7;)
+drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:4; rev:7;)
+alert ip any any -> any any (msg:"FOO"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:5; rev:7;)
+alert ip any any -> any any (msg:"BAR"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:6; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-class.lua; sid:7; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:not-suspicious; lua:lua-scrule-class.lua; sid:8; rev:7;)
diff --git a/tests/pre8/lua-match-scrule/test.yaml b/tests/pre8/lua-match-scrule/test.yaml
new file mode 100644
index 000000000..727f35e77
--- /dev/null
+++ b/tests/pre8/lua-match-scrule/test.yaml
@@ -0,0 +1,44 @@
+pcap: ../../flowbit-oring/input.pcap
+
+requires:
+  min-version: 7
+  lt-version: 8
+  features:
+    - HAVE_LUA
+
+args:
+  - --set security.lua.allow-rules=true
+
+checks:
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 1
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 2
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 3
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 4
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 5
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 6
+  - filter:
+      count: 1
+      match:
+        alert.signature_id: 7
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 8