From: Benjamin Wilkins
Date: Tue, 2 Nov 2021 19:24:21 +0000 (-0400)
Subject: lua: Test SCRule* functions for match scripts
X-Git-Tag: suricata-5.0.10~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f18df0dd18723f8fcc37fbf74d438ef3c6ffb4a;p=thirdparty%2Fsuricata-verify.git
lua: Test SCRule* functions for match scripts
---
diff --git a/tests/lua-match-scrule/README.md b/tests/lua-match-scrule/README.md
new file mode 100644
index 000000000..872ec683e
--- /dev/null
+++ b/tests/lua-match-scrule/README.md
@@ -0,0 +1 @@
+Tests Lua's SCRule functions for match scripts.
diff --git a/tests/lua-match-scrule/input.pcap b/tests/lua-match-scrule/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/lua-match-scrule/input.pcap differ
diff --git a/tests/lua-match-scrule/lua-scrule-action.lua b/tests/lua-match-scrule/lua-scrule-action.lua
new file mode 100644
index 000000000..57180718b
--- /dev/null
+++ b/tests/lua-match-scrule/lua-scrule-action.lua
@@ -0,0 +1,14 @@
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ action = SCRuleAction()
+
+ if action == "alert" then
+ return 1
+ else
+ return 0
+ end
+end
diff --git a/tests/lua-match-scrule/lua-scrule-class.lua b/tests/lua-match-scrule/lua-scrule-class.lua
new file mode 100644
index 000000000..d9633283b
--- /dev/null
+++ b/tests/lua-match-scrule/lua-scrule-class.lua
@@ -0,0 +1,14 @@
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ msg, prio = SCRuleClass()
+
+ if msg == "Potentially Bad Traffic" and prio == 2 then
+ return 1
+ else
+ return 0
+ end
+end
diff --git a/tests/lua-match-scrule/lua-scrule-ids.lua b/tests/lua-match-scrule/lua-scrule-ids.lua
new file mode 100644
index 000000000..893116110
--- /dev/null
+++ b/tests/lua-match-scrule/lua-scrule-ids.lua
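Review bot: The `drop` rule (sid 4) is only ever asserted to produce no alert, so the value SCRuleAction() returns for a drop signature is never checked positively — a nil, an error, or any string other than "alert" passes that check identically. A second script that returns 1 only when `action == "drop"`, attached to the drop rule with `count: 1` in test.yaml, would pin the value this commit presumably intends to cover. Separately, `action = SCRuleAction()` in match() assigns a global in the script's Lua state; `local action = SCRuleAction()` keeps it function-scoped.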
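Review bot: `msg, prio = SCRuleClass()` assigns two globals in the script state; `local msg, prio = SCRuleClass()` is the idiom and costs nothing here. The expected "Potentially Bad Traffic" / 2 pair is not defined anywhere in this diff — presumably it comes from the classification.config that the included fixture yaml resolves — so a comment above the comparison naming that source, e.g. `-- bad-unknown as described in classification.config: "Potentially Bad Traffic", priority 2`, would make the hidden coupling visible to whoever next edits that file. Worth confirming that SCRuleClass() returns the priority as a number rather than a string, since `prio == 2` would silently fail otherwise.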
@@ -0,0 +1,14 @@
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ sid, rev, gid = SCRuleIds()
+
+ if sid == 1 and rev == 7 and gid == 1 then
+ return 1
+ else
+ return 0
+ end
+end
diff --git a/tests/lua-match-scrule/lua-scrule-msg.lua b/tests/lua-match-scrule/lua-scrule-msg.lua
new file mode 100644
index 000000000..71757e34d
--- /dev/null
+++ b/tests/lua-match-scrule/lua-scrule-msg.lua
@@ -0,0 +1,14 @@
+function init(args)
+ local needs = {}
+ return needs
+end
+
+function match(args)
+ msg = SCRuleMsg()
+
+ if msg == "FOO" then
+ return 1
+ else
+ return 0
+ end
+end
diff --git a/tests/lua-match-scrule/suricata.yaml b/tests/lua-match-scrule/suricata.yaml
new file mode 100644
index 000000000..e27e9967f
--- /dev/null
+++ b/tests/lua-match-scrule/suricata.yaml
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
\ No newline at end of file
diff --git a/tests/lua-match-scrule/test.rules b/tests/lua-match-scrule/test.rules
new file mode 100644
index 000000000..ee3294c11
--- /dev/null
+++ b/tests/lua-match-scrule/test.rules
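Review bot: `sid, rev, gid = SCRuleIds()` creates three globals in the script state; `local sid, rev, gid = SCRuleIds()` is the idiom. The negative control (sid 2 in test.rules) differs from sid 1 only in the sid, so the `rev == 7 and gid == 1` terms are exercised solely through the positive case — that is sufficient, but a header comment stating it, e.g. `-- Returns 1 only for sid:1 rev:7 gid:1; sid 2 (same rev/gid) must not match`, would stop someone from later "simplifying" the comparison to `sid == 1` without noticing the loss of coverage.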
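Review bot: `msg = SCRuleMsg()` assigns a global; `local msg = SCRuleMsg()` keeps it inside match(). The script is otherwise indistinguishable from the other three fixtures apart from the comparison, so a one-line header such as `-- Match only for the rule whose msg is "FOO" (sid 5); "BAR" (sid 6) must not alert` is the cheapest way to tell a reader which rules it is bound to without opening test.rules.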
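Review bot: The fixture yaml is written without a terminating newline (`\ No newline at end of file`); add one so the file is POSIX-clean and future diffs against it do not carry the marker. Nothing else in the four lines needs changing.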
@@ -0,0 +1,8 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:1; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-ids.lua; sid:2; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:3; rev:7;)
+drop ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-action.lua; sid:4; rev:7;)
+alert ip any any -> any any (msg:"FOO"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:5; rev:7;)
+alert ip any any -> any any (msg:"BAR"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-msg.lua; sid:6; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; lua:lua-scrule-class.lua; sid:7; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:not-suspicious; lua:lua-scrule-class.lua; sid:8; rev:7;)
diff --git a/tests/lua-match-scrule/test.yaml b/tests/lua-match-scrule/test.yaml
new file mode 100644
index 000000000..c1d12a16e
--- /dev/null
+++ b/tests/lua-match-scrule/test.yaml
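Review bot: The rule pairs (1/2, 3/4, 5/6, 7/8) are each a positive case and a negative control that differ in exactly one keyword, but nothing in the file says so, and the `drop` on sid 4 in particular looks like a copy-paste slip to anyone who has not read the Lua script. A `#` comment above each pair, e.g. `# sid 4: drop action — lua-scrule-action.lua must return 0 for it`, records the intent and stops a future cleanup from turning it back into `alert`. Since this runs against a pcap rather than inline, the test presumably relies on SCRuleAction() reporting the configured action rather than the runtime verdict; if that is the assumption, it is worth stating in the same comment.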
@@ -0,0 +1,38 @@
+requires:
+ min-version: 7
+ features:
+ - HAVE_LUA
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 4
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 5
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 6
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 7
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 8
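Review bot: The eight per-sid filters pin each expected rule individually but nothing bounds the total, so an unexpected extra alert (a sid firing on more packets than intended, or a stray rule) would go unnoticed. If the pcap contains a single matching packet — which these counts suggest but the diff cannot confirm — a closing check `- filter:` / `count: 4` / `match:` / `event_type: alert` would catch that class of regression at no cost. The `count: 0` checks are only meaningful because each has a `count: 1` sibling using the same script, so keep the pairs together if the list is ever reordered.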