From: Philippe Antoine
Date: Thu, 21 Oct 2021 11:43:01 +0000 (+0200)
Subject: lua: adds test about ScFlowVarGet
X-Git-Tag: suricata-6.0.4~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3e8b4599ffbcf96886c4c4971596f3c91b22390a;p=thirdparty%2Fsuricata-verify.git

lua: adds test about ScFlowVarGet

cf redmine 2094
---
diff --git a/tests/lua-scflowvarget/README.md b/tests/lua-scflowvarget/README.md
new file mode 100644
index 000000000..6c252afbb
--- /dev/null
+++ b/tests/lua-scflowvarget/README.md
@@ -0,0 +1,17 @@
+To test that SCFlowvarGet (lua) doesn't always return nil.
+
+The original issue emerged due to a lua detection script that used a single rule to set up
+a flow variable and match on it.
+
+The problem is that during detection, the steps happen in this order:
+- pattern matching
+- lua script execution
+- setting flow variables as part of post match
+
+So, a workaround is to have 2 rules:
+- one that does the pattern matching and setting the flow var
+- another second one that does the Lua script
+
+This test works based on that.
+
+Pcap provided by Chris Knott at https://redmine.openinfosecfoundation.org/issues/2094
diff --git a/tests/lua-scflowvarget/input.pcap b/tests/lua-scflowvarget/input.pcap
new file mode 100644
index 000000000..b763c97a4
Binary files /dev/null and b/tests/lua-scflowvarget/input.pcap differ
diff --git a/tests/lua-scflowvarget/suricata.yaml b/tests/lua-scflowvarget/suricata.yaml
new file mode 100644
index 000000000..51b7cb333
--- /dev/null
+++ b/tests/lua-scflowvarget/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+
diff --git a/tests/lua-scflowvarget/test.lua b/tests/lua-scflowvarget/test.lua
new file mode 100644
index 000000000..38e49acdb
--- /dev/null
+++ b/tests/lua-scflowvarget/test.lua
@@ -0,0 +1,18 @@
+function init (args)
+ local needs = {}
+ needs["http.request_headers"] = tostring(true)
+ needs["flowvar"] = {"TestVar"}
+ return needs
+end
+
+function match(args)
+ print "Before loading Variable"
+ testVar = ScFlowvarGet(0);
+ if testVar then
+ print "testVar is set"
+ else
+ print "testVar is not set"
+ return 0
+ end
+ return 1
+end
diff --git a/tests/lua-scflowvarget/test.rules b/tests/lua-scflowvarget/test.rules
new file mode 100644
index 000000000..cbbcc6418
--- /dev/null
+++ b/tests/lua-scflowvarget/test.rules
@@ -0,0 +1,2 @@
+alert http any any -> any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;)
+alert http any any -> any any (msg: "Test2"; flow: to_server; lua:test.lua; flowbits: isset, flowtestvar; sid:6677001; rev:1;)
diff --git a/tests/lua-scflowvarget/test.yaml b/tests/lua-scflowvarget/test.yaml
new file mode 100644
index 000000000..9332b9f66
--- /dev/null
+++ b/tests/lua-scflowvarget/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 7.0.0
+ features:
+ - HAVE_LUA
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ metadata.flowvars[0].TestVar: "/zib100/zib100.json?origin=orf.at HTTP/1.1"
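Review bot: `testVar = ScFlowvarGet(0);` in match() assigns an accidental global instead of a local, and the trailing semicolon is unidiomatic; `local testVar = ScFlowvarGet(0)` keeps the value scoped to the call. If the engine reuses the script state between invocations, a leaked global could carry a value from an earlier packet into a later evaluation and mask the very nil-return regression this fixture exists to catch — worth confirming against how the Lua state is instantiated. The `print` calls emit a line to stdout on every evaluated packet; acceptable for a fixture, but a header comment such as `-- Returns 1 only when the flowvar declared in init() (presumably index 0 = "TestVar") is readable via ScFlowvarGet` states the intent better than the prints do.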
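Review bot: The check's filter matches any alert carrying the flowvar rather than specifically the alert raised by the Lua rule; adding `alert.signature_id: 6677001` under `match:` pins the count to sid 6677001 from test.rules, so a later rule edit cannot satisfy `count: 1` by accident. `min-version: 7.0.0` also looks at odds with the `X-Git-Tag: suricata-6.0.4~9` in the commit record — if this test is meant to cover the 6.0.x branch as well, the requirement would skip it there; worth confirming which branch carries the fix.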