From: Juliana Fajardini Date: Thu, 27 Mar 2025 14:20:07 +0000 (-0700) Subject: tests/lua: update/ add more for lua flow lua lib X-Git-Tag: suricata-7.0.11~137 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44a72d35d99eee7fe72f60ba128e2a8c8dabd4ad;p=thirdparty%2Fsuricata-verify.git tests/lua: update/ add more for lua flow lua lib For tests that used SCFlow functions but are min-version: 8. Add a few more tests to cover other funcitons. Task #7489 --- diff --git a/tests/datasets/datasets-lua-01/dataset.lua b/tests/datasets/datasets-lua-01/dataset.lua index 08489a18a..1ad3960b8 100644 --- a/tests/datasets/datasets-lua-01/dataset.lua +++ b/tests/datasets/datasets-lua-01/dataset.lua @@ -1,4 +1,5 @@ local dataset = require "suricata.dataset" +local flow = require("suricata.flow") function init (args) local needs = {} @@ -16,7 +17,8 @@ function thread_init (args) end function match (args) - ipver, srcip, dstip, proto, sp, dp = SCFlowTuple() + local f = flow.get() + ipver, srcip, dstip, proto, sp, dp = f:tuple() str = ipver .. ":<" .. srcip .. ">:<" .. dstip .. ">:" .. dp ret, err = conn_new:add(str, #str); diff --git a/tests/datasets/datasets-lua-02/dataset-dns.lua b/tests/datasets/datasets-lua-02/dataset-dns.lua index b01a4be8d..fa009e655 100644 --- a/tests/datasets/datasets-lua-02/dataset-dns.lua +++ b/tests/datasets/datasets-lua-02/dataset-dns.lua @@ -1,3 +1,4 @@ +local flow = require("suricata.flow") local dataset = require("suricata.dataset") local dns = require("suricata.dns") @@ -17,7 +18,8 @@ function thread_init (args) end function match (args) - ipver, srcip, dstip, proto, sp, dp = SCFlowTuple() + local f = flow.get() + ipver, srcip, dstip, proto, sp, dp = f:tuple() local tx = dns.get_tx() query = tx:rrname() if query == nil then diff --git a/tests/lua-flowfunctions/README.md b/tests/lua-flowfunctions/README.md new file mode 100644 index 000000000..90f4a1cd1 --- /dev/null +++ b/tests/lua-flowfunctions/README.md 
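Review bot: The replacement line `ipver, srcip, dstip, proto, sp, dp = f:tuple()` in match() of dataset-dns.lua (and the identical line in the dataset.lua hunk above) still assigns six undeclared globals even though the new `f` on the line before is declared local; a bare assignment in Lua creates a global, so these values leak out of match() into the script state. Writing `local ipver, srcip, dstip, proto, sp, dp = f:tuple()` keeps the new code consistent with the `local f = flow.get()` it was added next to. The rest of match(), where `query` and `str` are used, continues outside the hunk, so confirm nothing later relies on the globals before narrowing them.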
@@ -0,0 +1 @@ +Test Lua flow lib functions diff --git a/tests/lua-flowfunctions/dataset-lua.rules b/tests/lua-flowfunctions/dataset-lua.rules new file mode 100644 index 000000000..db7eb2932 --- /dev/null +++ b/tests/lua-flowfunctions/dataset-lua.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"HTTP GET"; http.method; content:"GET"; sid:1;) diff --git a/tests/lua-flowfunctions/expected/flow_http_lua.log b/tests/lua-flowfunctions/expected/flow_http_lua.log new file mode 100644 index 000000000..ea2a2e5e5 --- /dev/null +++ b/tests/lua-flowfunctions/expected/flow_http_lua.log @@ -0,0 +1,2 @@ +[**] Start time 2015-10-06T15:16:43.136335+0000 [**] -> alproto http [**] 6 [**] alerted: true +[**] First packet: 1444144603.0 [**] Last packet: 136335.0 diff --git a/tests/lua-flowfunctions/lua-flowfunctions.lua b/tests/lua-flowfunctions/lua-flowfunctions.lua new file mode 100644 index 000000000..e82010be9 --- /dev/null +++ b/tests/lua-flowfunctions/lua-flowfunctions.lua 
@@ -0,0 +1,39 @@ +-- simple output test for some lua flow lib functions +name = "flow_http_lua.log" + +local flow = require("suricata.flow") + +function init (args) + local needs = {} + needs["type"] = "flow" + needs["protocol"] = "http" + return needs +end + +function setup (args) + filename = SCLogPath() .. "/" .. name + file = assert(io.open(filename, "a")) + SCLogInfo("Log Filename " .. filename) + http = 0 +end + +function log(args) + local f = flow.get() + ts = f:timestring_iso8601() + has_alerts = f:has_alerts() + ipver, srcip, dstip, proto, sp, dp = f:tuple() + alproto, alproto_ts, alproto_tc, alproto_orig, alproto_expect = f:app_layer_proto() + start_sec, start_usec, last_sec, last_usec = f:timestamps() + id = f:id() + id_str = string.format("%.0f", id) + + if has_alerts then + file:write ("[**] Start time " .. ts .. " [**] -> alproto " .. alproto .. " [**] " .. proto .. " [**] alerted: true\n[**] First packet: " .. start_sec .." [**] Last packet: " .. last_sec .. "\n") + file:flush() + end +end + +function deinit (args) + SCLogInfo ("HTTP logged: " .. http); + file:close(file) +end diff --git a/tests/lua-flowfunctions/suricata.yaml b/tests/lua-flowfunctions/suricata.yaml new file mode 100644 index 000000000..46e869734 --- /dev/null +++ b/tests/lua-flowfunctions/suricata.yaml @@ -0,0 +1,19 @@ +%YAML 1.1 +--- + +include: ../lua-output-http/default.yaml + +outputs: + - lua: + enabled: yes + scripts-dir: . + scripts: + - lua-flowfunctions.lua + - eve-log: + enabled: yes + filetype: regular #regular|syslog|unix_dgram|unix_stream|redis + filename: eve.json + types: + - alert + - http + - flow diff --git a/tests/lua-flowfunctions/test.yaml b/tests/lua-flowfunctions/test.yaml new file mode 100644 index 000000000..e1b071bdc --- /dev/null +++ b/tests/lua-flowfunctions/test.yaml 
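Review bot: The value written as `Last packet:` looks wrong: the expected log committed with this script pins `Last packet: 136335.0`, which is exactly the microsecond fraction of the start time printed on the line before it (15:16:43.136335) rather than a seconds timestamp, so either `f:timestamps()` does not return values in the `start_sec, start_usec, last_sec, last_usec` order the assignment assumes, or the label is mislabelled. That should be checked against the flow lib before the value is frozen into expected/flow_http_lua.log, since the file-compare will otherwise pass on a wrong field. Separately, `start_sec` and `last_sec` are concatenated as raw numbers, so the `.0` suffix in the expected output depends on the lib pushing floats; formatting them the way `id_str` is, e.g. `string.format("%.0f", start_sec)`, makes the fixture robust to that. `id_str` is computed but never used, and the `http` counter reported in deinit() is never incremented, so it always logs `HTTP logged: 0`.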
@@ -0,0 +1,15 @@ +pcap: ../lua-output-http/input.pcap + +requires: + features: + - HAVE_LUA + min-version: 8 + +checks: + - file-compare: + filename: flow_http_lua.log + expected: expected/flow_http_lua.log + - filter: + count: 1 + match: + event_type: alert diff --git a/tests/lua-flowstats/README.md b/tests/lua-flowstats/README.md new file mode 100644 index 000000000..167facf58 --- /dev/null +++ b/tests/lua-flowstats/README.md @@ -0,0 +1 @@ +Tests lua flow suricata lib flow stats output. diff --git a/tests/lua-flowstats/expected/lua-scflowstats.log b/tests/lua-flowstats/expected/lua-scflowstats.log new file mode 100644 index 000000000..447c6363c --- /dev/null +++ b/tests/lua-flowstats/expected/lua-scflowstats.log @@ -0,0 +1,7 @@ +[**] 10/06/2015-15:16:43.136335 +SCFlowStats is +Packet count to server: 6 +Byte count to server: 504 +Packet count to client: 4 +Byte count to client: 635 +[**] \ No newline at end of file diff --git a/tests/lua-flowstats/lua-scflowstats.lua b/tests/lua-flowstats/lua-scflowstats.lua new file mode 100644 index 000000000..b195840ab --- /dev/null +++ b/tests/lua-flowstats/lua-scflowstats.lua @@ -0,0 +1,29 @@ +-- fast.log style output test for suricata.flow lua lib +name = "lua-scflowstats.log" + +local flow = require("suricata.flow") + +function init(args) + local needs = {} + needs["type"] = "flow" + return needs +end + +function setup(args) + filename = SCLogPath() .. "/" .. name + file = assert(io.open(filename, "a")) + SCLogInfo("lua SCFlowStats Log Filename " .. filename) +end + +function log(args) + local f = flow.get() + timestring = f:timestring_legacy() + tscnt, tsbytes, tccnt, tcbytes = f:stats() + + file:write ("[**] " .. timestring .. "\nSCFlowStats is\nPacket count to server: " .. tscnt .. "\nByte count to server: " .. tsbytes .. "\nPacket count to client: " .. tccnt .. "\nByte count to client: " .. tcbytes .. "\n[**]") + file:flush() +end + +function deinit(args) + file:close(file) +end 
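Review bot: The record written in log() of lua-scflowstats.lua ends with `"\n[**]"` and no trailing newline, so with more than one flow in the pcap successive records run together as `[**][**] 10/06/...`; the `\ No newline at end of file` marker on expected/lua-scflowstats.log shows the test currently relies on the input containing a single flow. Ending the write with `"\n[**]\n"` (and regenerating the expected file) gives one terminated record per flow. Minor: `file:close(file)` in deinit() passes the handle twice; `file:close()` is sufficient, and `file`, `filename`, `timestring` and the four stats are all bare globals where `local` would be the idiomatic form.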
diff --git a/tests/lua-flowstats/suricata.yaml b/tests/lua-flowstats/suricata.yaml new file mode 100644 index 000000000..cf4111a94 --- /dev/null +++ b/tests/lua-flowstats/suricata.yaml @@ -0,0 +1,11 @@ +%YAML 1.1 +--- + +include: ../lua-output-http/default.yaml + +outputs: + - lua: + enabled: yes + scripts-dir: . + scripts: + - lua-scflowstats.lua diff --git a/tests/lua-flowstats/test.yaml b/tests/lua-flowstats/test.yaml new file mode 100644 index 000000000..e585b64e3 --- /dev/null +++ b/tests/lua-flowstats/test.yaml @@ -0,0 +1,12 @@ +pcap: ../lua-output-http/input.pcap + +requires: + features: + - HAVE_LUA + min-version: 8 + +checks: + - file-compare: + # A check that compares two files + filename: lua-scflowstats.log + expected: expected/lua-scflowstats.log diff --git a/tests/lua-flowtuple/README.md b/tests/lua-flowtuple/README.md new file mode 100644 index 000000000..874e325ab --- /dev/null +++ b/tests/lua-flowtuple/README.md @@ -0,0 +1 @@ +Tests Lua's SCFlowTuple output. diff --git a/tests/lua-flowtuple/expected/scflow-tuple.log b/tests/lua-flowtuple/expected/scflow-tuple.log new file mode 100644 index 000000000..761d67212 --- /dev/null +++ b/tests/lua-flowtuple/expected/scflow-tuple.log @@ -0,0 +1,4 @@ +{2018-08-12T17:30:41.693796+0000 [**] +SCFlowTuple is +IP Version: 4 +Src: 10.9.0.2:58038 -> Dst: 139.162.123.134:80 [**] Protocol: http2(6) alproto_orig: http alproto_expect: http2} diff --git a/tests/lua-flowtuple/scflowtuple.lua b/tests/lua-flowtuple/scflowtuple.lua new file mode 100644 index 000000000..e2288a7f0 --- /dev/null +++ b/tests/lua-flowtuple/scflowtuple.lua 
@@ -0,0 +1,31 @@ +-- simple SCFlowTuple log test +local flow = require("suricata.flow") + +name = "scflow-tuple.log" + +function init(args) + local needs = {} + needs["type"] = "flow" + return needs +end + + +function setup(args) + filename = SCLogPath() .. "/" .. name + file = assert(io.open(filename, "a")) + SCLogNotice("lua SCFlowTuple Log Filename " .. filename) +end + +function log(args) + f = flow.get() + startts = f:timestring_iso8601() + ipver, srcip, dstip, proto, sp, dp = f:tuple() + alproto, alproto_ts, alproto_tc, alproto_orig, alproto_expect = f:app_layer_proto() + + file:write ("{" .. startts .. " [**]\nSCFlowTuple is\nIP Version: " .. ipver .. "\nSrc: " .. srcip .. ":" .. sp .. " -> Dst: " .. dstip .. ":" .. dp .. " [**] Protocol: " .. alproto .. "(" .. proto .. ")" .. " alproto_orig: " .. alproto_orig .. " alproto_expect: " .. alproto_expect .. "}\n") + file:flush() +end + +function deinit(args) + file:close(file) +end diff --git a/tests/lua-flowtuple/suricata.yaml b/tests/lua-flowtuple/suricata.yaml new file mode 100644 index 000000000..eca1407ec --- /dev/null +++ b/tests/lua-flowtuple/suricata.yaml @@ -0,0 +1,12 @@ +%YAML 1.1 +--- + +include: ../lua-output-http/default.yaml + +outputs: + - lua: + enabled: yes + scripts-dir: . + scripts: + - scflowtuple.lua + diff --git a/tests/lua-flowtuple/test.yaml b/tests/lua-flowtuple/test.yaml new file mode 100644 index 000000000..bf659749f --- /dev/null +++ b/tests/lua-flowtuple/test.yaml @@ -0,0 +1,15 @@ +pcap: ../http2-keywords2/input.pcap + +args: +- -k none --set stream.midstream=true + +requires: + features: + - HAVE_LUA + min-version: 8 + +checks: + - file-compare: + # A check that compares two files + filename: scflow-tuple.log + expected: expected/scflow-tuple.log diff --git a/tests/lua-output-dns/test.lua b/tests/lua-output-dns/test.lua index 8645d1947..db06e79ce 100644 --- a/tests/lua-output-dns/test.lua +++ b/tests/lua-output-dns/test.lua 
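Review bot: The header comment `-- simple SCFlowTuple log test` and the message in `SCLogNotice("lua SCFlowTuple Log Filename " .. filename)` still name the legacy SCFlowTuple API, although the script only calls `flow.get()` / `f:tuple()`; since the point of this test is the suricata.flow lib, the comment should read `-- simple suricata.flow tuple log test` and the notice can say `"lua flow tuple Log Filename "`. In log(), `f = flow.get()` is a global, whereas lua-flowfunctions.lua in this same commit writes `local f = flow.get()`; the local form is the one to copy. The README for this directory ("Tests Lua's SCFlowTuple output.") carries the same stale name.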
@@ -1,3 +1,4 @@ +local flow = require("suricata.flow") local packet = require "suricata.packet" local dns = require "suricata.dns" @@ -17,7 +18,8 @@ end function log(args) p = packet.get() ts = p:timestring_legacy() - ip_ver, src_ip, dst_ip, proto, sp, dp = SCFlowTuple() + f = flow.get() + ip_ver, src_ip, dst_ip, proto, sp, dp = f:tuple() local tx = dns.get_tx() tx_id = tx:txid() diff --git a/tests/lua-output-http-02/http.lua b/tests/lua-output-http-02/http.lua index 4bb64640e..a55f9b25e 100644 --- a/tests/lua-output-http-02/http.lua +++ b/tests/lua-output-http-02/http.lua @@ -1,4 +1,5 @@ -- simple fast-log to file lua module +local flow = require("suricata.flow") local packet = require "suricata.packet" name = "http_lua.log" @@ -37,7 +38,8 @@ function log(args) p = packet.get() ts = p:timestring_iso8601() - ipver, srcip, dstip, proto, sp, dp = SCFlowTuple() + f = flow.get() + ipver, srcip, dstip, proto, sp, dp = f:tuple() file:write (ts .. " " .. http_host .. " [**] " .. http_uri .. " [**] " .. http_ua .. " [**] " .. srcip .. ":" .. math.floor(sp) .. " -> " .. diff --git a/tests/lua-output-http/http.lua b/tests/lua-output-http/http.lua index fbe9a6736..0f5c0fecc 100644 --- a/tests/lua-output-http/http.lua +++ b/tests/lua-output-http/http.lua @@ -1,5 +1,6 @@ -- simple fast-log to file lua module local packet = require "suricata.packet" +local flow = require("suricata.flow") name = "http_lua.log" @@ -37,7 +38,8 @@ function log(args) p = packet.get() ts = p:timestring_legacy() - ipver, srcip, dstip, proto, sp, dp = SCFlowTuple() + f = flow.get() + ipver, srcip, dstip, proto, sp, dp = f:tuple() file:write (ts .. " " .. http_host .. " [**] " .. http_uri .. " [**] " .. http_ua .. " [**] " .. srcip .. ":" .. math.floor(sp) .. " -> " .. 
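Review bot: `f = flow.get()` in log() of lua-output-http/http.lua (and the same line in the http-02 and lua-output-dns hunks above) creates a global, while the dataset scripts changed in this commit declare it `local f`; `local f = flow.get()` keeps the handle scoped to the call. The `math.floor(sp)` kept on the following line appears to be a holdover from SCFlowTuple returning floats — expected/scflow-tuple.log, added by this same commit, renders the port from `f:tuple()` as `58038` with no fractional part — so it is probably redundant now, though harmless if left. The log() function continues outside the hunk.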
diff --git a/tests/lua-output-streaming/expected/6-172.16.1.68-162.209.114.75-58384-80 b/tests/lua-output-streaming/expected/6-172.16.1.68-162.209.114.75-58384-80 new file mode 100644 index 000000000..a4813b162 Binary files /dev/null and b/tests/lua-output-streaming/expected/6-172.16.1.68-162.209.114.75-58384-80 differ diff --git a/tests/lua-output-streaming/expected/http-6-172.16.1.68-162.209.114.75-58384-80 b/tests/lua-output-streaming/expected/http-6-172.16.1.68-162.209.114.75-58384-80 new file mode 100644 index 000000000..ac759d24e Binary files /dev/null and b/tests/lua-output-streaming/expected/http-6-172.16.1.68-162.209.114.75-58384-80 differ diff --git a/tests/lua-output-streaming/streaming-http.lua b/tests/lua-output-streaming/streaming-http.lua new file mode 100644 index 000000000..2b9fba807 --- /dev/null +++ b/tests/lua-output-streaming/streaming-http.lua @@ -0,0 +1,34 @@ +local flow = require "suricata.flow" + +function init (args) + local needs = {} + needs["type"] = "streaming" + needs["protocol"] = "http" + return needs +end + +function setup (args) + filepath = SCLogPath() +end + +function log(args) + f = flow.get() + ts = f:timestring_legacy() + ipver, srcip, dstip, proto, sp, dp = f:tuple() + data, data_open, data_close = SCStreamingBuffer() + SCLogNotice("called with data_open " .. tostring(data_open) .. " data_close " .. tostring(data_close)); + filename = filepath .. "/http-" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp + + file_mode = "a" + if (data_open == true) then + file_mode = "w" + end + + file = assert(io.open(filename, file_mode)) + file:write (data) + file:flush() + file.close(file) +end + +function deinit (args) +end diff --git a/tests/lua-output-streaming/streaming-tcp.lua b/tests/lua-output-streaming/streaming-tcp.lua new file mode 100644 index 000000000..f54c7e368 --- /dev/null +++ b/tests/lua-output-streaming/streaming-tcp.lua 
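Review bot: The output filename in log() of streaming-http.lua is built only from the flow tuple, so both directions of the HTTP stream land in the same `http-<proto>-<src>-<dst>-<sp>-<dp>` file, and because `file_mode` becomes `"w"` whenever `data_open` is true, the first chunk of the second direction truncates whatever the first direction already wrote. If SCStreamingBuffer still returns the direction flags after the close flag, as the older lua-output documentation describes, capturing them and keying the filename on direction fixes this: `data, data_open, data_close, data_ts, data_tc = SCStreamingBuffer()` followed by `filename = filename .. (data_ts and "-ts" or "-tc")`, with the expected files regenerated. `f`, `filename`, `file_mode` and `file` are also bare globals here; `local` would keep them within the callback.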
@@ -0,0 +1,34 @@ +local flow = require("suricata.flow") + +function init (args) + local needs = {} + needs["type"] = "streaming" + needs["filter"] = "tcp" + return needs +end + +function setup (args) + filepath = SCLogPath() + alerts = 0 +end + +function log(args) + f = flow.get() + ts = f:timestring_legacy() + ipver, srcip, dstip, proto, sp, dp = f:tuple() + data, data_open, data_close = SCStreamingBuffer() + filename = filepath .. "/" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp + + file_mode = "a" + if (data_open == true) then + file_mode = "w" + end + + file = assert(io.open(filename, file_mode)) + file:write (data) + file:flush() + file.close(file) +end + +function deinit (args) +end diff --git a/tests/lua-output-streaming/suricata.yaml b/tests/lua-output-streaming/suricata.yaml new file mode 100644 index 000000000..73365db0b --- /dev/null +++ b/tests/lua-output-streaming/suricata.yaml @@ -0,0 +1,35 @@ +%YAML 1.1 +--- + +outputs: + - lua: + enabled: yes + scripts-dir: . + scripts: + - streaming-tcp.lua + - streaming-http.lua + +app-layer: + protocols: + http: + enabled: yes + libhtp: + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 200kb + response-body-limit: 200kb + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 40kb + response-body-inspect-window: 16kb + + # response body decompression (0 disables) + response-body-decompress-layer-limit: 2 + + # auto will use http-body-inline mode in IPS mode, yes or no set it statically + http-body-inline: auto diff --git a/tests/lua-output-streaming/test.yaml b/tests/lua-output-streaming/test.yaml new file mode 100644 index 000000000..9008f2ff1 --- /dev/null +++ b/tests/lua-output-streaming/test.yaml 
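Review bot: `ts = f:timestring_legacy()` in log() and `alerts = 0` in setup() of streaming-tcp.lua are assigned but never read, so they are dead stores — drop them or use `ts` in the output. The same single-file-per-tuple layout as streaming-http.lua applies here: with `file_mode = "w"` on every `data_open`, one direction's first chunk can overwrite the other's, so the binary fixture expected/6-172.16.1.68-162.209.114.75-58384-80 captures that interleaving rather than a complete stream, which is worth stating in the README if it is intentional. As in the other scripts, `f`, `filename`, `file_mode` and `file` are undeclared globals; `local` would be the idiomatic form.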
@@ -0,0 +1,14 @@ +requires: + features: + - HAVE_LUA + min-version: 8 + +pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap + +checks: + - file-compare: + filename: 6-172.16.1.68-162.209.114.75-58384-80 + expected: expected/6-172.16.1.68-162.209.114.75-58384-80 + - file-compare: + filename: http-6-172.16.1.68-162.209.114.75-58384-80 + expected: expected/http-6-172.16.1.68-162.209.114.75-58384-80