From: Haleema Khan
Date: Mon, 24 Oct 2022 15:05:32 +0000 (+0500)
Subject: detect-bytemath: add tests
X-Git-Tag: suricata-6.0.10~40
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=482fee97be895b19eeb4aead358c06fa4ed58728;p=thirdparty%2Fsuricata-verify.git
detect-bytemath: add tests
Ticket: #5589
---
diff --git a/tests/detect-bytemath-add-04/README.md b/tests/detect-bytemath-add-04/README.md
new file mode 100644
index 000000000..9909a517b
--- /dev/null
+++ b/tests/detect-bytemath-add-04/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test byte_math payload keyword.
+
+PCAP
+====
+PCAP comes from the suricata verify test[detect-bytemath-01]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5589
\ No newline at end of file
diff --git a/tests/detect-bytemath-add-04/input.pcap b/tests/detect-bytemath-add-04/input.pcap
new file mode 100644
index 000000000..4a18a072c
Binary files /dev/null and b/tests/detect-bytemath-add-04/input.pcap differ
diff --git a/tests/detect-bytemath-add-04/test.rules b/tests/detect-bytemath-add-04/test.rules
new file mode 100644
index 000000000..37648a378
--- /dev/null
+++ b/tests/detect-bytemath-add-04/test.rules
@@ -0,0 +1,9 @@
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;byte_test: 2, <, var, 2;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:1;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;byte_test: 2, !=, var, 2;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:2;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper +, rvalue extracted_val, result var;byte_test: 2, >, var, 11;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:3;)
\ No newline at end of file
diff --git a/tests/detect-bytemath-add-04/test.yaml b/tests/detect-bytemath-add-04/test.yaml
new file mode 100644
index 000000000..d6b300c6e
--- /dev/null
+++ b/tests/detect-bytemath-add-04/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ files:
+ - src/detect-bytemath.c
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
\ No newline at end of file
diff --git a/tests/detect-bytemath-sub-03/README.md b/tests/detect-bytemath-sub-03/README.md
new file mode 100644
index 000000000..9909a517b
--- /dev/null
+++ b/tests/detect-bytemath-sub-03/README.md
@@ -0,0 +1,11 @@
+Description
+===========
+Test byte_math payload keyword.
+
+PCAP
+====
+PCAP comes from the suricata verify test[detect-bytemath-01]
+
+Redmine ticket
+==============
+https://redmine.openinfosecfoundation.org/issues/5589
\ No newline at end of file
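Review bot: All three signatures in the add-04 test.rules hunk carry the identical msg "Byte extract and byte math with byte test verification", so when one of them fails to fire the eve.json output gives the reviewer nothing but the signature_id to tell the `<`, `!=` and `>` cases apart. Since the rules differ only in the byte_test comparison and its constant (2, 2 and 11), put that in the message, e.g. `msg:"byte_math add - byte_test < 2";` for sid:1, `msg:"byte_math add - byte_test != 2";` for sid:2 and `msg:"byte_math add - byte_test > 11";` for sid:3. The comparison constants are also unexplained anywhere in the commit; a `#` comment line at the top of the file stating which ipv4.hdr bytes the pcap carries and what `var` is expected to hold would make the expected arithmetic checkable without opening the pcap. Separately, `byte_extract ... relative` is used directly after the `ipv4.hdr` sticky buffer with no preceding content match, so whether `relative` is meaningful there or just tolerated is unclear from the hunk—if the intent is "from buffer start", dropping it would state that explicitly.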
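Review bot: The add-04 test.yaml checks assert exactly one alert per signature_id but nothing bounds the total number of alerts, so a regression in byte_math that makes a rule fire on additional packets, or a duplicate alert for the same packet under a different sid, would still pass as long as each listed sid appears once. Adding one more filter pinning the overall count, `- filter:` / `count: 3` / `match:` / `event_type: alert`, closes that gap at no cost. The checks are otherwise appropriate for a positive-match test; a negative rule (one that must not fire, asserted with `count: 0`) would strengthen the test further if the pcap allows it.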
diff --git a/tests/detect-bytemath-sub-03/input.pcap b/tests/detect-bytemath-sub-03/input.pcap
new file mode 100644
index 000000000..4a18a072c
Binary files /dev/null and b/tests/detect-bytemath-sub-03/input.pcap differ
diff --git a/tests/detect-bytemath-sub-03/test.rules b/tests/detect-bytemath-sub-03/test.rules
new file mode 100644
index 000000000..ca44a00a6
--- /dev/null
+++ b/tests/detect-bytemath-sub-03/test.rules
@@ -0,0 +1,9 @@
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper -, rvalue extracted_val, result var;byte_test: 1, <, var, 9;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:1;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 1, oper -, rvalue extracted_val, result var;byte_test: 1,!=, var, 9;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:2;)
+alert tcp any any -> any any (ipv4.hdr; byte_extract: 1, 0, extracted_val, relative;byte_math: bytes 1, offset 0, oper -, rvalue extracted_val, result var;byte_test: 1,>, var, 0;msg:\
+"Byte extract and byte math with byte test verification\
+";sid:3;)
\ No newline at end of file
diff --git a/tests/detect-bytemath-sub-03/test.yaml b/tests/detect-bytemath-sub-03/test.yaml
new file mode 100644
index 000000000..d6b300c6e
--- /dev/null
+++ b/tests/detect-bytemath-sub-03/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ files:
+ - src/detect-bytemath.c
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
\ No newline at end of file
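Review bot: In the sub-03 test.rules hunk, sid:3 uses `byte_math: bytes 1, offset 0` while sid:1 and sid:2 use `offset 1`, and the difference is neither commented nor reflected in the shared msg string, so a later editor is likely to "normalise" it away. If, as it appears, the offset 0 case deliberately subtracts the extracted byte from itself so that `byte_test: 1,>, var, 0` compares against a zero result, a `# offset 0: operand is the same byte byte_extract read, so var should be 0` comment line above sid:3 would preserve that intent. For sid:1 and sid:2 the subtraction of the byte at offset 0 from the byte at offset 1 looks like it can go negative for ordinary IPv4 headers, in which case the expected values 9 in `byte_test: 1, <, var, 9` silently depend on how byte_math treats underflow (wrap versus saturate); the README should say which behaviour is being pinned. Minor style: `1,!=, var, 9` and `1,>, var, 0` drop the space after the first comma that every other byte_test in both files keeps.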