From: Jeff Lucovsky Date: Sat, 10 Jun 2023 13:28:45 +0000 (-0400) Subject: detect/bytejump: Test for nbyte variable name X-Git-Tag: suricata-7.0.0~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=574057e945d32b9b954543f8a73496c1b676bdbc;p=thirdparty%2Fsuricata-verify.git detect/bytejump: Test for nbyte variable name This commit adds tests with a rules that uses an nbyte variable name. Issue: 6105
---
diff --git a/tests/detect-bytejump-02/input.pcap b/tests/detect-bytejump-02/input.pcap
new file mode 100644
index 000000000..65b52b0d8
Binary files /dev/null and b/tests/detect-bytejump-02/input.pcap differ
diff --git a/tests/detect-bytejump-02/test.rules b/tests/detect-bytejump-02/test.rules
new file mode 100644
index 000000000..f0906f11d
--- /dev/null
+++ b/tests/detect-bytejump-02/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"byte_jump varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,4,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:1;)
diff --git a/tests/detect-bytejump-02/test.yaml b/tests/detect-bytejump-02/test.yaml
new file mode 100644
index 000000000..188915b40
--- /dev/null
+++ b/tests/detect-bytejump-02/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/detect-bytejump-03/test.rules b/tests/detect-bytejump-03/test.rules
new file mode 100644
index 000000000..39e1da076
--- /dev/null
+++ b/tests/detect-bytejump-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"byte_jump invalid varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,4,rpkt_len2,relative; byte_jump:no_var,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:2;)
diff --git a/tests/detect-bytejump-03/test.yaml b/tests/detect-bytejump-03/test.yaml
new file mode 100644
index 000000000..a498a0302
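Review bot: The sid 1 rule in tests/detect-bytejump-02/test.rules gives no hint of the packet layout that `byte_extract:1,4,rpkt_len,relative` relies on, so a reader cannot tell from the rule file which byte of input.pcap supplies the `byte_jump` count or why the trailing `isdataat:1,relative` is there. Suricata rule files accept `#` comment lines, so a single line above the rule would make the fixture self-describing, for example `# byte_jump takes its nbytes count from the byte_extract variable rpkt_len (1 byte at offset 4 after |00 00 00|); isdataat:1,relative confirms the jump stays inside the payload.` The same comment-free style applies to the sid 2 rule in tests/detect-bytejump-03/test.rules, which is the negative case and deserves its own note.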
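Review bot: The sid 2 rule in tests/detect-bytejump-03/test.rules extracts `rpkt_len2` but then names `no_var` in `byte_jump:no_var,0,relative`, and nothing in the file records that the mismatch is deliberate; a maintainer who "corrects" the variable name would silently turn this negative test into a copy of detect-bytejump-02, and the grep in test.yaml would start failing for a reason unrelated to the engine. I would put `# Intentionally references an undefined byte_extract variable (no_var) so the rule fails to load; test.yaml expects the resulting error in suricata.log.` above the rule. Keeping the unused `rpkt_len2` extraction looks intentional (it shows the error is about name resolution rather than a missing byte_extract), but that reasoning belongs in the comment too.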
--- /dev/null
+++ b/tests/detect-bytejump-03/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 7
+
+ # No pcap required.
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - shell:
+ args: grep "Unknown byte_extract var seen in byte_jump - no_var" suricata.log | wc -l | xargs
+ expect: 1
+
+exit-code: 1
+
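Review bot: The shell check in tests/detect-bytejump-03/test.yaml pipes `grep` through `wc -l | xargs` purely to produce a whitespace-trimmed count, which `grep -c` already yields in one process: `args: grep -c "Unknown byte_extract var seen in byte_jump - no_var" suricata.log` gives the same `1`. One caveat before switching: `grep -c` exits non-zero when the count is 0, whereas the original pipeline's status is that of `xargs`, so the rewrite is only equivalent if the harness compares stdout and ignores the command's exit status, which I have not confirmed. Separately, the expected string is coupled to the engine's exact wording; if that message is reworded the count drops to 0 and the test fails without saying why, so a short comment such as `# Expects the byte_jump variable-resolution error for the undefined name no_var` next to the check would help the next maintainer, and `exit-code: 1` presumably reflects the rule-load failure under `--engine-analysis` and could say so as well.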