From: Jason Ish Date: Mon, 20 Sep 2021 17:43:49 +0000 (-0600) Subject: tests: convert check.sh to test.yaml X-Git-Tag: suricata-6.0.4~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=75075432d29eb25bf31e7ddc05a712416540a4d3;p=thirdparty%2Fsuricata-verify.git tests: convert check.sh to test.yaml --- diff --git a/tests/datasets-05-state/check.sh b/tests/datasets-05-state/check.sh deleted file mode 100755 index 97d6dce7c..000000000 --- a/tests/datasets-05-state/check.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -exec cmp ${OUTPUT_DIR}/state.csv ${TEST_DIR}/expected/state.csv diff --git a/tests/datasets-05-state/test.yaml b/tests/datasets-05-state/test.yaml index dddcc0047..0ccb0b9f6 100644 --- a/tests/datasets-05-state/test.yaml +++ b/tests/datasets-05-state/test.yaml @@ -9,3 +9,8 @@ command: | --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \ -c "${SRCDIR}/suricata.yaml" -r ${TEST_DIR}/input.pcap -S ${TEST_DIR}/test.rules \ --data-dir="${OUTPUT_DIR}" + +checks: + - file-compare: + filename: state.csv + expected: expected/state.csv diff --git a/tests/detect-filestore-config-01/check.sh b/tests/detect-filestore-config-01/check.sh deleted file mode 100755 index a174e470e..000000000 --- a/tests/detect-filestore-config-01/check.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -if grep -q "Warning: Rule requires file-store but the output file-store is not enabled." $OUTPUT_DIR/rules_analysis.txt; then - echo "Pattern found in rules_analysis.txt" - exit 1 -fi diff --git a/tests/detect-filestore-config-01/test.yaml b/tests/detect-filestore-config-01/test.yaml index bf6ff6c0e..8e70e771f 100644 --- a/tests/detect-filestore-config-01/test.yaml +++ b/tests/detect-filestore-config-01/test.yaml 
@@ -7,3 +7,8 @@ command: | ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" \ --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \ -c "${TEST_DIR}/suricata.yaml" -S ${TEST_DIR}/test.rules --engine-analysis + +checks: + - shell: + args: | + grep -v -q "Warning: Rule requires file-store but the output file-store is not enabled." rules_analysis.txt diff --git a/tests/detect-filestore-config-02/check.sh b/tests/detect-filestore-config-02/check.sh deleted file mode 100755 index d72cab938..000000000 --- a/tests/detect-filestore-config-02/check.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -if ! grep -q "Warning: Rule requires file-store but the output file-store is not enabled." $OUTPUT_DIR/rules_analysis.txt; then - echo "Pattern not found" - exit 1 -fi -exit 0 diff --git a/tests/detect-filestore-config-02/test.yaml b/tests/detect-filestore-config-02/test.yaml index b5a54d96d..7b3774b14 100644 --- a/tests/detect-filestore-config-02/test.yaml +++ b/tests/detect-filestore-config-02/test.yaml @@ -7,3 +7,8 @@ command: | ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" \ --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} \ -c "${TEST_DIR}/suricata.yaml" -S ${TEST_DIR}/test.rules --engine-analysis + +checks: + - shell: + args: | + grep -q "Warning: Rule requires file-store but the output file-store is not enabled." rules_analysis.txt diff --git a/tests/detect-filestore-config-03/check.sh b/tests/detect-filestore-config-03/check.sh deleted file mode 100755 index 6feafbc6a..000000000 --- a/tests/detect-filestore-config-03/check.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -if grep '\[ERRCODE: SC_WARN_ALERT_CONFIG(324)\] - One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' $OUTPUT_DIR/stdout; then - echo "pattern found in stdout" - exit 1 -fi 
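Review bot: In tests/detect-filestore-config-01/test.yaml the new check `grep -v -q "Warning: ..." rules_analysis.txt` does not reproduce the deleted check.sh, which failed when the warning was present: `grep -v` inverts line selection, not the exit status, so it exits 0 as soon as rules_analysis.txt contains any line other than the warning, and the test passes even when the warning is logged. The same inversion is in tests/detect-filestore-config-03/test.yaml on the next line (`grep -v '\[ERRCODE: SC_WARN_ALERT_CONFIG(324)\] ...' stdout`). Assuming the `shell` check runs `args` through a shell, as the pipelines in the later lua-output-dns checks suggest, the line under `args: |` should read `! grep -q "Warning: Rule requires file-store but the output file-store is not enabled." rules_analysis.txt`; inside the `|` block scalar the leading `!` is literal text rather than a YAML tag. If the runner instead offers a way to expect a non-zero exit status, that would express the intent more directly than shell negation.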
diff --git a/tests/detect-filestore-config-03/test.yaml b/tests/detect-filestore-config-03/test.yaml index f7fa7c9c4..f991f0efd 100644 --- a/tests/detect-filestore-config-03/test.yaml +++ b/tests/detect-filestore-config-03/test.yaml @@ -2,3 +2,8 @@ requires: min-version: 5.0.1 features: - HAVE_NSS + +checks: + - shell: + args: | + grep -v '\[ERRCODE: SC_WARN_ALERT_CONFIG(324)\] - One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' stdout diff --git a/tests/detect-filestore-config-04/check.sh b/tests/detect-filestore-config-04/check.sh deleted file mode 100755 index 375298b4a..000000000 --- a/tests/detect-filestore-config-04/check.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/sh -if ! grep -q 'One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' $OUTPUT_DIR/stdout; then - echo "pattern not found" - exit 1 -fi -exit 0 diff --git a/tests/detect-filestore-config-04/test.yaml b/tests/detect-filestore-config-04/test.yaml index 81735aaeb..e65028856 100644 --- a/tests/detect-filestore-config-04/test.yaml +++ b/tests/detect-filestore-config-04/test.yaml @@ -2,3 +2,7 @@ requires: min-version: 6.0 features: - HAVE_NSS + +checks: + - shell: + args: grep -q 'One or more rule(s) depends on the file-store output log which is not enabled. Enable the output "file-store"' stdout diff --git a/tests/dnp3-dnp3_data-alert/check.sh b/tests/dnp3-dnp3_data-alert/check.sh deleted file mode 100755 index ee2d0326b..000000000 --- a/tests/dnp3-dnp3_data-alert/check.sh +++ /dev/null @@ -1,9 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -# Should have 4 DNP3 data match alerts. -n=$(grep "DNP3 Data match" eve.json | wc -l | xargs) -assert_eq 4 "$n" "bad event count" - -exit 0 diff --git a/tests/dnp3-dnp3_data-alert/test.yaml b/tests/dnp3-dnp3_data-alert/test.yaml index 56ea9b0d5..1b009bd20 100644 --- a/tests/dnp3-dnp3_data-alert/test.yaml 
+++ b/tests/dnp3-dnp3_data-alert/test.yaml @@ -1,3 +1,10 @@ requires: features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 4 + match: + event_type: alert + alert.signature_id: 4 diff --git a/tests/dnp3-dnp3_func-alert/check.sh b/tests/dnp3-dnp3_func-alert/check.sh deleted file mode 100755 index 8d16638d6..000000000 --- a/tests/dnp3-dnp3_func-alert/check.sh +++ /dev/null @@ -1,13 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -# Should have one alert sid 1. -n=$(jq_count eve.json 'select(.alert.signature_id == 1)') -assert_eq 1 "$n" "sig id 1" - -# Should have one alert sid 2. -n=$(jq_count eve.json 'select(.alert.signature_id == 2)') -assert_eq 1 "$n" "sig id 1" - -exit 0 diff --git a/tests/dnp3-dnp3_func-alert/test.yaml b/tests/dnp3-dnp3_func-alert/test.yaml index 56ea9b0d5..6d038fb31 100644 --- a/tests/dnp3-dnp3_func-alert/test.yaml +++ b/tests/dnp3-dnp3_func-alert/test.yaml @@ -1,3 +1,13 @@ requires: features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + alert.signature_id: 1 + - filter: + count: 1 + match: + alert.signature_id: 2 diff --git a/tests/dns-eve-v1/check.sh b/tests/dns-eve-v1/check.sh deleted file mode 100755 index 1d8a0ecc4..000000000 --- a/tests/dns-eve-v1/check.sh +++ /dev/null @@ -1,11 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -# 4 queries. -n=$(jq_count eve.json 'select(.dns.type == "query")') -assert_eq 4 "$n" "queries" - -# 5 answers. -n=$(jq_count eve.json 'select(.dns.type == "answer")') -assert_eq 5 "$n" "answers" diff --git a/tests/dns-eve-v1/test.yaml b/tests/dns-eve-v1/test.yaml index 9ee272d75..655b17fdb 100644 --- a/tests/dns-eve-v1/test.yaml +++ b/tests/dns-eve-v1/test.yaml @@ -2,3 +2,13 @@ requires: features: - HAVE_LIBJANSSON lt-version: 7 + +checks: + - filter: + count: 4 + match: + dns.type: query + - filter: + count: 5 + match: + dns.type: answer diff --git a/tests/dns-json-log/check.sh b/tests/dns-json-log/check.sh deleted file mode 100755 index d833374da..000000000 
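Review bot: tests/dnp3-dnp3_data-alert/test.yaml now counts alerts by `alert.signature_id: 4`, whereas the deleted check.sh counted eve.json lines containing the message text "DNP3 Data match"; the two are only equivalent if sid 4 is that rule in this test's rules, which is not visible in the diff. Presumably it is, but the dependency is worth recording so the check is not silently redirected if the rules file is later renumbered, e.g. a comment above the filter such as `# sid 4 is the "DNP3 Data match" rule in test.rules`. For consistency with the dnp3-dnp3_func-alert checks on the same line, which match on `alert.signature_id` alone, the `event_type: alert` key here is redundant but harmless.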
--- a/tests/dns-json-log/check.sh +++ /dev/null @@ -1,22 +0,0 @@ -#! /bin/sh - -# Expect 9 dns records. -n=$(cat dns.json | jq -c 'select(.event_type == "dns")' | wc -l | xargs) -if test $n -ne 9; then - echo "failed: expected 9 dns events, got $n" - exit 1 -fi - -# 4 are queries. -n=$(cat dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "query")' | wc -l | xargs) -if test $n -ne 4; then - echo "failed: expected 4 dns queries, got $n" - exit 1 -fi - -# 4 are queries. -n=$(cat dns.json | jq -c 'select(.event_type == "dns") | select(.dns.type == "answer")' | wc -l | xargs) -if test $n -ne 5; then - echo "failed: expected 5 dns answers, got $n" - exit 1 -fi diff --git a/tests/dns-json-log/test.yaml b/tests/dns-json-log/test.yaml index 2824cf6f6..c3a0d030d 100644 --- a/tests/dns-json-log/test.yaml +++ b/tests/dns-json-log/test.yaml @@ -2,3 +2,22 @@ requires: lt-version: 6 features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 9 + filename: dns.json + match: + event_type: dns + - filter: + count: 4 + filename: dns.json + match: + event_type: dns + dns.type: query + - filter: + count: 5 + filename: dns.json + match: + event_type: dns + dns.type: answer diff --git a/tests/dns-single-request-v1/check.sh b/tests/dns-single-request-v1/check.sh deleted file mode 100755 index f2d46c6dd..000000000 --- a/tests/dns-single-request-v1/check.sh +++ /dev/null @@ -1,12 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -# One query for suricon.net. -n=$(jq_count eve.json 'select(.dns.type == "query") | select(.dns.rrname == "suricon.net")') -assert_eq 1 "$n" "request" - -# One answer with rdata of 181.224.138.142. -n=$(jq_count eve.json 'select(.dns.type == "answer") | select(.dns.rdata == "181.224.138.142")') -assert_eq 1 "$n" "response" - diff --git a/tests/dns-single-request-v1/test.yaml b/tests/dns-single-request-v1/test.yaml index 9ee272d75..b4b2c5d1a 100644 --- a/tests/dns-single-request-v1/test.yaml +++ b/tests/dns-single-request-v1/test.yaml 
@@ -2,3 +2,15 @@ requires: features: - HAVE_LIBJANSSON lt-version: 7 + +checks: + - filter: + count: 1 + match: + dns.type: query + dns.rrname: suricon.net + - filter: + count: 1 + match: + dns.type: answer + dns.rdata: "181.224.138.142" diff --git a/tests/dns-tcp-multirequest-buffer-v1/check.sh b/tests/dns-tcp-multirequest-buffer-v1/check.sh deleted file mode 100755 index 760512510..000000000 --- a/tests/dns-tcp-multirequest-buffer-v1/check.sh +++ /dev/null @@ -1,15 +0,0 @@ -#! /bin/sh - -count=$(cat eve.json | jq -c 'select(.dns.type=="query")' | wc -l | xargs) -if [ "${count}" -ne 20 ]; then - echo "error: expected 20 queries, got ${count}" - exit 1 -fi - -count=$(cat eve.json | jq -c 'select(.dns.type=="answer")' | wc -l | xargs) -if [ "${count}" -ne 40 ]; then - echo "error: expected 40 answers, got ${count}" - exit 1 -fi - -exit 0 diff --git a/tests/dns-tcp-multirequest-buffer-v1/test.yaml b/tests/dns-tcp-multirequest-buffer-v1/test.yaml index 8dafa433a..015e39ffe 100644 --- a/tests/dns-tcp-multirequest-buffer-v1/test.yaml +++ b/tests/dns-tcp-multirequest-buffer-v1/test.yaml @@ -2,3 +2,13 @@ requires: features: - HAVE_LIBJANSSON lt-version: 7 + +checks: + - filter: + count: 20 + match: + dns.type: query + - filter: + count: 40 + match: + dns.type: answer diff --git a/tests/dns-udp-eve-log-aaaa-only-v1/check.sh b/tests/dns-udp-eve-log-aaaa-only-v1/check.sh deleted file mode 100755 index 43b477d00..000000000 --- a/tests/dns-udp-eve-log-aaaa-only-v1/check.sh +++ /dev/null @@ -1,12 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -n=$(jq_count eve.json 'select(.dns.rrtype == "AAAA")') -assert_eq 2 $n "expected 2 aaaa records" - -n=$(jq_count eve.json 'select(.dns.rrtype != "AAAA")') -assert_eq 0 $n "expected 0 non-aaaa records" - -exit 0 - diff --git a/tests/dns-udp-eve-log-aaaa-only-v1/test.yaml b/tests/dns-udp-eve-log-aaaa-only-v1/test.yaml index 9ee272d75..cc69e0fc9 100644 --- a/tests/dns-udp-eve-log-aaaa-only-v1/test.yaml 
+++ b/tests/dns-udp-eve-log-aaaa-only-v1/test.yaml @@ -2,3 +2,14 @@ requires: features: - HAVE_LIBJANSSON lt-version: 7 + +checks: + # There should only be AAAA DNS records. + - filter: + count: 2 + match: + dns.rrtype: AAAA + - filter: + count: 2 + match: + event_type: dns diff --git a/tests/dns-udp-eve-log-answer-only-v1/check.sh b/tests/dns-udp-eve-log-answer-only-v1/check.sh deleted file mode 100755 index 8faa28e66..000000000 --- a/tests/dns-udp-eve-log-answer-only-v1/check.sh +++ /dev/null @@ -1,10 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -# Should be no answers. -n=$(jq_count eve.json 'select(.event_type == "dns") | select(.dns.type != "answer")') -assert_eq 0 $n "only answers expected" - -exit 0 - diff --git a/tests/dns-udp-eve-log-answer-only-v1/test.yaml b/tests/dns-udp-eve-log-answer-only-v1/test.yaml index 9ee272d75..117d87e21 100644 --- a/tests/dns-udp-eve-log-answer-only-v1/test.yaml +++ b/tests/dns-udp-eve-log-answer-only-v1/test.yaml @@ -2,3 +2,13 @@ requires: features: - HAVE_LIBJANSSON lt-version: 7 + +checks: + - filter: + count: 18 + match: + event_type: dns + - filter: + count: 18 + match: + dns.type: answer diff --git a/tests/dns-udp-eve-log-mx-only-v1/check.sh b/tests/dns-udp-eve-log-mx-only-v1/check.sh deleted file mode 100755 index 133517d8d..000000000 --- a/tests/dns-udp-eve-log-mx-only-v1/check.sh +++ /dev/null @@ -1,9 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -n=$(jq_count eve.json 'select(.dns.rrtype != "MX")') -assert_eq 0 $n "only expected mx records" - -exit 0 - diff --git a/tests/dns-udp-eve-log-mx-only-v1/test.yaml b/tests/dns-udp-eve-log-mx-only-v1/test.yaml index 9ee272d75..9af7359a6 100644 --- a/tests/dns-udp-eve-log-mx-only-v1/test.yaml +++ b/tests/dns-udp-eve-log-mx-only-v1/test.yaml @@ -2,3 +2,13 @@ requires: features: - HAVE_LIBJANSSON lt-version: 7 + +checks: + - filter: + count: 6 + match: + dns.rrtype: MX + - filter: + count: 6 + match: + event_type: dns 
diff --git a/tests/dns-udp-eve-log-query-only-v1/check.sh b/tests/dns-udp-eve-log-query-only-v1/check.sh deleted file mode 100755 index 284af2161..000000000 --- a/tests/dns-udp-eve-log-query-only-v1/check.sh +++ /dev/null @@ -1,10 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -# Should be no answers. -n=$(jq_count eve.json 'select(.event_type == "dns") | select(.dns.type != "query")') -assert_eq 0 $n "only queries expected" - -exit 0 - diff --git a/tests/dns-udp-eve-log-query-only-v1/test.yaml b/tests/dns-udp-eve-log-query-only-v1/test.yaml index 9ee272d75..8f28eae74 100644 --- a/tests/dns-udp-eve-log-query-only-v1/test.yaml +++ b/tests/dns-udp-eve-log-query-only-v1/test.yaml @@ -2,3 +2,16 @@ requires: features: - HAVE_LIBJANSSON lt-version: 7 + +checks: + # Check to verify that all DNS records are query only, + # and no responses. + - filter: + count: 3 + match: + event_type: dns + - filter: + count: 3 + match: + event_type: dns + dns.type: query diff --git a/tests/linktype-228/check.sh b/tests/linktype-228/check.sh deleted file mode 100755 index a11309df5..000000000 --- a/tests/linktype-228/check.sh +++ /dev/null @@ -1,5 +0,0 @@ -#! /bin/sh - -tcp=$(cat eve.json | \ - jq -c 'select(.event_type == "stats") | .stats.decoder.tcp') -test "${tcp}" = "7" diff --git a/tests/linktype-228/test.yaml b/tests/linktype-228/test.yaml index ad1c54aee..6d6de4dd8 100644 --- a/tests/linktype-228/test.yaml +++ b/tests/linktype-228/test.yaml @@ -3,3 +3,10 @@ requires: min-version: 4.1.0 features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: stats + stats.decoder.tcp: 7 diff --git a/tests/lua-output-dns/check.sh b/tests/lua-output-dns/check.sh deleted file mode 100755 index e615993c6..000000000 --- a/tests/lua-output-dns/check.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#! /bin/sh - -set -e - -if ! grep -q "Query TX 0d4f \[\*\*\] block.dropbox.com \[\*\*\] A \[\*\*\] 10.16.1.11:49697 -> 10.16.1.1:53" lua-dns.log; then - echo "failed to find query for block.dropbox.com" - exit 1 -fi - -if ! cat lua-dns.log | \ - grep "Response" | \ - grep "client-cf.dropbox.com" | \ - grep "52.85.112.21" > /dev/null; -then - echo "failed to find response for client-cf.dropbox.com" - exit 1 -fi - -if ! cat lua-dns.log | \ - grep "Response TX 62b2" | \ - grep "NXDOMAIN" > /dev/null; -then - echo "failed to find NXDOMAIN error" - exit 1 -fi - -if ! cat lua-dns.log | grep "SOA" > /dev/null; then - echo "failed find SOA response record" - exit 1 -fi - -exit 0 diff --git a/tests/lua-output-dns/test.yaml b/tests/lua-output-dns/test.yaml index 4bb475d43..9db269e6e 100644 --- a/tests/lua-output-dns/test.yaml +++ b/tests/lua-output-dns/test.yaml @@ -1,3 +1,16 @@ requires: features: - HAVE_LUA + +checks: + - shell: + args: grep -q "Query TX 0d4f \[\*\*\] block.dropbox.com \[\*\*\] A \[\*\*\] 10.16.1.11:49697 -> 10.16.1.1:53" lua-dns.log + - shell: + args: cat lua-dns.log | grep Response | grep client-cf.dropbox.com | wc -l + expect: 2 + - shell: + args: cat lua-dns.log | grep "Response TX 62b2" | grep NXDOMAIN | wc -l + expect: 1 + - shell: + args: grep SOA lua-dns.log | wc -l + expect: 1 diff --git a/tests/lua-output-http/check.sh b/tests/lua-output-http/check.sh deleted file mode 100755 index a3f3c1321..000000000 --- a/tests/lua-output-http/check.sh +++ /dev/null @@ -1,3 +0,0 @@ -#! /bin/sh - -exec cmp http_lua.log ${TEST_DIR}/expected/http_lua.log diff --git a/tests/lua-output-http/test.yaml b/tests/lua-output-http/test.yaml index 4bb475d43..c4e436605 100644 --- a/tests/lua-output-http/test.yaml +++ b/tests/lua-output-http/test.yaml @@ -1,3 +1,8 @@ requires: features: - HAVE_LUA + +checks: + - file-compare: + filename: http_lua.log + expected: expected/http_lua.log 
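Review bot: In tests/lua-output-dns/test.yaml the second `shell` check drops the `52.85.112.21` address that the deleted check.sh also required on the matching Response line, so it no longer verifies that the expected answer was logged, only that client-cf.dropbox.com appears in two Response lines. The `expect: 2` / `expect: 1` values also turn what were presence checks (`grep ... > /dev/null`) into exact counts, and `wc -l` pads its output with leading spaces on BSD and macOS, which the old scripts trimmed with `xargs`; whether `expect` tolerates that depends on the runner, which is not shown. Restoring the original assertion is a one-line change, `args: grep Response lua-dns.log | grep client-cf.dropbox.com | grep -q 52.85.112.21`, and where a count is wanted `grep -c` avoids both `cat` and the `wc -l` padding, e.g. `args: grep -c SOA lua-dns.log`.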
diff --git a/tests/lua-output-smtp/check.sh b/tests/lua-output-smtp/check.sh deleted file mode 100755 index 7a3040d02..000000000 --- a/tests/lua-output-smtp/check.sh +++ /dev/null @@ -1,4 +0,0 @@ -#! /bin/sh - -exec grep -q 'FROM TO {}' \ - smtp_lua.log diff --git a/tests/lua-output-smtp/test.yaml b/tests/lua-output-smtp/test.yaml index 4bb475d43..ed9158c7a 100644 --- a/tests/lua-output-smtp/test.yaml +++ b/tests/lua-output-smtp/test.yaml @@ -1,3 +1,7 @@ requires: features: - HAVE_LUA + +checks: + - shell: + args: grep -q 'FROM TO {}' smtp_lua.log diff --git a/tests/output-eve-fileinfo/check.sh b/tests/output-eve-fileinfo/check.sh deleted file mode 100755 index 4152bddc6..000000000 --- a/tests/output-eve-fileinfo/check.sh +++ /dev/null @@ -1,8 +0,0 @@ -#! /bin/sh - -. ${TOPDIR}/util/functions.sh - -filename=$(cat eve.json | jq -c .fileinfo.filename) -assert_eq '"eicar.com"' "$filename" "bad filename" - -exit 0 diff --git a/tests/output-eve-fileinfo/test.yaml b/tests/output-eve-fileinfo/test.yaml index 56ea9b0d5..177703e83 100644 --- a/tests/output-eve-fileinfo/test.yaml +++ b/tests/output-eve-fileinfo/test.yaml @@ -1,3 +1,9 @@ requires: features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + fileinfo.filename: eicar.com diff --git a/tests/output-pcap-log/check.sh b/tests/output-pcap-log/check.sh deleted file mode 100755 index ac1e9efa0..000000000 --- a/tests/output-pcap-log/check.sh +++ /dev/null @@ -1,3 +0,0 @@ -#! /bin/sh - -exec cmp ${TEST_DIR}/expected/log.pcap.1444144603 log.pcap.1444144603 diff --git a/tests/output-pcap-log/test.yaml b/tests/output-pcap-log/test.yaml new file mode 100644 index 000000000..f4a6b028e --- /dev/null +++ b/tests/output-pcap-log/test.yaml @@ -0,0 +1,4 @@ +checks: + - file-compare: + filename: log.pcap.1444144603 + expected: expected/log.pcap.1444144603 diff --git a/tests/proto-mismatch-http-ssh/check.sh b/tests/proto-mismatch-http-ssh/check.sh deleted file mode 100755 index 1a078d7b8..000000000 
--- a/tests/proto-mismatch-http-ssh/check.sh +++ /dev/null @@ -1,29 +0,0 @@ -#! /bin/sh - -failed=no - -# We should get a "SURICATA Applayer Mismatch protocol both -# directions" alert. -n=$(cat eve.json | \ - jq -c 'select(.alert.signature_id == 2260000)' | \ - wc -l | xargs) -if [ "$n" != 1 ]; then - echo "expected 1 event with SID 2260000" - failed=yes -fi - -# We should have a flow event with app_proto = http and app_proto_tc = ssh. -n=$(cat eve.json | \ - jq -c 'select(.event_type == "flow") | select(.app_proto == "http") | select(.app_proto_tc == "ssh")' | \ - wc -l | xargs) -if [ "$n" != 1 ]; then - echo "expected 1 event with app_proto http and app_proto_tc ssh" - failed=yes -fi - -if [ "${failed}" = "yes" ]; then - exit 1 -fi - -exit 0 - diff --git a/tests/proto-mismatch-http-ssh/test.yaml b/tests/proto-mismatch-http-ssh/test.yaml index 56ea9b0d5..7ded94e24 100644 --- a/tests/proto-mismatch-http-ssh/test.yaml +++ b/tests/proto-mismatch-http-ssh/test.yaml @@ -1,3 +1,15 @@ requires: features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + alert.signature_id: 2260000 + - filter: + count: 1 + match: + event_type: flow + app_proto: http + app_proto_tc: ssh diff --git a/tests/tls-fingerprint-alert/check.sh b/tests/tls-fingerprint-alert/check.sh deleted file mode 100755 index f43b9a295..000000000 --- a/tests/tls-fingerprint-alert/check.sh +++ /dev/null @@ -1,10 +0,0 @@ -#! /usr/bin/env bash - -# Check for a single alert. -n=$(cat eve.json | jq -c 'select(.event_type == "alert")' | wc -l | xargs) -if test "${n}" -ne 1; then - echo "expected 1 event, found ${n}" - exit 1 -fi - -exit 0 diff --git a/tests/tls-fingerprint-alert/test.yaml b/tests/tls-fingerprint-alert/test.yaml index 56ea9b0d5..d8119d83e 100644 --- a/tests/tls-fingerprint-alert/test.yaml +++ b/tests/tls-fingerprint-alert/test.yaml @@ -1,3 +1,9 @@ requires: features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: alert 
diff --git a/tests/tls-json-output-ids/check.sh b/tests/tls-json-output-ids/check.sh deleted file mode 100755 index b7342ce7f..000000000 --- a/tests/tls-json-output-ids/check.sh +++ /dev/null @@ -1,12 +0,0 @@ -#! /usr/bin/env bash - -# Check for 1 tls event. -n=$(cat eve.json | jq -c 'select(.event_type == "tls")' | wc -l | xargs) -if test "${n}" -ne 1; then - echo "expected 1 event, got $n" - exit 1 -fi - -exit 0 - - diff --git a/tests/tls-json-output-ids/test.yaml b/tests/tls-json-output-ids/test.yaml index 56ea9b0d5..7092e6a5c 100644 --- a/tests/tls-json-output-ids/test.yaml +++ b/tests/tls-json-output-ids/test.yaml @@ -1,3 +1,9 @@ requires: features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: tls diff --git a/tests/tls-json-output-ips/check.sh b/tests/tls-json-output-ips/check.sh deleted file mode 100755 index b7342ce7f..000000000 --- a/tests/tls-json-output-ips/check.sh +++ /dev/null @@ -1,12 +0,0 @@ -#! /usr/bin/env bash - -# Check for 1 tls event. -n=$(cat eve.json | jq -c 'select(.event_type == "tls")' | wc -l | xargs) -if test "${n}" -ne 1; then - echo "expected 1 event, got $n" - exit 1 -fi - -exit 0 - - diff --git a/tests/tls-json-output-ips/test.yaml b/tests/tls-json-output-ips/test.yaml index 56ea9b0d5..7092e6a5c 100644 --- a/tests/tls-json-output-ips/test.yaml +++ b/tests/tls-json-output-ips/test.yaml @@ -1,3 +1,9 @@ requires: features: - HAVE_LIBJANSSON + +checks: + - filter: + count: 1 + match: + event_type: tls