From: Benjamin Wilkins
Date: Tue, 9 Nov 2021 21:00:13 +0000 (-0500)
Subject: lua: Test byte_extract access from match scripts
X-Git-Tag: suricata-6.0.8~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76c8df3352fea625917cdbd9e1372d041e202806;p=thirdparty%2Fsuricata-verify.git
lua: Test byte_extract access from match scripts
---
diff --git a/tests/lua-byte-extract/README.md b/tests/lua-byte-extract/README.md
new file mode 100644
index 000000000..dfcc27af7
--- /dev/null
+++ b/tests/lua-byte-extract/README.md
@@ -0,0 +1 @@
+Tests Lua's accessing variables from byte_extract and byte_math in lua match scripts.
diff --git a/tests/lua-byte-extract/input.pcap b/tests/lua-byte-extract/input.pcap
new file mode 100644
index 000000000..8fb6832de
Binary files /dev/null and b/tests/lua-byte-extract/input.pcap differ
diff --git a/tests/lua-byte-extract/lua-byte-extract.lua b/tests/lua-byte-extract/lua-byte-extract.lua
new file mode 100644
index 000000000..fcc0901cc
--- /dev/null
+++ b/tests/lua-byte-extract/lua-byte-extract.lua
@@ -0,0 +1,16 @@
+function init(args)
+ local needs = {}
+ needs["bytevar"] = {"var1", "var2"}
+ return needs
+end
+
+function match(args)
+ local var1 = SCByteVarGet(0)
+ local var2 = SCByteVarGet(1)
+
+ if string.pack(">i4", var1) == "HTTP" and string.pack(">i4", var2) == "/1.1" then
+ return 1
+ else
+ return 0
+ end
+end
diff --git a/tests/lua-byte-extract/lua-byte-math.lua b/tests/lua-byte-extract/lua-byte-math.lua
new file mode 100644
index 000000000..bd66c4b03
--- /dev/null
+++ b/tests/lua-byte-extract/lua-byte-math.lua
@@ -0,0 +1,15 @@
+function init(args)
+ local needs = {}
+ needs["bytevar"] = {"var2"}
+ return needs
+end
+
+function match(args)
+ local var2 = SCByteVarGet(0)
+
+ if string.pack(">i4", var2) == "HTTP" then
+ return 1
+ else
+ return 0
+ end
+end
diff --git a/tests/lua-byte-extract/suricata.yaml b/tests/lua-byte-extract/suricata.yaml
new file mode 100644
index 000000000..e27e9967f
--- /dev/null
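Review bot: `string.pack` in the `if` of `match` (lua-byte-extract.lua, and the same line in lua-byte-math.lua) only exists from Lua 5.3 onward, so on a Suricata build linked against Lua 5.1 or LuaJIT the call raises a runtime error inside the match script rather than returning 0, and the test would fail for a reason unrelated to byte_extract; test.yaml's `requires: features: - HAVE_LUA` cannot express a Lua-version requirement, so this is worth either documenting or avoiding. A version-independent comparison against the integer values the rules extract would be `if var1 == 0x48545450 and var2 == 0x2F312E31 then` (the big-endian encodings of "HTTP" and "/1.1"; constructed from the strings on this page, please verify against the pcap). Both scripts would also benefit from a header comment stating what the test pins, e.g. `-- The index passed to SCByteVarGet follows the order of names in needs["bytevar"]; sid 1 extracts the first two 32-bit words of the payload as var1/var2.` The unused `args` parameter of `init` and `match` is fine but could be named `_args` to signal it is intentionally ignored.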
+++ b/tests/lua-byte-extract/suricata.yaml
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
\ No newline at end of file
diff --git a/tests/lua-byte-extract/test.rules b/tests/lua-byte-extract/test.rules
new file mode 100644
index 000000000..5774d73a7
--- /dev/null
+++ b/tests/lua-byte-extract/test.rules
@@ -0,0 +1,2 @@
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; byte_extract:4,0,var1; byte_extract:4,4,var2; lua:lua-byte-extract.lua; sid:1; rev:7;)
+alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; byte_math: bytes 4, offset 0, oper +, rvalue 0, result var2; lua:lua-byte-math.lua; sid:2; rev:7;)
diff --git a/tests/lua-byte-extract/test.yaml b/tests/lua-byte-extract/test.yaml
new file mode 100644
index 000000000..d6197b565
--- /dev/null
+++ b/tests/lua-byte-extract/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ features:
+ - HAVE_LUA
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+
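Review bot: Both rules in test.rules carry the identical `msg:"GPL ATTACK_RESPONSE id check returned root"` copied from the upstream GPL rule, which says nothing about what sid 1 and sid 2 actually test and makes the eve alerts indistinguishable by message when debugging a failure; distinct, descriptive messages such as `msg:"lua byte_extract var access"` for sid 1 and `msg:"lua byte_math var access"` for sid 2 would make the intent of each rule (and of the two `count: 1` checks in test.yaml) self-explanatory. Likewise `rev:7` on two freshly written rules looks like a copy-paste leftover and would normally be `rev:1`. Neither point changes the matching behaviour, since the `content`, `byte_extract`/`byte_math` and `lua` options are what drive the alerts.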