From: Jason Ish Date: Thu, 7 Nov 2019 19:19:33 +0000 (-0600) Subject: Add ability to match on the length of an array. X-Git-Tag: suricata-6.0.4~335 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7bd9400ca8fdaf9760e85320f7eb43c5ee66ad13;p=thirdparty%2Fsuricata-verify.git Add ability to match on the length of an array. By using the "magic" key value of __len, a match can be done on the length of an array. For example: - filter: count: 1 match: event_type: http http.response_headers.__len: 9 This does rely on us never using __len as an actual object key, so is a bit of a hack. --- diff --git a/README.md b/README.md index 29751920e..00124f097 100644 --- a/README.md +++ b/README.md @@ -28,12 +28,8 @@ Or to run a single test: - Optional: Create a suricata.yaml in the test directory. - Note: You may want to add something like: - ``` - include: ../../etc/suricata-4.0.3.yaml - ``` - to the top and then just make the necessary overrides in the tests - suricata.yaml. + Its usually OK to just add the bits of YAML required to enable + features for the test. If the test directory does not include a suricata.yaml, the one found in your build directory will be used. @@ -112,6 +108,9 @@ checks: # Example match on array item: alert.metadata.tag[0]: "tag1" + + # Example match on the length of an array. + alert.metadata.tag.__len: 3 # Check that a field exists: has-key: alert.rule diff --git a/run.py b/run.py index a0d2b4ff1..002d1ad21 100755 --- a/run.py +++ b/run.py @@ -224,6 +224,15 @@ def find_value(name, obj): """ parts = name.split(".") for part in parts: + + if part == "__len": + # Get the length of the object. Return -1 if the object is + # not a type that has a length (numbers). + try: + return len(obj) + except: + return -1 + name = None index = None m = re.match("^(.*)\[(\d+)\]$", part)
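Review bot: Typo in the replacement text of the first README hunk: "Its usually OK to just add the bits of YAML" should read "It's usually OK to just add the bits of YAML". Since the hunk also drops the example of including a base `suricata-4.0.3.yaml` and overriding it, consider keeping one sentence saying that a full config can still be included if a test needs more than a few overrides, so readers of the README know that option did not go away.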
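Review bot: The new README example `alert.metadata.tag.__len: 3` documents the syntax but not its constraints, and the commit message itself calls the approach a hack that relies on `__len` never being a real key. The second README hunk should state that `__len` is a reserved pseudo-key that cannot be matched as a literal field name, and, given that `run.py` simply calls `len(obj)`, that it also applies to objects and strings, not only arrays. Suggested wording next to the example: "`__len` is reserved; it returns the length of the value reached so far (array, object or string)."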
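Review bot: The bare `except:` in the `run.py` hunk swallows everything, including `KeyboardInterrupt` and `SystemExit`; the only failure `len(obj)` raises for a number is `TypeError`, so write `except TypeError:` and let anything else propagate. A second point in the same block: because `return len(obj)` fires as soon as `__len` is seen, any path components after it (for example `alert.metadata.tag.__len.foo`) are silently ignored rather than rejected, and the `__len` check runs before the `[N]` index regex, so `__len[0]` is never parsed. Suggest verifying that `__len` is the last element of `parts` and raising or logging otherwise.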
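The lookup described in the commit message, as an added stand-alone example rather than the suricata-verify code: it reimplements `find_value` with the `[N]` index regex and the `__len` pseudo-key from the patch, but catches only `TypeError` and rejects anything after `__len`. The event record is constructed for the example and is not a real capture.

```python
import re

# Constructed sample record in Suricata EVE style (not from a real capture).
EVENT = {
    "event_type": "http",
    "flow": {"pkts": 7},
    "http": {
        "hostname": "example.test",
        "response_headers": [
            {"name": "Server", "value": "nginx"},
            {"name": "Content-Type", "value": "text/html"},
        ],
    },
    "alert": {"metadata": {"tag": ["tag1", "tag2", "tag3"]}},
}

# Same shape as the patch's regex: "key[N]" selects element N of an array.
INDEX_RE = re.compile(r"^(.*)\[(\d+)\]$")


def find_value(name, obj):
    """Resolve a dotted key path against a nested EVE record.

    Supports "key[N]" array indexing and a trailing "__len" pseudo-key
    that yields the length of whatever value was reached so far (array,
    object or string). Returns None when a key or index is missing, and
    -1 when __len is applied to a value with no length (numbers, None),
    keeping the -1 sentinel used by the patch.
    """
    parts = name.split(".")
    for i, part in enumerate(parts):
        if part == "__len":
            # Reserved pseudo-key: it must terminate the path, otherwise
            # trailing components would be ignored silently.
            if i != len(parts) - 1:
                raise ValueError("__len must be the last path component")
            try:
                return len(obj)
            except TypeError:  # ints, floats, bools and None have no len()
                return -1
        m = INDEX_RE.match(part)
        key, index = (m.group(1), int(m.group(2))) if m else (part, None)
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
        if index is not None:
            if not isinstance(obj, list) or index >= len(obj):
                return None
            obj = obj[index]
    return obj
```

Note that `http.hostname.__len` resolves to the string length, which is why the README text should say the key is not limited to arrays.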