From: Jason Ish
Date: Fri, 24 May 2024 17:09:36 +0000 (-0600)
Subject: test: add lua test for blocked lua library
X-Git-Tag: suricata-6.0.20~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e0846c92dfdf6efe79e988de3b1a82a54d592d8;p=thirdparty%2Fsuricata-verify.git
test: add lua test for blocked lua library
---
diff --git a/tests/lua/lua-blocked-function-1/README.md b/tests/lua/lua-blocked-function-1/README.md
new file mode 100644
index 000000000..f886733b9
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/README.md
@@ -0,0 +1 @@
+Test for a Lua rule calling a function in a blocked library, "io".
diff --git a/tests/lua/lua-blocked-function-1/ioopen.lua b/tests/lua/lua-blocked-function-1/ioopen.lua
new file mode 100644
index 000000000..87fd7b6ee
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/ioopen.lua
@@ -0,0 +1,9 @@
+function init(args)
+ local requires = {}
+ return requires
+end
+
+function match(args)
+ local file = io.open("/dev/null")
+ return 1
+end
diff --git a/tests/lua/lua-blocked-function-1/pcall.lua b/tests/lua/lua-blocked-function-1/pcall.lua
new file mode 100644
index 000000000..526718daa
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/pcall.lua
@@ -0,0 +1,9 @@
+function init(args)
+ local requires = {}
+ return requires
+end
+
+function match(args)
+ pcall(function() error("error") end)
+ return 1
+end
diff --git a/tests/lua/lua-blocked-function-1/test.rules b/tests/lua/lua-blocked-function-1/test.rules
new file mode 100644
index 000000000..8dbd0c64d
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/test.rules
@@ -0,0 +1,3 @@
+alert http any any -> any any (msg:"TEST"; content:"uid=0"; lua:ioopen.lua; sid:1; rev:1;)
+alert http any any -> any any (msg:"TEST"; content:"uid=0"; lua:pcall.lua; sid:2; rev:1;)
+
diff --git a/tests/lua/lua-blocked-function-1/test.yaml b/tests/lua/lua-blocked-function-1/test.yaml
new file mode 100644
index 000000000..9a22d692f
--- /dev/null
+++ b/tests/lua/lua-blocked-function-1/test.yaml
@@ -0,0 +1,34 @@
+requires:
+ min-version: 8
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+ - --set logging.outputs.1.file.type=json
+
+checks:
+ - filter:
+ filename: suricata.log
+ count: 1
+ match:
+ engine.message.__startswith: "Lua script failed to run successfully"
+ engine.message.__endswith: "attempt to index a nil value (global 'io')"
+ - filter:
+ filename: suricata.log
+ count: 1
+ match:
+ engine.message.__startswith: "Lua script failed to run successfully"
+ engine.message.__endswith: "Blocked Lua function called: pcall"
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.lua.errors: 2
+
+ # Doesn't match up with errors as the call to the "io"
+ # function isn't blocked, it simply doesn't exist.
+ stats.detect.lua.blocked_function_errors: 1
diff --git a/tests/lua/lua-blocked-function-1/testmyids.pcap b/tests/lua/lua-blocked-function-1/testmyids.pcap
new file mode 100644
index 000000000..868c57e59
Binary files /dev/null and b/tests/lua/lua-blocked-function-1/testmyids.pcap differ
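Review bot: The two `suricata.log` filters under `checks:` do not say which script produces which message, and the README added in this commit calls `io` a "blocked library" while the trailing comment here says it simply does not exist in the sandbox. I would put a one-line comment above each filter, e.g. `# ioopen.lua (sid 1): "io" is never loaded, so indexing it raises` and `# pcall.lua (sid 2): pcall is rejected by the blocked-function check`. The `count: 0` alert filter deserves one too, since it is the check that shows neither script reached `return 1`. The first `__endswith` string is the Lua interpreter's own wording rather than Suricata's, so it presumably ties the test to the bundled Lua version; a short comment saying so would spare a future maintainer a confusing failure.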