From: Shivani Bhardwaj Date: Fri, 20 Jun 2025 12:08:34 +0000 (+0530) Subject: flowbits: add tests for invalid flowbit cmd combinations X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8290d253fa5f64da40e86a0cbf5798fcb0bc2599;p=thirdparty%2Fsuricata-verify.git flowbits: add tests for invalid flowbit cmd combinations Bug 7772 Bug 7773 Bug 7774 Bug 7817 Bug 7818 Bug 8166
---
diff --git a/tests/flowbits-invalid-01/suricata.yaml b/tests/flowbits-invalid-01/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-01/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-01/test.rules b/tests/flowbits-invalid-01/test.rules
new file mode 100644
index 000000000..95b40097f
--- /dev/null
+++ b/tests/flowbits-invalid-01/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + isset combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:isset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-01/test.yaml b/tests/flowbits-invalid-01/test.yaml
new file mode 100644
index 000000000..af4c8973c
--- /dev/null
+++ b/tests/flowbits-invalid-01/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: set and isset"
diff --git a/tests/flowbits-invalid-02/suricata.yaml b/tests/flowbits-invalid-02/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-02/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
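Review bot: The `logging` file output in tests/flowbits-invalid-01/suricata.yaml is named `eve.json`, but with `type: json` under `logging: outputs` it carries the engine log rather than EVE events, and nothing in the file says why. The filter in test.yaml names no file, so it presumably reads eve.json by default and depends on this exact name. I would add a comment above `filename: eve.json`, for example `# engine log as JSON, named eve.json so the test.yaml filter can match engine.message`. The same config is repeated unchanged in flowbits-invalid-02 through -12.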
diff --git a/tests/flowbits-invalid-02/test.rules b/tests/flowbits-invalid-02/test.rules
new file mode 100644
index 000000000..b061b5583
--- /dev/null
+++ b/tests/flowbits-invalid-02/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit unset + isnotset combination"; http.method; content:"GET"; flowbits:unset,fb1; flowbits:isnotset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-02/test.yaml b/tests/flowbits-invalid-02/test.yaml
new file mode 100644
index 000000000..9da6b8bd8
--- /dev/null
+++ b/tests/flowbits-invalid-02/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: unset and isnotset"
diff --git a/tests/flowbits-invalid-03/suricata.yaml b/tests/flowbits-invalid-03/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-03/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-03/test.rules b/tests/flowbits-invalid-03/test.rules
new file mode 100644
index 000000000..94eaea171
--- /dev/null
+++ b/tests/flowbits-invalid-03/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + toggle combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:toggle,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-03/test.yaml b/tests/flowbits-invalid-03/test.yaml
new file mode 100644
index 000000000..1969a12d9
--- /dev/null
+++ b/tests/flowbits-invalid-03/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: set and toggle"
diff --git a/tests/flowbits-invalid-04/suricata.yaml b/tests/flowbits-invalid-04/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-04/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-04/test.rules b/tests/flowbits-invalid-04/test.rules
new file mode 100644
index 000000000..b5ecfc50a
--- /dev/null
+++ b/tests/flowbits-invalid-04/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isset + isnot combination"; http.method; content:"GET"; flowbits:isset,fb1; flowbits:isnotset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-04/test.yaml b/tests/flowbits-invalid-04/test.yaml
new file mode 100644
index 000000000..92ada610e
--- /dev/null
+++ b/tests/flowbits-invalid-04/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Error
+ engine.message: "invalid flowbit command combination in the same signature: isset and isnotset"
diff --git a/tests/flowbits-invalid-05/suricata.yaml b/tests/flowbits-invalid-05/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-05/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-05/test.rules b/tests/flowbits-invalid-05/test.rules
new file mode 100644
index 000000000..27c654668
--- /dev/null
+++ b/tests/flowbits-invalid-05/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit set + unset combination"; http.method; content:"GET"; flowbits:set,fb1; flowbits:unset,fb1; sid:111;)
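Review bot: tests/flowbits-invalid-04/test.yaml pins the one combination that is logged as an Error and ends with `exit-code: 1`, but the series has no control case in which the two keywords name different flowbits. A check that compared only the commands and ignored the flowbit name would still pass all twelve tests while rejecting valid signatures, and a rejected signature is detection coverage lost at load time. I would add a case such as `flowbits:isset,fb1; flowbits:isnotset,fb2;` with `count: 0` on the Error message and the default exit code, assuming that pair is meant to stay legal. The same gap applies to flowbits-invalid-10.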
diff --git a/tests/flowbits-invalid-05/test.yaml b/tests/flowbits-invalid-05/test.yaml
new file mode 100644
index 000000000..5b7af88af
--- /dev/null
+++ b/tests/flowbits-invalid-05/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: set and unset"
diff --git a/tests/flowbits-invalid-06/suricata.yaml b/tests/flowbits-invalid-06/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-06/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-06/test.rules b/tests/flowbits-invalid-06/test.rules
new file mode 100644
index 000000000..e1d5bc5c0
--- /dev/null
+++ b/tests/flowbits-invalid-06/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit unset + toggle combination"; http.method; content:"GET"; flowbits:unset,fb1; flowbits:toggle,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-06/test.yaml b/tests/flowbits-invalid-06/test.yaml
new file mode 100644
index 000000000..159cddf34
--- /dev/null
+++ b/tests/flowbits-invalid-06/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: unset and toggle"
diff --git a/tests/flowbits-invalid-07/suricata.yaml b/tests/flowbits-invalid-07/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-07/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-07/test.rules b/tests/flowbits-invalid-07/test.rules
new file mode 100644
index 000000000..1c177026d
--- /dev/null
+++ b/tests/flowbits-invalid-07/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isset + set combination"; http.method; content:"GET"; flowbits:isset,fb1; flowbits:set,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-07/test.yaml b/tests/flowbits-invalid-07/test.yaml
new file mode 100644
index 000000000..79bbd14df
--- /dev/null
+++ b/tests/flowbits-invalid-07/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: isset and set"
diff --git a/tests/flowbits-invalid-08/suricata.yaml b/tests/flowbits-invalid-08/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-08/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-08/test.rules b/tests/flowbits-invalid-08/test.rules
new file mode 100644
index 000000000..b281a6da9
--- /dev/null
+++ b/tests/flowbits-invalid-08/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isnotset + unset combination"; http.method; content:"GET"; flowbits:isnotset,fb1; flowbits:unset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-08/test.yaml b/tests/flowbits-invalid-08/test.yaml
new file mode 100644
index 000000000..ab19acc54
--- /dev/null
+++ b/tests/flowbits-invalid-08/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: isnotset and unset"
diff --git a/tests/flowbits-invalid-09/suricata.yaml b/tests/flowbits-invalid-09/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-09/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-09/test.rules b/tests/flowbits-invalid-09/test.rules
new file mode 100644
index 000000000..76318bc8b
--- /dev/null
+++ b/tests/flowbits-invalid-09/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit toggle + set combination"; http.method; content:"GET"; flowbits:toggle,fb1; flowbits:set,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-09/test.yaml b/tests/flowbits-invalid-09/test.yaml
new file mode 100644
index 000000000..5475b05e6
--- /dev/null
+++ b/tests/flowbits-invalid-09/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: toggle and set"
diff --git a/tests/flowbits-invalid-10/suricata.yaml b/tests/flowbits-invalid-10/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-10/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-10/test.rules b/tests/flowbits-invalid-10/test.rules
new file mode 100644
index 000000000..e638a07b1
--- /dev/null
+++ b/tests/flowbits-invalid-10/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit isnotset + isset combination"; http.method; content:"GET"; flowbits:isnotset,fb1; flowbits:isset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-10/test.yaml b/tests/flowbits-invalid-10/test.yaml
new file mode 100644
index 000000000..92ada610e
--- /dev/null
+++ b/tests/flowbits-invalid-10/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+exit-code: 1
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Error
+ engine.message: "invalid flowbit command combination in the same signature: isset and isnotset"
diff --git a/tests/flowbits-invalid-11/suricata.yaml b/tests/flowbits-invalid-11/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-11/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/flowbits-invalid-11/test.rules b/tests/flowbits-invalid-11/test.rules
new file mode 100644
index 000000000..46fbcc5c4
--- /dev/null
+++ b/tests/flowbits-invalid-11/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit unset + set combination"; http.method; content:"GET"; flowbits:unset,fb1; flowbits:set,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-11/test.yaml b/tests/flowbits-invalid-11/test.yaml
new file mode 100644
index 000000000..3b0593234
--- /dev/null
+++ b/tests/flowbits-invalid-11/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: unset and set"
diff --git a/tests/flowbits-invalid-12/suricata.yaml b/tests/flowbits-invalid-12/suricata.yaml
new file mode 100644
index 000000000..fb8c821fd
--- /dev/null
+++ b/tests/flowbits-invalid-12/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules: yes
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
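Review bot: The expected text in tests/flowbits-invalid-10/test.yaml is `isset and isnotset` although the rule in flowbits-invalid-10/test.rules lists `isnotset` first; the file is the same blob (92ada610e) as flowbits-invalid-04/test.yaml. The Warning cases in -07, -08, -09, -11 and -12 all expect the commands in rule order, so a reader cannot tell whether the fixed order here is intended or a copy of test 04. If the engine emits one fixed string for this Error, a comment such as `# Error text is order-independent: same message as flowbits-invalid-04` above `checks:` would record that; otherwise the expected message needs confirming against the engine output.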
diff --git a/tests/flowbits-invalid-12/test.rules b/tests/flowbits-invalid-12/test.rules
new file mode 100644
index 000000000..fd4961c6c
--- /dev/null
+++ b/tests/flowbits-invalid-12/test.rules
@@ -0,0 +1 @@
+alert http any any -> any any (msg: "Illegal flowbit toggle + unset combination"; http.method; content:"GET"; flowbits:toggle,fb1; flowbits:unset,fb1; sid:111;)
diff --git a/tests/flowbits-invalid-12/test.yaml b/tests/flowbits-invalid-12/test.yaml
new file mode 100644
index 000000000..860fdd288
--- /dev/null
+++ b/tests/flowbits-invalid-12/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 9
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ count: 1
+ match:
+ log_level: Warning
+ engine.message: "inconsequential flowbit command combination in the same signature: toggle and unset"