From: Eric Leblond
Date: Wed, 7 May 2025 09:18:57 +0000 (+0200)
Subject: tests: update datajson to latest code
X-Git-Tag: suricata-7.0.11~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85f4700ae2f04d90c277715d2263e5c09fdc60c8;p=thirdparty%2Fsuricata-verify.git
tests: update datajson to latest code
---
diff --git a/tests/datajson/datajson-01-ip/test.yaml b/tests/datajson/datajson-01-ip/test.yaml
index 6b2df3d70..d0c3ba592 100644
--- a/tests/datajson/datajson-01-ip/test.yaml
+++ b/tests/datajson/datajson-01-ip/test.yaml
@@ -14,4 +14,4 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
+ alert.context.src_ip.test: success
diff --git a/tests/datajson/datajson-02-multiple/test.yaml b/tests/datajson/datajson-02-multiple/test.yaml
index 68fd47900..5738beeed 100644
--- a/tests/datajson/datajson-02-multiple/test.yaml
+++ b/tests/datajson/datajson-02-multiple/test.yaml
@@ -14,5 +14,5 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.year: 2005
+ alert.context.src_ip.test: success
+ alert.context.bad_host.year: 2005
diff --git a/tests/datajson/datajson-03-jsonline/test.rules b/tests/datajson/datajson-03-jsonline/test.rules
index 378b6a3f9..106d2c884 100644
--- a/tests/datajson/datajson-03-jsonline/test.rules
+++ b/tests/datajson/datajson-03-jsonline/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format ndjson,enrichment_key bad_host,value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format ndjson,enrichment_key src_ip,value_key ip; sid:1;)
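Review bot: Every expectation in this hunk is rewritten from `alert.extra.*` to `alert.context.*`, but nothing pins that the old `alert.extra` key is actually gone, so an output that emitted both prefixes would pass unchanged; the same applies to the datajson-02, 03, 04, 05, 06, 09 and 10 test.yaml hunks and to the detect-pcre-06 test.yaml hunk. This is a consumer-visible change to the EVE alert schema (a log pipeline keyed on `alert.extra` silently stops seeing the enrichment), so, assuming `alert.extra` is not meant to survive as an alias, one negative filter on the old key in at least this first test would make the rename explicit. The filter's `count:` line sits above the hunk, so the positive check is presumably `count: 1`. A block like the one below, added after the existing filter, would do it:
```yaml
# … unchanged: existing filter asserting alert.context.src_ip.test …
  - filter:
      count: 0
      match:
        event_type: alert
        alert.signature_id: 1
        alert.extra.src_ip.test: success
```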
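Review bot: The dataset keyword changes from `format jsonline` to `format ndjson`, yet the directory is still named datajson-03-jsonline and nothing here exercises the old spelling; the same applies to the datajson-06-remove-key and datajson-10-remove-nested-key test.rules hunks. If `jsonline` was dropped rather than kept as an alias, a rule that fails to load is a silent detection gap for anyone carrying old rules, so a companion test that loads a `format jsonline` rule and asserts the expected outcome (load failure, or success if it is an alias) would pin that behaviour. A short comment in test.rules, e.g. `# format ndjson replaces the former format jsonline keyword`, would also explain the directory name to the next reader.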
diff --git a/tests/datajson/datajson-03-jsonline/test.yaml b/tests/datajson/datajson-03-jsonline/test.yaml
index 87e90bdab..1a9107120 100644
--- a/tests/datajson/datajson-03-jsonline/test.yaml
+++ b/tests/datajson/datajson-03-jsonline/test.yaml
@@ -16,7 +16,7 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.year: 2005
- alert.extra.src_ip.ip: "10.16.1.11"
- alert.extra.bad_host.host: "www.testmyids.com"
+ alert.context.src_ip.test: success
+ alert.context.bad_host.year: 2005
+ alert.context.src_ip.ip: "10.16.1.11"
+ alert.context.bad_host.host: "www.testmyids.com"
diff --git a/tests/datajson/datajson-04-hashes/test.yaml b/tests/datajson/datajson-04-hashes/test.yaml
index eec1c13c6..153e8e114 100644
--- a/tests/datajson/datajson-04-hashes/test.yaml
+++ b/tests/datajson/datajson-04-hashes/test.yaml
@@ -14,10 +14,10 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.bad_sha.year: 2005
+ alert.context.bad_sha.year: 2005
 - filter:
 count: 1
 match:
 event_type: alert
 alert.signature_id: 2
- alert.extra.bad_md5.year: 2007
+ alert.context.bad_md5.year: 2007
diff --git a/tests/datajson/datajson-05-duplicate/test.yaml b/tests/datajson/datajson-05-duplicate/test.yaml
index 68fd47900..5738beeed 100644
--- a/tests/datajson/datajson-05-duplicate/test.yaml
+++ b/tests/datajson/datajson-05-duplicate/test.yaml
@@ -14,5 +14,5 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.year: 2005
+ alert.context.src_ip.test: success
+ alert.context.bad_host.year: 2005
diff --git a/tests/datajson/datajson-06-remove-key/test.rules b/tests/datajson/datajson-06-remove-key/test.rules
index f5a613861..329e7ccd3 100644
--- a/tests/datajson/datajson-06-remove-key/test.rules
+++ b/tests/datajson/datajson-06-remove-key/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,remove_key, value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip, remove_key; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format ndjson,enrichment_key bad_host,remove_key, value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format ndjson,enrichment_key src_ip,value_key ip, remove_key; sid:1;)
diff --git a/tests/datajson/datajson-06-remove-key/test.yaml b/tests/datajson/datajson-06-remove-key/test.yaml
index 13c495ee2..bb1772b81 100644
--- a/tests/datajson/datajson-06-remove-key/test.yaml
+++ b/tests/datajson/datajson-06-remove-key/test.yaml
@@ -16,20 +16,20 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.year: 2005
+ alert.context.src_ip.test: success
+ alert.context.bad_host.year: 2005
 - filter:
 count: 0
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.src_ip.ip: 10.16.1.11
- alert.extra.bad_host.year: 2005
+ alert.context.src_ip.test: success
+ alert.context.src_ip.ip: 10.16.1.11
+ alert.context.bad_host.year: 2005
 - filter:
 count: 0
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.host: www.testmyids.com
+ alert.context.src_ip.test: success
+ alert.context.bad_host.host: www.testmyids.com
diff --git a/tests/datajson/datajson-09-jsonformat/test.yaml b/tests/datajson/datajson-09-jsonformat/test.yaml
index 0a102d314..1131e8b48 100644
--- a/tests/datajson/datajson-09-jsonformat/test.yaml
+++ b/tests/datajson/datajson-09-jsonformat/test.yaml
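Review bot: In the two `count: 0` filters of the datajson-06-remove-key test.yaml hunk the values `10.16.1.11` and `www.testmyids.com` stay unquoted, while the datajson-03 and datajson-10 fixtures quote the same values; writing them as `alert.context.src_ip.ip: "10.16.1.11"` and `alert.context.bad_host.host: "www.testmyids.com"` keeps the fixtures consistent and avoids depending on the YAML loader's scalar typing. Note also that both negative filters are satisfied vacuously if the `alert.context` prefix were wrong, so they only prove the keys were removed in combination with the positive filter whose `count:` line sits above the hunk.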
@@ -14,27 +14,27 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.year: 2005
+ alert.context.src_ip.test: success
+ alert.context.bad_host.year: 2005
 - filter:
 count: 1
 match:
 event_type: alert
 alert.signature_id: 2
- alert.extra.src_ip.test: success
- alert.extra.dbad_host.year: 2005
+ alert.context.src_ip.test: success
+ alert.context.dbad_host.year: 2005
 - filter:
 count: 1
 match:
 event_type: alert
 alert.signature_id: 3
- alert.extra.src_ip.test: success
- alert.extra.nbad_host.year: 2005
+ alert.context.src_ip.test: success
+ alert.context.nbad_host.year: 2005
 - filter:
 count: 1
 match:
 event_type: alert
 alert.signature_id: 4
- alert.extra.src_ip.test: success
- alert.extra.nkbad_host.year: 2005
- alert.extra.nkbad_host.host.domain: testmyids.com
+ alert.context.src_ip.test: success
+ alert.context.nkbad_host.year: 2005
+ alert.context.nkbad_host.host.domain: testmyids.com
diff --git a/tests/datajson/datajson-10-remove-nested-key/test.rules b/tests/datajson/datajson-10-remove-nested-key/test.rules
index 7b9d012fc..3810aa448 100644
--- a/tests/datajson/datajson-10-remove-nested-key/test.rules
+++ b/tests/datajson/datajson-10-remove-nested-key/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format jsonline,enrichment_key bad_host,value_key ioc.host,remove_key; ip.src; dataset:isset,src_ip,type ip,load src.lst,format jsonline,enrichment_key src_ip,value_key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format ndjson,enrichment_key bad_host,value_key ioc.host,remove_key; ip.src; dataset:isset,src_ip,type ip,load src.lst,format ndjson,enrichment_key src_ip,value_key ip; sid:1;)
diff --git a/tests/datajson/datajson-10-remove-nested-key/test.yaml b/tests/datajson/datajson-10-remove-nested-key/test.yaml
index e256f8885..0931da2b9 100644
--- a/tests/datajson/datajson-10-remove-nested-key/test.yaml
+++ b/tests/datajson/datajson-10-remove-nested-key/test.yaml
@@ -16,15 +16,15 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.year: 2005
- alert.extra.src_ip.ip: "10.16.1.11"
+ alert.context.src_ip.test: success
+ alert.context.bad_host.year: 2005
+ alert.context.src_ip.ip: "10.16.1.11"
 - filter:
 count: 0
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.src_ip.test: success
- alert.extra.bad_host.year: 2005
- alert.extra.src_ip.ip: "10.16.1.11"
- alert.extra.bad_host.host: "www.testmyids.com"
+ alert.context.src_ip.test: success
+ alert.context.bad_host.year: 2005
+ alert.context.src_ip.ip: "10.16.1.11"
+ alert.context.bad_host.host: "www.testmyids.com"
diff --git a/tests/detect-pcre/detect-pcre-06/test.rules b/tests/detect-pcre/detect-pcre-06/test.rules
index 608d6c2ed..036d79e7b 100644
--- a/tests/detect-pcre/detect-pcre-06/test.rules
+++ b/tests/detect-pcre/detect-pcre-06/test.rules
@@ -1,5 +1,5 @@
 alert http any any -> any any (http.user_agent; pcre:"/^(?P[a-zA-Z]+)/"; priority:1; sid:1;)
-alert http any any -> any any (http.user_agent; pcre:"/^([a-zA-Z]+).*Ubuntu\/(\d+\.\d).*Firefox\/(.*)/ ,alert:user_agent, flow:ubuntu, pkt:firefox"; sid:2;)
+alert http any any -> any any (http.user_agent; pcre:"/^([a-zA-Z]+).*Ubuntu\/(\d+\.\d).*Firefox\/(.*)/,alert:user_agent, flow:ubuntu, pkt:firefox"; sid:2;)
 # Shouldn't match
 alert http any any -> any any (msg:"pcre flowvar http header, user-agent, no match"; content:"User-Agent: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:1; sid:3;)
 alert http any any -> any any (msg:"pcre flowvar http header, server, no match"; content:"Server: "; http_header; pcre:"/(?P.*)\r\n/HR"; content:"xyz"; http_header; priority:3; sid:4;)
diff --git a/tests/detect-pcre/detect-pcre-06/test.yaml b/tests/detect-pcre/detect-pcre-06/test.yaml
index 080d8d7c4..6b0540ef3 100644
--- a/tests/detect-pcre/detect-pcre-06/test.yaml
+++ b/tests/detect-pcre/detect-pcre-06/test.yaml
@@ -20,13 +20,13 @@ checks:
 match:
 event_type: alert
 alert.signature_id: 1
- alert.extra.ua: Mozilla
+ alert.context.ua: Mozilla
 - filter:
 count: 1
 match:
 event_type: alert
 alert.signature_id: 2
- alert.extra.user_agent: Mozilla
+ alert.context.user_agent: Mozilla
 metadata.flowvars[0].ubuntu: "8.1"
 metadata.pktvars[0].firefox: "3.0.13"
 - filter:
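Review bot: Only the space before `,alert:user_agent` is dropped on the sid:2 rule, while the spaces after the other separators (`, flow:ubuntu, pkt:firefox`) stay, so the test now relies on the parser tolerating whitespace after a comma but not between the closing `/` and the capture list. If the new pcre option parsing is strict about whitespace it would be safer to normalise the whole list to `,alert:user_agent,flow:ubuntu,pkt:firefox`; if the mixed spacing is deliberate, a comment such as `# mixed spacing after commas is intentional, the parser must accept it` would keep a later cleanup from removing the coverage. Separately, the sid:1 context line reads `(?P[a-zA-Z]+)`, a named group without a name, which may be this page's rendering having stripped an angle-bracketed group name; worth confirming the file itself is intact.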