From: Jeff Lucovsky Date: Sat, 22 Jan 2022 14:33:50 +0000 (-0500) Subject: tests/dsize Suricata version 7 and later tests X-Git-Tag: suricata-6.0.9~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88a754ffdf76e4ea3eecb9bfa3f42682318b214e;p=thirdparty%2Fsuricata-verify.git tests/dsize Suricata version 7 and later tests This commit adds a test for Suricata 7 and later with the new dsize validation logic. A new error message indicating the actual and expected dsize value is emitted when there's a mismatch.
---
diff --git a/tests/test-bad-content-dsize-rule-2/suricata.yaml b/tests/test-bad-content-dsize-rule-2/suricata.yaml
new file mode 100644
index 000000000..dcaae57fe
--- /dev/null
+++ b/tests/test-bad-content-dsize-rule-2/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/test-bad-content-dsize-rule-2/test.rules b/tests/test-bad-content-dsize-rule-2/test.rules
new file mode 100644
index 000000000..f5cd807fb
--- /dev/null
+++ b/tests/test-bad-content-dsize-rule-2/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFUL - Content Greater than Dsize INVALID combination "; dsize:10; content:"thisstringisgreaterthan10bytes"; sid:6666662; rev:1;)
diff --git a/tests/test-bad-content-dsize-rule-2/test.yaml b/tests/test-bad-content-dsize-rule-2/test.yaml
new file mode 100644
index 000000000..4a4af612e
--- /dev/null
+++ b/tests/test-bad-content-dsize-rule-2/test.yaml
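Review bot: The `msg` in the test.rules hunk for test-bad-content-dsize-rule-2 is misspelled ("TEST SUCCESFUL"), while the sibling test-bad-dsize-offset-rule-2 rule spells it "TEST SUCCESSFUL"; the same misspelling recurs in the test-bad-dsize-range-offset-rule-2 and test-bad-dsize-range-rule-2 test.rules hunks. Suggested line: `msg:"TEST SUCCESSFUL - Content Greater than Dsize INVALID combination ";`. The msg text is never asserted on by the accompanying test.yaml (only the engine.message and engine.error events are checked), so this is cosmetic, but a grep for the fixture message would otherwise miss three of the four rules. Wording like "TEST SUCCESSFUL" in a rule that is expected to be rejected at load time is also easy to misread; "expected to fail validation" would describe the fixture's intent more directly.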
@@ -0,0 +1,20 @@
+requires:
+ version: 7
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+ # check that we have the following entries in eve.json
+ # match 1 specific rule load failure reason
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.message: "signature can't match as required content length 30 exceeds dsize value 10"
+
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.error: "SC_ERR_NO_RULES_LOADED"
diff --git a/tests/test-bad-content-dsize-rule-3/suricata.yaml b/tests/test-bad-content-dsize-rule-3/suricata.yaml
new file mode 100644
index 000000000..dcaae57fe
--- /dev/null
+++ b/tests/test-bad-content-dsize-rule-3/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/test-bad-content-dsize-rule-3/test.rules b/tests/test-bad-content-dsize-rule-3/test.rules
new file mode 100644
index 000000000..22e765189
--- /dev/null
+++ b/tests/test-bad-content-dsize-rule-3/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"dsize -- negated content requires more content";dsize:16; content:"abcdef"; startswith; content:!"a"; distance:0; content:"789"; distance:0; content:!"c"; distance:1; within:10;sid:5;)
diff --git a/tests/test-bad-content-dsize-rule-3/test.yaml b/tests/test-bad-content-dsize-rule-3/test.yaml
new file mode 100644
index 000000000..061320393
--- /dev/null
+++ b/tests/test-bad-content-dsize-rule-3/test.yaml
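Review bot: The `requires` block of test-bad-content-dsize-rule-2/test.yaml uses `version: 7`, while test-bad-dsize-range-offset-rule-2 and test-bad-dsize-range-rule-2 in the same commit use `min-version: 7`; the commit title says these tests target "Suricata version 7 and later", which is what `min-version` expresses. The same `version: 7` appears in the test-bad-content-dsize-rule-3 and test-bad-dsize-offset-rule-2 test.yaml hunks. If suricata-verify treats `version` as a match on that major version only, these three tests would presumably be skipped on later releases and the dsize validation regression coverage would silently lapse; suggested line: ` min-version: 7`. If pinning to 7.x is intentional, a one-line comment above `requires:` stating why would keep the five tests from looking inconsistent.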
@@ -0,0 +1,20 @@
+requires:
+ version: 7
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/etc/classification.config" --set reference-config-file="${SRCDIR}/etc/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+ # check that we have the following entries in eve.json
+ # match 1 specific rule load failure reason
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.message: "signature can't match as required content length 20 exceeds dsize value 16"
+
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.error: "SC_ERR_NO_RULES_LOADED"
diff --git a/tests/test-bad-dsize-offset-rule-2/suricata.yaml b/tests/test-bad-dsize-offset-rule-2/suricata.yaml
new file mode 100644
index 000000000..dcaae57fe
--- /dev/null
+++ b/tests/test-bad-dsize-offset-rule-2/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/test-bad-dsize-offset-rule-2/test.rules b/tests/test-bad-dsize-offset-rule-2/test.rules
new file mode 100644
index 000000000..72e469f77
--- /dev/null
+++ b/tests/test-bad-dsize-offset-rule-2/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESSFUL - dsize/offset INVALID combination "; dsize:50; content:"AA"; offset:100; sid:6666661; rev:1;)
diff --git a/tests/test-bad-dsize-offset-rule-2/test.yaml b/tests/test-bad-dsize-offset-rule-2/test.yaml
new file mode 100644
index 000000000..d3d485d00
--- /dev/null
+++ b/tests/test-bad-dsize-offset-rule-2/test.yaml
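Review bot: The `command` in test-bad-content-dsize-rule-3/test.yaml points at `${SRCDIR}/etc/classification.config` and `${SRCDIR}/etc/reference.config`, whereas the other four test.yaml files in this commit use `${SRCDIR}/classification.config` and `${SRCDIR}/reference.config`. Only one of the two layouts can exist in a given Suricata source tree, so one set of tests is passing a path to a file that is not there; whether Suricata 7 treats a missing classification or reference file as fatal or only logs a warning is not visible from this hunk, but the checks below assume the run gets as far as rule loading, and the five tests should at least agree. Suggested change: make this line match the siblings, `${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules`, or move the others to the `etc/` paths if that is the layout the targeted Suricata version ships.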
@@ -0,0 +1,20 @@
+requires:
+ version: 7
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+ # check that we have the following entries in eve.json
+ # match 1 specific rule load failure reason
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.message: "signature can't match as required content length 102 exceeds dsize value 50"
+
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.error: "SC_ERR_NO_RULES_LOADED"
diff --git a/tests/test-bad-dsize-range-offset-rule-2/suricata.yaml b/tests/test-bad-dsize-range-offset-rule-2/suricata.yaml
new file mode 100644
index 000000000..dcaae57fe
--- /dev/null
+++ b/tests/test-bad-dsize-range-offset-rule-2/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/test-bad-dsize-range-offset-rule-2/test.rules b/tests/test-bad-dsize-range-offset-rule-2/test.rules
new file mode 100644
index 000000000..7bbe446b4
--- /dev/null
+++ b/tests/test-bad-dsize-range-offset-rule-2/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFUL - dsize/offset INVALID combination "; dsize:5<>10; content:"AAAA"; offset:8; sid:6666665; rev:1;)
diff --git a/tests/test-bad-dsize-range-offset-rule-2/test.yaml b/tests/test-bad-dsize-range-offset-rule-2/test.yaml
new file mode 100644
index 000000000..74e366c66
--- /dev/null
+++ b/tests/test-bad-dsize-range-offset-rule-2/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 7
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+ # check that we have the following entries in eve.json
+ # match 1 specific rule load failure reason
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.message: "signature can't match as required content length 12 exceeds dsize value 10"
+
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.error: "SC_ERR_NO_RULES_LOADED"
diff --git a/tests/test-bad-dsize-range-rule-2/suricata.yaml b/tests/test-bad-dsize-range-rule-2/suricata.yaml
new file mode 100644
index 000000000..dcaae57fe
--- /dev/null
+++ b/tests/test-bad-dsize-range-rule-2/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/test-bad-dsize-range-rule-2/test.rules b/tests/test-bad-dsize-range-rule-2/test.rules
new file mode 100644
index 000000000..64b71f8dd
--- /dev/null
+++ b/tests/test-bad-dsize-range-rule-2/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFUL - dsize with range INVALID combination "; dsize:5<>10; content:"thisstringisgreaterthan10bytes"; sid:6666664; rev:1;)
diff --git a/tests/test-bad-dsize-range-rule-2/test.yaml b/tests/test-bad-dsize-range-rule-2/test.yaml
new file mode 100644
index 000000000..073955fa6
--- /dev/null
+++ b/tests/test-bad-dsize-range-rule-2/test.yaml
@@ -0,0 +1,20 @@
+requires:
+ min-version: 7
+
+command: |
+ ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+ # check that we have the following entries in eve.json
+ # match 1 specific rule load failure reason
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.message: "signature can't match as required content length 30 exceeds dsize value 10"
+
+ - filter:
+ count: 1
+ match:
+ event_type: engine
+ engine.error: "SC_ERR_NO_RULES_LOADED"