From: Victor Julien
Date: Sat, 25 Jan 2025 08:50:58 +0000 (+0100)
Subject: tests: add prefilter analysis tests
X-Git-Tag: suricata-7.0.9~51
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7033d5ecec9e88ef4c4467d04dde6e82a5da9a3;p=thirdparty%2Fsuricata-verify.git
tests: add prefilter analysis tests
---
diff --git a/tests/rules/prefilter/test.rules b/tests/rules/prefilter/test.rules
new file mode 100644
index 000000000..b3870b19e
--- /dev/null
+++ b/tests/rules/prefilter/test.rules
@@ -0,0 +1,11 @@
+alert tcp any any -> any any (content:"one"; content:"1"; prefilter; sid:1;)
+alert tcp any any -> any any (uricontent:"one"; uricontent:"1"; prefilter; sid:2;)
+alert tcp any any -> any any (content:"one"; http_uri; content:"1"; prefilter; http_uri; sid:3;)
+alert tcp any any -> any any (http.uri; content:"one"; content:"1"; prefilter; sid:4;)
+ # test prefilter keyword for file_data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file_data; content:".pdf.exe"; prefilter; within:64; sid:10; rev:1;)
+# test prefilter keyword for file.data
+alert tcp any any -> any 25 (msg:"VIRUS INBOUND bad file attachment"; flow:to_server,established; content:"content-disposition|3a| attachment|3b|"; nocase; content:".zip|22|"; nocase; within:128; file.data; content:".pdf.exe"; prefilter; within:64; sid:11; rev:1;)
+
+alert tcp any any -> any any (flow:established,to_server; stream_size:server,<,1111; prefilter; content: "EICAR"; sid:20;)
diff --git a/tests/rules/prefilter/test.yaml b/tests/rules/prefilter/test.yaml
new file mode 100644
index 000000000..c1a294fcf
--- /dev/null
+++ b/tests/rules/prefilter/test.yaml
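Review bot: Nothing in test.rules says what each rule is meant to prove, so a reader cannot tell that sids 1–4 exercise the override case rather than the engine's default pattern selection; a header such as `# prefilter must force the shorter "1" over "one", which the default heuristics would presumably prefer` would make the intent, and the matching expectations in test.yaml, self-explanatory. The comments on sids 10 and 11 only name the buffer keyword; noting that `file_data` and `file.data` are expected to resolve to the same buffer name would tie the pair to its checks. Sid 20 is the only rule here that puts `prefilter` on a non-content keyword while a `content` is also present, and it deserves a comment saying it covers the packet-engine path rather than the MPM path.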
@@ -0,0 +1,57 @@
+requires:
+ min-version: 8.0.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ mpm.buffer: "payload"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ mpm.buffer: "http_uri"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ mpm.buffer: "http_uri"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ mpm.buffer: "http_uri"
+ mpm.pattern: "1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ mpm.buffer: "file_data"
+ mpm.pattern: ".pdf.exe"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ mpm.buffer: "file_data"
+ mpm.pattern: ".pdf.exe"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 20
+ prefilter.buffer: "packet"
+ prefilter.name: "stream_size"
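Review bot: `min-version: 8.0.0` means this test is skipped on the 7.0.x line that the commit's tag (suricata-7.0.9~51) suggests it ships with, so the prefilter override gets no coverage there; if the 7.0 engine-analysis output lacks the `mpm.buffer`/`mpm.pattern` fields, a comment next to `requires:` saying so would justify the gate, otherwise it looks too strict. The id 20 check only asserts the positive `prefilter.name: "stream_size"`; a `count: 0` filter on `id: 20` with `mpm.pattern: "EICAR"` would additionally pin that the content keyword is not promoted to the MPM pattern, assuming rules.json omits the mpm fields in that case. The seven filter blocks differ only in id and expected values, so a short comment above `checks:` stating that each sid's expected buffer and pattern is the one carrying `prefilter` in test.rules would make the list easier to audit.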