From: Jason Ish
Date: Fri, 24 May 2024 17:09:07 +0000 (-0600)
Subject: run.py: add __startswith and __endswith for string matching
X-Git-Tag: suricata-6.0.20~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b66c45479c72820e46f49b0916cb7e7669e3bb13;p=thirdparty%2Fsuricata-verify.git
run.py: add __startswith and __endswith for string matching
---
diff --git a/README.md b/README.md
index a6d4ce99d..9760eb9e9 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,12 @@ checks:
# Find a substring in a field
engine.message.__find: script failed
+ # Check if a string starts with an expected value
+ engine.message.__startswith: "This is the start of the string"
+
+ # Check if a string ends with an expected value
+ engine.message.__endswith: "the end of a string"
+
- shell:
# A simple shell check. If the command exits with a non-0 exit code the
# check will fail. The script is run in the output directory of the
diff --git a/run.py b/run.py
index 2d195e2a7..151607050 100755
--- a/run.py
+++ b/run.py
@@ -390,9 +390,8 @@ def find_value(name, obj):
return len(obj)
except:
return -1
- if part == "__find":
- # Return full obj on __find and do a substring find in caller
- # where the expected is also available
+ if part in ["__find", "__startswith", "__endswith"]:
+ # Return full object, caller will handle the special match logic.
break
name = None
index = None
@@ -562,13 +561,18 @@ class FilterCheck:
return False
else:
val = find_value(key, event)
- if val != expected:
- if key.endswith("__find"):
- if val.find(expected) != -1:
- return True
+ if key.endswith("__find"):
+ if val.find(expected) < 0:
+ return False
+ elif key.endswith("__startswith"):
+ if not val.startswith(expected):
+ return False
+ elif key.endswith("__endswith"):
+ if not val.endswith(expected):
+ return False
+ elif val != expected:
if str(val) == str(expected):
print("Different types but same string", type(val), val, type(expected), expected)
- return False
return False
return True
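Review bot: The operator list `["__find", "__startswith", "__endswith"]` on the new `if part in` line in find_value duplicates the set of suffixes that FilterCheck.match dispatches on with `key.endswith(...)` in the second hunk, so adding a fourth operator means editing two places that must stay in agreement. A single module-level tuple would keep them in step, e.g. `SPECIAL_MATCH_OPS = ("__find", "__startswith", "__endswith")` with `if part in SPECIAL_MATCH_OPS:` here and the same tuple driving the branches in the caller; a tuple constant also avoids rebuilding a list on every path segment. The bare `except:` just above is pre-existing context and not introduced by this change. find_value begins outside the hunk.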
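Review bot: The new `val.find`, `val.startswith` and `val.endswith` calls operate on whatever find_value returned without checking that it is a string; the first hunk shows find_value returning `-1` on an exception, and presumably `None` or a non-string object when the field is absent or holds a number or list, so a missing or non-string field now makes the check raise AttributeError out of match() instead of failing cleanly (the old code had the same exposure for `__find`, but it is now three operators wide and no longer behind the `val != expected` guard). `expected` has a parallel problem when the YAML value is unquoted and parses as a number, which would raise TypeError from `str.startswith`/`str.endswith`. I would guard once before the dispatch, `if key.endswith(("__find", "__startswith", "__endswith")) and not (isinstance(val, str) and isinstance(expected, str)): return False`, or coerce both operands with `str()` for consistency with the `str(val) == str(expected)` fallback already in this block. FilterCheck.match begins outside the hunk.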