From: Hadiqa Alamdar Bukhari
Date: Wed, 13 Dec 2023 11:23:16 +0000 (+0500)
Subject: tests: add rule type check for flowbits
X-Git-Tag: suricata-6.0.16~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7d8cf3aaf7ca9975f59579314fe5d6323a53591;p=thirdparty%2Fsuricata-verify.git
tests: add rule type check for flowbits
Task #6309
---
diff --git a/tests/rules/flowbits/test.rules b/tests/rules/flowbits/test.rules
new file mode 100644
index 000000000..bf24deab8
--- /dev/null
+++ b/tests/rules/flowbits/test.rules
@@ -0,0 +1,13 @@
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb1; sid:1;)
+alert ip any any -> any any (msg:"Flowbit set"; flowbits:set,fb2; sid:2;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb1|fb2; sid:3;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb3|fb1; sid:4;)
+alert ip any any -> any any (msg:"Flowbit isset ored flowbits"; flowbits:isset,fb3|fb4; sid:5;)
+alert ip any any -> any any (msg:"Flowbit isnotset ored flowbits"; flowbits:isnotset,fb5|fb6 ; sid:6;)
+alert ip any any -> any any (msg:"Flowbit isnotset ored flowbits"; flowbits:isnotset, fb1|fb2 ; sid:7;)
+alert ip any any -> any any (msg:"Flowbit unset"; flowbits:unset,fb1; sid:8;)
+alert ip any any -> any any (msg:"Flowbit toggle"; flowbits:toggle,fb1; sid:9;)
+alert ip any any -> any any (msg:"Flowbit isset"; flowbits:isset,fb1; sid:10;)
+alert ip any any -> any any (msg:"Flowbit isset and flowbits"; flowbits:isset,fb1; flowbits:isset,fb2; sid:11;)
+alert ip any any -> any any (msg:"Flowbit isset and flowbits"; flowbits:isset,fb1; flowbits:isset,fb5; sid:12;)
+alert ip any any -> any any (msg:"Flowbit set with noalert"; flowbits:set,fb3; flowbits:noalert; sid:13;)
\ No newline at end of file
diff --git a/tests/rules/flowbits/test.yaml b/tests/rules/flowbits/test.yaml
new file mode 100644
index 000000000..4e5fd595c
--- /dev/null
+++ b/tests/rules/flowbits/test.yaml
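Review bot: The irregular spacing in sid 6 (`flowbits:isnotset,fb5|fb6 ;`) and sid 7 (`flowbits:isnotset, fb1|fb2 ;`) reads as a deliberate check that the option parser strips whitespace around the value before splitting on `|`, but nothing in the file says so, and a later cleanup could normalize it away and silently drop that coverage. A leading comment line such as `# sids 6 and 7 keep irregular whitespace on purpose: the parser must tolerate spaces around the flowbit names and before the closing ';'` would preserve the intent. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is new.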
@@ -0,0 +1,129 @@
+requires:
+ min-version: 8.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 1
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "set"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 2
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "set"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 3
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 4
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb3"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 5
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb3"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb4"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 6
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isnotset"
+ lists.packet.matches[0].flowbits.names[0]: "fb5"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb6"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 7
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isnotset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[0].flowbits.operator: "or"
+ lists.packet.matches[0].flowbits.names[1]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 8
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "unset"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 9
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "toggle"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 10
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 11
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[1].name: "flowbits"
+ lists.packet.matches[1].flowbits.cmd: "isset"
+ lists.packet.matches[1].flowbits.names[0]: "fb2"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 12
+ lists.packet.matches[0].name: "flowbits"
+ lists.packet.matches[0].flowbits.cmd: "isset"
+ lists.packet.matches[0].flowbits.names[0]: "fb1"
+ lists.packet.matches[1].name: "flowbits"
+ lists.packet.matches[1].flowbits.cmd: "isset"
+ lists.packet.matches[1].flowbits.names[0]: "fb5"
+- filter:
+ filename: rules.json
+ count: 1
+ match:
+ id: 13
+ flags[4]: "noalert"
+ lists.postmatch.matches[0].name: "flowbits"
+ lists.postmatch.matches[0].flowbits.cmd: "set"
+ lists.postmatch.matches[0].flowbits.names[0]: "fb3"
\ No newline at end of file
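Review bot: The id 13 check pins the flag to a positional slot, `flags[4]: "noalert"`, while none of the four preceding flag entries is asserted, so any change in the number or order of flags that the engine-analysis output emits for this rule fails the test with a mismatch that points nowhere near the noalert handling being tested. If the check framework has no contains-style match for array members, a comment beside that line such as `# positional: noalert is expected as the fifth flag emitted for sid 13; update the index if the flag order changes` at least records the dependency for whoever has to repair it. The checks for ids 1, 2 and 8 to 10 assert `names[0]` but never that `operator` is absent, which is presumably fine for a type check but means an `operator` key leaking into the single-name case would go unnoticed.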