From: Philippe Antoine Date: Fri, 2 May 2025 06:51:38 +0000 (+0200) Subject: ja3: adds tests for lua X-Git-Tag: suricata-7.0.11~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d66cf08d067e9142018ee032db0004208b9dad28;p=thirdparty%2Fsuricata-verify.git ja3: adds tests for lua Ticket: 7605
---
diff --git a/tests/ja3-lua-rules-quic/README.md b/tests/ja3-lua-rules-quic/README.md
new file mode 100644
index 000000000..643f6413a
--- /dev/null
+++ b/tests/ja3-lua-rules-quic/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test JA3 lua rules with quic
+
+## Related issue
+
+https://redmine.openinfosecfoundation.org/issues/7605
+
+## PCAP
+
+Reused from another QUIC test
diff --git a/tests/ja3-lua-rules-quic/test-ja3.lua b/tests/ja3-lua-rules-quic/test-ja3.lua
new file mode 100644
index 000000000..35cd6773b
--- /dev/null
+++ b/tests/ja3-lua-rules-quic/test-ja3.lua
@@ -0,0 +1,20 @@
+local ja3 = require("suricata.ja3")
+
+function init (args)
+ ja3.enable_ja3()
+ local needs = {}
+ needs["ja3"] = true
+ return needs
+end
+
+function match(args)
+ local tx = ja3.get_tx()
+ local h = tx:ja3_get_hash()
+ if h == "ea0aece5703cb982b232a0684fc35b16" then
+ local s = tx:ja3_get_string()
+ if s == "771,4865-4866-4867,5-10-11-13-65281-23-16-18-43-51-57,29-23-24-25,0" then
+ return 1
+ end
+ end
+ return 0
+end
diff --git a/tests/ja3-lua-rules-quic/test.rules b/tests/ja3-lua-rules-quic/test.rules
new file mode 100644
index 000000000..551d8c686
--- /dev/null
+++ b/tests/ja3-lua-rules-quic/test.rules
@@ -0,0 +1 @@
+alert ip any any -> any any (msg:"TEST JA3 LUA"; requires: feature ja3; lua:test-ja3.lua; sid:1; rev:1;)
diff --git a/tests/ja3-lua-rules-quic/test.yaml b/tests/ja3-lua-rules-quic/test.yaml
new file mode 100644
index 000000000..dc37bfe06
--- /dev/null
+++ b/tests/ja3-lua-rules-quic/test.yaml
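Review bot: The expected JA3 hash and string compared in `match` of test-ja3.lua are bare literals with nothing tying them to the capture; since the README says the pcap is reused from another QUIC test and test.yaml points at `../quic-v2-ja3/input.pcap`, a comment such as `-- expected JA3 hash/string of the client hello in ../quic-v2-ja3/input.pcap` above the first comparison would let a maintainer re-derive them when that pcap changes. The two nested `if`s can be folded into one condition, `if h == <existing hash literal> and tx:ja3_get_string() == <existing string literal> then return 1 end`, which reads closer to the sibling ja3s scripts. Unlike those scripts, `h` is never checked for nil; that is harmless here because a nil `h` simply fails the comparison and falls through to `return 0`. The `init (args)` spelling with a space before the parenthesis also differs from `match(args)` a few lines below.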
@@ -0,0 +1,16 @@
+pcap: ../quic-v2-ja3/input.pcap
+
+requires:
+ min-version: 8
+ features:
+ - HAVE_JA3
+
+args:
+ - -k none --set default-rule-path=. --simulate-ips
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ pcap_cnt: 1
diff --git a/tests/tls/tls-ja3s/test-ja3s-hash.lua b/tests/tls/tls-ja3s/test-ja3s-hash.lua
index 061186f96..5add7cb27 100644
--- a/tests/tls/tls-ja3s/test-ja3s-hash.lua
+++ b/tests/tls/tls-ja3s/test-ja3s-hash.lua
@@ -1,10 +1,15 @@
+local ja3 = require("suricata.ja3")
+
 function init(args)
+ ja3.enable_ja3()
 local needs = {}
+ needs["ja3s"] = true
 return needs
 end
 
 function match(args)
- hash = Ja3SGetHash()
+ local tx = ja3.get_tx()
+ local hash = tx:ja3s_get_hash()
 if hash == nil then
 return 0
 end
diff --git a/tests/tls/tls-ja3s/test-ja3s-string.lua b/tests/tls/tls-ja3s/test-ja3s-string.lua
index 7f28c5136..5bc70f692 100644
--- a/tests/tls/tls-ja3s/test-ja3s-string.lua
+++ b/tests/tls/tls-ja3s/test-ja3s-string.lua
@@ -1,10 +1,15 @@
+local ja3 = require("suricata.ja3")
+
 function init(args)
+ ja3.enable_ja3()
 local needs = {}
+ needs["ja3s"] = true
 return needs
 end
 
 function match(args)
- str = Ja3SGetString()
+ local tx = ja3.get_tx()
+ local str = tx:ja3s_get_string()
 if str == nil then
 return 0
 end
diff --git a/tests/tls/tls-ja3s/test.rules b/tests/tls/tls-ja3s/test.rules
index 97276aefd..0c60fe100 100644
--- a/tests/tls/tls-ja3s/test.rules
+++ b/tests/tls/tls-ja3s/test.rules
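Review bot: In test-ja3s-hash.lua (and identically in test-ja3s-string.lua) the handle returned by `ja3.get_tx()` is used for a method call on the very next line before any check, while the existing `if hash == nil then return 0 end` only protects the value, not the handle. If `get_tx()` can return nil when no transaction is available — I cannot confirm that from the hunk — the script would now raise where the old `Ja3SGetHash()` path returned 0, so a guard `if tx == nil then return 0 end` directly after the `get_tx()` call would keep the previous no-match behaviour. The body of `match` continues past the end of the hunk.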
@@ -1,4 +1,5 @@
 alert tls any any -> any any (msg:"ja3s.hash test"; flow:established,to_client; ja3s.hash; content:"5d79edf64e03689ff559a54e9d9487bc"; sid:1;)
 alert tls any any -> any any (msg:"ja3s.string test"; flow:established,to_client; ja3s.string; content:"771,49199,65281-0-11-16-23"; sid:2;)
-alert tls:server_hello any any -> any any (msg:"ja3s.hash Lua test"; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
-alert tls:server_hello any any -> any any (msg:"ja3s.string Lua test"; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
+# flow:established,to_client is not really needed as Suricata engine will deduce that from the needs["ja3s"] in lua
+alert tls:server_hello any any -> any any (msg:"ja3s.hash Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-hash.lua; sid:3;)
+alert tls:server_hello any any -> any any (msg:"ja3s.string Lua test"; requires: feature ja3; flow:established,to_client; lua:test-ja3s-string.lua; sid:4;)
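Review bot: The added comment line reads awkwardly and sits directly above sid:3 although it applies to both Lua rules; a wording that states its scope, `# flow:established,to_client is redundant for the two Lua rules below: the engine derives the direction from needs["ja3s"] in the scripts`, would avoid a reader assuming it covers sid:3 only. If the keyword is indeed redundant, dropping it from sid:3 and sid:4 instead of keeping it with a note would make the test exercise the direction inferred from the script rather than the explicit one.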