From: Jeff Lucovsky
Date: Mon, 18 May 2020 14:08:50 +0000 (-0400)
Subject: tests/bsize Add test cases for bsize
X-Git-Tag: suricata-6.0.10~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc0e5983495ae3c6877de331e4c0069aa75ae907;p=thirdparty%2Fsuricata-verify.git

tests/bsize Add test cases for bsize

This commit adds several test cases for the `bsize` keyword. These tests apply to Suricata 7.0.x and newer.
---

diff --git a/tests/detect-bsize-01/test.rules b/tests/detect-bsize-01/test.rules
new file mode 100644
index 000000000..c477a1898
--- /dev/null
+++ b/tests/detect-bsize-01/test.rules
@@ -0,0 +1,13 @@
+# invalid
+alert http any any -> any any (msg:"bsize: value < content len"; http.uri; content:"abcdefgh123456"; bsize:2; sid:1;)
+alert http any any -> any any (msg:"bsize: value < content len"; http.uri; content:"abcdefgh123456"; bsize:<13; sid:2;)
+alert http any any -> any any (msg:"bsize: value < content len"; http.uri; content:"abcdefgh123456"; bsize:10<>13; sid:3;)
+alert http any any -> any any (msg:"bsize: value < content len";http.uri; content:"abcdefghi123456"; offset:12; bsize:3; sid:4;)
+alert http any any -> any any (msg:"bsize: value < content len"; http.uri; content:"abc"; offset:3; depth:3; bsize:3; sid:5;)
+alert http any any -> any any (msg:"bsize: value < content len"; http.uri; content:"abcef"; content: "gh"; bsize:1; sid:6;)
+alert http any any -> any any (msg:"bsize test";http.uri; content:"abcef"; content: "g"; bsize:1; sid:8;)
+alert http any any -> any any (msg:"bsize test";http.uri; content:"abcef"; content: "g"; bsize:4; sid:9;)
+# good
+alert http any any -> any any (msg:"bsize test"; http.uri; content:"/index.php"; bsize:>1024; sid:7;)
+alert http any any -> any any (msg:"bsize test"; http.uri; content:"abcdefgh123456"; bsize:<20; sid:10;)
+alert http any any -> any any (msg:"bsize test"; http.uri; content:"abcdefgh123456"; bsize:15<>25; sid:11;)
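Review bot: Sids 8 and 9 sit under `# invalid` but carry `msg:"bsize test"`, the label the three `# good` rules use, while the numbering jumps past sid 7, which belongs to the other group; a fixture's msg should say why the rule is expected to be rejected, so `msg:"bsize: value < content len"` on both would match the rest of the invalid block. The spacing is also uneven (`content: "gh"` next to `content:"abcef"`, `msg:"...";http.uri` without a space), harmless as far as the page shows but worth normalising in a new file. The lengths that test.yaml asserts for sids 4 and 5 (15 for a 15-byte content with offset:12, 6 for a 3-byte content with offset:3 and depth:3) are not obvious from the rules themselves, and appear to depend on how the engine folds offset and depth into the required length; a comment such as `# sid 4/5: expected "required content length" is 15 and 6 respectively, see test.yaml` would save the next reader the reconstruction.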
diff --git a/tests/detect-bsize-01/test.yaml b/tests/detect-bsize-01/test.yaml
new file mode 100644
index 000000000..803678477
--- /dev/null
+++ b/tests/detect-bsize-01/test.yaml
@@ -0,0 +1,37 @@
+requires:
+ min-version: 7.0.0
+ pcap: false
+
+args:
+ - --engine-analysis
+
+exit-code: 1
+
+checks:
+ - shell:
+ args: grep "signature can.*t match as required content length 14 exceeds bsize value.*2" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep "signature can.*t match as required content length 14 exceeds bsize value.*13" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep "signature can.*t match as required content length 15 exceeds bsize value.*3" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep "signature can.*t match as required content length 14 exceeds bsize range.*10-13" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep "signature can.*t match as required content length 6 exceeds bsize value.*3" suricata.log | wc -l | xargs
+ expect: 1
+
+ - shell:
+ args: grep "signature can.*t match as required content length 5 exceeds bsize value.*1" suricata.log | wc -l | xargs
+ expect: 2
+
+ - shell:
+ args: grep "signature can.*t match as required content length 5 exceeds bsize value.*4" suricata.log | wc -l | xargs
+ expect: 1
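Review bot: Nothing in `checks` bounds the total number of rejections, so a regression in the bsize validation that also rejected one of the valid rules (sids 7, 10 or 11 in test.rules) would still pass: each grep counts only its own message, and a spurious rejection of, say, sid 7 would log a line with different numbers that no check sees. One more check that counts every rejection line — `args: grep "signature can.*t match as required content length" suricata.log | wc -l | xargs` with `expect: 8` — pins the invalid set exactly (the seven existing expectations sum to 8). A check that the three good sids do not appear in the error output would make the positive half of the test explicit rather than relying on `exit-code: 1` alone, which the page shows is produced by the invalid rules anyway.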