From: Shivani Bhardwaj
Date: Tue, 1 Apr 2025 06:12:51 +0000 (+0530)
Subject: http: add lua lib detection tests
X-Git-Tag: suricata-7.0.11~126
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2271414a99f49cbab2432da6973777a43963767;p=thirdparty%2Fsuricata-verify.git

http: add lua lib detection tests
---

diff --git a/tests/lua-detect-http-01/README.md b/tests/lua-detect-http-01/README.md
new file mode 100644
index 000000000..6ec44e024
--- /dev/null
+++ b/tests/lua-detect-http-01/README.md
@@ -0,0 +1 @@
+Test Lua detection of HTTP methods via library.
diff --git a/tests/lua-detect-http-01/http-lua.rules b/tests/lua-detect-http-01/http-lua.rules
new file mode 100644
index 000000000..77272f005
--- /dev/null
+++ b/tests/lua-detect-http-01/http-lua.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (msg: "Test HTTP Lua request.line"; lua: test-request-line.lua; sid:1;)
+alert http any any -> any any (msg: "Test HTTP Lua request.headers.raw"; lua: test-request-headers-raw.lua; flow:to_server; sid:2;)
+alert http any any -> any any (msg: "Test HTTP Lua response.body"; lua: test-response-body.lua; sid:3;)
+alert http any any -> any any (msg: "Test HTTP Lua response-headers-raw"; lua: test-response-headers-raw.lua; flow:to_client; sid:4;)
diff --git a/tests/lua-detect-http-01/suricata.yaml b/tests/lua-detect-http-01/suricata.yaml
new file mode 100644
index 000000000..51af22dfa
--- /dev/null
+++ b/tests/lua-detect-http-01/suricata.yaml
@@ -0,0 +1,4 @@
+%YAML 1.1
+---
+
+include: ../../etc/suricata-4.0.3.yaml
diff --git a/tests/lua-detect-http-01/test-request-headers-raw.lua b/tests/lua-detect-http-01/test-request-headers-raw.lua
new file mode 100644
index 000000000..f3e47a336
--- /dev/null
+++ b/tests/lua-detect-http-01/test-request-headers-raw.lua
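Review bot: In http-lua.rules, sids 1 and 3 carry no `flow:` keyword while sids 2 and 4 pin `flow:to_server` and `flow:to_client`; if the direction is meant to be selected by each script's `needs` table the omission is only cosmetic, but for a fixture whose checks expect exactly one alert per sid it is worth stating the direction on all four rules, e.g. `flow:to_server;` on sid 1 and `flow:to_client;` on sid 3. The msg strings are also inconsistent: sid 4 says `response-headers-raw` where the other three use the dotted buffer name, so `msg: "Test HTTP Lua response.headers.raw"` would match the rest.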
@@ -0,0 +1,22 @@
+-- simple http match on request_headers_raw module
+local packet = require "suricata.packet"
+local http = require("suricata.http")
+
+function init (args)
+ local needs = {}
+ needs["http.request_headers.raw"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ local tx = http.get_tx()
+ http_request_headers_raw, err = tx:request_headers_raw()
+
+ if #http_request_headers_raw > 0 then
+ if http_request_headers_raw:find("User%-Agent: curl") then
+ return 1
+ end
+ end
+
+ return 0
+end
diff --git a/tests/lua-detect-http-01/test-request-line.lua b/tests/lua-detect-http-01/test-request-line.lua
new file mode 100644
index 000000000..ee71eba32
--- /dev/null
+++ b/tests/lua-detect-http-01/test-request-line.lua
@@ -0,0 +1,22 @@
+-- simple http match on request_line module
+local http = require("suricata.http")
+
+function init (args)
+ local needs = {}
+ needs["http.request_line"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ local tx, err = http.get_tx()
+ http_request_line, err = tx:request_line()
+
+ if #http_request_line > 0 then
+ --GET /base64-hello-world.txt HTTP/1.1
+ if http_request_line:find("^GET") then
+ return 1
+ end
+ end
+
+ return 0
+end
diff --git a/tests/lua-detect-http-01/test-response-body.lua b/tests/lua-detect-http-01/test-response-body.lua
new file mode 100644
index 000000000..7ca6f620d
--- /dev/null
+++ b/tests/lua-detect-http-01/test-response-body.lua
@@ -0,0 +1,23 @@
+-- simple http match on response_body module
+local http = require("suricata.http")
+
+function init (args)
+ local needs = {}
+ needs["http.response_body"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ local tx, err = http.get_tx()
+ http_response_body, err = tx:response_body()
+ if http_response_body ~= nil then
+ for i = 1,#http_response_body,1
+ do
+ if http_response_body[i]:find("^SGVsbG8gV29ybGQu") then
+ return 1
+ end
+ end
+ end
+
+ return 0
+end
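Review bot: `http_request_headers_raw, err = tx:request_headers_raw()` in match() declares neither name `local`, so the header buffer and the error value become globals of the script environment; test-request-line.lua, test-response-body.lua and test-response-headers-raw.lua assign their buffers the same way. Nothing is checked before use either: `#http_request_headers_raw` raises if the call returned nil, and the other scripts in this commit capture `err` from `http.get_tx()`, which suggests both calls follow the nil, err convention. Suggested lines: `if tx == nil then return 0 end` after `local tx = http.get_tx()`, then `local http_request_headers_raw, err = tx:request_headers_raw()` followed by `if http_request_headers_raw == nil then return 0 end`, applied to each script. `local packet = require "suricata.packet"` is unused here and in test-response-headers-raw.lua and can be dropped.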
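Review bot: `for i = 1,#http_response_body,1 do` in test-response-body.lua spells out the default step and then only ever reads `http_response_body[i]`, so `for _, chunk in ipairs(http_response_body) do` with `chunk:find(...)` says the same thing more plainly. That indexing is the only hint that `tx:response_body()` returns a table of string chunks rather than a single string like the other accessors in this commit; a comment above the loop such as `-- response_body() returns the body as a list of chunks; match any chunk (confirm against the library)` would spare the next reader that inference. The literal `SGVsbG8gV29ybGQu` is the base64 encoding of "Hello World.", which presumably ties it to the /base64-hello-world.txt request mentioned in test-request-line.lua; saying so in a comment on the pattern would make the expected input obvious.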
diff --git a/tests/lua-detect-http-01/test-response-headers-raw.lua b/tests/lua-detect-http-01/test-response-headers-raw.lua
new file mode 100644
index 000000000..625c11954
--- /dev/null
+++ b/tests/lua-detect-http-01/test-response-headers-raw.lua
@@ -0,0 +1,22 @@
+-- simple http match on response_headers_raw module
+local packet = require "suricata.packet"
+local http = require("suricata.http")
+
+function init (args)
+ local needs = {}
+ needs["http.response_headers.raw"] = tostring(true)
+ return needs
+end
+
+function match(args)
+ local tx = http.get_tx()
+ http_response_headers_raw, err = tx:response_headers_raw()
+
+ if #http_response_headers_raw > 0 then
+ if http_response_headers_raw:find("^Server: nginx/1.6.3") then
+ return 1
+ end
+ end
+
+ return 0
+end
diff --git a/tests/lua-detect-http-01/test.yaml b/tests/lua-detect-http-01/test.yaml
new file mode 100644
index 000000000..7411be98d
--- /dev/null
+++ b/tests/lua-detect-http-01/test.yaml
@@ -0,0 +1,28 @@
+requires:
+ features:
+ - HAVE_LUA
+ min-version: 8
+
+pcap: ../lua-output-http/input.pcap
+
+args:
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 3
+ - filter:
+ count: 1
+ match:
+ alert.signature_id: 4
+
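Review bot: The pattern `"^Server: nginx/1.6.3"` in match() of test-response-headers-raw.lua leaves the dots unescaped, and in a Lua pattern each `.` matches any byte, so the check also accepts strings like `nginx/1x6y3`; escape them as `"^Server: nginx/1%.6%.3"` or use `find("Server: nginx/1.6.3", 1, true)` for a plain substring search, the way `User%-Agent` is already escaped in test-request-headers-raw.lua. The `^` anchor additionally assumes Server is the first raw response header in the capture, which is fine for a fixture but deserves a one-line comment such as `-- expects Server to be the first response header in the pcap`.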
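Review bot: `pcap: ../lua-output-http/input.pcap` in test.yaml makes this test depend on another test's fixture, so any change to lua-output-http's capture silently changes the traffic that sids 1–4 are checked against here; either copy the pcap into tests/lua-detect-http-01/ or record the dependency in README.md. The `--set security.lua.allow-rules=true` argument together with `min-version: 8` reads as an opt-in for rule-side Lua at that version, so a comment such as `# Lua in rules is opt-in; enable it for this test` above the args list would make the intent clear to a reader who does not know the default.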