From: Eric Leblond Date: Mon, 24 Mar 2025 20:07:02 +0000 (+0100) Subject: tests: update datajson to new file format X-Git-Tag: suricata-7.0.11~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa30f000ff94fb5da2db8ff66c9bd26d16b576b8;p=thirdparty%2Fsuricata-verify.git tests: update datajson to new file format Update the tests to use JSON format and the new dataset syntax.
---
diff --git a/tests/datajson/datajson-01-ip/src.lst b/tests/datajson/datajson-01-ip/src.lst
index f44ad188c..7553335cf 100644
--- a/tests/datajson/datajson-01-ip/src.lst
+++ b/tests/datajson/datajson-01-ip/src.lst
@@ -1 +1 @@
-10.16.1.11,{"test": "success","context":3}
+[{"ip": "10.16.1.11", "test": "success", "context":3}]
diff --git a/tests/datajson/datajson-01-ip/test.rules b/tests/datajson/datajson-01-ip/test.rules
index 6a94208f4..ce880a2ff 100644
--- a/tests/datajson/datajson-01-ip/test.rules
+++ b/tests/datajson/datajson-01-ip/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; content:"testmyids.com"; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; content:"testmyids.com"; ip.src; dataset:isset,src_ip,type ip,load src.lst,format json, enrichment_key src_ip, value_key ip; sid:1;)
diff --git a/tests/datajson/datajson-02-multiple/host.lst b/tests/datajson/datajson-02-multiple/host.lst
index f1b1a17a6..e72716b08 100644
--- a/tests/datajson/datajson-02-multiple/host.lst
+++ b/tests/datajson/datajson-02-multiple/host.lst
@@ -1 +1 @@
-d3d3LnRlc3RteWlkcy5jb20=,{"context":"gold old test", "year": 2005}
+[{"host": "www.testmyids.com", "context":"gold old test", "year": 2005}]
diff --git a/tests/datajson/datajson-02-multiple/src.lst b/tests/datajson/datajson-02-multiple/src.lst
index f44ad188c..7553335cf 100644
--- a/tests/datajson/datajson-02-multiple/src.lst
+++ b/tests/datajson/datajson-02-multiple/src.lst
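Review bot: The new rule in tests/datajson/datajson-01-ip/test.rules writes its option list as `format json, enrichment_key src_ip, value_key ip`, with a space after two of the commas, while the converted rules in datajson-02-multiple, datajson-04-hashes and datajson-05-duplicate use no spaces; the datajson-08-invalid-json rule has the same spacing. If this is meant to exercise whitespace tolerance in the option parser, a comment line above the rule saying so, such as `# spaces after commas are intentional: the option parser must trim them`, would keep a later cleanup from silently removing that coverage. If it is incidental, `format json,enrichment_key src_ip,value_key ip` matches the rest of the suite.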
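Review bot: In tests/datajson/datajson-02-multiple/host.lst the string value changes from the base64 form (`d3d3LnRlc3RteWlkcy5jb20=`) to the literal `www.testmyids.com`, and nothing in the diff as shown covers a JSON file that still carries the encoded form. That is the mistake a migrated production list is most likely to contain, and it would presumably load cleanly and then never match, which is a silent detection gap rather than a visible error. A negative test that keeps the old encoded value under `value_key host` and asserts zero alerts (or a load-time warning, if the engine emits one) would pin the behaviour. The same applies to tests/datajson/datajson-05-duplicate/host.lst.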
@@ -1 +1 @@
-10.16.1.11,{"test": "success","context":3}
+[{"ip": "10.16.1.11", "test": "success", "context":3}]
diff --git a/tests/datajson/datajson-02-multiple/test.rules b/tests/datajson/datajson-02-multiple/test.rules
index acbf3045a..592636c0c 100644
--- a/tests/datajson/datajson-02-multiple/test.rules
+++ b/tests/datajson/datajson-02-multiple/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format json,enrichment_key bad_host,value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format json,enrichment_key src_ip,value_key ip; sid:1;)
diff --git a/tests/datajson/datajson-04-hashes/badmd5.lst b/tests/datajson/datajson-04-hashes/badmd5.lst
index 390a1e659..9ae44e3fd 100644
--- a/tests/datajson/datajson-04-hashes/badmd5.lst
+++ b/tests/datajson/datajson-04-hashes/badmd5.lst
@@ -1 +1 @@
-b65d49730d16e5a8a7b2ab95350848b8,{"year": 2007, "where": "home"}
+[{"hash": "b65d49730d16e5a8a7b2ab95350848b8", "year": 2007, "where": "home"}]
diff --git a/tests/datajson/datajson-04-hashes/badsha.lst b/tests/datajson/datajson-04-hashes/badsha.lst
index 58bcade9d..d8e87afdb 100644
--- a/tests/datajson/datajson-04-hashes/badsha.lst
+++ b/tests/datajson/datajson-04-hashes/badsha.lst
@@ -1,2 +1 @@
-e0ca4ff795b3f32d45260678e4ab79884793c05a149f2b350d10274451dc210a,{"year":2005,"where":"internet"}
-#E0CA4FF795B3F32D45260678E4AB79884793C05A149F2B350D10274451DC210A,{"year":2005,"where":"internet"}
+[{"hash": "e0ca4ff795b3f32d45260678e4ab79884793c05a149f2b350d10274451dc210a","year":2005,"where":"internet"}]
diff --git a/tests/datajson/datajson-04-hashes/badsha1.lst b/tests/datajson/datajson-04-hashes/badsha1.lst
deleted file mode 100644
index 1cdea21c5..000000000
--- a/tests/datajson/datajson-04-hashes/badsha1.lst
+++ /dev/null
@@ -1 +0,0 @@
-6951a4eb86e09aac29a003a35ee4d6b4a8468a6e,{"year":2006,"where":"internet"}
diff --git a/tests/datajson/datajson-04-hashes/test.rules b/tests/datajson/datajson-04-hashes/test.rules
index af67a6908..900bdbba3 100644
--- a/tests/datajson/datajson-04-hashes/test.rules
+++ b/tests/datajson/datajson-04-hashes/test.rules
@@ -1,2 +1,2 @@
-alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_sha256; datajson:isset,badcat,type sha256,load badsha.lst,key bad_sha; sid:1; rev:1;)
-alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_md5; datajson:isset,badmd5,type md5,load badmd5.lst,key bad_md5; sid:2; rev:1;)
+alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_sha256; dataset:isset,badcat,type sha256,load badsha.lst,format json,enrichment_key bad_sha,value_key hash; sid:1; rev:1;)
+alert http any any -> any any (flow:established,to_server; http.host; content: "testmyids"; to_md5; dataset:isset,badmd5,type md5,load badmd5.lst,format json,enrichment_key bad_md5,value_key hash; sid:2; rev:1;)
diff --git a/tests/datajson/datajson-05-duplicate/host.lst b/tests/datajson/datajson-05-duplicate/host.lst
index d852cad3b..76f22e577 100644
--- a/tests/datajson/datajson-05-duplicate/host.lst
+++ b/tests/datajson/datajson-05-duplicate/host.lst
@@ -1,2 +1,4 @@
-d3d3LnRlc3RteWlkcy5jb20=,{"context":"good old test", "year": 2005}
-d3d3LnRlc3RteWlkcy5jb20=,{"context":"gold old test", "year": 2006}
+[
+ {"host":"www.testmyids.com", "context":"good old test", "year": 2005},
+ {"host":"www.testmyids.com", "context":"gold old test", "year": 2006}
+]
diff --git a/tests/datajson/datajson-05-duplicate/src.lst b/tests/datajson/datajson-05-duplicate/src.lst
index 4993bc672..b5945d4bc 100644
--- a/tests/datajson/datajson-05-duplicate/src.lst
+++ b/tests/datajson/datajson-05-duplicate/src.lst
@@ -1,2 +1,4 @@
-10.16.1.11,{"test": "success","context":1}
-10.16.1.11,{"test": "fail","context":2}
+[
+ {"ip": "10.16.1.11","test": "success","context":1},
+ {"ip": "10.16.1.11","test": "fail","context":2}
+]
diff --git a/tests/datajson/datajson-05-duplicate/test.rules b/tests/datajson/datajson-05-duplicate/test.rules
index acbf3045a..592636c0c 100644
--- a/tests/datajson/datajson-05-duplicate/test.rules
+++ b/tests/datajson/datajson-05-duplicate/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,src_ip,type ip,load src.lst,key src_ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,format json,enrichment_key bad_host,value_key host; ip.src; dataset:isset,src_ip,type ip,load src.lst,format json,enrichment_key src_ip,value_key ip; sid:1;)
diff --git a/tests/datajson/datajson-06-valid-json/host.lst b/tests/datajson/datajson-06-valid-json/host.lst
deleted file mode 100644
index e184bf68b..000000000
--- a/tests/datajson/datajson-06-valid-json/host.lst
+++ /dev/null
@@ -1 +0,0 @@
-d3d3LnRlc3RteWlkcy5jb20=,"context"
diff --git a/tests/datajson/datajson-06-valid-json/input.pcap b/tests/datajson/datajson-06-valid-json/input.pcap
deleted file mode 100644
index 8fb6832de..000000000
Binary files a/tests/datajson/datajson-06-valid-json/input.pcap and /dev/null differ
diff --git a/tests/datajson/datajson-06-valid-json/ip.lst b/tests/datajson/datajson-06-valid-json/ip.lst
deleted file mode 100644
index 4d112f86e..000000000
--- a/tests/datajson/datajson-06-valid-json/ip.lst
+++ /dev/null
@@ -1,2 +0,0 @@
-10.16.1.12,1.2
-10.16.1.11,42
diff --git a/tests/datajson/datajson-06-valid-json/ip2.lst b/tests/datajson/datajson-06-valid-json/ip2.lst
deleted file mode 100644
index 19d54fd4e..000000000
--- a/tests/datajson/datajson-06-valid-json/ip2.lst
+++ /dev/null
@@ -1 +0,0 @@
-10.16.1.11,1.2
diff --git a/tests/datajson/datajson-06-valid-json/test.rules b/tests/datajson/datajson-06-valid-json/test.rules
deleted file mode 100644
index 599e42191..000000000
--- a/tests/datajson/datajson-06-valid-json/test.rules
+++ /dev/null
@@ -1,2 +0,0 @@
-alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
-alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; ip.src; datajson:isset,bip2,type ipv6,load ip2.lst,key ip; sid:2;)
diff --git a/tests/datajson/datajson-06-valid-json/test.yaml b/tests/datajson/datajson-06-valid-json/test.yaml
deleted file mode 100644
index 933e9a630..000000000
--- a/tests/datajson/datajson-06-valid-json/test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-requires:
- min-version: 8
-
-args:
- - -k none --set datasets.enabled=yes
-
-checks:
- - filter:
- count: 2
- match:
- event_type: alert
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 1
- alert.extra.ip: 42
- alert.extra.bad_host: context
- - filter:
- count: 1
- match:
- event_type: alert
- alert.signature_id: 2
- alert.extra.ip: 1.2
- alert.extra.bad_host: context
diff --git a/tests/datajson/datajson-07-dataset/test.rules b/tests/datajson/datajson-07-dataset/test.rules
index 5513f03b2..95a825895 100644
--- a/tests/datajson/datajson-07-dataset/test.rules
+++ b/tests/datajson/datajson-07-dataset/test.rules
@@ -1,2 +1,2 @@
-alert http any any -> any any (flow:established,to_server; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
-alert http any any -> any any (flow:established,to_server; http.host; datajson:isset,badhost,type string,load host.lst,key bad_host; sid:2;)
+alert http any any -> any any (flow:established,to_server; ip.src; dataset:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; http.host; dataset:isset,badhost,type string,load host.lst,enrichment_key bad_host; sid:2;)
diff --git a/tests/datajson/datajson-08-invalid-json/test.rules b/tests/datajson/datajson-08-invalid-json/test.rules
index 4de245d33..71aa789ba 100644
--- a/tests/datajson/datajson-08-invalid-json/test.rules
+++ b/tests/datajson/datajson-08-invalid-json/test.rules
@@ -1 +1 @@
-alert http any any -> any any (flow:established,to_server; ip.src; datajson:isset,bip,type ipv6,load ip.lst,key ip; sid:1;)
+alert http any any -> any any (flow:established,to_server; ip.src; dataset:isset,bip,type ipv6,load ip.lst,format json, enrichment_key ip, value_key ip; sid:1;)
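Review bot: In tests/datajson/datajson-07-dataset/test.rules the sid:1 rule still passes the old `key ip` option to `dataset`, while sid:2 and every other converted rule in this commit use `enrichment_key`; neither rule sets `format json` or `value_key`. If both rules are meant to be rejected at load time, they would now be rejected for different reasons, and the test.yaml that pins the expected outcome is not part of this diff, so the intent cannot be checked from here. A comment line above each rule stating what it is expected to trigger, for example `# sid:1: legacy 'key' option, dataset must refuse it`, would make that reviewable. If the leftover `key` is an oversight, `enrichment_key ip` brings it in line with sid:2.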
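Review bot: The rule in tests/datajson/datajson-08-invalid-json/test.rules now asks for `format json` with `enrichment_key ip, value_key ip`, but ip.lst is not changed anywhere in this diff as shown, so the fixture is presumably still in the old `value,json` line format. If so, the load fails because the file is not a JSON document at all, which is a weaker check than a well-formed array holding one malformed record; a fixture of the second kind would show whether a single bad entry is reported or silently skipped. Using the same name for `enrichment_key` and `value_key` also makes it hard to tell from a log line which of the two an error refers to.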