From: Jeff Lucovsky
Date: Sun, 9 Jul 2023 14:41:11 +0000 (-0400)
Subject: test/byte_math: Add nbyte variable name tests
X-Git-Tag: suricata-7.0.0~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1303%2Fhead;p=thirdparty%2Fsuricata-verify.git

test/byte_math: Add nbyte variable name tests

Issue: 6145

Add tests related to nbyte variable name usage for byte_math
---
diff --git a/tests/detect-bytemath-05/input.pcap b/tests/detect-bytemath-05/input.pcap
new file mode 100644
index 000000000..4a18a072c
Binary files /dev/null and b/tests/detect-bytemath-05/input.pcap differ
diff --git a/tests/detect-bytemath-05/test.rules b/tests/detect-bytemath-05/test.rules
new file mode 100644
index 000000000..bbaad2932
--- /dev/null
+++ b/tests/detect-bytemath-05/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"byte_math varname test sig"; \
+ ipv4.hdr; byte_extract:1,5,rpkt_len,relative; \
+ byte_math:bytes rpkt_len, offset 1, oper +, rvalue 102, result result_val; \
+ tcp.hdr; byte_test: 1, =, result_val, 1, relative; \
+ sid:1;)
diff --git a/tests/detect-bytemath-05/test.yaml b/tests/detect-bytemath-05/test.yaml
new file mode 100644
index 000000000..f4edccea6
--- /dev/null
+++ b/tests/detect-bytemath-05/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 7
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
diff --git a/tests/detect-bytemath-06/test.rules b/tests/detect-bytemath-06/test.rules
new file mode 100644
index 000000000..366e23fdb
--- /dev/null
+++ b/tests/detect-bytemath-06/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"byte_math bad varname test sig"; \
+ ipv4.hdr; byte_extract:1,5,rpkt_len,relative; \
+ byte_math:bytes no_var, offset 1, oper +, rvalue 102, result result_val; \
+ tcp.hdr; byte_test: 1, =, result_val, 1, relative; \
+ sid:1;)
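Review bot: The positive rule in detect-bytemath-05/test.rules carries no comment saying what the pcap has to contain for sid 1 to fire, yet the alert depends on three packet-derived values: the byte at offset 5 of the IPv4 header (the low byte of the identification field, by IPv4 layout) becomes rpkt_len, that value is then consumed as byte_math's `bytes` count, and the TCP header byte at offset 1 must equal result_val. byte_math accepts only a small byte count (1 to 10 according to the Suricata documentation), so if the pcap's IP ID low byte falls outside that range the signature simply does not match and the test fails without exercising the variable-name path it is meant to cover. Suggest a leading comment line such as `# positive case for byte_math "bytes <var>": rpkt_len comes from IPv4 header byte 5 and is presumably 1..10 in input.pcap so byte_math can use it; tcp.hdr byte 1 must equal result_val` so the coupling to the capture is visible.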
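Review bot: `no_var` on the byte_math line of detect-bytemath-06/test.rules is never produced by a byte_extract, which is the point of the negative test, but the file is otherwise a copy of detect-bytemath-05/test.rules and nothing in it marks the undefined name as intentional; a maintainer tidying the rule could "fix" it to rpkt_len and silently turn the negative test into a second positive one. Suggest a comment as the first line: `# negative case: "no_var" is deliberately undefined by byte_extract; the engine must reject this rule at load time (test.yaml checks the error text)`.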
diff --git a/tests/detect-bytemath-06/test.yaml b/tests/detect-bytemath-06/test.yaml
new file mode 100644
index 000000000..3f7a4f66f
--- /dev/null
+++ b/tests/detect-bytemath-06/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 7
+
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - shell:
+ args: grep "unknown byte_ keyword var seen in byte_math - no_var" suricata.log | wc -l | xargs
+ expect: 1
+
+exit-code: 1
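Review bot: The shell check's `args:` line counts matches with `grep … | wc -l | xargs`, which keeps the pipeline's exit status 0 even when nothing matches, but nothing says why; a reader is likely to simplify it to `grep -c`, which exits non-zero on zero matches and, if the harness treats a failing command as an error, would turn a clear "expected 1, got 0" mismatch into an opaque command failure. Suggest a comment above the check: `# grep|wc|xargs rather than grep -c: the pipeline must exit 0 when the message is absent so the count, not the exit status, is what fails the test`. The expected string is also the engine's exact error wording, so a rewording of that message in Suricata's byte_math parser fails this test; a second comment naming that dependency, e.g. `# exact error text logged by the byte_math rule parser for an unknown bytes variable`, would make the failure easy to triage.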