From: Shivani Bhardwaj
Date: Wed, 21 Feb 2024 09:50:42 +0000 (+0530)
Subject: detect/port: add rule grouping tests
X-Git-Tag: suricata-6.0.17~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1678%2Fhead;p=thirdparty%2Fsuricata-verify.git
detect/port: add rule grouping tests
---
diff --git a/tests/rule-grouping/rule-grouping-1/README.md b/tests/rule-grouping/rule-grouping-1/README.md
new file mode 100644
index 000000000..b669e4d5b
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-1/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small range
+overlaps and single points with "any".
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-1/suricata.yaml b/tests/rule-grouping/rule-grouping-1/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-1/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-1/test.rules b/tests/rule-grouping/rule-grouping-1/test.rules
new file mode 100644
index 000000000..bd336a730
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-1/test.rules
@@ -0,0 +1,4 @@
+alert tcp any any -> any any (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 80 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 80:81 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 445 (flow:to_server; content:"abc"; sid:4;)
diff --git a/tests/rule-grouping/rule-grouping-1/test.yaml b/tests/rule-grouping/rule-grouping-1/test.yaml
new file mode 100644
index 000000000..a9203ade2
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-1/test.yaml
@@ -0,0 +1,67 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 80
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 445
+ tcp.toserver[1].port2: 445
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 81
+ tcp.toserver[2].port2: 81
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 0
+ tcp.toserver[3].port2: 79
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 82
+ tcp.toserver[4].port2: 444
+ tcp.toserver[4].rulegroup.id: 3
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 446
+ tcp.toserver[5].port2: 65535
+ tcp.toserver[5].rulegroup.id: 3
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 1
+
diff --git a/tests/rule-grouping/rule-grouping-2/README.md b/tests/rule-grouping/rule-grouping-2/README.md
new file mode 100644
index 000000000..00156b6a3
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-2/README.md
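Review bot: The `rulegroup.rules[N].sig_id` matches in this hunk pin which signatures sit at the first positions of each group but never how many signatures the group holds, so a signature wrongly joining a group (for example sid 4 landing in `tcp.toserver[0]` next to sids 1, 2 and 3) would still pass every check. The `__len` operator already used at `tcp.toserver.__len: 6` can close that gap if it resolves on nested paths the same way, e.g. `tcp.toserver[0].rulegroup.rules.__len: 3` added under the same `match:`, and likewise for the other five groups. The same gap is in the test.yaml hunks of rule-grouping-2, rule-grouping-3, rule-grouping-4 and rule-grouping-5; rule-grouping-6's test.yaml hunk is cut off in this view. Since every rule in test.rules carries `flow:to_server`, a check that `tcp.toclient` holds no groups would also document the expected direction split, though whether the dump emits an empty list or omits the key is not visible here.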
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for all disjointed
+ports and ranges i.e. no overlaps.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-2/suricata.yaml b/tests/rule-grouping/rule-grouping-2/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-2/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-2/test.rules b/tests/rule-grouping/rule-grouping-2/test.rules
new file mode 100644
index 000000000..08540db9c
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-2/test.rules
@@ -0,0 +1,13 @@
+drop tls any 1 -> any 1 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 2 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 3 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 4 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 5 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 6 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 7 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 8 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 9 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 10 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 11 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 12 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
diff --git a/tests/rule-grouping/rule-grouping-2/test.yaml b/tests/rule-grouping/rule-grouping-2/test.yaml
new file mode 100644
index 000000000..afac6c191
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-2/test.yaml
@@ -0,0 +1,119 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 1
+ tcp.toserver[0].port2: 1
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 2
+ tcp.toserver[1].port2: 2
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 3
+ tcp.toserver[2].port2: 3
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 4
+ tcp.toserver[3].port2: 4
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 5
+ tcp.toserver[4].port2: 5
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 6
+ tcp.toserver[5].port2: 6
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 7
+ tcp.toserver[6].port2: 7
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 8
+ tcp.toserver[7].port2: 8
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 9
+ tcp.toserver[8].port2: 9
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 10
+ tcp.toserver[9].port2: 10
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 11
+ tcp.toserver[10].port2: 11
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 12
+ tcp.toserver[11].port2: 12
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 12
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[12].port: 1024
+ tcp.toserver[12].port2: 65535
+ tcp.toserver[12].rulegroup.id: 12
+ tcp.toserver[12].rulegroup.rules[0].sig_id: 13
+
diff --git a/tests/rule-grouping/rule-grouping-3/README.md b/tests/rule-grouping/rule-grouping-3/README.md
new file mode 100644
index 000000000..7197568ac
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-3/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single point
+disruptions in a continuous range.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-3/suricata.yaml b/tests/rule-grouping/rule-grouping-3/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-3/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-3/test.rules b/tests/rule-grouping/rule-grouping-3/test.rules
new file mode 100644
index 000000000..e8df9a0b4
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-3/test.rules
@@ -0,0 +1,13 @@
+drop tls any 21017 -> any 9808 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 31342 -> any 48640 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 5121 -> any 51362 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 37506 -> any 23033 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 62314 -> any 63977 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 20097 -> any 3772 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 41962 -> any 20998 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8575 -> any 9263 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 30307 -> any 2926 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 20461 -> any 42188 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 50359 -> any 9780 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 36743 -> any 11673 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
diff --git a/tests/rule-grouping/rule-grouping-3/test.yaml b/tests/rule-grouping/rule-grouping-3/test.yaml
new file mode 100644
index 000000000..4d4360392
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-3/test.yaml
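Review bot: Every rule in this hunk carries a different literal source port (21017, 31342, 5121, …) while the rule-grouping-3 test.yaml asserts only destination-port groups under `tcp.toserver`, so those values are noise to a reader unless source-port grouping is meant to be exercised, and nothing in the checks asserts that. If they are incidental, `any` as the source port, as rule-grouping-2 already uses, makes the "single point disruptions" case the README describes easier to read; if they are deliberate, one sentence in the README saying what they contribute is enough. The same applies to the source ports in rule-grouping-5's test.rules.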
@@ -0,0 +1,227 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 25
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 2926
+ tcp.toserver[0].port2: 2926
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 9
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 3772
+ tcp.toserver[1].port2: 3772
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 6
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 9263
+ tcp.toserver[2].port2: 9263
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 8
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 9780
+ tcp.toserver[3].port2: 9780
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 11
+ tcp.toserver[3].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 9808
+ tcp.toserver[4].port2: 9808
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[4].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 11673
+ tcp.toserver[5].port2: 11673
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 12
+ tcp.toserver[5].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 20998
+ tcp.toserver[6].port2: 20998
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[6].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 23033
+ tcp.toserver[7].port2: 23033
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 4
+ tcp.toserver[7].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 42188
+ tcp.toserver[8].port2: 42188
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 10
+ tcp.toserver[8].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 48640
+ tcp.toserver[9].port2: 48640
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[9].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 51362
+ tcp.toserver[10].port2: 51362
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[10].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 63977
+ tcp.toserver[11].port2: 63977
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 5
+ tcp.toserver[11].rulegroup.rules[1].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[12].port: 1024
+ tcp.toserver[12].port2: 2925
+ tcp.toserver[12].rulegroup.id: 12
+ tcp.toserver[12].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[13].port: 2927
+ tcp.toserver[13].port2: 3771
+ tcp.toserver[13].rulegroup.id: 12
+ tcp.toserver[13].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[14].port: 3773
+ tcp.toserver[14].port2: 9262
+ tcp.toserver[14].rulegroup.id: 12
+ tcp.toserver[14].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[15].port: 9264
+ tcp.toserver[15].port2: 9779
+ tcp.toserver[15].rulegroup.id: 12
+ tcp.toserver[15].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[16].port: 9781
+ tcp.toserver[16].port2: 9807
+ tcp.toserver[16].rulegroup.id: 12
+ tcp.toserver[16].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[17].port: 9809
+ tcp.toserver[17].port2: 11672
+ tcp.toserver[17].rulegroup.id: 12
+ tcp.toserver[17].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[18].port: 11674
+ tcp.toserver[18].port2: 20997
+ tcp.toserver[18].rulegroup.id: 12
+ tcp.toserver[18].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[19].port: 20999
+ tcp.toserver[19].port2: 23032
+ tcp.toserver[19].rulegroup.id: 12
+ tcp.toserver[19].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[20].port: 23034
+ tcp.toserver[20].port2: 42187
+ tcp.toserver[20].rulegroup.id: 12
+ tcp.toserver[20].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[21].port: 42189
+ tcp.toserver[21].port2: 48639
+ tcp.toserver[21].rulegroup.id: 12
+ tcp.toserver[21].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[22].port: 48641
+ tcp.toserver[22].port2: 51361
+ tcp.toserver[22].rulegroup.id: 12
+ tcp.toserver[22].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[23].port: 51363
+ tcp.toserver[23].port2: 63976
+ tcp.toserver[23].rulegroup.id: 12
+ tcp.toserver[23].rulegroup.rules[0].sig_id: 13
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[24].port: 63978
+ tcp.toserver[24].port2: 65535
+ tcp.toserver[24].rulegroup.id: 12
+ tcp.toserver[24].rulegroup.rules[0].sig_id: 13
+
diff --git a/tests/rule-grouping/rule-grouping-4/README.md b/tests/rule-grouping/rule-grouping-4/README.md
new file mode 100644
index 000000000..f504f7591
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-4/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for too many overlapping ranges.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-4/suricata.yaml b/tests/rule-grouping/rule-grouping-4/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-4/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-4/test.rules b/tests/rule-grouping/rule-grouping-4/test.rules
new file mode 100644
index 000000000..3a3e58980
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-4/test.rules
@@ -0,0 +1,7 @@
+drop tls any 1 -> any 1:8 (sid:1; gid:10000002;)
+drop tls any 2 -> any 3:94 (sid:2; gid:10000002;)
+drop tls any 3 -> any 7:43 (sid:3; gid:10000002;)
+drop tls any 4 -> any 100:120 (sid:4; gid:10000002;)
+drop tls any 5 -> any 25:89 (sid:5; gid:10000002;)
+drop tls any 6 -> any 7:25 (sid:6; gid:10000002;)
+drop tls any 7 -> any 80:100 (sid:7; gid:10000002;)
diff --git a/tests/rule-grouping/rule-grouping-4/test.yaml b/tests/rule-grouping/rule-grouping-4/test.yaml
new file mode 100644
index 000000000..3f0720133
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-4/test.yaml
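Review bot: The seven rules in the rule-grouping-4 test.rules hunk omit the `flow:to_server;` keyword that every other test.rules in this series carries, while the rule-grouping-4 test.yaml still asserts only `tcp.toserver` groups. Without a direction constraint these signatures presumably populate the toclient side as well, which no check looks at, so the grouping the README describes is verified for one direction only and the case is no longer directly comparable with rule-grouping-1, -2, -3 and -5. If the omission is deliberate, a sentence in the README saying so would help; otherwise adding the keyword, e.g. `drop tls any 1 -> any 1:8 (flow:to_server; sid:1; gid:10000002;)`, keeps the rule sets consistent.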
@@ -0,0 +1,126 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 12
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 7
+ tcp.toserver[0].port2: 8
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+ tcp.toserver[0].rulegroup.rules[3].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 25
+ tcp.toserver[1].port2: 25
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 3
+ tcp.toserver[1].rulegroup.rules[2].sig_id: 5
+ tcp.toserver[1].rulegroup.rules[3].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 9
+ tcp.toserver[2].port2: 24
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 3
+ tcp.toserver[2].rulegroup.rules[2].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 26
+ tcp.toserver[3].port2: 43
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[3].rulegroup.rules[1].sig_id: 3
+ tcp.toserver[3].rulegroup.rules[2].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 80
+ tcp.toserver[4].port2: 89
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[4].rulegroup.rules[1].sig_id: 5
+ tcp.toserver[4].rulegroup.rules[2].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 3
+ tcp.toserver[5].port2: 6
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[5].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 44
+ tcp.toserver[6].port2: 79
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[6].rulegroup.rules[1].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 90
+ tcp.toserver[7].port2: 94
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[7].rulegroup.rules[1].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 100
+ tcp.toserver[8].port2: 100
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 4
+ tcp.toserver[8].rulegroup.rules[1].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 1
+ tcp.toserver[9].port2: 2
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 95
+ tcp.toserver[10].port2: 99
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 101
+ tcp.toserver[11].port2: 120
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 4
diff --git a/tests/rule-grouping/rule-grouping-5/README.md b/tests/rule-grouping/rule-grouping-5/README.md
new file mode 100644
index 000000000..1f8cba35d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-5/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for disjointed
+overlapping ranges i.e. ranges with overlap among themselves but a gap in
+between.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-5/suricata.yaml b/tests/rule-grouping/rule-grouping-5/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-5/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-5/test.rules b/tests/rule-grouping/rule-grouping-5/test.rules
new file mode 100644
index 000000000..b56738d88
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-5/test.rules
@@ -0,0 +1,10 @@
+drop tls any 21017 -> any 1:50 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 31342 -> any 25:80 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 5121 -> any 39:100 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 37506 -> any 90:135 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 62314 -> any 120:200 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 20097 -> any 150:3000 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 41962 -> any 5000:8000 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8575 -> any 5500:7700 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 30307 -> any 7000:9000 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 20461 -> any 9000:10000 (flow:to_server; sid:10; gid:10000002;)
diff --git a/tests/rule-grouping/rule-grouping-5/test.yaml b/tests/rule-grouping/rule-grouping-5/test.yaml
new file mode 100644
index 000000000..0b6abfa84
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-5/test.yaml
@@ -0,0 +1,171 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 18
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 39
+ tcp.toserver[0].port2: 50
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 7000
+ tcp.toserver[1].port2: 7700
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 8
+ tcp.toserver[1].rulegroup.rules[2].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 25
+ tcp.toserver[2].port2: 38
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[2].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 51
+ tcp.toserver[3].port2: 80
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[3].rulegroup.rules[1].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 90
+ tcp.toserver[4].port2: 100
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[4].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 120
+ tcp.toserver[5].port2: 135
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 4
+ tcp.toserver[5].rulegroup.rules[1].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 150
+ tcp.toserver[6].port2: 200
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 5
+ tcp.toserver[6].rulegroup.rules[1].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 5500
+ tcp.toserver[7].port2: 6999
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[7].rulegroup.rules[1].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 7701
+ tcp.toserver[8].port2: 8000
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 7
+ tcp.toserver[8].rulegroup.rules[1].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 9000
+ tcp.toserver[9].port2: 9000
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 9
+ tcp.toserver[9].rulegroup.rules[1].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 1
+ tcp.toserver[10].port2: 24
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[11].port: 81
+ tcp.toserver[11].port2: 89
+ tcp.toserver[11].rulegroup.id: 11
+ tcp.toserver[11].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[12].port: 101
+ tcp.toserver[12].port2: 119
+ tcp.toserver[12].rulegroup.id: 12
+ tcp.toserver[12].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[13].port: 136
+ tcp.toserver[13].port2: 149
+ tcp.toserver[13].rulegroup.id: 13
+ tcp.toserver[13].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[14].port: 201
+ tcp.toserver[14].port2: 3000
+ tcp.toserver[14].rulegroup.id: 14
+ tcp.toserver[14].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[15].port: 5000
+ tcp.toserver[15].port2: 5499
+ tcp.toserver[15].rulegroup.id: 15
+ tcp.toserver[15].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[16].port: 8001
+ tcp.toserver[16].port2: 8999
+ tcp.toserver[16].rulegroup.id: 16
+ tcp.toserver[16].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[17].port: 9001
+ tcp.toserver[17].port2: 10000
+ tcp.toserver[17].rulegroup.id: 17
+ tcp.toserver[17].rulegroup.rules[0].sig_id: 10
+
diff --git a/tests/rule-grouping/rule-grouping-6/README.md b/tests/rule-grouping/rule-grouping-6/README.md
new file mode 100644
index 000000000..922a07833
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-6/README.md
@@ -0,0 +1,13 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for all disjointed
+ports and ranges i.e. no overlaps with joingroup limiting the toserver groups
+at 10.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-6/suricata.yaml b/tests/rule-grouping/rule-grouping-6/suricata.yaml
new file mode 100644
index 000000000..d78400113
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-6/suricata.yaml
@@ -0,0 +1,16 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profile: custom
+ custom-values:
+ toserver-groups: 10
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-6/test.rules b/tests/rule-grouping/rule-grouping-6/test.rules
new file mode 100644
index 000000000..08540db9c
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-6/test.rules
@@ -0,0 +1,13 @@
+drop tls any 1 -> any 1 (flow:to_server; sid:1; gid:10000002;)
+drop tls any 2 -> any 2 (flow:to_server; sid:2; gid:10000002;)
+drop tls any 3 -> any 3 (flow:to_server; sid:3; gid:10000002;)
+drop tls any 4 -> any 4 (flow:to_server; sid:4; gid:10000002;)
+drop tls any 5 -> any 5 (flow:to_server; sid:5; gid:10000002;)
+drop tls any 6 -> any 6 (flow:to_server; sid:6; gid:10000002;)
+drop tls any 7 -> any 7 (flow:to_server; sid:7; gid:10000002;)
+drop tls any 8 -> any 8 (flow:to_server; sid:8; gid:10000002;)
+drop tls any 9 -> any 9 (flow:to_server; sid:9; gid:10000002;)
+drop tls any 10 -> any 10 (flow:to_server; sid:10; gid:10000002;)
+drop tls any 11 -> any 11 (flow:to_server; sid:11; gid:10000002;)
+drop tls any 12 -> any 12 (flow:to_server; sid:12; gid:10000002;)
+drop tcp any any -> any 1024:65535 (flow:to_server; sid:13; gid:10000003;)
diff --git a/tests/rule-grouping/rule-grouping-6/test.yaml b/tests/rule-grouping/rule-grouping-6/test.yaml
new file mode 100644
index 000000000..f57398cb1
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-6/test.yaml
@@ -0,0 +1,100 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 1
+ tcp.toserver[0].port2: 1
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 2
+ tcp.toserver[1].port2: 2
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 3
+ tcp.toserver[2].port2: 3
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 4
+ tcp.toserver[3].port2: 4
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[4].port: 5
+ tcp.toserver[4].port2: 5
+ tcp.toserver[4].rulegroup.id: 4
+ tcp.toserver[4].rulegroup.rules[0].sig_id: 5
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[5].port: 6
+ tcp.toserver[5].port2: 6
+ tcp.toserver[5].rulegroup.id: 5
+ tcp.toserver[5].rulegroup.rules[0].sig_id: 6
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[6].port: 7
+ tcp.toserver[6].port2: 7
+ tcp.toserver[6].rulegroup.id: 6
+ tcp.toserver[6].rulegroup.rules[0].sig_id: 7
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[7].port: 8
+ tcp.toserver[7].port2: 8
+ tcp.toserver[7].rulegroup.id: 7
+ tcp.toserver[7].rulegroup.rules[0].sig_id: 8
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[8].port: 9
+ tcp.toserver[8].port2: 9
+ tcp.toserver[8].rulegroup.id: 8
+ tcp.toserver[8].rulegroup.rules[0].sig_id: 9
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[9].port: 10
+ tcp.toserver[9].port2: 10
+ tcp.toserver[9].rulegroup.id: 9
+ tcp.toserver[9].rulegroup.rules[0].sig_id: 10
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[10].port: 0
+ tcp.toserver[10].port2: 65535
+ tcp.toserver[10].rulegroup.id: 10
+ tcp.toserver[10].rulegroup.rules[0].sig_id: 11
+ tcp.toserver[10].rulegroup.rules[1].sig_id: 12
+ tcp.toserver[10].rulegroup.rules[2].sig_id: 13
+
diff --git a/tests/rule-grouping/rule-grouping-7/README.md b/tests/rule-grouping/rule-grouping-7/README.md
new file mode 100644
index 000000000..630e562bc
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-7/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single
+disjointed port points.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-7/suricata.yaml b/tests/rule-grouping/rule-grouping-7/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-7/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-7/test.rules b/tests/rule-grouping/rule-grouping-7/test.rules
new file mode 100644
index 000000000..f9cd3fad1
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-7/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any [587,25] (flow:established,to_server; sid:2; rev:3;)
diff --git a/tests/rule-grouping/rule-grouping-7/test.yaml b/tests/rule-grouping/rule-grouping-7/test.yaml
new file mode 100644
index 000000000..356f7810e
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-7/test.yaml
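Review bot: rule-grouping-6/test.yaml never asserts `tcp.toserver.__len`, unlike rule-grouping-1, -7 and -8 in this same commit, so an extra group appearing after index 10 would pass unnoticed even though the `toserver-groups: 10` limit is what this test exists to exercise. A first check with `tcp.toserver.__len: 11` (the count the existing indices already imply) would pin it. The last expected entry, group 10 spanning `port: 0` to `port2: 65535`, also overlaps the ten single-port ranges before it; if that is the intended output of the join step, a comment such as `# group 10 is the merged remainder produced once the 10-group limit is reached` above that check would stop the next reader from taking it for a typo.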
@@ -0,0 +1,31 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 25
+ tcp.toserver[0].port2: 25
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 587
+ tcp.toserver[1].port2: 587
+ tcp.toserver[1].rulegroup.id: 0
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 2
+
diff --git a/tests/rule-grouping/rule-grouping-8/README.md b/tests/rule-grouping/rule-grouping-8/README.md
new file mode 100644
index 000000000..1d352d6af
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-8/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for single
+disjointed port points that are adjacent to each other on a number line.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6792
diff --git a/tests/rule-grouping/rule-grouping-8/suricata.yaml b/tests/rule-grouping/rule-grouping-8/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-8/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-8/test.rules b/tests/rule-grouping/rule-grouping-8/test.rules
new file mode 100644
index 000000000..9f748cdcd
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-8/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any [2010,2011] (flow:established,to_server; sid:3; rev:1;)
diff --git a/tests/rule-grouping/rule-grouping-8/test.yaml b/tests/rule-grouping/rule-grouping-8/test.yaml
new file mode 100644
index 000000000..cd608f3d9
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-8/test.yaml
@@ -0,0 +1,23 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 2010
+ tcp.toserver[0].port2: 2011
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 3
+