From: Jason Ish Date: Tue, 7 May 2024 16:43:27 +0000 (-0600) Subject: test: lua-rule-errors X-Git-Tag: suricata-6.0.20~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1835%2Fhead;p=thirdparty%2Fsuricata-verify.git test: lua-rule-errors Test for correct behvaior when a Lua rule crashes. On crash, a Lua script should not result in a match when negation is applied. Also test for: - error stat - one time logging per thread Ticket: #6940
---
diff --git a/tests/lua/lua-bad-script/README.md b/tests/lua/lua-bad-script/README.md
new file mode 100644
index 000000000..ab8807813
--- /dev/null
+++ b/tests/lua/lua-bad-script/README.md
@@ -0,0 +1,5 @@
+Test that a crashed rule script does not alert when negated.
+
+Also tests:
+- one time logging for a script that crashes
+- stat increment each time a script crashes
diff --git a/tests/lua/lua-bad-script/error.lua b/tests/lua/lua-bad-script/error.lua
new file mode 100644
index 000000000..d81ffb833
--- /dev/null
+++ b/tests/lua/lua-bad-script/error.lua
@@ -0,0 +1,8 @@
+function init(args)
+ return {}
+end
+
+function match(args)
+ foobar()
+ return 0
+end
diff --git a/tests/lua/lua-bad-script/logging.yaml b/tests/lua/lua-bad-script/logging.yaml
new file mode 100644
index 000000000..00517325a
--- /dev/null
+++ b/tests/lua/lua-bad-script/logging.yaml
@@ -0,0 +1,11 @@
+%YAML 1.1
+---
+
+logging:
+ default-log-level: info
+ outputs:
+ - file:
+ enabled: yes
+ level: info
+ filename: suricata.json
+ type: json
diff --git a/tests/lua/lua-bad-script/match.lua b/tests/lua/lua-bad-script/match.lua
new file mode 100644
index 000000000..c93265458
--- /dev/null
+++ b/tests/lua/lua-bad-script/match.lua
@@ -0,0 +1,7 @@
+function init(args)
+ return {}
+end
+
+function match(args)
+ return 1
+end
diff --git a/tests/lua/lua-bad-script/nomatch.lua b/tests/lua/lua-bad-script/nomatch.lua
new file mode 100644
index 000000000..a3bafe15b
--- /dev/null
+++ b/tests/lua/lua-bad-script/nomatch.lua
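Review bot: The `foobar()` call in `match` of error.lua is what makes this fixture fail, but nothing in the file says the name is deliberately undefined, so a later cleanup could "fix" it and quietly turn the test into a second nomatch case. A one-line comment above the call would prevent that, e.g. `-- foobar is intentionally undefined so match() raises a runtime error`. The `return 0` after it is never reached and could carry `-- not reached: the call above errors first` for the same reason.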
@@ -0,0 +1,7 @@
+function init(args)
+ return {}
+end
+
+function match(args)
+ return 0
+end
diff --git a/tests/lua/lua-bad-script/test.pcap b/tests/lua/lua-bad-script/test.pcap
new file mode 100644
index 000000000..5c9ee35b3
Binary files /dev/null and b/tests/lua/lua-bad-script/test.pcap differ
diff --git a/tests/lua/lua-bad-script/test.rules b/tests/lua/lua-bad-script/test.rules
new file mode 100644
index 000000000..89cfb3299
--- /dev/null
+++ b/tests/lua/lua-bad-script/test.rules
@@ -0,0 +1,3 @@
+alert udp any any -> any any (msg:"MATCH"; lua:match.lua; sid:1; rev:1;)
+alert udp any any -> any any (msg:"NOMATCH"; lua:!nomatch.lua; sid:2; rev:1;)
+alert udp any any -> any any (msg:"ERROR"; lua:!error.lua; sid:3; rev:1;)
diff --git a/tests/lua/lua-bad-script/test.yaml b/tests/lua/lua-bad-script/test.yaml
new file mode 100644
index 000000000..765da4c2a
--- /dev/null
+++ b/tests/lua/lua-bad-script/test.yaml
@@ -0,0 +1,44 @@
+requires:
+ min-version: 8
+ features:
+ - HAVE_LUA
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+ - --set security.lua.allow-rules=true
+ - --include ${TEST_DIR}/logging.yaml
+
+ # Run single threaded so all Lua errors occur on the same thread so
+ # we can test one-time logging per thread.
+ - --runmode single
+
+checks:
+ - filter:
+ count: 8
+ match:
+ alert.signature_id: 1
+
+ - filter:
+ count: 8
+ match:
+ alert.signature_id: 2
+
+ - filter:
+ count: 0
+ match:
+ alert.signature_id: 3
+
+ # PCAP has 8 packets, which means 8 Lua failures.
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.lua.errors: 8
+
+ # The Lua failure should only be logged once.
+ - filter:
+ filename: suricata.json
+ count: 1
+ match:
+ event_type: engine
+ engine.message.__find: Lua script failed to run successfully
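Review bot: Only the negated form `lua:!error.lua` (sid 3) is exercised in test.rules, so the test would not notice a regression in which a script error on a non-negated keyword starts to count as a match. A fourth rule such as `alert udp any any -> any any (msg:"ERROR-NONEG"; lua:error.lua; sid:4; rev:1;)` with a matching `count: 0` check in test.yaml would pin the error path in both directions. With two failing rules the `stats.detect.lua.errors: 8` expectation would presumably have to become 16. The once-per-thread log check would also need confirming, since it is not visible here whether the message is emitted once per thread or once per script.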