From: Victor Julien Date: Sat, 1 Jun 2024 14:09:09 +0000 (+0200) Subject: tests: add lua output streaming test X-Git-Tag: suricata-6.0.20~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1877%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: add lua output streaming test
---
diff --git a/tests/lua-output-streaming/expected/6-172.16.1.68-162.209.114.75-58384-80 b/tests/lua-output-streaming/expected/6-172.16.1.68-162.209.114.75-58384-80
new file mode 100644
index 000000000..a4813b162
Binary files /dev/null and b/tests/lua-output-streaming/expected/6-172.16.1.68-162.209.114.75-58384-80 differ
diff --git a/tests/lua-output-streaming/expected/http-6-172.16.1.68-162.209.114.75-58384-80 b/tests/lua-output-streaming/expected/http-6-172.16.1.68-162.209.114.75-58384-80
new file mode 100644
index 000000000..ac759d24e
Binary files /dev/null and b/tests/lua-output-streaming/expected/http-6-172.16.1.68-162.209.114.75-58384-80 differ
diff --git a/tests/lua-output-streaming/streaming-http.lua b/tests/lua-output-streaming/streaming-http.lua
new file mode 100644
index 000000000..7946de410
--- /dev/null
+++ b/tests/lua-output-streaming/streaming-http.lua
@@ -0,0 +1,31 @@
+function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["protocol"] = "http"
+ return needs
+end
+
+function setup (args)
+ filepath = SCLogPath()
+end
+
+function log(args)
+ ts = SCFlowTimeString()
+ ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ data, data_open, data_close = SCStreamingBuffer()
+ SCLogNotice("called with data_open " .. tostring(data_open) .. " data_close " .. tostring(data_close));
+ filename = filepath .. "/http-" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp
+
+ file_mode = "a"
+ if (data_open == true) then
+ file_mode = "w"
+ end
+
+ file = assert(io.open(filename, file_mode))
+ file:write (data)
+ file:flush()
+ file.close(file)
+end
+
+function deinit (args)
+end
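Review bot: Every name assigned inside `log` (`ts`, `ipver`, `srcip`, `dstip`, `proto`, `sp`, `dp`, `data`, `data_open`, `data_close`, `filename`, `file_mode`, `file`) is a global because none is declared `local`, so values from one callback stay visible in the next. Only `filepath` has to outlive `setup`. Declaring the rest local, e.g. `local data, data_open, data_close = SCStreamingBuffer()`, and dropping `ts`, which is never read, keeps each call self-contained. The file is also opened in text mode (`"a"`/`"w"`) although `data` is raw stream payload that test.yaml checks with `file-compare`. `"ab"`/`"wb"` would keep the bytes unchanged on platforms where stdio text mode translates line endings. Both points apply equally to `log` in streaming-tcp.lua.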
diff --git a/tests/lua-output-streaming/streaming-tcp.lua b/tests/lua-output-streaming/streaming-tcp.lua
new file mode 100644
index 000000000..3787a9647
--- /dev/null
+++ b/tests/lua-output-streaming/streaming-tcp.lua
@@ -0,0 +1,31 @@
+function init (args)
+ local needs = {}
+ needs["type"] = "streaming"
+ needs["filter"] = "tcp"
+ return needs
+end
+
+function setup (args)
+ filepath = SCLogPath()
+ alerts = 0
+end
+
+function log(args)
+ ts = SCFlowTimeString()
+ ipver, srcip, dstip, proto, sp, dp = SCFlowTuple()
+ data, data_open, data_close = SCStreamingBuffer()
+ filename = filepath .. "/" .. proto .. "-" .. srcip .. "-" .. dstip .. "-" .. sp .. "-" .. dp
+
+ file_mode = "a"
+ if (data_open == true) then
+ file_mode = "w"
+ end
+
+ file = assert(io.open(filename, file_mode))
+ file:write (data)
+ file:flush()
+ file.close(file)
+end
+
+function deinit (args)
+end
diff --git a/tests/lua-output-streaming/suricata.yaml b/tests/lua-output-streaming/suricata.yaml
new file mode 100644
index 000000000..73365db0b
--- /dev/null
+++ b/tests/lua-output-streaming/suricata.yaml
@@ -0,0 +1,35 @@
+%YAML 1.1
+---
+
+outputs:
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - streaming-tcp.lua
+ - streaming-http.lua
+
+app-layer:
+ protocols:
+ http:
+ enabled: yes
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 200kb
+ response-body-limit: 200kb
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 40kb
+ response-body-inspect-window: 16kb
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
diff --git a/tests/lua-output-streaming/test.yaml b/tests/lua-output-streaming/test.yaml
new file mode 100644
index 000000000..b7d11de1f
--- /dev/null
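Review bot: In streaming-tcp.lua, `alerts = 0` in `setup` creates a global that nothing in the script reads; it looks like a leftover from an alert-counting script and can be removed. The write mode in `log` is `"w"` only when `data_open == true`, so if the first callback for a flow arrives without that flag the script appends to whatever file of that name is already in the log directory. A short comment above `file_mode = "a"` stating that the test relies on a fresh output directory would record that assumption. `file.close(file)` works, but `file:close()` matches the `file:write`/`file:flush` calls just above it.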
+++ b/tests/lua-output-streaming/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ features:
+ - HAVE_LUA
+
+pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap
+
+checks:
+ - file-compare:
+ filename: 6-172.16.1.68-162.209.114.75-58384-80
+ expected: expected/6-172.16.1.68-162.209.114.75-58384-80
+ - file-compare:
+ filename: http-6-172.16.1.68-162.209.114.75-58384-80
+ expected: expected/http-6-172.16.1.68-162.209.114.75-58384-80
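Review bot: The `pcap:` entry points into another test's directory (`../filestore-v2.1-forced/suricata-update-pdf.pcap`), so this test depends on that directory keeping its name and its capture. A one-line comment above it, such as `# pcap shared with the filestore-v2.1-forced test`, would make the coupling visible to anyone moving that test. The `requires` block lists only `HAVE_LUA`; if the streaming behaviour pinned by the two expected files exists only from a particular Suricata release, a `min-version` entry belongs there as well so older builds skip the test instead of failing it.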