From: Jason Ish Date: Thu, 1 May 2025 22:50:45 +0000 (-0600) Subject: tests: test new suricata.flowintlib X-Git-Tag: suricata-7.0.11~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2483%2Fhead;p=thirdparty%2Fsuricata-verify.git tests: test new suricata.flowintlib Ticket: #7487
---
diff --git a/tests/lua/lua-flowintlib/README.md b/tests/lua/lua-flowintlib/README.md
new file mode 100644
index 000000000..9af9d83ee
--- /dev/null
+++ b/tests/lua/lua-flowintlib/README.md
@@ -0,0 +1 @@
+Test for Lua suricata.flowintlib.
diff --git a/tests/lua/lua-flowintlib/check-root-count.lua b/tests/lua/lua-flowintlib/check-root-count.lua
new file mode 100644
index 000000000..446622076
--- /dev/null
+++ b/tests/lua/lua-flowintlib/check-root-count.lua
@@ -0,0 +1,17 @@
+local flowintlib = require("suricata.flowint")
+
+function init ()
+ return {}
+end
+
+function thread_init ()
+ root_count = flowintlib.get("root_count")
+end
+
+function match ()
+ if root_count:value() == 5 then
+ return 1
+ end
+
+ return 0
+end
diff --git a/tests/lua/lua-flowintlib/rootx5.pcap b/tests/lua/lua-flowintlib/rootx5.pcap
new file mode 100644
index 000000000..c705708c4
Binary files /dev/null and b/tests/lua/lua-flowintlib/rootx5.pcap differ
diff --git a/tests/lua/lua-flowintlib/suricata.yaml b/tests/lua/lua-flowintlib/suricata.yaml
new file mode 100644
index 000000000..c25db4ecf
--- /dev/null
+++ b/tests/lua/lua-flowintlib/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+ - http
diff --git a/tests/lua/lua-flowintlib/test.rules b/tests/lua/lua-flowintlib/test.rules
new file mode 100644
index 000000000..6cadfcf22
--- /dev/null
+++ b/tests/lua/lua-flowintlib/test.rules
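Review bot: In check-root-count.lua, `thread_init()` assigns `root_count` without `local`, so the handle becomes an implicit global of the script; declaring `local root_count` at file scope next to `flowintlib` keeps it scoped to the script and lint-clean. `init()` registers nothing, so the script appears to rely on the `flowint: root_count` keyword in test.rules to define the variable; a comment such as `-- root_count is defined by the flowint keyword in test.rules, not registered here` would record that dependency.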
@@ -0,0 +1,4 @@
+alert http any any -> any any (http.response_body; content: "root"; flowint: root_count, +, 1; sid: 1;)
+alert http any any -> any any (flowint: root_count, ==, 5; lua: check-root-count.lua; sid: 2;)
+
+alert http any any -> any any (http.response_body; content: "root"; lua: update-counter.lua; sid: 3;)
diff --git a/tests/lua/lua-flowintlib/test.yaml b/tests/lua/lua-flowintlib/test.yaml
new file mode 100644
index 000000000..c711884ab
--- /dev/null
+++ b/tests/lua/lua-flowintlib/test.yaml
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 5
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+
diff --git a/tests/lua/lua-flowintlib/update-counter.lua b/tests/lua/lua-flowintlib/update-counter.lua
new file mode 100644
index 000000000..713171558
--- /dev/null
+++ b/tests/lua/lua-flowintlib/update-counter.lua
@@ -0,0 +1,64 @@
+local flowintlib = require("suricata.flowint")
+
+function init ()
+ local set_counter = flowintlib.register("set_counter")
+ local incr_counter = flowintlib.register("incr_counter")
+ local decr_counter = flowintlib.register("decr_counter")
+ return {}
+end
+
+function thread_init ()
+ set_counter = flowintlib.get("set_counter")
+ incr_counter = flowintlib.get("incr_counter")
+ decr_counter = flowintlib.get("decr_counter")
+end
+
+function match ()
+ print("update-counter.lua: match")
+
+ local value = set_counter:value()
+ if value == nil then
+ set_counter:set(10)
+ else
+ set_counter:set(value + 10)
+ end
+
+ local incr_value = incr_counter:value()
+ local tmp = incr_counter:incr()
+ if incr_value == nil then
+ if tmp ~= 1 then
+ print("incr return unexpected value")
+ return 0
+ end
+ else
+ if tmp ~= incr_value + 1 then
+ print("incr return unexpected value")
+ return 0
+ end
+ end
+
+ local decr_value = decr_counter:value()
+ if decr_value == nil then
+ print("decr_counter not set, initializing to 9")
+ decr_counter:set(9)
+ else
+ print("decrementing counter with value", desc_value)
+ decr_counter:decr()
+ end
+
+ if set_counter:value() ~= 50 then
+ print("set_counter has unexpected value of ", set_counter:value())
+ return 0
+ end
+
+ if decr_counter:value() ~= 5 then
+ print("decr_counter has unexpected value of ", decr_counter:value())
+ return 0
+ end
+
+ if incr_counter:value() ~= 5 then
+ print("incr_counter has unexpected value of ", incr_counter:value())
+ end
+
+ return 1
+end
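Review bot: In update-counter.lua the last check in `match()`, `if incr_counter:value() ~= 5 then`, only prints and then falls through to `return 1`, so sid 3 still alerts when `incr_counter` reads back the wrong value and the `count: 1` check in test.yaml cannot catch it; add `return 0` after that `print`, as the two checks above it do. The decrement branch prints `desc_value`, a name that is never defined and therefore logs `nil`; it should read `decr_value`. The three `local` handles created in `init()` are never used, while `thread_init()` assigns the same names as implicit globals; a file-scope `local set_counter, incr_counter, decr_counter` would make the intended sharing with `match()` explicit.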