From: Ofer Dagan
Date: Mon, 27 Oct 2025 16:23:13 +0000 (+0100)
Subject: tests: detection_filter unique_on ports and no-dup cases
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2889%2Fhead;p=thirdparty%2Fsuricata-verify.git
tests: detection_filter unique_on ports and no-dup cases
Add tests coverage to the new detection_filter option of unique_on, for dst and src ports.
Issue: 7928
---
diff --git a/tests/detection_filter-distinct-dstport-no-dups/README.md b/tests/detection_filter-distinct-dstport-no-dups/README.md
new file mode 100644
index 000000000..a1ce62c79
--- /dev/null
+++ b/tests/detection_filter-distinct-dstport-no-dups/README.md
@@ -0,0 +1,17 @@
+Purpose
+-------
+Validate that detection_filter with unique_on dst_port does not trigger when
+the number of distinct destination ports stays below the threshold.
+
+Rule requires 3 distinct destination ports for the same destination host (track by_dst).
+The PCAP only has 2 distinct destination ports, so the threshold is not reached
+and no alerts are expected (sid 100011).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of dst ports do not produce alerts
+when distinct counting (unique_on dst_port) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-dstport-no-dups/input.pcap b/tests/detection_filter-distinct-dstport-no-dups/input.pcap
new file mode 100644
index 000000000..daf22ab28
Binary files /dev/null and b/tests/detection_filter-distinct-dstport-no-dups/input.pcap differ
diff --git a/tests/detection_filter-distinct-dstport-no-dups/test.rules b/tests/detection_filter-distinct-dstport-no-dups/test.rules
new file mode 100644
index 000000000..142a80c86
--- /dev/null
+++ b/tests/detection_filter-distinct-dstport-no-dups/test.rules
@@ -0,0 +1,2 @@
+## Expect 0 alerts: only 2 distinct dst ports present but threshold is 3
+alert tcp any any -> 1.1.1.1 any (msg:"DF distinct dst_port no dup"; flags:S; flow:stateless; detection_filter: track by_dst, count 3, seconds 60, unique_on dst_port; sid:100011; rev:1;)
diff --git a/tests/detection_filter-distinct-dstport-no-dups/test.yaml b/tests/detection_filter-distinct-dstport-no-dups/test.yaml
new file mode 100644
index 000000000..f3098ec02
--- /dev/null
+++ b/tests/detection_filter-distinct-dstport-no-dups/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100011
diff --git a/tests/detection_filter-distinct-dstport/README.md b/tests/detection_filter-distinct-dstport/README.md
new file mode 100644
index 000000000..8f5397696
--- /dev/null
+++ b/tests/detection_filter-distinct-dstport/README.md
@@ -0,0 +1,17 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on dst_port.
+
+Rule requires 1 distinct destination port for the same destination host (track by_dst).
+The PCAP contains traffic that hits 2 different destination ports to 1.1.1.1,
+so the distinct counter reaches the threshold and one alert is expected (sid 100001).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on dst_port behavior added in Suricata.
+This test ensures that different dst ports contribute separately toward the threshold
+while duplicate ports do not.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-dstport/input.pcap b/tests/detection_filter-distinct-dstport/input.pcap
new file mode 100644
index 000000000..f349233a6
Binary files /dev/null and b/tests/detection_filter-distinct-dstport/input.pcap differ
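Review bot: The `count: 0` check for sid 100011 in the dstport-no-dups test.yaml also passes vacuously if the signature never loads, for example when `unique_on dst_port` fails to parse on the Suricata under test, so the test cannot tell "threshold not reached" from "keyword unsupported". Consider adding a second check that proves the rule was loaded and evaluated — a stats-event match like the dstport test uses, or a control signature without detection_filter on the same traffic that is expected to alert — so a parse failure is reported instead of counted as success. The same gap exists in the srcport-no-dups test.yaml (sid 100012).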
diff --git a/tests/detection_filter-distinct-dstport/test.rules b/tests/detection_filter-distinct-dstport/test.rules
new file mode 100644
index 000000000..5cb1724e8
--- /dev/null
+++ b/tests/detection_filter-distinct-dstport/test.rules
@@ -0,0 +1,2 @@
+## Expect 1 alert after 1 distinct destination port (unique_on dst_port, count 1)
+alert tcp any any -> 1.1.1.1 any (msg:"DF distinct dst_port"; flags:S; flow:stateless; detection_filter: track by_dst, count 1, seconds 60, unique_on dst_port; sid:100001; rev:1;)
diff --git a/tests/detection_filter-distinct-dstport/test.yaml b/tests/detection_filter-distinct-dstport/test.yaml
new file mode 100644
index 000000000..f5c7d993c
--- /dev/null
+++ b/tests/detection_filter-distinct-dstport/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100001
+
+ - filter:
+ count: 1
+ match:
+ event_type: stats
+ stats.detect.thresholds.bitmap_alloc_fail: 0
+ stats.detect.thresholds.bitmap_memuse: 8192
diff --git a/tests/detection_filter-distinct-srcport-no-dups/README.md b/tests/detection_filter-distinct-srcport-no-dups/README.md
new file mode 100644
index 000000000..4dafe872b
--- /dev/null
+++ b/tests/detection_filter-distinct-srcport-no-dups/README.md
@@ -0,0 +1,17 @@
+Purpose
+-------
+Validate that detection_filter with unique_on src_port does not trigger when
+the number of distinct source ports stays below the threshold.
+
+Rule requires 3 distinct source ports for the same source host (track by_src).
+The PCAP only has 2 distinct source ports, so the threshold is not reached
+and no alerts are expected (sid 100012).
+
+Why this matters
+---------------
+Ensures duplicates or insufficient variety of src ports do not produce alerts
+when distinct counting (unique_on src_port) is configured with a higher threshold.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
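Review bot: The comment `## Expect 1 alert after 1 distinct destination port (unique_on dst_port, count 1)` in the dstport test.rules states the count semantics differently from its srcport counterpart, which says `>1 distinct source ports` and justifies the alert as 2 > 1. Both PCAPs carry 2 distinct ports and both tests expect exactly 1 alert, which is only consistent if detection_filter fires once count is exceeded rather than reached; if that is the behaviour, this comment and the README sentence "Rule requires 1 distinct destination port" should be reworded to match, e.g. `## Expect 1 alert after seeing >1 distinct destination ports (unique_on dst_port, count 1)`. Whichever reading is right, the two tests should describe it the same way.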
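Review bot: The stats check in the dstport test.yaml pins `stats.detect.thresholds.bitmap_memuse: 8192`, an exact allocation size that is an internal detail of the unique_on bitmap and will fail this test on any unrelated change to bitmap sizing. If the intent is to prove the bitmap was actually allocated for the unique_on rule, the README should state that and where 8192 comes from; otherwise keeping only `stats.detect.thresholds.bitmap_alloc_fail: 0` is the less brittle assertion. This is also the only one of the four new test.yaml files that checks these counters, so the coverage across the set is uneven.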
diff --git a/tests/detection_filter-distinct-srcport-no-dups/input.pcap b/tests/detection_filter-distinct-srcport-no-dups/input.pcap
new file mode 100644
index 000000000..195a9896c
Binary files /dev/null and b/tests/detection_filter-distinct-srcport-no-dups/input.pcap differ
diff --git a/tests/detection_filter-distinct-srcport-no-dups/test.rules b/tests/detection_filter-distinct-srcport-no-dups/test.rules
new file mode 100644
index 000000000..d471ec066
--- /dev/null
+++ b/tests/detection_filter-distinct-srcport-no-dups/test.rules
@@ -0,0 +1,2 @@
+## Expect 0 alerts: only 2 distinct src ports present but threshold is 3
+alert tcp any any -> 2.2.2.2 80 (msg:"DF distinct src_port no dup"; flags:S; flow:stateless; detection_filter: track by_src, count 3, seconds 60, unique_on src_port; sid:100012; rev:1;)
diff --git a/tests/detection_filter-distinct-srcport-no-dups/test.yaml b/tests/detection_filter-distinct-srcport-no-dups/test.yaml
new file mode 100644
index 000000000..d0956edf2
--- /dev/null
+++ b/tests/detection_filter-distinct-srcport-no-dups/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 100012
diff --git a/tests/detection_filter-distinct-srcport/README.md b/tests/detection_filter-distinct-srcport/README.md
new file mode 100644
index 000000000..068d17e8e
--- /dev/null
+++ b/tests/detection_filter-distinct-srcport/README.md
@@ -0,0 +1,18 @@
+Purpose
+-------
+Validate detection_filter distinct counting with unique_on src_port.
+
+Rule uses count 1, meaning it alerts after seeing more than 1 distinct source port
+for the same source host (track by_src). The PCAP contains traffic with 2 different
+source ports toward 2.2.2.2:80, so the distinct counter exceeds the threshold (2 > 1)
+and one alert is expected (sid 100002).
+
+Why this matters
+---------------
+Introduces coverage for detection_filter unique_on src_port behavior added in Suricata.
+This test ensures that different src ports contribute separately toward the threshold
+while duplicate ports do not.
+
+Ticket: https://redmine.openinfosecfoundation.org/issues/7928
+
+PCAP: Crafted manually to fit the test.
diff --git a/tests/detection_filter-distinct-srcport/input.pcap b/tests/detection_filter-distinct-srcport/input.pcap
new file mode 100644
index 000000000..a4b9591c0
Binary files /dev/null and b/tests/detection_filter-distinct-srcport/input.pcap differ
diff --git a/tests/detection_filter-distinct-srcport/test.rules b/tests/detection_filter-distinct-srcport/test.rules
new file mode 100644
index 000000000..e7b5711dd
--- /dev/null
+++ b/tests/detection_filter-distinct-srcport/test.rules
@@ -0,0 +1,2 @@
+## Expect 1 alert after seeing >1 distinct source ports (unique_on src_port, count 1)
+alert tcp any any -> 2.2.2.2 80 (msg:"DF distinct src_port"; flags:S; flow:stateless; detection_filter: track by_src, count 1, seconds 60, unique_on src_port; sid:100002; rev:1;)
diff --git a/tests/detection_filter-distinct-srcport/test.yaml b/tests/detection_filter-distinct-srcport/test.yaml
new file mode 100644
index 000000000..975ab3467
--- /dev/null
+++ b/tests/detection_filter-distinct-srcport/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 9
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 100002
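Review bot: The srcport test.yaml's single check — one alert for sid 100002 — does not by itself cover the README's claim that "duplicate ports do not" contribute, because it holds whether or not the PCAP repeats a packet on an already-seen source port, and the README only says the capture has 2 different source ports. If the capture does include such repeats, state that in the README and the rule comment so the one-alert expectation is understood to also cover suppression of duplicates; if it does not, the duplicate-suppression claim is untested and a repeated-port packet should be added to the capture (a repeat after the threshold would then also pin whether duplicates trigger further alerts). The same applies to the dstport test (sid 100001).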