From 077e8b771d1e669ab685a831a1a664e7ce12e329 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Wed, 20 Dec 2017 13:58:27 -0600
Subject: [PATCH] add signature-id validation to test.yaml

With the following in a test.yaml:

checks:
  - signature-id: 1
  - signature-id: 2
  - signature-id: 3

the eve.json will be checked to make sure it alerts for each signature id provided.
---
 run.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/run.py b/run.py
index 9bffd8dcc..d893c6a7d 100755
--- a/run.py
+++ b/run.py
@@ -34,6 +34,7 @@ import argparse
 import yaml
 import glob
 import re
+import json
 from collections import namedtuple
 
 import yaml
@@ -128,7 +129,7 @@ class TestConfig:
             return False
         return True
 
-    
+
 class SuricataConfig:
 
     def __init__(self, version):
@@ -224,9 +225,18 @@ class TestRunner:
             print("FAIL: process returned with non-0 exit code: %d" % r)
             return False
 
-        return self.check()
+        return self.check(test_config)
+
+    def check(self, test_config):
+
+        if "checks" in test_config.config:
+            for check in test_config.config["checks"]:
+                for key in check:
+                    if key == "signature-id":
+                        if not self.check_signature_id(check[key]):
+                            raise Exception("signature-id %d not found" % (
+                                check[key]))
 
-    def check(self):
         if not os.path.exists(os.path.join(self.directory, "check.sh")):
             print("OK")
             return True
@@ -237,6 +247,17 @@ class TestRunner:
             print("OK")
             return True
 
+    def check_signature_id(self, sig_id):
+        with open(
+            os.path.join(
+                self.directory, "output", "eve.json"), "rb") as fileobj:
+            for line in fileobj:
+                event = json.loads(line)
+                if "alert" in event:
+                    if event["alert"]["signature_id"] == sig_id:
+                        return True
+        return False
+
     def default_args(self):
         args = [
             os.path.join(self.cwd, "src/suricata"),
-- 
2.47.2
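Review bot: The new `check()` reports a missing signature by raising a bare `Exception`, whereas the visible failure path just above it (`print("FAIL: process returned with non-0 exit code: %d" % r)` then `return False`) marks the test failed and lets the runner continue, so one missing alert now aborts the whole run instead of failing that one test. Replacing the `raise` with `print("FAIL: signature-id %s not found" % check[key])` and `return False` keeps the two paths consistent, and `%s` also avoids a TypeError if the yaml value is not an integer. Keys in a `checks` entry other than `signature-id` are silently skipped, so a typo such as `signature_id` makes the check disappear and the test passes vacuously; a `print("FAIL: unknown check key: %s" % key)` / `return False` would surface that. The remainder of check() (the check.sh handling) lies between this hunk and the next, and `test_config` is assumed to be run()'s parameter, which is outside the hunk.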
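Review bot: `check_signature_id()` feeds every raw line of eve.json to `json.loads`, so a trailing or blank line raises ValueError out of the check instead of producing a verdict, and an alert record without a `signature_id` field raises KeyError; skipping empties with `if not line.strip(): continue` and comparing via `event.get("alert", {}).get("signature_id") == sig_id` keeps the scan to a clean True/False. The file is opened in `"rb"`, so each line is bytes, which `json.loads` accepts on Python 2 and 3.6+ but rejects on earlier Python 3 — opening in text mode avoids depending on that. A run that produced no `output/eve.json` surfaces as an uncaught IOError rather than a FAIL; the caller's handling of that is outside this hunk. Each signature-id rescans the whole file, which is fine for small test outputs but worth a comment if the eve.json files grow.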