From 27cb054fd85c7901f3701b09a0d81650f35faac5 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 25 Jan 2018 16:26:44 -0600
Subject: [PATCH] eve-metadata: update for recent changes

---
 tests/eve-metadata/check.sh | 19 -------------------
 tests/eve-metadata/test.rules | 7 +++++--
 tests/eve-metadata/test.yaml | 11 ++++++-----
 3 files changed, 11 insertions(+), 26 deletions(-)
 delete mode 100755 tests/eve-metadata/check.sh

diff --git a/tests/eve-metadata/check.sh b/tests/eve-metadata/check.sh
deleted file mode 100755
index 32df15860..000000000
--- a/tests/eve-metadata/check.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#! /bin/sh
-
-# Test the flow record metadata.
-test $(cat ./eve.json | \
- jq -c 'select(.event_type == "flow")' | \
- jq -c .metadata.flowbits[0]) == \"traffic/label/cli-http\"
-
-# Test the alert record metadata.
-test $(cat ./eve.json | \
- jq -c 'select(.event_type == "alert")' | \
- jq -c .metadata.flowbits[0]) == \"traffic/label/cli-http\"
-
-# Test the netflow records. We should have 2 of those, so do a line
-# count on netflow records with the required flowbit.
-test $(cat ./eve.json | \
- jq -c 'select(.event_type == "netflow")' | \
- jq -c 'select(.metadata.flowbits[0] == "traffic/label/cli-http")' |\
- wc -l | xargs) -eq 2
-
diff --git a/tests/eve-metadata/test.rules b/tests/eve-metadata/test.rules
index 7af674942..df6f7f960 100644
--- a/tests/eve-metadata/test.rules
+++ b/tests/eve-metadata/test.rules
@@ -1,9 +1,12 @@
 # Silly rule to set the flowbit "traffic/label/cli-http" on
 # the curl user-agent.
-alert http any any -> any any (content:"curl"; http_user_agent; flowbits:set,traffic/label/cli-http; sid:1; rev:1;)
+alert http any any -> any any (content:"curl"; http_user_agent; flowbits:set,traffic/label/cli-http; flowbits:set,traffic/id/curl; flowbits:set,junkbit; sid:1; rev:1;)
 
 # Capture the UID as a pktvar.
-alert http any any -> any any (pcre:"/uid=(\d+)/, pkt:uid"; noalert; sid:2; rev:1;)
+alert http any any -> any any (pcre:"/uid=(\d+)\(([^)]+)\)/, pkt:uid, pkt:username"; noalert; sid:2; rev:1;)
 
 # Capture the GID as a flowvar.
 alert http any any -> any any (pcre:"/gid=(\d+)/, flow:gid"; noalert; sid:3; rev:1;)
+
+# Capture the GID as a flowvar.
+alert http any any -> any any (pcre:"/gid=(\d+)/, flow:gid"; noalert; sid:4; rev:1;)
diff --git a/tests/eve-metadata/test.yaml b/tests/eve-metadata/test.yaml
index fdf622aa4..8b832e46d 100644
--- a/tests/eve-metadata/test.yaml
+++ b/tests/eve-metadata/test.yaml
@@ -11,24 +11,25 @@ checks:
 count: 1
 match:
 event_type: flow
- metadata.flowbits[0]: traffic/label/cli-http
- metadata.flowvars.gid: "0"
+ traffic.id[0]: curl
+ traffic.label[0]: cli-http
 - filter:
 count: 1
 match:
 event_type: alert
- metadata.flowbits[0]: traffic/label/cli-http
+ traffic.id[0]: curl
+ traffic.label[0]: cli-http
 - filter:
 count: 2
 match:
 event_type: netflow
- metadata.flowbits[0]: traffic/label/cli-http
+ traffic.label[0]: cli-http
 - filter:
 count: 1
 match:
 event_type: metadata
 metadata.pktvars[0].uid: "0"
- metadata.flowvars.gid: "0"
+ metadata.flowvars[0].gid: "0"
-- 
2.47.2
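Review bot: The new sid:4 rule is a byte-for-byte copy of sid:3 (same pcre, same `flow:gid`) and carries the copied comment "Capture the GID as a flowvar.", so the reason for setting the same flowvar twice is not visible in the file. If the intent is to exercise the list form of flowvars that test.yaml now checks as `metadata.flowvars[0].gid`, the comment should say so: `# Set the gid flowvar a second time (sid:4) so flowvars is exercised as a list.` The same applies to `flowbits:set,junkbit` on sid:1, which nothing in test.yaml references; a one-line comment naming what junkbit is meant to prove (presumably that a bit outside the traffic/ namespace is not exported as traffic.*) would keep the test's purpose readable.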
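Review bot: The flow filter drops `metadata.flowvars.gid: "0"` without a replacement, while the metadata filter keeps the same check in its new list form (`metadata.flowvars[0].gid: "0"`), so flowvars on flow records are no longer asserted at all. If flow records still carry flowvars after this change that is lost coverage and `metadata.flowvars[0].gid: "0"` should be restored under the flow match; if they intentionally no longer do, a comment saying so would stop it being re-added. The flow and alert filters both assert `traffic.id[0]: curl` but the netflow filter checks only `traffic.label[0]`, which looks like an oversight since all three records derive from the same flowbits set by sid:1. The `junkbit` set in test.rules has no negative assertion here; if the check format supports one, asserting it is absent from `traffic.*` would document the expected filtering. The first filter's `- filter:` line lies before the hunk, so the head of the checks list is outside view.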