From 574057e945d32b9b954543f8a73496c1b676bdbc Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Sat, 10 Jun 2023 09:28:45 -0400 Subject: [PATCH] detect/bytejump: Test for nbyte variable name This commit adds tests with a rules that uses an nbyte variable name. Issue: 6105 --- tests/detect-bytejump-02/input.pcap | Bin 0 -> 527 bytes tests/detect-bytejump-02/test.rules | 1 + tests/detect-bytejump-02/test.yaml | 12 ++++++++++++ tests/detect-bytejump-03/test.rules | 1 + tests/detect-bytejump-03/test.yaml | 16 ++++++++++++++++ 5 files changed, 30 insertions(+) create mode 100644 tests/detect-bytejump-02/input.pcap create mode 100644 tests/detect-bytejump-02/test.rules create mode 100644 tests/detect-bytejump-02/test.yaml create mode 100644 tests/detect-bytejump-03/test.rules create mode 100644 tests/detect-bytejump-03/test.yaml diff --git a/tests/detect-bytejump-02/input.pcap b/tests/detect-bytejump-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..65b52b0d81420300222c7eb250b08eb9704e1d10 GIT binary patch literal 527 zc-p&ic+)~A1{MYw`2U}Qfe}c{6y&Gyr?4=X0ofqDd|8rXtXW)vqM1 z4s0{8A6Q{0wMM{9)n3!%IZz=N$dmvk1qQVX5L1-X5vH(iEBD?m`B}j9^ClfsQ$Qww zO!9bcuL)F`0>s<_LO@fZA*QHjAxu$TYxG9OAV$(d$vY6QTeyKZH9!DpN({slhddSr z2cRGb_luO|=r=9!*mn7GHrNy+s3~W$nj)dVa9SK3M64#tYz&HAAoJc8AY8TGUQKGD2lq* any any (msg:"byte_jump varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,4,rpkt_len,relative; byte_jump:rpkt_len,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:1;) diff --git a/tests/detect-bytejump-02/test.yaml b/tests/detect-bytejump-02/test.yaml new file mode 100644 index 000000000..188915b40 --- /dev/null +++ b/tests/detect-bytejump-02/test.yaml @@ -0,0 +1,12 @@ +requires: + min-version: 7 + +args: + - -k none + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 
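Review bot: The detect-bytejump-02 test does not record what it exercises: test.yaml carries no comment and input.pcap is opaque, so a reader has to work out from the rule that the byte_extract variable `rpkt_len` is being passed as byte_jump's nbytes argument. A one-line header on test.yaml would fix that, e.g. `# byte_jump with a byte_extract variable as its nbytes argument (issue 6105); detect-bytejump-03 covers the unknown-variable error path.` The check also pins only the positive path for the single count value the pcap carries; presumably the engine validates that extracted count at runtime as well, and a second pcap or rule where the value is out of range would pin that path too, but confirm what the engine does there before adding it.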
diff --git a/tests/detect-bytejump-03/test.rules b/tests/detect-bytejump-03/test.rules
new file mode 100644
index 000000000..39e1da076
--- /dev/null
+++ b/tests/detect-bytejump-03/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any any (msg:"byte_jump invalid varname test sig"; flow:to_server,established; content:"|00 00 00|"; byte_extract:1,4,rpkt_len2,relative; byte_jump:no_var,0,relative; isdataat:1,relative; classtype:bad-unknown; sid:2;)
diff --git a/tests/detect-bytejump-03/test.yaml b/tests/detect-bytejump-03/test.yaml
new file mode 100644
index 000000000..a498a0302
--- /dev/null
+++ b/tests/detect-bytejump-03/test.yaml
@@ -0,0 +1,16 @@
+requires:
+ min-version: 7
+
+ # No pcap required.
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - shell:
+ args: grep "Unknown byte_extract var seen in byte_jump - no_var" suricata.log | wc -l | xargs
+ expect: 1
+
+exit-code: 1
+
-- 
2.47.2
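Review bot: The shell check's `args:` line in detect-bytejump-03/test.yaml counts matches with a three-command pipeline where grep can count on its own: `args: grep -c "Unknown byte_extract var seen in byte_jump - no_var" suricata.log`, with `expect: 1` unchanged. One difference to confirm against the runner: `grep -c` exits 1 when nothing matches, while the `| wc -l | xargs` form always exits 0 through xargs; if `expect` is compared against the printed count, the verdict is the same in both forms. The sibling test.rules hunk defines `rpkt_len2` and never reads it; if that is deliberate (a defined variable alongside the undefined `no_var`, showing the lookup is by name), a `# ...` comment line in the rules file saying so would keep a later cleanup from removing it.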