From b51fa11009203becf093d54e72a7c8443a13f782 Mon Sep 17 00:00:00 2001
From: jason taylor
Date: Wed, 15 May 2019 12:11:27 -0400
Subject: [PATCH] tests: add invalid semicolon usage

Signed-off-by: jason taylor
---
 .../test-bad-depth-distance-rule-1/test.yaml | 2 +-
 .../test-bad-depth-distance-rule-2/test.yaml | 2 +-
 tests/test-bad-depth-rule-1/test.yaml | 2 +-
 tests/test-bad-depth-within-rule-1/test.yaml | 2 +-
 tests/test-bad-depth-within-rule-2/test.yaml | 2 +-
 .../test-bad-offset-distance-rule-1/test.yaml | 2 +-
 tests/test-bad-offset-offset-rule-1/test.yaml | 2 +-
 tests/test-bad-offset-within-rule-1/test.yaml | 2 +-
 tests/test-bad-semicolon-rule-2/suricata.yaml | 10 +++++++++
 tests/test-bad-semicolon-rule-2/test.rules | 1 +
 tests/test-bad-semicolon-rule-2/test.yaml | 21 +++++++++++++++++++
 11 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 tests/test-bad-semicolon-rule-2/suricata.yaml
 create mode 100644 tests/test-bad-semicolon-rule-2/test.rules
 create mode 100644 tests/test-bad-semicolon-rule-2/test.yaml

diff --git a/tests/test-bad-depth-distance-rule-1/test.yaml b/tests/test-bad-depth-distance-rule-1/test.yaml
index 5aaee4d13..1e675c1fc 100644
--- a/tests/test-bad-depth-distance-rule-1/test.yaml
+++ b/tests/test-bad-depth-distance-rule-1/test.yaml
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
diff --git a/tests/test-bad-depth-distance-rule-2/test.yaml b/tests/test-bad-depth-distance-rule-2/test.yaml
index 5aaee4d13..1e675c1fc 100644
--- a/tests/test-bad-depth-distance-rule-2/test.yaml
+++ b/tests/test-bad-depth-distance-rule-2/test.yaml
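Review bot: The first eight hunks change the expected `engine.message` strings (this file, test-bad-depth-distance-rule-2, test-bad-depth-rule-1, test-bad-depth-within-rule-1 and -2, test-bad-offset-distance-rule-1, test-bad-offset-offset-rule-1 and test-bad-offset-within-rule-1), but the title and description mention only the new semicolon test, so the reason for dropping the `\/` escapes is nowhere on record. Presumably `\/` is rejected by YAML 1.1 loaders such as PyYAML (it is only a valid double-quoted escape in YAML 1.2), which would make these fixtures fail to parse rather than fail to match; that belongs in the description or in its own commit so a later bisect does not attribute it to the semicolon test. The offset-offset hunk additionally introduces a trailing space inside the quotes, `"can't use multiple offsets for the same content. "`, which reads like a typo and is likely to be stripped in a later edit; a comment above that line such as `# trailing space is part of the engine's message text - keep it` would protect it, assuming the check compares the string exactly.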
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
diff --git a/tests/test-bad-depth-rule-1/test.yaml b/tests/test-bad-depth-rule-1/test.yaml
index 67bddd68b..8e32a142f 100644
--- a/tests/test-bad-depth-rule-1/test.yaml
+++ b/tests/test-bad-depth-rule-1/test.yaml
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data\/dce_stub_data sticky buffer options"
+        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options"
 
   - filter:
       count: 1
diff --git a/tests/test-bad-depth-within-rule-1/test.yaml b/tests/test-bad-depth-within-rule-1/test.yaml
index 5aaee4d13..1e675c1fc 100644
--- a/tests/test-bad-depth-within-rule-1/test.yaml
+++ b/tests/test-bad-depth-within-rule-1/test.yaml
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
diff --git a/tests/test-bad-depth-within-rule-2/test.yaml b/tests/test-bad-depth-within-rule-2/test.yaml
index 67bddd68b..8e32a142f 100644
--- a/tests/test-bad-depth-within-rule-2/test.yaml
+++ b/tests/test-bad-depth-within-rule-2/test.yaml
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data\/dce_stub_data sticky buffer options"
+        engine.message: "depth needs preceding content, uricontent option, http_client_body, http_server_body, http_header option, http_raw_header option, http_method option, http_cookie, http_raw_uri, http_stat_msg, http_stat_code, http_user_agent, http_host, http_raw_host or file_data/dce_stub_data sticky buffer options"
 
   - filter:
       count: 1
diff --git a/tests/test-bad-offset-distance-rule-1/test.yaml b/tests/test-bad-offset-distance-rule-1/test.yaml
index 5aaee4d13..1e675c1fc 100644
--- a/tests/test-bad-offset-distance-rule-1/test.yaml
+++ b/tests/test-bad-offset-distance-rule-1/test.yaml
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
diff --git a/tests/test-bad-offset-offset-rule-1/test.yaml b/tests/test-bad-offset-offset-rule-1/test.yaml
index b9e74fac1..acb980624 100644
--- a/tests/test-bad-offset-offset-rule-1/test.yaml
+++ b/tests/test-bad-offset-offset-rule-1/test.yaml
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use multiple offsets for the same content."
+        engine.message: "can't use multiple offsets for the same content. "
 
   - filter:
       count: 1
diff --git a/tests/test-bad-offset-within-rule-1/test.yaml b/tests/test-bad-offset-within-rule-1/test.yaml
index 5aaee4d13..1e675c1fc 100644
--- a/tests/test-bad-offset-within-rule-1/test.yaml
+++ b/tests/test-bad-offset-within-rule-1/test.yaml
@@ -12,7 +12,7 @@ checks:
       count: 1
       match:
         event_type: engine
-        engine.message: "can't use a relative keyword like within\/distance with a absolute relative keyword like depth\/offset for the same content."
+        engine.message: "can't use a relative keyword like within/distance with a absolute relative keyword like depth/offset for the same content."
 
   - filter:
       count: 1
diff --git a/tests/test-bad-semicolon-rule-2/suricata.yaml b/tests/test-bad-semicolon-rule-2/suricata.yaml
new file mode 100644
index 000000000..dcaae57fe
--- /dev/null
+++ b/tests/test-bad-semicolon-rule-2/suricata.yaml
@@ -0,0 +1,10 @@
+%YAML 1.1
+---
+
+logging:
+  default-log-level: info
+  outputs:
+    - file:
+        enabled: yes
+        filename: eve.json
+        type: json
diff --git a/tests/test-bad-semicolon-rule-2/test.rules b/tests/test-bad-semicolon-rule-2/test.rules
new file mode 100644
index 000000000..082958758
--- /dev/null
+++ b/tests/test-bad-semicolon-rule-2/test.rules
@@ -0,0 +1 @@
+alert udp any any -> any any (msg:"TEST SUCCESFULL - Too Many Semicolons INVALID combination "; content:"AA"; content:"BB";; within:5; sid:6666668; rev:1;)
diff --git a/tests/test-bad-semicolon-rule-2/test.yaml b/tests/test-bad-semicolon-rule-2/test.yaml
new file mode 100644
index 000000000..39ac12e8d
--- /dev/null
+++ b/tests/test-bad-semicolon-rule-2/test.yaml
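Review bot: The new test.rules line carries a misspelling in its own text, `msg:"TEST SUCCESFULL - ...`; since the rule is meant to be rejected at load time because of the `;;` after `content:"BB"`, the msg is never emitted, but `TEST SUCCESSFUL` keeps the fixture tree clean for anyone grepping it. It would also help a reader to see, in a comment in test.yaml rather than in the rule file (Suricata rule files have no inline comment after the rule), that the doubled semicolon is the deliberate defect under test and the rest of the rule is otherwise well-formed.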
@@ -0,0 +1,21 @@
+requires:
+  features:
+    - HAVE_LIBJANSSON
+
+command: |
+  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
+
+checks:
+  # check that we have the following entres in eve.json
+  # match 1 specific rule load failure reason
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.message: "unknown rule keyword ''."
+
+  - filter:
+      count: 1
+      match:
+        event_type: engine
+        engine.error: "SC_ERR_NO_RULES_LOADED"
-- 
2.47.2
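Review bot: No pcap is added with this test (the diffstat lists only suricata.yaml, test.rules and test.yaml), so `-r ${TEST_DIR}/` in `command:` presumably points at a directory with no capture files and the run is expected to end at rule loading; the comment block above the first filter is the place to say that, e.g. `# no pcap: the rule must fail to load, so only engine log entries are checked`. The existing comment also has a typo, `entres` should be `entries`. The first filter pins the failure on the message text `unknown rule keyword ''.` alone; if the engine logs that parse failure with its own `engine.error` code, adding that key to the same `match:` block would make the check survive wording changes in the message, which the later hunks in this commit show do happen.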