From 8c417619f49db799c2f11ed769b1e60948916e82 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Wed, 1 Dec 2021 05:42:51 +0100
Subject: [PATCH] location: Enhance test for new keywords

This commite adds tests for the following newly introduced rule keywords when building suricata with libloc support:

* anycast
* anyonymous-proxy
* satellite-provider

Signed-off-by: Stefan Schantl
---
 tests/location/create-database.py | 8 ++++++++
 tests/location/test.db | Bin 24674 -> 24674 bytes
 tests/location/test.rules | 3 +++
 tests/location/test.yaml | 27 ++++++++++++++++++++++++---
 4 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/tests/location/create-database.py b/tests/location/create-database.py
index 9f2f91d..a5b8986 100644
--- a/tests/location/create-database.py
+++ b/tests/location/create-database.py
@@ -17,6 +17,7 @@ test_data = {
 'ccontinent': 'EU',
 'asnumber': 8560,
 'asname': '1&1 IONOS SE',
+ 'flags': ["NETWORK_FLAG_ANYCAST", "NETWORK_FLAG_ANONYMOUS_PROXY", "NETWORK_FLAG_SATELLITE_PROVIDER"],
 }
 }
@@ -47,5 +48,12 @@ for addr, data in test_data.items():
 net.country_code = data["ccode"]
 net.asn = asn.number
+ # Check if one ore more network flags should be added to this network.
+ if "flags" in data.keys():
+ # Loop through the list of flags.
+ for flag in data["flags"]:
+ # Add flag to the network.
+ net.set_flag(getattr(location, flag))
+
 # Write the database to disk
 db.write("test.db")
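Review bot: All three flags are attached to the same network entry (the one whose asname is '1&1 IONOS SE'), so the per-sid checks added in the test.yaml hunk cannot distinguish a keyword that reads its own flag from one that reads a neighbouring flag; an `anycast` implementation that happened to test NETWORK_FLAG_ANONYMOUS_PROXY would still produce exactly one sid 3 alert and pass. The head of test_data and any other entries are outside this hunk, so I cannot see whether a second network is available; if one is, spread the three flags over different networks, otherwise add a network carrying none of them and, if the harness accepts it, `count: 0` filters for sids 3–5 on traffic to that network. At minimum a comment on the flags entry should record the limitation, e.g. `# all flags on one network: this proves the keywords fire, not that each reads its own flag`.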
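Review bot: `if "flags" in data.keys():` followed by `for flag in data["flags"]:` does two lookups and uses the non-idiomatic `.keys()`; the single line `for flag in data.get("flags", []):` handles the missing key and removes one nesting level. `getattr(location, flag)` turns a mistyped flag name in test_data into an AttributeError while the fixture database is built, which is the right outcome for a fixture script but worth stating in the comment, e.g. `# Flag names are resolved on the location module, so an unknown name fails here instead of silently producing a wrong database.` The existing comment also has a typo: `one ore more` should read `one or more`. The enclosing `for addr, data in test_data.items():` loop starts before this hunk.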
diff --git a/tests/location/test.db b/tests/location/test.db
index 098592fb9eced425715ac836412b2cd07ece3574..01f3c713897281d49b07186c1ae8cd784f9e1778 100644
GIT binary patch
delta 34
oc-nh(fbr1*MgbpxXBVf42u21VNL= any any (msg:"China IP"; flow:established,to_server; geoip:dst,CN; sid:1; rev:1; flowbits:isnotset,china; flowbits:set,china;)
 alert tcp any any -> any any (msg:"German IP"; flow:established,to_server; geoip: dst,DE; sid:2; rev:1; flowbits:isnotset,german; flowbits:set,german;)
+alert tcp any any -> any any (msg:"ANYCAST ADDRESS"; flow:established,to_server; anycast: dst; sid: 3; rev:1; flowbits:isnotset,anycast; flowbits:set,anycast;)
+alert tcp any any -> any any (msg:"ANONYMOUS PROXY"; flow:established,to_server; anonymous-proxy: dst; sid: 4; rev:1; flowbits:isnotset,anonymous-proxy; flowbits:set,anonymous-proxy;)
+alert tcp any any -> any any (msg:"SATELLITE PROVIDER"; flow:established,to_server; satellite-provider: dst; sid: 5; rev:1; flowbits:isnotset,satellite-provider; flowbits:set,satellite-provider;)
diff --git a/tests/location/test.yaml b/tests/location/test.yaml
index 49b29b3..878e7a7 100644
--- a/tests/location/test.yaml
+++ b/tests/location/test.yaml
@@ -5,15 +5,36 @@ requires:
 checks:
- # Check that we only have one alert event type in eve.
+ # Check that we only have four events in eve.
 - filter:
- count: 1
+ count: 4
 match:
 event_type: alert
- # Check alert is the good one
+ # Check if the geoip keyword workded.
 - filter:
 count: 1
 match:
 event_type: alert
 alert.signature_id: 2
+
+ # Check if the anycast keyword worked.
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+
+ # Check if the anonymous-proxy keyword worked.
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 4
+
+ # Check if the satellite-provider keyworkd worked.
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 5
-- 
2.47.2
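Review bot: Two of the new comments in the test.yaml hunk carry typos, `workded` and `keyworkd`; they should read `# Check if the geoip keyword worked.` and `# Check if the satellite-provider keyword worked.` The rewritten first comment, `# Check that we only have four events in eve.`, is broader than the filter under it, which counts only `event_type: alert`, so `# Check that eve holds exactly four alert events.` states what is actually asserted. The combination of that count with the four single-sid filters is what rules out a stray sid 1 (China IP) alert, which is worth a half-sentence in the same comment so the next editor does not loosen the count.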