From e81f7b1d9454a3b5cc50cf98e9454574103927b8 Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Sun, 9 Jul 2023 10:41:11 -0400 Subject: [PATCH] test/byte_math: Add nbyte variable name tests Issue: 6145 Add tests related to nbyte variable name usage for byte_math --- tests/detect-bytemath-05/input.pcap | Bin 0 -> 80 bytes tests/detect-bytemath-05/test.rules | 5 +++++ tests/detect-bytemath-05/test.yaml | 9 +++++++++ tests/detect-bytemath-06/test.rules | 5 +++++ tests/detect-bytemath-06/test.yaml | 14 ++++++++++++++ 5 files changed, 33 insertions(+) create mode 100644 tests/detect-bytemath-05/input.pcap create mode 100644 tests/detect-bytemath-05/test.rules create mode 100644 tests/detect-bytemath-05/test.yaml create mode 100644 tests/detect-bytemath-06/test.rules create mode 100644 tests/detect-bytemath-06/test.yaml diff --git a/tests/detect-bytemath-05/input.pcap b/tests/detect-bytemath-05/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4a18a072c33c34de444586574c1bd667eaf6f28d GIT binary patch literal 80 zc-p&ic+)~A1{MYw`2U}QAr(j)&)*a`_belW29OQHu1Y|Pk%7U1jiKWJgWo any any (msg:"byte_math varname test sig"; \ + ipv4.hdr; byte_extract:1,5,rpkt_len,relative; \ + byte_math:bytes rpkt_len, offset 1, oper +, rvalue 102, result result_val; \ + tcp.hdr; byte_test: 1, =, result_val, 1, relative; \ + sid:1;) diff --git a/tests/detect-bytemath-05/test.yaml b/tests/detect-bytemath-05/test.yaml new file mode 100644 index 000000000..f4edccea6 --- /dev/null +++ b/tests/detect-bytemath-05/test.yaml @@ -0,0 +1,9 @@ +requires: + min-version: 7 + +checks: + - filter: + count: 1 + match: + event_type: alert + alert.signature_id: 1 diff --git a/tests/detect-bytemath-06/test.rules b/tests/detect-bytemath-06/test.rules new file mode 100644 index 000000000..366e23fdb --- /dev/null +++ b/tests/detect-bytemath-06/test.rules 
@@ -0,0 +1,5 @@
+alert tcp any any -> any any (msg:"byte_math bad varname test sig"; \
+ ipv4.hdr; byte_extract:1,5,rpkt_len,relative; \
+ byte_math:bytes no_var, offset 1, oper +, rvalue 102, result result_val; \
+ tcp.hdr; byte_test: 1, =, result_val, 1, relative; \
+ sid:1;)
diff --git a/tests/detect-bytemath-06/test.yaml b/tests/detect-bytemath-06/test.yaml
new file mode 100644
index 000000000..3f7a4f66f
--- /dev/null
+++ b/tests/detect-bytemath-06/test.yaml
@@ -0,0 +1,14 @@
+requires:
+ min-version: 7
+
+ pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - shell:
+ args: grep "unknown byte_ keyword var seen in byte_math - no_var" suricata.log | wc -l | xargs
+ expect: 1
+
+exit-code: 1
-- 
2.47.2
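Review bot: In the detect-bytemath-06/test.yaml hunk, `pcap: false` appears indented under `requires:` rather than at the top level (the indentation in this view may be collapsed, so this is inferred from the leading space on the line); if the runner only honours a top-level `pcap` key, the setting is ignored and the test would still look for an input pcap, which this directory does not add. Moving the line to column 0 between the `requires:` mapping and `args:`, as `pcap: false`, removes the ambiguity either way. The shell check also pins the exact engine log text; a short comment above it, `# must track the engine's byte_math unknown-variable error message`, would tell the next reader why this test fails after a log wording change rather than a regression.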