From 0bf85c6338e7c4686090a1eb20aa8e8ac4f9bb50 Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Fri, 1 Dec 2023 15:18:31 -0600
Subject: [PATCH] test: tests for requires keyword

Feature: #5972
---
 tests/requires/README.md  |  1 +
 tests/requires/test.rules | 15 +++++++++++++
 tests/requires/test.yaml  | 44 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 tests/requires/README.md
 create mode 100644 tests/requires/test.rules
 create mode 100644 tests/requires/test.yaml

diff --git a/tests/requires/README.md b/tests/requires/README.md
new file mode 100644
index 000000000..a788e0a03
--- /dev/null
+++ b/tests/requires/README.md
@@ -0,0 +1 @@
+Test for the "requires" keyword.
diff --git a/tests/requires/test.rules b/tests/requires/test.rules
new file mode 100644
index 000000000..eaa41a412
--- /dev/null
+++ b/tests/requires/test.rules
@@ -0,0 +1,15 @@
+# Rule for Suricata >= 7 and < 8.
+alert http any any -> any any (msg:"TEST Suricata >= 7 and < 8"; content:"uid=0"; requires: version >= 7 < 8; sid:7; rev:1;)
+
+# Rule for Suricata >= 7.0.3 but less than 8... Or >= 8.0.1
+alert http any any -> any any (content:"uid=0"; requires: version >= 7.0.3 < 8 | >= 8.0.1; sid:9; rev:1;)
+
+# Rule for Suricata >= 8.
+alert http any any -> any any (msg:"TEST Suricata >= 8"; content:"uid=0"; requires: version >= 8.0.0; sid:8; rev:1;)
+
+# These rules have something invalid about them, but do follow the general rule
+# structure, so should be eliminated by the requires statement.
+alert vxlan any any -> any any (requires: version >= 10; sid:1;)
+alert udp any any -> any any (vxlan_vni:10; requires: version >= 10; sid:2;)
+alert http any any => any any (requires: version >= 10; sid:3;)
+alert tcp any any -> any any (frame:smtp.not_supported; requires: version >= 10; sid:4;)
diff --git a/tests/requires/test.yaml b/tests/requires/test.yaml
new file mode 100644
index 000000000..63ac64c08
--- /dev/null
+++ b/tests/requires/test.yaml
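Review bot: The sid 9 rule in the test.rules hunk is the only one exercising the `|` alternation in `requires`, yet it is the one rule without a `msg` and its comment does not say what outcome the test expects, while the companion test.yaml asserts zero alerts for it. A reader of the rules file alone cannot tell whether "no alert" is the intended result or an oversight. I would give it a `msg:` like sids 7 and 8 and extend the comment to `# Rule for Suricata >= 7.0.3 but less than 8... Or >= 8.0.1. Alerts only on builds inside those windows; test.yaml currently expects none.` The sid 1–4 block relies on `version >= 10` to keep deliberately malformed rules from being parsed, and its comment states that intent clearly.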
@@ -0,0 +1,44 @@
+requires:
+  files:
+    - rust/src/detect/requires.rs
+
+pcap: ../eve-metadata/testmyids.pcap
+
+checks:
+
+  # Check that for Suricata >= 8.0.0 we have one alert and that alert is sid 8.
+  - filter:
+      requires:
+        min-version: 8
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      requires:
+        min-version: 8
+      count: 1
+      match:
+        alert.signature_id: 8
+
+  # Check that for Suricata >= 7.0.0 and < 8 we have one alert and that alert
+  # is sid 7.
+  - filter:
+      requires:
+        min-version: 7
+        lt-version: 8
+      count: 1
+      match:
+        event_type: alert
+  - filter:
+      requires:
+        min-version: 7
+        lt-version: 8
+      count: 1
+      match:
+        alert.signature_id: 7
+
+  # Should have nothing for SID 9.
+  - filter:
+      count: 0
+      match:
+        alert.signature_id: 9
--
2.47.2
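Review bot: The final check asserts `count: 0` for sid 9 with no `requires:` gate, but the rule it covers is declared loadable on any Suricata in `>= 7.0.3 < 8` or `>= 8.0.1`, and it carries the same `content:"uid=0"` that makes sids 7 and 8 fire on this pcap. On a build inside either window the check would presumably fail, so it should either be scoped with a `requires:` block in the style of the other filters (using `min-version`/`lt-version` to bound it to versions where the rule is not loaded) or carry a comment stating why no version the suite targets can load sid 9. Nothing in the checks confirms that sids 1–4 were skipped by `requires` rather than rejected as parse errors; if suricata-verify does not fail the test on rule-load errors, a check on the rule-load statistics would make that expectation explicit.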