From 5195f6f7c2f27dbc6458f8dad327b103adb7d1da Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Sat, 9 Mar 2024 09:49:13 +0530
Subject: [PATCH] rule-grouping: add edge case test
---
tests/rule-grouping/rule-grouping-9/README.md | 12 ++++++
.../rule-grouping-9/suricata.yaml | 13 ++++++
.../rule-grouping/rule-grouping-9/test.rules | 3 ++
tests/rule-grouping/rule-grouping-9/test.yaml | 41 +++++++++++++++++++
4 files changed, 69 insertions(+)
create mode 100644 tests/rule-grouping/rule-grouping-9/README.md
create mode 100644 tests/rule-grouping/rule-grouping-9/suricata.yaml
create mode 100644 tests/rule-grouping/rule-grouping-9/test.rules
create mode 100644 tests/rule-grouping/rule-grouping-9/test.yaml
diff --git a/tests/rule-grouping/rule-grouping-9/README.md b/tests/rule-grouping/rule-grouping-9/README.md
new file mode 100644
index 000000000..e4dbd1321
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-9/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution when a two port points
+are single as well as the endpoints for a range.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6843
diff --git a/tests/rule-grouping/rule-grouping-9/suricata.yaml b/tests/rule-grouping/rule-grouping-9/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-9/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-9/test.rules b/tests/rule-grouping/rule-grouping-9/test.rules
new file mode 100644
index 000000000..b32eb6b65
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-9/test.rules
@@ -0,0 +1,3 @@
+alert tcp any any -> any 80 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any any -> any 100 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 80:100 (flow:to_server; content:"abc"; sid:4;)
diff --git a/tests/rule-grouping/rule-grouping-9/test.yaml b/tests/rule-grouping/rule-grouping-9/test.yaml
new file mode 100644
index 000000000..d548965af
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-9/test.yaml
@@ -0,0 +1,41 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 80
+ tcp.toserver[0].port2: 80
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 100
+ tcp.toserver[1].port2: 100
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 81
+ tcp.toserver[2].port2: 99
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 4
+
-- 
2.47.2
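Review bot: The test.yaml checks pin the first one or two `sig_id` entries of each group's `rulegroup.rules` array but never the array's length, so a grouping regression that places an extra signature into a group (for example sid 3 also landing in the port-80 group, or sid 2 in the 81-99 group) would still pass; only the outer `tcp.toserver.__len: 3` is bounded. Add a length assertion to each of the three per-group match blocks: `tcp.toserver[0].rulegroup.rules.__len: 2`, `tcp.toserver[1].rulegroup.rules.__len: 2` and `tcp.toserver[2].rulegroup.rules.__len: 1`. This makes the check a complete description of the expected SGH split (80 -> {2,4}, 100 -> {3,4}, 81:99 -> {4}) rather than a prefix match. The checks also presumably rely on the engine emitting `toserver` entries in ascending port order and rules in ascending sid order; if that ordering is not guaranteed by the dump format, a short comment in the README stating that assumption would help the next person who sees this test flake.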