From 633a657f29f15798430b8d7b0c84fa55c26195c4 Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Mon, 25 Mar 2024 19:05:47 +0530 Subject: [PATCH] rule-grouping: add boundary port tests
---
 .../rule-grouping/rule-grouping-17/README.md | 12 +++++ .../rule-grouping-17/suricata.yaml | 13 +++++ .../rule-grouping/rule-grouping-17/test.rules | 5 ++ .../rule-grouping/rule-grouping-17/test.yaml | 49 +++++++++++++++++++ .../rule-grouping/rule-grouping-18/README.md | 11 +++++ .../rule-grouping-18/suricata.yaml | 13 +++++ .../rule-grouping/rule-grouping-18/test.rules | 1 + .../rule-grouping/rule-grouping-18/test.yaml | 9 ++++ .../rule-grouping/rule-grouping-19/README.md | 12 +++++ .../rule-grouping-19/suricata.yaml | 13 +++++ .../rule-grouping/rule-grouping-19/test.rules | 4 ++ .../rule-grouping/rule-grouping-19/test.yaml | 42 ++++++++++++++++ 12 files changed, 184 insertions(+) create mode 100644 tests/rule-grouping/rule-grouping-17/README.md create mode 100644 tests/rule-grouping/rule-grouping-17/suricata.yaml create mode 100644 tests/rule-grouping/rule-grouping-17/test.rules create mode 100644 tests/rule-grouping/rule-grouping-17/test.yaml create mode 100644 tests/rule-grouping/rule-grouping-18/README.md create mode 100644 tests/rule-grouping/rule-grouping-18/suricata.yaml create mode 100644 tests/rule-grouping/rule-grouping-18/test.rules create mode 100644 tests/rule-grouping/rule-grouping-18/test.yaml create mode 100644 tests/rule-grouping/rule-grouping-19/README.md create mode 100644 tests/rule-grouping/rule-grouping-19/suricata.yaml create mode 100644 tests/rule-grouping/rule-grouping-19/test.rules create mode 100644 tests/rule-grouping/rule-grouping-19/test.yaml
diff --git a/tests/rule-grouping/rule-grouping-17/README.md b/tests/rule-grouping/rule-grouping-17/README.md
new file mode 100644
index 000000000..e52cd1b78
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-17/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small range
+overlaps and single points with the boundary values of UINT16.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6896
diff --git a/tests/rule-grouping/rule-grouping-17/suricata.yaml b/tests/rule-grouping/rule-grouping-17/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-17/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-17/test.rules b/tests/rule-grouping/rule-grouping-17/test.rules
new file mode 100644
index 000000000..970105a3b
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-17/test.rules
@@ -0,0 +1,5 @@
+alert tcp any any -> any 0:1000 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any any -> any 0 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any any -> any 35000:65535 (flow:to_server; content:"abc"; sid:3;)
+alert tcp any any -> any 65535 (flow:to_server; content:"abc"; sid:4;)
+
diff --git a/tests/rule-grouping/rule-grouping-17/test.yaml b/tests/rule-grouping/rule-grouping-17/test.yaml
new file mode 100644
index 000000000..ba80990ca
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-17/test.yaml
@@ -0,0 +1,49 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 0
+ tcp.toserver[0].port2: 0
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 65535
+ tcp.toserver[1].port2: 65535
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 3
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 4
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 1
+ tcp.toserver[2].port2: 1000
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[3].port: 35000
+ tcp.toserver[3].port2: 65534
+ tcp.toserver[3].rulegroup.id: 3
+ tcp.toserver[3].rulegroup.rules[0].sig_id: 3
+
diff --git a/tests/rule-grouping/rule-grouping-18/README.md b/tests/rule-grouping/rule-grouping-18/README.md
new file mode 100644
index 000000000..3a9939177
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-18/README.md
@@ -0,0 +1,11 @@
+# Test Description
+
+Test to demonstrate the error in case port is out of bounds.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6896
diff --git a/tests/rule-grouping/rule-grouping-18/suricata.yaml b/tests/rule-grouping/rule-grouping-18/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-18/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
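Review bot: The `checks:` list pins each group to a positional index (`tcp.toserver[0]` through `[3]`) and a `rulegroup.id`, but nothing in the hunk records why the two single ports end up as their own groups while the ranges shrink, so a later change in the expected output is hard to judge against the test. From test.rules, port 0 is covered by both sid 1 (`0:1000`) and sid 2 (`0`), and port 65535 by both sid 3 (`35000:65535`) and sid 4 (`65535`), which is what produces the `0`/`65535` point groups holding two rules each and the reduced ranges `1:1000` and `35000:65534`. A YAML comment above `checks:` such as `# ports 0 and 65535 are each shared by a range rule and a single-port rule, so each boundary port becomes its own group and the ranges become 1:1000 and 35000:65534` would make that rationale explicit. The same applies to rule-grouping-19/test.yaml, where port 0 is shared by all three rules, `1:120` by sid 1 and sid 2, and `121:65535` by sid 1 alone.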
diff --git a/tests/rule-grouping/rule-grouping-18/test.rules b/tests/rule-grouping/rule-grouping-18/test.rules
new file mode 100644
index 000000000..a5620ce30
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-18/test.rules
@@ -0,0 +1 @@
+alert tcp any any -> any 65536 (flow:to_server; content:"abc"; sid:1;)
diff --git a/tests/rule-grouping/rule-grouping-18/test.yaml b/tests/rule-grouping/rule-grouping-18/test.yaml
new file mode 100644
index 000000000..59746b199
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-18/test.yaml
@@ -0,0 +1,9 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+exit-code: 1
diff --git a/tests/rule-grouping/rule-grouping-19/README.md b/tests/rule-grouping/rule-grouping-19/README.md
new file mode 100644
index 000000000..858fa6210
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-19/README.md
@@ -0,0 +1,12 @@
+# Test Description
+
+Test to demonstrate the port grouping and SGH distribution for small range
+overlaps and single points with UINT16 boundary overlaps.
+
+## PCAP
+
+None
+
+## Related issues
+
+https://redmine.openinfosecfoundation.org/issues/6896
diff --git a/tests/rule-grouping/rule-grouping-19/suricata.yaml b/tests/rule-grouping/rule-grouping-19/suricata.yaml
new file mode 100644
index 000000000..549defa9d
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-19/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+engine-analysis:
+ rules-fast-pattern: yes
+ rules: yes
+
+detect:
+ profiling:
+ grouping:
+ dump-to-disk: yes
+ include-rules: yes
+ include-mpm-stats: yes
diff --git a/tests/rule-grouping/rule-grouping-19/test.rules b/tests/rule-grouping/rule-grouping-19/test.rules
new file mode 100644
index 000000000..3460d44c2
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-19/test.rules
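Review bot: `exit-code: 1` is the only assertion in rule-grouping-18/test.yaml, so the test also passes when Suricata exits non-zero for a reason unrelated to the out-of-range port `65536` in test.rules (a config or `args` problem, for instance), and a regression that accepts the port but fails later for another reason would go unnoticed. Consider pairing the exit code with a check that the failure is the port parse error, for example a `shell` check that greps the engine log for that message (with the exact text taken from the engine output, e.g. `grep -c "<port parse error text>" suricata.log`), or at minimum a comment in the YAML such as `# expected to fail at rule load: destination port 65536 exceeds UINT16` so the intended cause is recorded. If the framework offers no log-match check, the README should state that only the exit code is asserted.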
@@ -0,0 +1,4 @@
+alert tcp any any -> any 0:65535 (flow:to_server; content:"abc"; sid:1;)
+alert tcp any 1024: -> any 0:120 (flow:to_server; content:"abc"; sid:2;)
+alert tcp any 1024: -> any 0 (flow:to_server; content:"abc"; sid:3;)
+
diff --git a/tests/rule-grouping/rule-grouping-19/test.yaml b/tests/rule-grouping/rule-grouping-19/test.yaml
new file mode 100644
index 000000000..55c53455c
--- /dev/null
+++ b/tests/rule-grouping/rule-grouping-19/test.yaml
@@ -0,0 +1,42 @@
+requires:
+ min-version: 8
+
+pcap: false
+
+args:
+ - --engine-analysis
+
+checks:
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver.__len: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[0].port: 0
+ tcp.toserver[0].port2: 0
+ tcp.toserver[0].rulegroup.id: 0
+ tcp.toserver[0].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[0].rulegroup.rules[1].sig_id: 2
+ tcp.toserver[0].rulegroup.rules[2].sig_id: 3
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[1].port: 1
+ tcp.toserver[1].port2: 120
+ tcp.toserver[1].rulegroup.id: 1
+ tcp.toserver[1].rulegroup.rules[0].sig_id: 1
+ tcp.toserver[1].rulegroup.rules[1].sig_id: 2
+ - filter:
+ filename: rule_group.json
+ count: 1
+ match:
+ tcp.toserver[2].port: 121
+ tcp.toserver[2].port2: 65535
+ tcp.toserver[2].rulegroup.id: 2
+ tcp.toserver[2].rulegroup.rules[0].sig_id: 1
+
-- 2.47.2