From 7e6f77f6f419d56b9e9978678439a1bfd9a3f1bd Mon Sep 17 00:00:00 2001 
From: Jason Ish
Date: Thu, 24 Apr 2025 12:14:55 -0600
Subject: [PATCH] tests: update for new suricata.flowvar lib; test flowvar set
---
 tests/lua-memleak/test.lua | 12 ++++++---
 tests/{ => lua}/lua-scflowvarget/README.md | 0
 tests/{ => lua}/lua-scflowvarget/input.pcap | Bin
 .../{ => lua}/lua-scflowvarget/suricata.yaml | 0
 tests/lua/lua-scflowvarget/test.lua | 25 ++++++++++++++++++
 tests/{ => lua}/lua-scflowvarget/test.rules | 0
 tests/lua/lua-scflowvarget/test.yaml | 13 +++++++++
 tests/lua/lua-scflowvarset/README.md | 1 +
 tests/lua/lua-scflowvarset/getflowvar.lua | 19 +++++++++++++
 tests/lua/lua-scflowvarset/input.pcap | Bin 0 -> 1779 bytes
 tests/lua/lua-scflowvarset/setflowvar.lua | 23 ++++++++++++++++
 tests/lua/lua-scflowvarset/suricata.yaml | 12 +++++++++
 tests/lua/lua-scflowvarset/test.rules | 5 ++++
 tests/lua/lua-scflowvarset/test.yaml | 20 ++++++++++++++
 tests/pre8/lua-scflowvarget/README.md | 17 ++++++++++++
 tests/pre8/lua-scflowvarget/input.pcap | Bin 0 -> 1779 bytes
 tests/pre8/lua-scflowvarget/suricata.yaml | 12 +++++++++
 tests/{ => pre8}/lua-scflowvarget/test.lua | 0
 tests/pre8/lua-scflowvarget/test.rules | 2 ++
 tests/{ => pre8}/lua-scflowvarget/test.yaml | 1 +
 20 files changed, 159 insertions(+), 3 deletions(-)
 rename tests/{ => lua}/lua-scflowvarget/README.md (100%)
 rename tests/{ => lua}/lua-scflowvarget/input.pcap (100%)
 rename tests/{ => lua}/lua-scflowvarget/suricata.yaml (100%)
 create mode 100644 tests/lua/lua-scflowvarget/test.lua
 rename tests/{ => lua}/lua-scflowvarget/test.rules (100%)
 create mode 100644 tests/lua/lua-scflowvarget/test.yaml
 create mode 100644 tests/lua/lua-scflowvarset/README.md
 create mode 100644 tests/lua/lua-scflowvarset/getflowvar.lua
 create mode 100644 tests/lua/lua-scflowvarset/input.pcap
 create mode 100644 tests/lua/lua-scflowvarset/setflowvar.lua
 create mode 100644 tests/lua/lua-scflowvarset/suricata.yaml
 create mode 100644 tests/lua/lua-scflowvarset/test.rules
 create mode 100644 tests/lua/lua-scflowvarset/test.yaml
 create mode 100644 tests/pre8/lua-scflowvarget/README.md
 create mode 100644 tests/pre8/lua-scflowvarget/input.pcap
 create mode 100644 tests/pre8/lua-scflowvarget/suricata.yaml
 rename tests/{ => pre8}/lua-scflowvarget/test.lua (100%)
 create mode 100644 tests/pre8/lua-scflowvarget/test.rules
 rename tests/{ => pre8}/lua-scflowvarget/test.yaml (94%)
diff --git a/tests/lua-memleak/test.lua b/tests/lua-memleak/test.lua
index 91f7d38c6..35d3d56cc 100644
--- a/tests/lua-memleak/test.lua
+++ b/tests/lua-memleak/test.lua
@@ -1,9 +1,15 @@
+local flowvarlib = require("suricata.flowvar")
+
 function init (args)
- local needs = {}
- return needs
+ flowvarlib.register("key")
+ return {}
+end
+
+function thread_init (args)
+ var = flowvarlib.get("key")
 end
 
 function match(args)
- SCFlowvarSet("key", 3, "value", 5)
+ var:set("value", 5)
 return 1
 end
diff --git a/tests/lua-scflowvarget/README.md b/tests/lua/lua-scflowvarget/README.md
similarity index 100%
rename from tests/lua-scflowvarget/README.md
rename to tests/lua/lua-scflowvarget/README.md
diff --git a/tests/lua-scflowvarget/input.pcap b/tests/lua/lua-scflowvarget/input.pcap
similarity index 100%
rename from tests/lua-scflowvarget/input.pcap
rename to tests/lua/lua-scflowvarget/input.pcap
diff --git a/tests/lua-scflowvarget/suricata.yaml b/tests/lua/lua-scflowvarget/suricata.yaml
similarity index 100%
rename from tests/lua-scflowvarget/suricata.yaml
rename to tests/lua/lua-scflowvarget/suricata.yaml
diff --git a/tests/lua/lua-scflowvarget/test.lua b/tests/lua/lua-scflowvarget/test.lua
new file mode 100644
index 000000000..dce2391aa
--- /dev/null
+++ b/tests/lua/lua-scflowvarget/test.lua
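Review bot: `var = flowvarlib.get("key")` in `thread_init` is an implicit global with no comment, and that global is the only way `match` can reach the handle, so a reader applying the usual `local` habit would silently break `match`. I would mark the intent above the assignment, `-- intentionally global: looked up once per thread state, used by match()`, and give it a less generic name such as `keyvar` in both functions. It also appears that `flowvarlib.register("key")` in `init` is what makes the later `get`/`set` on that name valid; if so, a one-line comment on the `register` call saying it must precede `get` would save the next author a trip to the library docs.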
@@ -0,0 +1,25 @@
+local flowvar = require("suricata.flowvar")
+
+function init (args)
+ return {}
+end
+
+function thread_init (args)
+ testvar = flowvar.get("TestVar")
+end
+
+function match(args)
+ print "Before loading Variable"
+ local value = testvar:value()
+ if value == nil then
+ print("TestVar has no value")
+ return 0
+ end
+
+ if value ~= "/zib100/zib100.json?origin=orf.at HTTP/1.1" then
+ print("TestVar has wrong value")
+ return 0
+ end
+
+ return 1
+end
diff --git a/tests/lua-scflowvarget/test.rules b/tests/lua/lua-scflowvarget/test.rules
similarity index 100%
rename from tests/lua-scflowvarget/test.rules
rename to tests/lua/lua-scflowvarget/test.rules
diff --git a/tests/lua/lua-scflowvarget/test.yaml b/tests/lua/lua-scflowvarget/test.yaml
new file mode 100644
index 000000000..0c23a0a70
--- /dev/null
+++ b/tests/lua/lua-scflowvarget/test.yaml
@@ -0,0 +1,13 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ metadata.flowvars[0].TestVar: "/zib100/zib100.json?origin=orf.at HTTP/1.1"
diff --git a/tests/lua/lua-scflowvarset/README.md b/tests/lua/lua-scflowvarset/README.md
new file mode 100644
index 000000000..c3dc7bbdf
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/README.md
@@ -0,0 +1 @@
+Test setting and getting a flowvar from Lua.
diff --git a/tests/lua/lua-scflowvarset/getflowvar.lua b/tests/lua/lua-scflowvarset/getflowvar.lua
new file mode 100644
index 000000000..ce61c5444
--- /dev/null
+++ b/tests/lua/lua-scflowvarset/getflowvar.lua
@@ -0,0 +1,19 @@
+local flowvarlib = require("suricata.flowvar")
+
+function init()
+ return {}
+end
+
+function thread_init()
+ flowvar = flowvarlib.get("test_var")
+end
+
+function match()
+ local value = flowvar:value()
+ if value == "foobar" then
+ return 1
+ else
+ print("flowvar does not have expected value")
+ return 0
+ end
+end
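Review bot: `print "Before loading Variable"` at the top of `match` in the new test.lua is leftover debugging output that fires on every evaluation, and its wording no longer describes anything the function does, so it should be dropped. The two failure branches print only a fixed string; `print("TestVar has wrong value: " .. tostring(value))` would make a failing run diagnosable from the log alone. `testvar` is a deliberate per-thread global assigned in `thread_init` and read in `match`; a comment such as `-- global on purpose: shared between thread_init and match in this thread's Lua state` would stop someone from making it `local` and breaking the test.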
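Review bot: `flowvar = flowvarlib.get("test_var")` in getflowvar.lua obtains a handle for a name this script never registers; it presumably relies on setflowvar.lua (not visible in this chunk) having called `register`, and nothing here states that or what `get` does when no script registered the name. I would add `-- "test_var" is registered by setflowvar.lua; this script only reads it` above the `get`. The naming also diverges from the sibling test script, which calls the module `flowvar` and the handle `testvar`, whereas here the module is `flowvarlib` and the handle is `flowvar`; one convention across the new tests would help. The failure print could include `tostring(value)` so a wrong or nil value is visible in the log.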
diff --git a/tests/lua/lua-scflowvarset/input.pcap b/tests/lua/lua-scflowvarset/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b763c97a453ebd0a5b3bd55f76fecfc8650aaa6b GIT binary patch literal 1779 zc-oDW!EYNy6o<#INurf3B|V@@y^L}|N!VTQ#OrmsX+@LNB;dHU9EYHSWKDL*_B5N_ z?e4lIfmT7P)H_n4J)nvU;t(zr~i2O;ddiw5$0lyefsNu`PJ1QuYLQ^#26|eq+1_d zM0+C$?Vmk6{rLCx=TGjU>e8L+fne;VF?#kVLg~ya2dPu1#!{(FS`h!989gHQSuwXq zMCc;YN7nuoG(knxCwK2XSStXvyLUPme|$M6?h6`FM+Nb<*GG{7G-FtdQ`W7aF?NA! zRL4`9XTS9_{R${wL)u~tQc@4C+b2-Yq%wcKhtP7Vj&r+wlW1E1PrVj;?i*gfTim_i z1x=Mkc%@#i=7>tN(ux;GCic0{)ZSiJTJl_%SrPYK6K^r*E7ajPSXNrFEarppOl~GC zU5R-nZby-C=5mSeddLE0p~YOVt9ZNIacHifYItgcyS8^T#Fy)sXsR}kVZqSn@dt)J zjTe01VH<3-%%fZ(UsUr3o+_`@E2}bg_!h&<%-Zs%@lreRwpp%FR5f+>++0y5`8-~u zO&ajNTUM&ECJR_F5LhmWUMabjXLGk@;?^$rWo)yiLn9{R(6-t~R;$!)b!dy3u&-Py z$u^t6enC^`WacXCYw_HGc|6gxQdWvZ_1P#o59L2UOjJ{keiEX(uMddISh`b_tK;Y} z_#qK~!a7K!cnq@AUq1R-u}SPH(}dR=Z#GFjPPiQQ$esg5!8Mm6z219UAPIxVH%^5`e_f z#IC1UVnr6SF!BO`uhKA5Do~ClXSRv!9oQx0xzKco%OplGv{Icy)h0=PRw?Kf)2Tt} z93(e+RJ9sZjfE!O+=*Bi>o@`-Dyz(GMQs!3HRDBbTaFj9W4ro}4+lg+i`=5ZA}2aW zRQE#(<4Kopvq=a*gr;b^LP&!cTCu_1hNd;HzO|@8vo#v(wy#ghSa?J{a$=VXb>M5_ z_dDRs-exunaTyu{x1kqp8sZwW+7YImCSK%@-Emv7rQPRjizC{J_~85N$pNW^kgLf{ z8HFAML$~8Ny(Q0exI4sG)8MCSnwI$bG-?a8-o?>h^qS3K?nN^{=+5o_Yo%NNqaS{W z`(gG)4X+=>8lFIh{+rMDgM9zQ>veC~#aNSp*M;jfom{W{!HJZQPoPX3Q?8GUos`$p SI4?4gR~JZ%=ySi6 any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;) + + +alert http any any -> any any (http.request_line; content: "GET"; lua: setflowvar.lua; sid:1;) +alert http any any -> any any (http.response_header; content: "Apache"; lua: getflowvar.lua; sid:2;) diff --git a/tests/lua/lua-scflowvarset/test.yaml b/tests/lua/lua-scflowvarset/test.yaml new file mode 100644 index 000000000..60c256cbe --- /dev/null +++ b/tests/lua/lua-scflowvarset/test.yaml 
@@ -0,0 +1,20 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ metadata.flowvars[0].test_var: foobar
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ metadata.flowvars[0].test_var: foobar
diff --git a/tests/pre8/lua-scflowvarget/README.md b/tests/pre8/lua-scflowvarget/README.md
new file mode 100644
index 000000000..6c252afbb
--- /dev/null
+++ b/tests/pre8/lua-scflowvarget/README.md
@@ -0,0 +1,17 @@
+To test that SCFlowvarGet (lua) doesn't always return nil.
+
+The original issue emerged due to a lua detection script that used a single rule to set up
+a flow variable and match on it.
+
+The problem is that during detection, the steps happen in this order:
+- pattern matching
+- lua script execution
+- setting flow variables as part of post match
+
+So, a workaround is to have 2 rules:
+- one that does the pattern matching and setting the flow var
+- another second one that does the Lua script
+
+This test works based on that.
+
+Pcap provided by Chris Knott at https://redmine.openinfosecfoundation.org/issues/2094
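Review bot: the first check asserts that the alert for sid 1, the rule whose Lua script sets `test_var`, already carries `metadata.flowvars[0].test_var: foobar`, which is the property actually under test but reads as accidental next to the pre8 README's note that rule-driven flowvar setting happens post-match. A comment above that check, `# sid 1 sets test_var from Lua during match; its own alert must already carry it`, and `# sid 2 reads it back on the response side` above the second would make the intent explicit. Unlike the pre8 test.yaml this file has no `features: - HAVE_LUA` entry; if Lua can still be compiled out in 8.x, the test would run and fail on such a build instead of being skipped, so either add the entry or note why it is no longer needed.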
diff --git a/tests/pre8/lua-scflowvarget/input.pcap b/tests/pre8/lua-scflowvarget/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b763c97a453ebd0a5b3bd55f76fecfc8650aaa6b GIT binary patch literal 1779 zc-oDW!EYNy6o<#INurf3B|V@@y^L}|N!VTQ#OrmsX+@LNB;dHU9EYHSWKDL*_B5N_ z?e4lIfmT7P)H_n4J)nvU;t(zr~i2O;ddiw5$0lyefsNu`PJ1QuYLQ^#26|eq+1_d zM0+C$?Vmk6{rLCx=TGjU>e8L+fne;VF?#kVLg~ya2dPu1#!{(FS`h!989gHQSuwXq zMCc;YN7nuoG(knxCwK2XSStXvyLUPme|$M6?h6`FM+Nb<*GG{7G-FtdQ`W7aF?NA! zRL4`9XTS9_{R${wL)u~tQc@4C+b2-Yq%wcKhtP7Vj&r+wlW1E1PrVj;?i*gfTim_i z1x=Mkc%@#i=7>tN(ux;GCic0{)ZSiJTJl_%SrPYK6K^r*E7ajPSXNrFEarppOl~GC zU5R-nZby-C=5mSeddLE0p~YOVt9ZNIacHifYItgcyS8^T#Fy)sXsR}kVZqSn@dt)J zjTe01VH<3-%%fZ(UsUr3o+_`@E2}bg_!h&<%-Zs%@lreRwpp%FR5f+>++0y5`8-~u zO&ajNTUM&ECJR_F5LhmWUMabjXLGk@;?^$rWo)yiLn9{R(6-t~R;$!)b!dy3u&-Py z$u^t6enC^`WacXCYw_HGc|6gxQdWvZ_1P#o59L2UOjJ{keiEX(uMddISh`b_tK;Y} z_#qK~!a7K!cnq@AUq1R-u}SPH(}dR=Z#GFjPPiQQ$esg5!8Mm6z219UAPIxVH%^5`e_f z#IC1UVnr6SF!BO`uhKA5Do~ClXSRv!9oQx0xzKco%OplGv{Icy)h0=PRw?Kf)2Tt} z93(e+RJ9sZjfE!O+=*Bi>o@`-Dyz(GMQs!3HRDBbTaFj9W4ro}4+lg+i`=5ZA}2aW zRQE#(<4Kopvq=a*gr;b^LP&!cTCu_1hNd;HzO|@8vo#v(wy#ghSa?J{a$=VXb>M5_ z_dDRs-exunaTyu{x1kqp8sZwW+7YImCSK%@-Emv7rQPRjizC{J_~85N$pNW^kgLf{ z8HFAML$~8Ny(Q0exI4sG)8MCSnwI$bG-?a8-o?>h^qS3K?nN^{=+5o_Yo%NNqaS{W z`(gG)4X+=>8lFIh{+rMDgM9zQ>veC~#aNSp*M;jfom{W{!HJZQPoPX3Q?8GUos`$p SI4?4gR~JZ%=ySi6 any any (msg: "Test"; http.request_line; pcre: "^/GET (.*)$/G, flow:TestVar"; flowbits: set, flowtestvar; noalert; sid:6677000; rev:1;) +alert http any any -> any any (msg: "Test2"; flow: to_server; lua:test.lua; flowbits: isset, flowtestvar; sid:6677001; rev:1;) diff --git a/tests/lua-scflowvarget/test.yaml b/tests/pre8/lua-scflowvarget/test.yaml similarity index 94% rename from tests/lua-scflowvarget/test.yaml rename to tests/pre8/lua-scflowvarget/test.yaml index d4ac6a513..63f45532c 100644 --- a/tests/lua-scflowvarget/test.yaml +++ b/tests/pre8/lua-scflowvarget/test.yaml 
@@ -1,5 +1,6 @@
 requires:
 min-version: 7.0.0
+ lt-version: 8
 features:
 - HAVE_LUA
--
2.47.2