From 8074d4f5f8220c469aff9d380c7ac0f22b56629b Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Thu, 1 May 2025 16:50:45 -0600
Subject: [PATCH] tests: test new suricata.flowintlib
Ticket: #7487
---
tests/lua/lua-flowintlib/README.md | 1 +
tests/lua/lua-flowintlib/check-root-count.lua | 17 +++++
tests/lua/lua-flowintlib/rootx5.pcap | Bin 0 -> 2976 bytes
tests/lua/lua-flowintlib/suricata.yaml | 12 ++++
tests/lua/lua-flowintlib/test.rules | 4 ++
tests/lua/lua-flowintlib/test.yaml | 24 +++++++
tests/lua/lua-flowintlib/update-counter.lua | 64 ++++++++++++++++++
7 files changed, 122 insertions(+)
create mode 100644 tests/lua/lua-flowintlib/README.md
create mode 100644 tests/lua/lua-flowintlib/check-root-count.lua
create mode 100644 tests/lua/lua-flowintlib/rootx5.pcap
create mode 100644 tests/lua/lua-flowintlib/suricata.yaml
create mode 100644 tests/lua/lua-flowintlib/test.rules
create mode 100644 tests/lua/lua-flowintlib/test.yaml
create mode 100644 tests/lua/lua-flowintlib/update-counter.lua
diff --git a/tests/lua/lua-flowintlib/README.md b/tests/lua/lua-flowintlib/README.md
new file mode 100644
index 000000000..9af9d83ee
--- /dev/null
+++ b/tests/lua/lua-flowintlib/README.md
@@ -0,0 +1 @@
+Test for Lua suricata.flowintlib.
diff --git a/tests/lua/lua-flowintlib/check-root-count.lua b/tests/lua/lua-flowintlib/check-root-count.lua
new file mode 100644
index 000000000..446622076
--- /dev/null
+++ b/tests/lua/lua-flowintlib/check-root-count.lua
@@ -0,0 +1,17 @@
+local flowintlib = require("suricata.flowint")
+
+function init ()
+ return {}
+end
+
+function thread_init ()
+ root_count = flowintlib.get("root_count")
+end
+
+function match ()
+ if root_count:value() == 5 then
+ return 1
+ end
+
+ return 0
+end
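Review bot: In check-root-count.lua, `thread_init` looks up `root_count` with `flowintlib.get` but nothing in this script registers it, so the lookup silently depends on the `flowint: root_count` keyword in test.rules (sid 1 and sid 2) having created that flowint; a comment above the `get` call would make the coupling visible, e.g. `-- root_count is created by the flowint keyword in test.rules; this script only reads it`. `root_count` is also assigned as an implicit global rather than a file-level `local root_count` declared next to `flowintlib`; the same pattern appears in `thread_init` of update-counter.lua, and if Suricata's script loader allows file-scope locals shared between `thread_init` and `match`, declaring them would keep luacheck from flagging accidental globals. If `get` can return nil for a name that no rule has created, `root_count:value()` in `match` would raise instead of returning 0 — worth confirming against the library's contract and, if so, guarding with `if root_count == nil then return 0 end`.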
diff --git a/tests/lua/lua-flowintlib/rootx5.pcap b/tests/lua/lua-flowintlib/rootx5.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..c705708c4496f33172c5891b4969bf08f0b55b4b
GIT binary patch
literal 2976
zc-q~TZAcSw9LN8+&4+Fce1KYzaeGrHd3*4oZ6^3MwWc`i@@2HPb2I0i-QBdkP}l1S zDS}oI*&88ComwhY0+fzmOk%vrM34_#UpI@|#Ufg`V&6zC|V*xez*1&|ZbAG7sz~a|nH` ztaW)Q4|zsi@8QE}NVEFm_gjQCx{QZ9O*UEZ@_8++6IyK+keMeMg}lyO=dY6yszQ!T zcOOuJjyy|wv}rsK)7?XP%!i*dK znnT2;XE-Av=j{bD5Lrwd#I(V5#PbC~Ant#imS`m66-CL!1{Xt_sYZtJn60$cKsNHC z#-ce$-?I@9NBam7fq4It7VW_^09PuJ&_~OGINh6;Xhiz6 z7n6yJtx`6Ng=%pp_E6mF(`-D2XUTz%bTt=g=0 z$g{RLWin#8tVKL)E22%AjJr@45Qi~QW!BEfv-T=2(MYT~ZX^@8eAd35)TvFzVR&M_ho(;8zoq@h2A|ZsW<=aZ0D=u~YUqm*R1OHcgCyNBd62<5wta%RTz&3^k8- z*<(1_}*p!-hqhQ*kjJqOtpVpF5QWAewH>(*GF@SmC%~vu^-9;;&@+{ z+VQDEK0X~yu70{6Q|F?&_^0rZQvGM30`XdZmRd$$&bTWj;~b_oz^Nc~UCDS4sDA-~ CT$0KF
literal 0
Hc-jL100001
diff --git a/tests/lua/lua-flowintlib/suricata.yaml b/tests/lua/lua-flowintlib/suricata.yaml
new file mode 100644
index 000000000..c25db4ecf
--- /dev/null
+++ b/tests/lua/lua-flowintlib/suricata.yaml
@@ -0,0 +1,12 @@
+%YAML 1.1
+---
+
+outputs:
+ - eve-log:
+ enabled: yes
+ filetype: regular
+ filename: eve.json
+ types:
+ - alert
+ - flow
+ - http
diff --git a/tests/lua/lua-flowintlib/test.rules b/tests/lua/lua-flowintlib/test.rules
new file mode 100644
index 000000000..6cadfcf22
--- /dev/null
+++ b/tests/lua/lua-flowintlib/test.rules
@@ -0,0 +1,4 @@
+alert http any any -> any any (http.response_body; content: "root"; flowint: root_count, +, 1; sid: 1;)
+alert http any any -> any any (flowint: root_count, ==, 5; lua: check-root-count.lua; sid: 2;)
+
+alert http any any -> any any (http.response_body; content: "root"; lua: update-counter.lua; sid: 3;)
diff --git a/tests/lua/lua-flowintlib/test.yaml b/tests/lua/lua-flowintlib/test.yaml
new file mode 100644
index 000000000..c711884ab
--- /dev/null
+++ b/tests/lua/lua-flowintlib/test.yaml
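Review bot: In test.rules, sid 2 gates on `flowint: root_count, ==, 5` in the same rule as `lua: check-root-count.lua`, so the count of 1 that test.yaml expects only shows the script did not return 0 on the single response where the keyword already matched; a script that returned 1 unconditionally would produce the same count, so the `:value() == 5` comparison in the script is not actually exercised by the expectation. If the intent is to test the library rather than the keyword, letting the Lua check alone decide the alert, e.g. `alert http any any -> any any (lua: check-root-count.lua; sid: 2;)`, would make the count meaningful — provided the evaluation order relative to sid 1's `flowint: root_count, +, 1` still yields exactly one match, which I cannot confirm from the diff. Alternatively, a second negative check in test.yaml (a signature that must fire 0 times) would give the same assurance without touching rule ordering.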
@@ -0,0 +1,24 @@
+requires:
+ min-version: 8.0.0
+
+args:
+ - -k none
+ - --set security.lua.allow-rules=true
+
+checks:
+ - filter:
+ count: 5
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3
+
diff --git a/tests/lua/lua-flowintlib/update-counter.lua b/tests/lua/lua-flowintlib/update-counter.lua
new file mode 100644
index 000000000..713171558
--- /dev/null
+++ b/tests/lua/lua-flowintlib/update-counter.lua
@@ -0,0 +1,64 @@
+local flowintlib = require("suricata.flowint")
+
+function init ()
+ local set_counter = flowintlib.register("set_counter")
+ local incr_counter = flowintlib.register("incr_counter")
+ local decr_counter = flowintlib.register("decr_counter")
+ return {}
+end
+
+function thread_init ()
+ set_counter = flowintlib.get("set_counter")
+ incr_counter = flowintlib.get("incr_counter")
+ decr_counter = flowintlib.get("decr_counter")
+end
+
+function match ()
+ print("update-counter.lua: match")
+
+ local value = set_counter:value()
+ if value == nil then
+ set_counter:set(10)
+ else
+ set_counter:set(value + 10)
+ end
+
+ local incr_value = incr_counter:value()
+ local tmp = incr_counter:incr()
+ if incr_value == nil then
+ if tmp ~= 1 then
+ print("incr return unexpected value")
+ return 0
+ end
+ else
+ if tmp ~= incr_value + 1 then
+ print("incr return unexpected value")
+ return 0
+ end
+ end
+
+ local decr_value = decr_counter:value()
+ if decr_value == nil then
+ print("decr_counter not set, initializing to 9")
+ decr_counter:set(9)
+ else
+ print("decrementing counter with value", desc_value)
+ decr_counter:decr()
+ end
+
+ if set_counter:value() ~= 50 then
+ print("set_counter has unexpected value of ", set_counter:value())
+ return 0
+ end
+
+ if decr_counter:value() ~= 5 then
+ print("decr_counter has unexpected value of ", decr_counter:value())
+ return 0
+ end
+
+ if incr_counter:value() ~= 5 then
+ print("incr_counter has unexpected value of ", incr_counter:value())
+ end
+
+ return 1
+end
--
2.47.2
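Review bot: The final `incr_counter` check in `match` prints on a mismatch but, unlike the `set_counter` and `decr_counter` checks just above it, does not `return 0`, so a wrong increment result still produces the sid 3 alert that test.yaml counts and the test cannot detect it; add `return 0` after the `print("incr_counter has unexpected value of ", ...)` line. The decrement branch prints `desc_value`, which is never assigned anywhere in the script (an undeclared global, so the message shows nil) — the local declared on the line above is `decr_value`, so it should read `print("decrementing counter with value", decr_value)`. The three `local set_counter = flowintlib.register(...)` results in `init` are unused and then shadowed by the globals assigned in `thread_init`; if `register` is called only for its side effect, dropping the `local ... =` prefixes, or a short comment saying the handles are re-fetched per thread, would make the intent clear. The expected values 50, 5 and 5 are tied to the pcap delivering exactly five matching responses, which is worth stating in a one-line comment at the top of `match` so the numbers are not mistaken for library constants.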