From c65ba4cc874f77ef8a9f0e58fe73780769ef525a Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Thu, 15 May 2025 07:50:40 -0400 Subject: [PATCH] test/tlslib: Lua TLS library tests Issue: 7608 --- tests/lua/lua-tlslib-01/README.md | 1 + .../lua/lua-tlslib-01/expected/tlslib_lua.log | 5 +++ tests/lua/lua-tlslib-01/input.rules | 1 + tests/lua/lua-tlslib-01/lua-tlsfunctions.lua | 40 ++++++++++++++++++ tests/lua/lua-tlslib-01/suricata.yaml | 18 ++++++++ tests/lua/lua-tlslib-01/test.yaml | 14 ++++++ tests/lua/lua-tlslib-02/README.md | 1 + tests/lua/lua-tlslib-02/input.pcap | Bin 0 -> 26545 bytes tests/lua/lua-tlslib-02/input.rules | 1 + tests/lua/lua-tlslib-02/lua-tlsfunctions.lua | 25 +++++++++++ tests/lua/lua-tlslib-02/test.yaml | 13 ++++++ 11 files changed, 119 insertions(+) create mode 100644 tests/lua/lua-tlslib-01/README.md create mode 100644 tests/lua/lua-tlslib-01/expected/tlslib_lua.log create mode 100644 tests/lua/lua-tlslib-01/input.rules create mode 100644 tests/lua/lua-tlslib-01/lua-tlsfunctions.lua create mode 100644 tests/lua/lua-tlslib-01/suricata.yaml create mode 100644 tests/lua/lua-tlslib-01/test.yaml create mode 100644 tests/lua/lua-tlslib-02/README.md create mode 100644 tests/lua/lua-tlslib-02/input.pcap create mode 100644 tests/lua/lua-tlslib-02/input.rules create mode 100644 tests/lua/lua-tlslib-02/lua-tlsfunctions.lua create mode 100644 tests/lua/lua-tlslib-02/test.yaml diff --git a/tests/lua/lua-tlslib-01/README.md b/tests/lua/lua-tlslib-01/README.md new file mode 100644 index 000000000..378a5f76e --- /dev/null +++ b/tests/lua/lua-tlslib-01/README.md @@ -0,0 +1 @@ +Test Lua lib functions diff --git a/tests/lua/lua-tlslib-01/expected/tlslib_lua.log b/tests/lua/lua-tlslib-01/expected/tlslib_lua.log new file mode 100644 index 000000000..53b60501c --- /dev/null +++ b/tests/lua/lua-tlslib-01/expected/tlslib_lua.log @@ -0,0 +1,5 @@ +client version: TLS 1.2 server_version: TLS 1.2 +client version: TLS 1.2 server_version: TLS 1.2 +client version: TLS 1.2 server_version: TLS 1.2 +client version: TLS 1.2 server_version: TLS 1.2 +client version: TLS 1.2 server_version: TLS 1.2 diff --git a/tests/lua/lua-tlslib-01/input.rules b/tests/lua/lua-tlslib-01/input.rules new file mode 100644 index 000000000..db7eb2932 --- /dev/null +++ b/tests/lua/lua-tlslib-01/input.rules @@ -0,0 +1 @@ +alert http any any -> any any (msg:"HTTP GET"; http.method; content:"GET"; sid:1;) diff --git a/tests/lua/lua-tlslib-01/lua-tlsfunctions.lua b/tests/lua/lua-tlslib-01/lua-tlsfunctions.lua new file mode 100644 index 000000000..32436f0c5 --- /dev/null +++ b/tests/lua/lua-tlslib-01/lua-tlsfunctions.lua @@ -0,0 +1,40 @@ +-- simple output test for some lua flow lib functions +name = "tlslib_lua.log" + +local tls = require("suricata.tls") + +function init (args) + local needs = {} + needs["protocol"] = "tls" + return needs +end + +function setup (args) + filename = SCLogPath() .. "/" .. name + file = assert(io.open(filename, "a")) + SCLogInfo("Log Filename " .. filename) + http = 0 +end + +function ternary(var, T, F) + if var == nil then return T else return F end +end + +function log(args) + local t, err = tls.get_tx() + if t == err then + print(err) + end + cl_version = t:get_client_version() + sv_version = t:get_server_version() + msg = string.format( + "client version: %s server_version: %s\n", + ternary(cl_version, "na-cl-version", cl_version), + ternary(sv_version, "na-sv-version", sv_version)) + file:write(msg) + file:flush() +end + +function deinit (args) + file:close(file) +end diff --git a/tests/lua/lua-tlslib-01/suricata.yaml b/tests/lua/lua-tlslib-01/suricata.yaml new file mode 100644 index 000000000..afc99f8ed --- /dev/null +++ b/tests/lua/lua-tlslib-01/suricata.yaml @@ -0,0 +1,18 @@ +%YAML 1.1 +--- + +outputs: + - lua: + enabled: yes + scripts-dir: . + scripts: + - lua-tlsfunctions.lua + - eve-log: + enabled: yes + filetype: regular + filename: eve.json + types: + - alert + - http + - flow + - tls diff --git a/tests/lua/lua-tlslib-01/test.yaml b/tests/lua/lua-tlslib-01/test.yaml new file mode 100644 index 000000000..1d504dded --- /dev/null +++ b/tests/lua/lua-tlslib-01/test.yaml @@ -0,0 +1,14 @@ +pcap: ../../ethernet-eve/test.pcap + +requires: + features: + - HAVE_LUA + min-version: 8 + +args: + - -k none + +checks: + - file-compare: + filename: tlslib_lua.log + expected: expected/tlslib_lua.log diff --git a/tests/lua/lua-tlslib-02/README.md b/tests/lua/lua-tlslib-02/README.md new file mode 100644 index 000000000..7e63524a9 --- /dev/null +++ b/tests/lua/lua-tlslib-02/README.md @@ -0,0 +1 @@ +Test Lua lib functions with detection diff --git a/tests/lua/lua-tlslib-02/input.pcap b/tests/lua/lua-tlslib-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..299850e1896c4765a5c9008cfa460943c2ac0737 GIT binary patch literal 26545 zc-qvwbySq!_XavMba!`1$Ix98l2Xzg(w%~IN_V%kAR*m|q|zW|&?O-tAkCfO6JPb? z&$aGa_n(XFg?VS*dCorjJo|a}dtjV?^Qr&@fCc>T3l;!`eD@mOF{N?^0puZ%p$9gS zt?uhkY+tiB`2j?LGyot>bRiD7h1U^6#s#3qUOHN*)&Scm2`TPFG4esUDu@jL00Y^FfbqHT^9IA zX3z)j4+~M*nRaCdFXrwZFXPzCoNk_U)=fat*bVMx>1ODr?Z)j!1{4Dd0R@0OfGxlV zU=6SW2mts2d;ng+Ge9^X3=rDQ+0E9?)J@lo(G3U40f+#203qG%-OSze-89`e-AI5U zz;i%8AQxZ>Nv{|{6u<@G1aJVrfJ{IJARUkfnT`}d5^%qpqnovxvHM;(dN(W}8?qYg zfK-4)H+DB703Uz@zyzRmqjkdokO2sQTgXJXAc@8SU;zN=o}Qj;mX3~=c8}T29PI%p z09Y6RWU|PRe~5Q{TK{teuF4`hZy@` z#BXsR04E4=cl?S7qBW6)A})mfUx>)R%o-mC24D<9(uaXD-5K^eC)(a(qT85#uxgo^ z#H{M}_Db)Gl(N>t2WnD4N-bi%sd)}MF@ThlJ!{yZ<0e@}A9g2&N>2lkzvJdN?rvrP z02f+x07!L#fKWQa0bn3>h75v{g#y4x17IWrV57i6u;Jh!7{~lO{$l~!m;#1zuRgV7 zgI?u_b&wH&(cqDo!eqm~qXB^^Z~(9j2MQPo9!3Ke9tWhM&Or^Pgq|Sd5IwjnXUaz| z?yhc>>W^JKtj!*~QYtD+a^Qfmpx40QAU}AdPAMrt$sx%FCMQ7SR4)EP6moAuyg8+>8*V}$k3$P9t2Oa?u)2Ijt2#PGbcwxvd33saKAb8kkNx}{+T@x2x|z|2h;y^4hDviKxI;po!!yQ)rrl? z*7|P6*e%^$In21g9RFSj3cL6Bh5ugT^4Q6d-R!Z8o9o|~vzb430TV$Jh6Rfa#tizE z094SIC}D}ggkVH?c*{UkAPBk|$dDmmfiqqZT?Y$8FQI_t0Yk>lXU}I1WBz+oGZ#D8 zU&CYfHkWwh29|zeBxB14xd0plg!vyD#32HYVFM2VUjgm_Mz79;Tmb>915MXFvtrNn zPA%VTW8|}QB?CJBdjppGU3mI6`QoT@S6TGL!qP;IF7#)_YMl6&m* zAa~=me>COHmdnBgQNpp*taRZ7$M~(vTDWm&HQGm*CUVOYr?%q_5-z4K#{oP5aM{2q z$|ZyloRk2$7%ZQ7PK)Yl7nO!;A(i02v`~^+$7WpQY6r+#!hGVIMdO+AbcvL<&Fcl+T99okM@0l`rgD_HgwE- zw+)wK-&Zwyo~o_wE^6;@Uo4~z&>%L2Pzmf~+oBc?2GFSv=NwnOG~!&aoD%ij>Bspn zUa5mS$zU=#M(-sq@XNy4F0^v6|5%H}fV)~0`EM<9Li4wFHXVZVKMfUQ4Y7s5;=UPmAyY%h~q{|*UFN14+ZgV+zyCvEyj8zq_$8u7t zgv}R1xL(F*)B=FZ1P8&TLR8)FFI7ha!L+OE*m4gLo&Z%WepU1b|L+wY7mWRvG^0Qj zUCq(ajZ%%{PSPRz&A|nRd~tI^C7ll}aCZhh{r}85f`HUN&H;EwO$-3!d1MfjqbJW6 zH%+6-`Of(6$NSrbk6%6xx_7|uE ziEZn)7Pnn3MGLDWPd*Lx8v#tEChj()d!Bqk1j%27*K^*tzp0npVJm&`wMGidY_47+ z^pgZwHi@LG>2ygNM75N9pI~gB`LQN90v#+`*|qOmwy$4gefX5b0C~ZSU)@94ytMSM zv>b?2Z?B>=OENm|&HJaaz<qnGETO8DAB4&cr^p=CD(|r22#?=_rxQ?oUtlEei5Ddij z3xj|Gkc{~JY-PZ(zkKQ*EIt_be^&PIBhcN#{$*;2V0g$6NbB%}wf*B*0xs7 zOy^9@EK48Cu4cjV^&kSrSrlybgKg-8b-{E$*aq?cWg9M#Uf>7Up#8IJxNzK=2KQgG z&kAM+Gv?Fh-wUJppX~pF{`b3}ay1*6y_gWHBnTXCS` zO#R_yuY>>Cp^f8UFv;9#gi*L%cyl>wVOD`@a#G5oUX=wA3Me)As$mn;TGacUjGU3o zvPA7{y3%8AKmf6ra-N;P93W6#q9~CnD2Vv5P)d(U1sg}{wL0&&`-s(#E@C~^NzD1_ z36MIphe&(`SoOY*PVc3Cz=i2TQm3WpL51~7r#mt^R9CycA5CJxEQVLmc6*w&8kh-$ zcaGp;p#8Mmu|veVEc;GGCs?)Ktv|=7zcx&-dYHR+YIr&jD+N$+j7<%^s1J6oj&6!} zrLE*s?*YV%VcqEO@g`#mbud<~3<#PE*_q7;bm>5qlIYLc3%t`_;s0tccOXQ2ReqJbsViO=)91Kv z#de&5TrlHds?HhQtw}Kk4XWDTUnOk;Pjxz-v#ymGM#t<2@IQW^n32gUeQUeziE*9Z zNJ0}#hDkh+1PED@ntJX|Q^y^4N?B86h)K4jCIiT+#h{>aQa#E11b?M*%#6 z&!H#Im1{uq4n-TE*eHm}qQ;esvzXJ4vnF<_m*!T_SLv}+C3BX@=!YfySk8dX)VxHq z_Ov#Gmg8k-L#DN_Fx0h?j|JnplO9ipj$mNu1?%8Hz-P^-6&wsGp~DT$I_1l%bUg2S z1F!mR#lNo>vsLx@695j<1;d#_ZVlxBG7wD94m7(DyywJUs4#jDw5QO1^$@Ker2W1$ z2N9UyFKNeoVCQIRVyA9x=|Jh=!Rl(lfq5rLuqZePceWuZ!9jA@>OnLf`-hAFe(`Tl z;pGtcpQrGHIUvX1p7Q^hc?E&~Ybqe9semA+0;$_ZEKn5rYJq2#(8sQ1(WaDAap8jN zpmSeN_#o%g(`f(8tq<)sY-wqQ(F*6xr?uy!A!N1ZeQBS+wj331w_`^bmcCG{IHRF| zS5%vA_F*=|?*Q3w$ExJGU-to;5+>K`!&;oeK|(u)-7BQ{#T;|Sdo&0I^^+oO#!F+9 zNa1ZGvIj~%J>JhE+gitTh-RweY7lC2ISzwfcQ3M)*xM1IH_Z9b5lh2})OZyoGrYv` zr&}*Wyh+^>wn|pt4;FmJjF*b^YRNmA&3z_&r&QBCE>+p8N+hi(B(A$%yc@L=#d!=aAchG&E0Z#1TBe%t(H1zdFYE(>Beo0VZ940E_y!Vjl@Uhf5 zX!OOXT>Y0kpWqttr<;-$rFMmJz7c^Jip96@W8aJ_EH%v4#Y&HPbnl5XU#nx(l)e{2 ztBrgP^O@u2u;&-Yr=l~93DnpdofmVQSD0qFsxF@mX7H0b7_GRz3R>(UMA9wd%xXP; zLjT!N4j1qo;GbDW)mUDeQd8W5hL5!{U?(dqzT}6dJEAE(kp|cDPGL_#A-h)$su;v6 zf7Bq*?=~@^8pLk`(IBHAG>8eR8c;;_lt1ndXx{A){IZ9^Z}OY{fjbSF)WC6|t(kGY zIDXwayhn0!6DTnUNEZRJJ8{DZAO0;_@V{b1`vzqfU$t26%K>SVvVy5*fS|7FZ> zV9vkn9Af5Rh?(cpgi-z0&VP819a!iuGv@|#{vVc%@;`(Bpj>_ z$ais1wQ|?0>(!v#wQlBHAWdaR05d2$BW*{{Cfa>=;Pb1Yv^;HDEp(oOHR73T$KXK6 zuhC;^)!m^?2PaSlY5tj$Fn633{4Xa3RUw?T{2eFVA&6E$z}@jHCxN;q+E7k@5c`>v zf~x=cBGS~)oP21Fl)$=d)%=>-b$fdLin^PR0>y$%ZV#jpXSvKdJ4M&!v?_9JX)ofl z&i!na^Pw&4Ue;YOZS3 zr_#ANK0g;du|_yw{^!n}CyN2cEie2*##pZ_0rnv`j$!<{Gl|XFCxygeiLrqr-#CE!uvRnD6_RP zh?>-JAy7ad6p%rY@`a*BCLxK6X|7JWPu!G;fq{I?FnWADhJh3y8%rGz=3+7)6i}ihdVHDlx*{+D`ux#^pa@AYuF)2J1gzaQz(y*%UbH`K{lyIHj6= z9{y|<&0 zR>soA-CDVdbFHS@s#7p(g2r3`i8&k+Z}{(G_98~Si}~Q^n5hl^P2JIdV;28=Yzj*QnVeXi4ww*|I6;7ciGj&TnHM7oDQ5 z4#9$krCanvSijQB%S7*vR%E}>>IF13D6RUD|D}}%bXD)d`kPO{J?>(>`EcfECCfpA zMAHToUc{r~LEhoAkMM~+xW|$P!>*34>WyDa@55=L2uZf8^0$|($i@q)LBsNZgk=Q* zvHD%MbcvDfh=%@4ww^;m`+AqHseiM@1`Q1w7S-R`qEwJGJPs;i7hX@*Om`O;jw?|E z1TwDNkMe_#8};M3zotXiME@=wLcgTrD|BpVI!HHvN(bxRxPPYuBodAPhL()c>Cg^y z`Q=E1>lT=A#m5i1%I|%KCt{eUxR}VU8D59%43_uJ9 zaCiJ?r<=pX@NTEu^tXu6o$eR^BKkrRAu|D;{XG+yUH(_@5^+slrU`CG9MAeiDDVs# z>n}L&0gE(}f^ck{4DZ7uo!xdyv@InGN5mfHVKSZ5c?fVPB$EgneNQs7{A|({L6hT# z(VIKhW%nKp^jy&Qd9j*}i_1{dbAz;?D+hD5XT81m>ELPBslf=0;<_f*urstnP)!E@rA7JfewB7 ziHdd`>Ar<~825I8M1qMy!WyonUblCv9>&zXL^DLTiVQxznbY$$;Lf456{Dqg|?@cIO&ndpS1K))74ZK%>_mxuWeSzT)=}jnCxUu1cWWIbs zjjK|$mI#S6eKX_rBCqBvPt`O|_a!08kD<;T$Xsi)1wG!9pgW%Wt}(XKCEiX9?NrySMbmFaa<8_F<$j#H$EO z^{)3$TKscnR-;25V_K5dSQ$`m;b5^e*p_5+`6+@wzTY-qa>G*m7N6&GWptpWi<|cB zRC^N7Ip&F%>@p?sXiUPq8;6UXx-f$MM^GG>@&cJS<{O^P%E#N1n9-?>Yr(8I&xFS3 zn2cZeZ9<@kCULIiS zo%vnh;geqRzn;eWp8YXvF21Y;)c|Cwsqn;1bk%_Gr-iv}6TzDdyzozH0aO;0Nah>`m#RWB#cykN|+!UWP z9@GaqL1#^R5lrXenufg zwLZoiqxo8RY>D*voY_)DgwOj!%Z?+PNm5d|%gZ+>c=rQ#S_homo-R2%pGj{K z1!lT_=_gtgFZ*uvMKf^y0Wn#(;~b)%$C=P*)*cM1Mm951-Tb8czATIw0{hel18l=L z-bpE0+w)lMzL{G%S2lqi!Cw3E1`Qa7%&F&CU%jY0N)qa7@Oe>{Dai+|+dqB#nh4Ie zSG_bNYW3t^4iIv`rU4MjuGVxjg1!>+e=z-$AdUZMbH~94L)hSGPt4yyll<{m;C!F0 z5^s=?U^mKKl&-5+yGbs*$IBAXT&4L4+uShkTe#=?Sx!o<$e7V79_TS02`iitsG`#X zM$#WTWxP*=>9Prlo@Pqz`Fip)q$YT7bzME^I6}&O$$no8eXHi!Sq}5lm!;4*UhRy= zG2h0o9^y1o^4=;A(+EP#f#y1UHeHRE89`PK7FKpJqAn;^#j>)f?lm5pGCNF zP(+wJ!uw0fuC&3dx~&4AA4GrICFoIob}eKZzi%SP<>FW*kb20>x4<7JGPDvcex%K` zg8ZZ+1l zIZX4MRzgYk9MvgPg??5KVfCL%UWUMlzPryqvOQN#k#BK8p82->F&xp!$$gssu$GbzL;L;of&}VE#B36?Gmy?YF>0x%c+DuXa5;RRGSUrvHic$ErK73(LZDGdcTGU2H2&y2 zR-NaKa=%uY37IIBy9!&~%YbH{cCs~B!h4B<9E$A~i=$T_PA}a=laq{-atuC>xZw3_ z_@@yq&s>qvAGN=_M$kr-OMiop>Y}SPCpF9QQim|#`S(mvL2#YI^b5r#nOZE&q^czFPcb8y=GplfialtncGOH{ZI>0$|IyWbP%7 zLQ;a`c*?0pS;w`t2ZNiLcGRZjL~$6`>(pB>|Owx&0LR9F56XoY}uO}ne3-B^BH!-%FnW-qA=Y}~j zdURpk6Dj9S-9M?`7VuOVL=Ao;+PoRD)2LhdmYw2}eeF@^(LZ6Eq>A^Xy9j)x0F|Eti^^*lFS+>4C^=8yrfO+u|?wEW2xc9{=ndQf2=%i$83f{l_`r zrrdSD$Ly_PU~7_{c*zJNoE4Uq$*>LCrK;}|kt3)|dS00mWEt>BL<3dpraCwaU=FV~ z9P|8`knQ8sgd44>4V6K)t5F_?YASJJVv*+#GwN`#ffgQ=ED0aquG&sHw<-FzpVG+$ zB((>Jb}Pj-Vq(jw16Ep_&cIbX3z7jwsMSego3kBT%X-7<_^@kA;$eD#&y;j@{<1|) zRQd*5VdWu7qEUj(2%fKFnLM}4;5|762Ivz7L9MXtm&Xn%OR8`3753^pk2(G0@$yI- z_68Hgvb0&zGPhgz+q~16oEfC8O1r*3f7ymwUNDuJ$g}S-)Y!T?uyo(ck&ZdS48P;z zjY-7XoQMd)1j5*5faX{u!Lu9v67U{7LeSM&?nocEswbB?8TwoEID7Yrm{WGka7UtqPXg{gl$cPD6W3{1zz^zrbI)$P%eg=zS^nF?#$QTkfmf13B}i z){z9$ORjVC#2#VJ*JT)BHILVO)D)DKiiPhNCL&qm>-OM9CWlj&_5hun4ZG;a6*(cr zVSLT#N8HxIg7PcQ0+tz6@9Z73De>NOV+$ZJM z6rc4L2OG-P1U~QQvu}*gl3Vu@_FR5IX54oL8n%r$$18lM8y4tg7Rp1lD(6}p%7fx4TST0MG7 zn7-^%S=O!}pWHNrmzvC0SSWYxzWQgu5xA|L{3Vfhs&%yWiW1lCIF-3FoJL5}y#x_hMWY2~l^;)~e6ljQfUeqNoja zLLc!Rd{97hNCkqeC)|fc42f#>yxd~m)}9KGU(!c9a<#r~iYjWQo@IW(N8G;S=%=T+ zuAdPxbl^)&!zNlcO)3EGQ;3{z97n2xcm|cGBmE32Db0D5Nz(J;99umMc;)elx|=PI zVV_g?wg%aXTJym;yE{MS0(|$?m+^R;v|q+at-YPiwx!yh{WfIxX7@SV(ilm z+z^9rk@|Na`n|>oy)zFbJy8>bZkyLTA7g|$l%va&8`hXyF8saI zyfu|$V;LSDWP68{8}h0FVc(Y5lY4#-71b-3*9R(Kq=#)6gM>h`MVaIAxjJ1AUaTQ& zar?`DR32>FXTHkJlZ8vyb=8eaFCw{KXl1OOG1VN!r8$9mS2CWD~Upw`BZ6XjzykBPG}XYj&XHaCFJe4 z=1i)HUlqjQ)L#^TPQYtQ$m1hfa!Zi?B&2n%f`PHJZ6C8BJj9rVoDdYD)>llyX2@XjY?i1Kqo*3+rUr4$)xqqoi}!h;*rP|G-@hP9 zYS1QvEk$vQ>f$v;bbR~Hn^4raL47;n@$$l_W0b-rMW;ueAHvAFcls1@5=vF#bv?T0 z=pEur0|`c|8_)ZEUDU*6-+&+55QX zUZi>moGBqnqQ9NrBfvrApm2To)qfMLXq|$}7=_N%*r;6~zC)S9rD7t_h#qe2vi$i$ zzyl2`&|JZxWc1Xl8uDBd+L@YD?r z?c-oa_fVjrQ+JQ!BvO;svy^THZ_h;TgbA$X@rMr^lo$*)YBw80zJEr(bVj$4au-kV zFac6}e(1?@<5J`nM8#^y6IUW5N}8!5KBeM?^ID-&KFL}JE81lS__9mFO{c%y*Q{F? z9h>*SA#jiAC{I-GL}pzl^~=5Q$rp-kYtkgjlKeVawSMkI$Y*xSH?oM;qcP@ zs#7f$mXF-}#On5yC5Z@{+#350>TILqXG@hcR*)HFN_pq|k|a63HMmW^uFiqQ>%)fy z1xO!dlL7o<knrZX2lt=*W-sebKW-@XoDSbgohv>k%Jmy?QB~ z(p=6QCGk2PMng$lPlEi>jjLBjSvaSBojlm)}rHMC2A2h#Ofi&Yy?Jbk?hRT|eAK5ms9DX$}KK zZJHqSi0on-hf%}b&lF?N*l1!0h7d{CyDz~txy^VCFDqpt-9tG~g*@OqkSeYPNAkUP zG(3pyefVwqS7f5DiR@`|pVbXCM_3+PDH1awRZ5Zd$IoJ5LKoD+i(QJdi?&0hQS@Ag zCgp`?Mipu61`I@ktrT!)^l?jAu(B@>$70v^QCDuy=hUnl!v%?(P2#K8zH0IisYR90 zH6U*(9IYN2133;l=9skGQdnk#ZV86@L$ua4g8-UQ*Q`wBjfrR`etQ-_ItPNR%ZC_> z2cJayrIz5mVf%}@m1Nv2-+i~uPc7O7U&66rPxch8J+@q#zljj>=UKXJW>KRe;Io>H zO5D2%7Ysr$D1~=iOT>R}J7(i9HKojN330_=Xw6vqBc2$e%zxN89+^;rS6 z!B|&}F#Budu0p*CUO}nSku&%vRALf_;i8yMCRUm?rWty7i9G!M1(i=QB&73=&Pvw$ zeQUa3V44suy6mX~$WT9=+YwW+c{Sa@&$^eE3u;WDvRttta}Ow~!r1F61Y}m4-r#Qa z%!^!7we0aNjE;P2$XDm33lTbzoI_D9g|jT%VJ}I^`kZ<>vf}Ycb3N9azFR?Lx57>);Mv%CiATmO(8|^wxkHfM3==)4v;X~S* z+Wo0?S#WMSh%Q+0OCN%mE9;Qt9MRLr;`i~-r}b+K>p=TSo1gZ-a(df|<9@yWA<=a& zv$P&Re#3H8>^RYnb32nz)K>xSf0Pk=-9Zy(h_BnlLoh#ssD)SLCHu@ry8S)p=GZGi1MQ2jZ~=d?~VIr_`aRYz*Y zP+oyrD+lou>c^1olJCA1VrWNCx=%y4&{NUV%6lVvX%FKME+zMOxBFo<812NHG+!rN zJlDy?j~*vcdv^IWFO~R$DgGuiLA{K?Qfs_O86|s$q{g$VJ@?2d<1jVFS6+b!r;yXQ z=!gT3tfm--!S1c3m3b6UO|Gt~Sz7yZ7g_`E)pr|QdXu69#0$To?b6ZH#=~ll?ere{ z)`wp(OlMHeE{_Qs+F&<@Cb}-JmkbwFo^JTHrA5^YQ3MNMPma90Vx(yo0$s^Vt=PUo z%NDib8s9Cw67jd_MxeJ84oyBiZR1GG*p>F6V<9uf-^H0X|7>V+GPC#YiCH(lRjz?d z2ggEJGYNXgp75jHsDNwI52;q_PpH+?Qwn*b$&N79^|gt2QkH~P@Gs!*eF_^_6CRl8 zEvrCVdI^v?ZruAcFG9D(TIL{xKv>xg{AjHHz(;%Z=43#Dh4{Q_r|Wr@1Eusc)Repk znh(l!QivjRIy!Jw9WBM`iANf0A1rT-_ob18_poA#2Q|_rH#yR1lyqO3SI>is1o2CJ z_?!$YAKFkkS#|~@V2l=`Ni`jsgn!{MOrN+B`kVp0;WA|~t&CP1%&a*E^7|GUT}z$i zV?7XkC{bNJ_pmNh296+T?kHuP%Mz{epiHuDR?ncSZhTcLadPvZbn|_(_N9}5i4qB3 z%WjO%jy|3#>+HQrqL0m*#`hBN-#D{ee~`T{_200sJl65qz8yl6m788SRqO;-!eX(( z*SQw1e2^TOTy7#&^!w1@Qr11S6}hO~?}76z<*S^O=Hz?DF{IT-S-|d`Co&q63p^2- z^AnJL+$kU~ruCrO)3br>N9RBUJvB^$?SgBBLm>DK~|$|uirg?vA2gb4bU*}qW6)3x8|t2fddbfV0u zEy&%I1m#*kJ=UwcB(>oWvou8mEh^8m-*~V(WIpq#m3@+KCjd|jnWpZku3zdkU6kVPm#-$VSN2-CYErwCp2Zyg1g&&G`h-KiQDQ;H23q)m25BvJu;K*B; z+9E8DVVeK@CjiHAhULeAiUv)A+!rviEW^SjJgvuz4MU47rJJ0qdKB4|S-KDF)d6M{ zFK;cA=u&*LS6{nK>0jqiXE=u1KcKT)#-DVD#m7!9H?KH*PEg%qu8!QX=kh(&I^V?L zlVTU_GKG>VoV}o~;Oe+_;Ok~cbfBvR3YgxsLFI$+?Y0)sTR{!Yr3h6-8 ztBoNGWNMSKw(wg;GPL%6V!5aO!A25TFVK$58_F_Qg(v8a_P= z_?nkdrQ%GF-F%BLzgeQ33iGMbwduW0FemnGSExI=iq`DbTBhVLiA1ItvaEZ6p#wZB z0Dd#u@Qu%`5zN7VmZm7J_+;LuKrntj!NLZt%1=1pLAihk{W!1ZGbL`@l$H#hIhwVtZI&d(dXLN2sq?*q>9Avuf=-+KT}WdX9lF5D-+IR*iscgc;H%7mQx=mS zDR=Ly>mitB6f_h-jYYWxnr!3ySDhwrfcJx8YoH7wkohAgG4D9Z`d?1!oIyCb`a4c? zLlBRU0C&f)oJ3kP@q==5GVW(i>YV-4_hK9T%t;njMIWZ>nq9h85k7M5ftkuqpg2QK zQYHmSqzCxkx0XCQYWs;fL7h%EQO7NAoeB0TIKI5B`6GBb zL8kq0dlG9HFCNebG8?V--Q%ZHo935-vBG-7Y+uM z)|anD5FDV@sy<*Bq0)llVm(8;9-VSnXuq${fI@Nhx%MI|_!xcj08c`Gi3Bz~myDTT zX1M*Kq#4-uy@J;An%>)E@9%XU$G+vDd-yEp^IVzVT2xZK!j^F7kHEyiAFc zm}L)H!^Xyl>qK8s(w-RejrN9m8Y;_LnD=YQk9Q4-3<}5 z!^_{=tBcYyK3e1UO(HNndT1OljD{a(lV?AKg@|TB{-w3&hJv1J%Y1jsey00*q(+X$ zf&q{G*ZG2NQqE&W(WT7Kgs?!^(Bj9t@d4_snq8rFr4!=A5elD2ih+yxPimodCKcceS~#clxt*`8zAGHQeHCnB)}hV;}z+@+Hm!v zAO%mGP(wspq}7s>u1aBgITep$CAa_n!Kgnr))N)ou7*Ni)aJ@W1g>*;33s2gljRIxc^bUlh^gGY!u!`R+rgHLwFT(+IfE1C3rJ|IHtY9cUa$2nnb`}F zh_e{V%I8|*DZRzd|GtrY82Ca{uAN^(JoN^o=E?l#KdGOT?g=Fe6_=&~~75Wg8&^+M0Ln`BAS!MMU{Hlk3 zK*BmHMoX9UBSxu=$<0IBH>UnMtUMz8F4eT%H0H6WLj$A!gerlw9Zh(B1GnK!^u~IUUrm=G5oqo~ZYp5#3U@FE{w%q_ z!nvxpG!u}f&)!-}V!8xyhE+;2o5JpcAJD#B^C5ia#Dj;O{l;iGGcP}t1P6(`037uc z&Q_AI!ulJZmmy)2CxSvmF0)WHKx4>)*|>HFyslUtN54r~j2 zn82y@aMfqPptq9UY>b|{00uLZ%+f-2o*~#sG?Azl^Uc|NQK8dG&s@R6Xgv;?M!UH* z2Wr!^w1EYNA8EO@nnGXAfnWl@$TIT2VHt%X(mkTS0fX%k-&=k_$)nUu(4Itr!(e?W zD9tsSZEtjv)2dn*X4rT|lO?;@AQk!i_2h?*85it{Z9T1T-i4TiV!ru<6yz__P8w*( zu<8+`0{I_~90X#??NzFuEsz8%t{|?yx0D)9APn7|aw~d^Vv^wGIhGVnI$*l;qN@fw zp|p5)P~_CNu=w4=3e_ahGg3$EV&^PU+N7fuRgcwhl?s*$YQ9fr zs7%zRJSrIXvQ=jLTSGkL+7=16Ywh1zQeTpG?kaDoN^ux7?J6Zw%5$cp@k-J9E zZaVNdG6)CE*|STKGl%$+6)mNu5@JO0i&DO2R^qSE?=LYB(c>hzNyp-KTEH*2-8yJ- z($5vlJ=H7y!XrS!Wml8q&g1{pd(U~r(4cZ8K^5~ESm4H+XFt=Q=`6V=@M@1(*qxaC z-g{i9nlR$UzzQ~$kW^ARS4OU6egJ}loN|?dQFVEB5{|bndM9GM=ivK-<=QPqCX~0c zmH|N{fzRB$=qtabahz$rh#KwVjBM&5qn!chM$Es*c}K(A7Xh!d%{Gf!YZJ)G`BY;h zpv^IOw)+L}R8q^>@;C>MreQJPq0@vx;+sh;=~s>r-W!KilM)GdWd1=0i#}t8bFas1 zwFp7R4TA5R(q40gt!d*+6tLN0M0cP>D17rzGQa5&zHzkl(lms{h7b2!x!%H=EmE<3 zOhZ+EuDsK#HPZmcd%LZz3Ure&?{q1t*X~zO$V8j=?p1`X#AJ_QY2_>+yxv;a;OT^hCQZqAfvy+aPPP$25YYFgqKd!8zKJ7q z^T@D>3F(Y2z}z9bB=b9tpdL5bcvu)GiQBOKOi{|yo;7J2z3-`&7O@Om)2n0T*7F!+ zh5dT0S!#_M`u^DCzSzaDSdq0~N>an8nypxlmW`b+I>o%hsk6QD@SSR|v0f2_6`G3) zBJt0Y_Uq2pcBWom9^Yne#CUffZ*hY*Q>>-yMG)+ZEX$?#2JF{L4y!tpX3L`CJCPc1 z21DrE+WW0Srs62*(pg7+7FK;bNC;1?31&)f(H9qjF z(v$F%EKq&*PNZx_sE&A)QFS4$;BB&px$?>*L1JxppV`a{*yvG*`YGx9XP*^<#4D$G zn?G>Np)XEOzg*1iE8e1ht;eoaJN7=apUiM%Tf3L<7Ey3WO8J8mESCcl-F#^LXy1yZ zyMp<8#nC{`EO5YRtC8%LH=D&+4=zHPajHscK4xFjh}l; zv$B7B${#+Ide>8uTb47*s7XyDDGq9M){ctz9wKYHN@ZyIFhz#qB79f;X7B5ew8_bP z=rnwC^Ja8GmAeoQmBkj`9^6p%?R@T1*C1%c#VxlrgEynrFE}b*5mwjulDz&+_cUVi zw>Q~m9cnhZpZpqGZ-x5}@*XjMFwW^&%6_nWYNAm_+*xv!<%{4}jRS5v??}c*+6s}x znA;PkL8(~teLO!H<>%r|i4qs_E{p-B{mR;CkdY9*rKINCu6d}}<&uPyDDxQwuIL)o zk^1mJRg6UeeufW+;yY4eS zUYyU2WMd;FH`yaIO}D(f;HA;uY2ftpTI(tzu|dwH9W`dE-P zOSzr#gmuxJcm$1d{njoIW_hZgW^6yIqHLy3*zv?Q?z33r9mEuWcEX@CEtMfs?o&8! z?@CMp;xI+eRXrk$nw+xle25%Vlw6;K&e$9j9U>k7EidXytv4y69a~sNPp}~D%?w7- zMiF}Jk~F>B6GX0!aCG(WYvIa=GZCKRCFe^1k8dllMis0Of1VUQH^DK*MYG^a>}yBUdE1P1ziI-5y!G z)VR#B{B@M4lxqb5IlHmihK4<4xVKhKIe1)P3Ms<=N0)MeuNF)~W1lywBUe_~Fum2` z!2WIuv{O)f`?O(qghI%)Smk9j?wT$GX5tb_^JHYP6NS@Hzvn=CZg*xdAtj~o83i>5OFkMwccTSDAiE#OZL<33S8v~;@r!Cze;-l}0-BmP7(sSQw zI~2xIlBa_)+Af?I)6SL^9>{&Aiq}hQRPc~07t?q@aq~_3cAyKDcYvxno-mBU3*8~+ zRXkz-*}(|;79|rOr4FL{EA%(!h$brTBM3H8 z-Sj1N8hrd&hMa}ajG&6q_27>hgng$$%>UIO%V!V`BK|>xwExi{Oj(%!{oiW8egKfg zB>L_HfC4{jkma*~_FDYKe%2tZdxO>ZpF^*%2G$G${jX`COuTfe40X7H;}YeUE}$(u zm`cix?pbM{suq}-dLZHBV`TaE63loX$LpC-;U^`7FC*cs&x8hm!*y%?|P3>pk~Q!pgfj_Emo39{F@l zHrCO`pc`R!Fc_Li4%t8MTE*P$T8aOhNvnY0>{|IlGnt0~Uv0EFaXqUa_`J(pBKCQB zbpHONkgw#dV}GYmBv}+E&+CiZm*7pemp$X`ZiG@k%@H||SSi~KUZ1B?qRQ*5E1F|_ zqaI2zsU5ep@=uDf*tWSQc^7-M(aB1!Kh)Kl=g;jrdh4O0z~+(C+13{Ka;;D)E-qV* zT)}9h^%B`PLg_ujQU{V-&A4M{EAf>2lWHspXWI36d>$DD&9kP{dQpd=ddcRGvj)So zgG{v138#BRIT1m70Pbe9XZ$SJLXpQQa5Z1>%VO@=H{W z-f>O`51mP6-tF3i(CU3YceDvI=x)Pi$M(v2;~*;D6@{u3qkYa0aJz;;uSwadZP$e_ zar6K5an(^#?Q4{f9=f|>Xi23TVQ8d7Qo1DvB&DSrq(+*dgi8-8NQu%dDP037CGvoE z-(Ao9T>f$X-TQps`hNSI{jGDh(2m0#bOR49mHYGJ7{iVeB_T;<6)dcDSS`+8&lqXK)5tOL5!Zo^*MsaqnWTQv$Du% z2i7FEt5U%%v#iUjKXNrG8Ne~g42=gkhjXi5%@_J|45^AoXfFne(+M}yD&KU^vfvgI zO!m}#n#coPa~|+-Rq$E?U^;31KirWrv49h;{nZ8cJ0`_Ho^Hb5rSsjLZhP0;31a@; z>DIhOoC6@-U;my-z_5Az-AsN;`*kMmUH|)rK`j64OulWY-Xs3-NU&(Y5qVEGz^T0z z&m&Z72P-5BUn_N`-owFruep*=QuLwa4mh&;1#(oIS}aigAZr+da$%1Xp%LvJMc#aN z9|}C9UbLP8)e?%Ws_GVn1`*^=0{{dk_nQ?$;SOv8&RFP)O^dNaNi(hDrxLh+cIhEP z;&Zwy`G&15ZW24AHXq>?k>U1q$V zK3*h8D7n^p-@=T!2GtfvAqYnr15k~)naOkJ)D4vlPVPBsijsQivniEU=uciDo0!!KZ88l&f zw(+ILsavKVK34;9tDAzigN(fA4e)N~PiI2NA{!an_-x~o4WNVgOrJVp{rSHF+;u}L z(99!XM(BO1yi78wI#EyZMi4+)24j^+2ho&!4ll%QJ;GKNPKQQ(#hUKyAb$ z--9aQ+O($Jz9;37+U4G+P3(tMy z@7=C9hgxf$#CrkSHzphccv&*Zz|((p?+xukv<0V3EwfhXeS8SVe4+1U7md6qE}(Vs z$}!10zVLXbz0HwXUBM^fI9EIPcv}_EInxsi)2TYYfg?Yi*rlDlhGMh8uJH)FB(8TJ zvJ-io5rTL#m{s%;6QpXn$WT_Ip!k?ny@-fzyu9NjWF~Eeax9Ow7Qxbv7EVFRn`IlA zhP8oB;>jLN3xoW06|y#h%@O%fWtuW-r#_Cl7Gpllfc%8j`44uosb4gcNi-U2>ul<#vNxbczK?JIm&rAPtTDxS`0 zMfbrDfjM?qtByEWliUN($W6z-SZigE**Oy=p0^mxFtCUJlH?EdhU|J}PiDBHz_CG$$$~n|-%`*|^O)2wP`1XB*-MdBxQ$V|$9fUFpRFL$&;Y zIZv3cXOKIj=jG-7sC_k6IWZzI@YK$vzwgt@<8oF90GE8!xnQ`oY5XHS3xbI+V(KX- zC8`8p>F&{dIt6K`Re0oud2_35$z~8gstY(z$+l`bwH&rHKpObEnnwA^$wBkSil?n# zt~lpzk?$*CvJ_s&=}&WiIh^-(4u8;-SB7Lv`WXtX)M>dyDErQsRHDy-f% zC)}zKE+GoE6V8zEDa=dTRC+wb5)|i(wj`j{-ypl;kI>aUUTfqDZof4oHjr@6DQSal z>(bouT9;Xy6l%FsaA4C(#~Qn~A&Mjr{_dw=Z8=~EStaM3cJOO#MWRUmgklCHJBiGM zlt+03`D=mcWwkSU&fPjZ zUfUwktEdm%AM&70%5u5gj7u}oF-keV-W zR~L_N(r|CFb*r!g)|U{hdk|E*&g9Z)c|9FS+$QRTzZB_59bF>|cBI{b&+A8wbH&2O z*ICy)IM&Ru9A8~gO(CSoFl$PGW(UzZ@*Huon8fjWx6YL)zBTksd9XWv555S5IUA~{by2KU#d63&YUS;X{H1x=^;KbEjjbny`%b!7^+a@5KU2Q?vK3Z;7!m>Ukv04@Frq^&hF-ouctI$@g-KpZ;0_>w~VpLICxUd%`9@<^+zkUT9;N@GtOy%Cb z39z=Z_KvM&@G+ynbo+VS@tI%UD$iOMhb!$1x~tYz4?$R<9^;xx>vh}YaPv%%F2%8T zKcEWt`W!(~SPV1IK<3zd1-nid+JyArM8?Y4HLt8mFH`o3yC_1(^5Kblft;gDo3q*r zEYXB5NU2C|U>c@v*W@PB6N|u&4xLYt{64*z1@B9m%MVG6Q&V?Rr$*lqAXw(-Bu2ZR ze-1osWy1sX`<_qIB$B?YKVmxnN>5;_5J-+3adHebqtk3$ws$hI5|DRSLVrw7${{20 zsqPr-JH4`#;HtYxxnoZujPv-Kg#(b5WTcmWkVG_VzTG|ydHCal{_&52q?X+=3tUtyBBtuy$4<+W z3$94h5wll_%Dtgu4wcho6stV^HjRtBo$=~uZm8iUj+2OHU}yNw*4mH7io+bWxbgi* zkAXJLX6+iJlu{hcii(U2a1$M;ImO90eh=drm6YI#-?yKBVl6%w4u+_~b zk&acBEBn zB=aIZhm`RTn8D_13tE2`nV$MtD?Y8M?obs<`_W)duliVpIQDg&-eW!aOASaVio+Tn zkps$!`erc4=hD+R2TEUyFQ=HE!YuXV&?&kvjPmGs0oFC@8IvB`-^F>lWKolX3+#bU18W^;SP zLKx{2=+j^5XS;vS7f?f7AbhlS5)|J0z$0x1n*>j~{^Munmjx9GqR#3UQq`z$sDh`t z_4tN4s@qrJ8`67m{lxMg3xEEw%Q058>?i?HBKKL_X3cGoC)+Q%aMs zwpHrrt0oqHa>KfHT;peoIksjJhx&}qP(FmiBc3WQ>eNAGx~o_N&b7>4GI#co=~k7I zWByiU97dlLz-AHEm5sQ}V)K18(x1H((Y<$K`+x7`jehH$^#A3Z0`CwVL4Vwgyt&_u zu>Igdkd90Cyvwdqz?EHrf(BaE-lBiRE*)*uhh~o>vaxBlF|$E=kw zx~0)_*GcegCl8Pi?yvvbj4Yey+(&bG{Mtz$gnyzr41VoohY!ja+^fek3^bL%sya`Y zG%luDj;-D(7B8*ug%Dmjv61$`#4tyG#@KN1h9EzF$Lxs)dsEvD!p>YmO&@l^hiesQ zsN_lJ%P*`MXLE(oSQw~bA-r=s)IO?w%6u6JTv_cSgjnWsuX`x;%Tbb+9B;HoWj-VY z_dW8`*ltRk!;pnAAh(rWTv6v_uu^v+yw7_SO+PC>HMWOG`93rHB{z65o_QYHaty{l zdY!>GylVhSFpo)v+InW}z7`7*gFKAFfQgZQF+c#3Num>ArT zA}|-R`%IeXZu{cs;p1qYdy z`tK$iYpm{uYlTL-pvPn_tYWa5e&noArc#IuDKfMxpm*pD%bzWE$Oq=YLU~AabW-yD? z3F>)V2|F1jfhX$(jPlqRDG;|}#123jcqvg<*@H~Bb~ClwSU=V>~#4F{e}OocxH z+UstN`^qoh&eCr^AJ4@puBH6?!cCFY_Qu4I(xwzkW7DQSgUacNle%NFWREZRWoGy_ z!&ThF?!attHku&hNU?w+(gw2Hsdg2VZA4n3QdfktUn2^Wf9Ku{Lnt$~P3_n_NWo~s zkZdd4*#K(#%O5Z>5esZ!Z#85mt3lp+Edu~9k_m;RF7w9=mrIewhA#APmg^k_EOSTh zB5v6JRw3Mn5du}Bf0+$Perf)h@jXoLMVVn9*_&syiu(+ZizQOG<-6&B3HqZl5#K8l z@c)$w487G6>)$C;+AX5%Et>1^5G^Q3?xU41ev3$Ui#Y!);(bMbhXv7t>9Pea8!uW1 zZN3nYxk8xG&UXpcF!}>nH#?OChJCG1@A$vm@|)jsoBxjgDFx|$MQH!x|NamE@UQ&D zxBL`;^E2>d1^EXdpW_xlK0^BFTqLZY-4Prf8J=+`eW7P V_f<3ft7?*4)XIMij^Q2Ze*gu`Ma=*J literal 0 Hc-jL100001 diff --git a/tests/lua/lua-tlslib-02/input.rules b/tests/lua/lua-tlslib-02/input.rules new file mode 100644 index 000000000..63b5ff9cf --- /dev/null +++ b/tests/lua/lua-tlslib-02/input.rules @@ -0,0 +1 @@ +alert tls any any -> any any (msg:"HTTP GET"; flow:established, to_client; lua: lua-tlsfunctions.lua; sid:1;) diff --git a/tests/lua/lua-tlslib-02/lua-tlsfunctions.lua b/tests/lua/lua-tlslib-02/lua-tlsfunctions.lua new file mode 100644 index 000000000..e0250736b --- /dev/null +++ b/tests/lua/lua-tlslib-02/lua-tlsfunctions.lua @@ -0,0 +1,25 @@ +local tls = require("suricata.tls") + +function init (args) + local needs = {} + -- needs["tls"] = true + return needs +end + +function match(args) + local t, err = tls.get_tx() + if t == err then + print(err) + end + + srv_serial = t:get_server_serial() + if srv_serial == "00:BB:2A:80:CC:14:FC:DD:BC:12:02:B2:A0:86:BD:1D:17" then + return 1 + end + cl_version = t:get_client_version() + if cl_version == "TLS 1.2" then + return 1 + end + + return 0 +end diff --git a/tests/lua/lua-tlslib-02/test.yaml b/tests/lua/lua-tlslib-02/test.yaml new file mode 100644 index 000000000..57940b58f --- /dev/null +++ b/tests/lua/lua-tlslib-02/test.yaml @@ -0,0 +1,13 @@ +requires: + min-version: 8 + +args: + - -k none + - --set security.lua.allow-rules=true + - --set default-rule-path=${TEST_DIR} + +checks: + - filter: + count: 27 + match: + alert.signature_id: 1 -- 2.47.2