From 1868f1f3880c1b6115c3583f5412cc42910fdc5e Mon Sep 17 00:00:00 2001
From: Andreas Herz
Date: Wed, 11 Jun 2025 10:42:11 +0200
Subject: [PATCH] tests: remove exit-code check for datasets-absolute-allowed on v8

With the commit in Suricata to skip adding localstatedir when a full path is provided, the S-V test does not exit with 1 anymore but rather with 0 since it succeeds. This commits updates the previous test to run with Suricata prior to verison 8 and a dedicated copy of the test to work with Suricata 8 without the need to check the exit code anymore, since it's 0. The new test is split between Unix like systems and Windows by using different absolute paths for the filenames.
---
 .../datasets-absolute-allowed-pre8/README.md | 2 ++
 .../suricata.yaml | 13 ++++++++
 .../datasets-absolute-allowed-pre8/test.rules | 3 ++
 .../datasets-absolute-allowed-pre8/test.yaml | 26 +++++++++++++++
 .../README.md | 2 ++
 .../suricata.yaml | 13 ++++++++
 .../test.rules | 3 ++
 .../test.yaml | 33 +++++++++++++++++++
 .../datasets-absolute-allowed/test.yaml | 10 +++---
 9 files changed, 100 insertions(+), 5 deletions(-)
 create mode 100644 tests/datasets/datasets-absolute-allowed-pre8/README.md
 create mode 100644 tests/datasets/datasets-absolute-allowed-pre8/suricata.yaml
 create mode 100644 tests/datasets/datasets-absolute-allowed-pre8/test.rules
 create mode 100644 tests/datasets/datasets-absolute-allowed-pre8/test.yaml
 create mode 100644 tests/datasets/datasets-absolute-allowed-winonly/README.md
 create mode 100644 tests/datasets/datasets-absolute-allowed-winonly/suricata.yaml
 create mode 100644 tests/datasets/datasets-absolute-allowed-winonly/test.rules
 create mode 100644 tests/datasets/datasets-absolute-allowed-winonly/test.yaml
diff --git a/tests/datasets/datasets-absolute-allowed-pre8/README.md b/tests/datasets/datasets-absolute-allowed-pre8/README.md
new file mode 100644
index 000000000..3daacb0c2
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-pre8/README.md
@@ -0,0 +1,2 @@
+Test that the configuration option to allow absolute dataset filenames
+in rules works.
diff --git a/tests/datasets/datasets-absolute-allowed-pre8/suricata.yaml b/tests/datasets/datasets-absolute-allowed-pre8/suricata.yaml
new file mode 100644
index 000000000..50171d9b9
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-pre8/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+datasets:
+ rules:
+ allow-absolute-filenames: true
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/datasets/datasets-absolute-allowed-pre8/test.rules b/tests/datasets/datasets-absolute-allowed-pre8/test.rules
new file mode 100644
index 000000000..323fe04b7
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-pre8/test.rules
@@ -0,0 +1,3 @@
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen, type string, state /tmp/dns-seen.txt; sid:1; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-save, type string, save /tmp/dns-seen-save.txt; sid:2; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-parent, type string, state /tmp/../tmp/dns-seen.txt; sid:3; rev:1;)
diff --git a/tests/datasets/datasets-absolute-allowed-pre8/test.yaml b/tests/datasets/datasets-absolute-allowed-pre8/test.yaml
new file mode 100644
index 000000000..3c1a592e3
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-pre8/test.yaml
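Review bot: test.rules never says why three near-identical rules exist, so a maintainer changing one of them cannot tell which code path it is meant to exercise. A header comment tying each sid to its variant would make that explicit, e.g. `# sid 1: absolute 'state' path, sid 2: absolute 'save' path, sid 3: absolute path containing '..' - each must produce the "Allowing absolute filename for dataset rule" message checked in test.yaml`. The same note applies to the Windows copy in datasets-absolute-allowed-winonly/test.rules, where sid 3 additionally uses dns-seen2.txt instead of dns-seen.txt and the reason for that difference is also undocumented.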
@@ -0,0 +1,26 @@
+pcap: ../../datasets/datasets-parent-path/one-packet.pcap
+
+requires:
+ lt-version: 8
+
+args:
+ - -vvv
+
+# Due to differences between user-mode and system-mode, these rules
+# will actually fail. Instead we're testing to make sure we got past
+# the check for absolute filenames.
+exit-code: 1
+
+checks:
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/dns-seen.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/dns-seen-save.txt"
+ - filter:
+ count: 1
+ match:
+ engine.message: "Allowing absolute filename for dataset rule: /tmp/../tmp/dns-seen.txt"
diff --git a/tests/datasets/datasets-absolute-allowed-winonly/README.md b/tests/datasets/datasets-absolute-allowed-winonly/README.md
new file mode 100644
index 000000000..3daacb0c2
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-winonly/README.md
@@ -0,0 +1,2 @@
+Test that the configuration option to allow absolute dataset filenames
+in rules works.
diff --git a/tests/datasets/datasets-absolute-allowed-winonly/suricata.yaml b/tests/datasets/datasets-absolute-allowed-winonly/suricata.yaml
new file mode 100644
index 000000000..50171d9b9
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-winonly/suricata.yaml
@@ -0,0 +1,13 @@
+%YAML 1.1
+---
+
+datasets:
+ rules:
+ allow-absolute-filenames: true
+
+logging:
+ outputs:
+ - file:
+ enabled: yes
+ filename: eve.json
+ type: json
diff --git a/tests/datasets/datasets-absolute-allowed-winonly/test.rules b/tests/datasets/datasets-absolute-allowed-winonly/test.rules
new file mode 100644
index 000000000..00559fe93
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-winonly/test.rules
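Review bot: The comment carried over above `exit-code: 1` explains the failure only as a user-mode/system-mode difference, but the reason this copy is now bounded by `lt-version: 8` is the one the commit message gives: before Suricata 8 the absolute path still received the localstatedir prefix, so the rule fails to load after the allow check has already been logged. Putting that next to the bound keeps the version limit and the expected exit code tied together and stops someone from "fixing" the exit code later, e.g. `# Before Suricata 8 the absolute path is still prefixed with localstatedir, so loading fails (exit 1) after the allow check; Suricata 8+ is covered by datasets-absolute-allowed (Unix) and datasets-absolute-allowed-winonly (Windows).` The checks themselves only count the three "Allowing absolute filename" messages, so the exit-code line is the only thing encoding the expected failure and deserves the explanation.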
@@ -0,0 +1,3 @@
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen, type string, state C:\Windows\Temp\dns-seen.txt; sid:1; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-save, type string, save C:\Windows\Temp\dns-seen-save.txt; sid:2; rev:1;)
+alert dns any any -> any any (dns.query; dataset: isnotset, dns-seen-parent, type string, state C:\Windows\Temp\..\Temp\dns-seen2.txt; sid:3; rev:1;)
diff --git a/tests/datasets/datasets-absolute-allowed-winonly/test.yaml b/tests/datasets/datasets-absolute-allowed-winonly/test.yaml
new file mode 100644
index 000000000..8fc673dc4
--- /dev/null
+++ b/tests/datasets/datasets-absolute-allowed-winonly/test.yaml
@@ -0,0 +1,33 @@
+pcap: ../../datasets/datasets-parent-path/one-packet.pcap
+
+requires:
+ min-version: 8
+ lambda: sys.platform == "win32"
+
+args:
+ - -vvv
+
+checks:
+ - filter:
+ filename: eve.json
+ count: 3
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ engine.message.__endswith: "dns-seen.txt"
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ engine.message.__endswith: "dns-seen-save.txt"
+ - filter:
+ filename: eve.json
+ count: 1
+ match:
+ engine.message.__startswith: "Allowing absolute filename for dataset rule"
+ engine.message.__endswith: "dns-seen2.txt"
diff --git a/tests/datasets/datasets-absolute-allowed/test.yaml b/tests/datasets/datasets-absolute-allowed/test.yaml
index 990990721..788538014 100644
--- a/tests/datasets/datasets-absolute-allowed/test.yaml
+++ b/tests/datasets/datasets-absolute-allowed/test.yaml
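Review bot: The Windows checks in test.yaml pin only the prefix and the trailing file name of engine.message, so a message whose middle differs from the rule (say with the `C:\Windows\Temp\` part rewritten or the `..` segment normalised away before logging) would still pass, whereas the Unix variants of this test compare the whole message. If the double-quoted YAML scalar is what ruled out a full match (a backslash escape like `\W` is not valid there), a single-quoted scalar keeps backslashes literal, e.g. `engine.message: 'Allowing absolute filename for dataset rule: C:\Windows\Temp\..\Temp\dns-seen2.txt'` for the third per-rule check and the same shape for the other two, assuming the message echoes the rule path verbatim as the Unix checks already assume. With exact matches sid 3 in test.rules could also return to dns-seen.txt as in the Unix rules, since the name would no longer need to be unique for an `__endswith` count; if the suffix matching is kept deliberately, a one-line comment above the checks saying so would save the next reader from re-deriving it.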
@@ -1,13 +1,13 @@
 pcap: ../../datasets/datasets-parent-path/one-packet.pcap
+# this needs at least Suricata 8 and based on the absolute path will not work on Windows
+requires:
+ min-version: 8
+ lambda: sys.platform != "win32"
+
 args:
 - -vvv
-# Due to differences between user-mode and system-mode, these rules
-# will actually fail. Instead we're testing to make sure we got past
-# the check for absolute filenames.
-exit-code: 1
-
 checks:
 - filter:
 count: 1
--
2.47.2
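Review bot: The new comment above `requires:` says what the block enforces but not why the `exit-code: 1` line and its explanation are removed, which is the actual behavioural change of this hunk and the thing most likely to be re-added by someone who remembers the old comment. Tying the two together would read, e.g. `# Suricata 8 no longer prefixes an absolute dataset path with localstatedir, so the run succeeds (exit 0) and no exit-code check is needed; older versions are covered by datasets-absolute-allowed-pre8, Windows paths by datasets-absolute-allowed-winonly.` The checks list continues past the end of the hunk. One consequence worth a sentence in the same comment: because the run now completes, the datasets named in the unchanged rules file are presumably opened for real, and if that file mirrors the -pre8 copy they sit at fixed paths under /tmp, so a stale or pre-existing file at those names can carry state between runs on a shared CI host; the message-count checks here are not affected by that, but a cleanup step or a per-run directory would keep the test self-contained.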