From 1627a132201b1af8a5218ff3207f254317238cce Mon Sep 17 00:00:00 2001
From: Jeff Lucovsky
Date: Sun, 28 Feb 2021 15:06:04 -0500
Subject: [PATCH] tests: Invalid threshold.config w/out -T
---
 .../test.rules | 0
 .../test.yaml | 0
 .../threshold.config | 0
 tests/threshold-config-validate-02/input.pcap | Bin 0 -> 2161 bytes
 tests/threshold-config-validate-02/test.rules | 4 ++++
 tests/threshold-config-validate-02/test.yaml | 15 +++++++++++++++
 .../threshold.config | 1 +
 7 files changed, 20 insertions(+)
 rename tests/{threshold-config-validate => threshold-config-validate-01}/test.rules (100%)
 rename tests/{threshold-config-validate => threshold-config-validate-01}/test.yaml (100%)
 rename tests/{threshold-config-validate => threshold-config-validate-01}/threshold.config (100%)
 create mode 100644 tests/threshold-config-validate-02/input.pcap
 create mode 100644 tests/threshold-config-validate-02/test.rules
 create mode 100644 tests/threshold-config-validate-02/test.yaml
 create mode 100644 tests/threshold-config-validate-02/threshold.config
diff --git a/tests/threshold-config-validate/test.rules b/tests/threshold-config-validate-01/test.rules
similarity index 100%
rename from tests/threshold-config-validate/test.rules
rename to tests/threshold-config-validate-01/test.rules
diff --git a/tests/threshold-config-validate/test.yaml b/tests/threshold-config-validate-01/test.yaml
similarity index 100%
rename from tests/threshold-config-validate/test.yaml
rename to tests/threshold-config-validate-01/test.yaml
diff --git a/tests/threshold-config-validate/threshold.config b/tests/threshold-config-validate-01/threshold.config
similarity index 100%
rename from tests/threshold-config-validate/threshold.config
rename to tests/threshold-config-validate-01/threshold.config
diff --git a/tests/threshold-config-validate-02/input.pcap b/tests/threshold-config-validate-02/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..dc92bd9639041ecf995a0154a95b07485043178d GIT binary patch literal 2161 zc-pmOtO*ah>8YZ=7Q+V!02?-jp>ZpAKijFvl(NU(Pc^&mTbw~^IVGx;<7FAa?jFKkswsjF`qHIiFz*0ClXttM?e5B+E`RiCORS94wgT7k1chJj3$rYVM|(Hb?0<)6Cy&>@ex z+SI=pyZTJqBv;34XKgGD#u1wA*AaVY;L!&jw*(7rO$;xDATo|w9HXZT4H~~+EPgrL}V1oVZ{;&n<0Y=jz@uM z01VFb@i;u1^^7Tumv1IFeP7qTrt{dY>)Se2 zUEP`^XNNoIPha|7Y1e37`)A*FA6?(v8h>&mEo~?>VKq5>;h=oD|6|kp#DSQs)TlBt z=uqvB#~oMm&*@8&!tWC%o_R6pM*mErdZ7DZjxxD7^i*n0Y@6vaktN$%^^UOtUQb+S! zZwzaa?^JJHcDIkKws~?F-s)O+yf^Qu+c9Nl$qrTCv6!mq$Axb`V6P9|sl9Z;{^gd@ z69@JE&))l^V?pM@LZz6aO4EeuR?}3q%iHf%YFEj`N+VKArAZ((r-KtKP4d`Fur)O) zw<)x~?Z)zHwF51Q`YGBaY|61j%yqwF!gWKa any 25 (msg:"ET POLICY Inbound Frequent Emails - Possible Spambot Inbound"; \ + flow:established; content:"mail from|3a|"; nocase; \ + threshold: type threshold, track by_src, count 10, seconds 60; \ + reference:url,doc.emergingthreats.net/2002087; classtype:misc-activity; sid:2002087; rev:10;) diff --git a/tests/threshold-config-validate-02/test.yaml b/tests/threshold-config-validate-02/test.yaml new file mode 100644 index 000000000..2aeb0d28e --- /dev/null +++ b/tests/threshold-config-validate-02/test.yaml @@ -0,0 +1,15 @@ +requires: + min-version: 7 + +command: | + ${SRCDIR}/src/suricata -v --set threshold-file="${TEST_DIR}/threshold.config" -l ${OUTPUT_DIR} -c ${SRCDIR}/suricata.yaml -S ${TEST_DIR}/test.rules -r ${TEST_DIR}/input.pcap + +checks: + + - shell: + args: grep -e "pcre_exec parse error, ret -1, string this is not correct" suricata.log | wc -l | xargs + expect: 1 + + - shell: + args: grep -e "Threshold config parsed.*0 rule.*found" suricata.log | wc -l | xargs + expect: 1 diff --git a/tests/threshold-config-validate-02/threshold.config b/tests/threshold-config-validate-02/threshold.config new file mode 100644 index 000000000..93f562417 --- /dev/null 
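Review bot: The first `args:` check ties the test to the exact wording of an internal diagnostic, `pcre_exec parse error, ret -1, string this is not correct`, including a library return code, so any rewording of that log line (or a change of regex backend) fails the test while the behaviour under test is unchanged. Matching only the stable part, `args: grep -e "parse error.*this is not correct" suricata.log | wc -l | xargs`, keeps the assertion meaningful; the second check, on `0 rule.*found`, is already written that way. What this file actually verifies is fail-open behaviour: without -T an unparseable threshold.config is logged and then ignored, the engine starts with no threshold rules loaded and, assuming suricata-verify's default expected exit code of 0 applies, exits cleanly — but nothing in the test says so, which matters operationally because a typo in this file silently removes thresholding and suppression from a running sensor. I would add above `command:` a comment such as `# Invalid threshold.config is reported but not fatal without -T: the engine starts with no threshold rules loaded`. The renamed -01 test presumably covers the -T case, but only its rename is visible here.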
+++ b/tests/threshold-config-validate-02/threshold.config
@@ -0,0 +1 @@
+this is not correct
--
2.47.2