rules: new engine analysis format for generic integers

author Philippe Antoine <pantoine@oisf.net>

Thu, 16 Oct 2025 09:27:13 +0000 (11:27 +0200)

committer Victor Julien <vjulien@oisf.net>

Fri, 7 Nov 2025 00:42:35 +0000 (00:42 +0000)
author Philippe Antoine <pantoine@oisf.net>
Thu, 16 Oct 2025 09:27:13 +0000 (11:27 +0200)
committer Victor Julien <vjulien@oisf.net>
Fri, 7 Nov 2025 00:42:35 +0000 (00:42 +0000)
diff --git a/tests/rules/icmp_id/test.yaml b/tests/rules/icmp_id/test.yaml

index b3285e46e4825d6acb0377fa1906cc7bfce0b0c7..7b412fd396255a1f04ce9006ceab765140f299ff 100644 (file)
--- a/tests/rules/icmp_id/test.yaml
+++ b/tests/rules/icmp_id/test.yaml
@@ -7,9 +7,18 @@ args:
  
  checks:
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
        id: 1
        lists.packet.matches[0].name: "icmp_id"
-      lists.packet.matches[0].id.number: 2
-\ No newline at end of file
+      lists.packet.matches[0].id.number: 2
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "icmp_id"
+      lists.packet.matches[0].id.equal: 2
+\ No newline at end of file
diff --git a/tests/rules/tcp-seq-keyword/test.yaml b/tests/rules/tcp-seq-keyword/test.yaml

index d72a8a2279ab7a74c00446d73e1c748e6afca704..a6423dd10dac2a9d9e67201bb542b2993691a418 100644 (file)
--- a/tests/rules/tcp-seq-keyword/test.yaml
+++ b/tests/rules/tcp-seq-keyword/test.yaml
@@ -7,6 +7,7 @@ args:
  
  checks:
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
@@ -14,8 +15,24 @@ checks:
        lists.packet.matches[0].name: "tcp.seq"
        lists.packet.matches[0].seq.number: 624
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
          id: 2
-        lists.packet.matches[0].seq.number: 723833
-\ No newline at end of file
+        lists.packet.matches[0].seq.number: 723833
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "tcp.seq"
+      lists.packet.matches[0].seq.equal: 624
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+        id: 2
+        lists.packet.matches[0].seq.equal: 723833
+\ No newline at end of file
diff --git a/tests/rules/tcp_ack/test.yaml b/tests/rules/tcp_ack/test.yaml

index 806629d6640c4a9a7a7a6203294d9e0a034103c9..4bb1178e9aef5a3f3238ec6c3c2dffec2a881236 100644 (file)
--- a/tests/rules/tcp_ack/test.yaml
+++ b/tests/rules/tcp_ack/test.yaml
@@ -7,6 +7,7 @@ args:
  
  checks:
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
@@ -14,15 +15,40 @@ checks:
        lists.packet.matches[0].name: "tcp.ack"
        lists.packet.matches[0].ack.number: 782
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
        id: 2
        lists.packet.matches[0].ack.number: 15
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
        id: 3
        lists.packet.matches[0].name: "tcp.ack"
-      lists.packet.matches[0].ack.number: 437528
-\ No newline at end of file
+      lists.packet.matches[0].ack.number: 437528
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "tcp.ack"
+      lists.packet.matches[0].ack.equal: 782
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      lists.packet.matches[0].ack.equal: 15
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+      id: 3
+      lists.packet.matches[0].name: "tcp.ack"
+      lists.packet.matches[0].ack.equal: 437528
+\ No newline at end of file
diff --git a/tests/rules/tcp_window/test.yaml b/tests/rules/tcp_window/test.yaml

index 49cabd16a31020b517161c6248f588180c0352da..9582d63af657717db5d0c869e3666710b3d6a33c 100644 (file)
--- a/tests/rules/tcp_window/test.yaml
+++ b/tests/rules/tcp_window/test.yaml
@@ -7,6 +7,7 @@ args:
  
  checks:
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
@@ -14,12 +15,29 @@ checks:
        lists.packet.matches[0].name: "tcp.window"
        lists.packet.matches[0].window.size: 30336
        lists.packet.matches[0].window.negated: false
-
  - filter:
+    lt-version: 9.0
      filename: rules.json
      count: 1
      match:
        id: 2
        lists.packet.matches[0].name: "tcp.window"
        lists.packet.matches[0].window.size: 1024
-      lists.packet.matches[0].window.negated: true
-\ No newline at end of file
+      lists.packet.matches[0].window.negated: true
+
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+      id: 1
+      lists.packet.matches[0].name: "tcp.window"
+      lists.packet.matches[0].window.equal: 30336
+- filter:
+    min-version: 9.0
+    filename: rules.json
+    count: 1
+    match:
+      id: 2
+      lists.packet.matches[0].name: "tcp.window"
+      lists.packet.matches[0].window.diff: 1024
+\ No newline at end of file
author	Philippe Antoine <pantoine@oisf.net>
	Thu, 16 Oct 2025 09:27:13 +0000 (11:27 +0200)
committer	Victor Julien <vjulien@oisf.net>
	Fri, 7 Nov 2025 00:42:35 +0000 (00:42 +0000)
tests/rules/icmp_id/test.yaml		patch \| blob \| blame \| history
tests/rules/tcp-seq-keyword/test.yaml		patch \| blob \| blame \| history
tests/rules/tcp_ack/test.yaml		patch \| blob \| blame \| history
tests/rules/tcp_window/test.yaml		patch \| blob \| blame \| history