test: check for untested keywords in firewall mode

Add suricata-verify tests for keywords that emit 'has not been tes
for firewall rules' warnings. Tests are consolidated into 3 test cases.

- firewall-keyword-icode: tests icode with ICMP echo traffic
- firewall-keyword-http: tests pcre, urilen, dataset with HTTP traff
- firewall-keyword-tls: tests tls.cert_chain_len with TLS cert chain

These tests validate that the keywords function correctly in firewal
mode and can be used to justify adding SIGMATCH_SUPPORT_FIREWALL to
each keyword in the engine.

Related to
Ticket #8387

diff --git a/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/firewall.rules b/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/firewall.rules
new file mode 100644 (file)
index 0000000..1739598
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/firewall.rules
@@ -0,0 +1,26 @@
+# Test pcre, urilen, and dataset keywords in firewall mode
+# flowbit-oring PCAP: single HTTP GET / to testmyids.com, user-agent curl/7.43.0
+
+# Accept TCP session setup
+accept:hook tcp:all any any -> any any (sid:100;)
+
+# Accept request_started to allow app-layer processing
+accept:hook http1:request_started any any -> any any (sid:101;)
+
+# Test pcre: match URI "/" with regex (request_line hook)
+# Test urilen: URI "/" has length 1 (request_line hook)
+accept:hook http1:request_line any any -> any any (http.uri; pcre:"/^\//"; urilen:1; alert; sid:1;)
+
+# Test dataset: match user-agent against loaded dataset (request_headers hook)
+accept:hook http1:request_headers any any -> any any (http.user_agent; dataset:isset,ua-seen,type string,load ua-seen.csv; alert; sid:2;)
+
+# Accept remaining request/response hooks
+accept:hook http1:request_body any any -> any any (sid:104;)
+accept:hook http1:request_trailer any any -> any any (sid:105;)
+accept:hook http1:request_complete any any -> any any (sid:106;)
+accept:hook http1:response_started any any -> any any (sid:201;)
+accept:hook http1:response_line any any -> any any (sid:202;)
+accept:hook http1:response_headers any any -> any any (sid:203;)
+accept:hook http1:response_body any any -> any any (sid:204;)
+accept:hook http1:response_trailer any any -> any any (sid:205;)
+accept:hook http1:response_complete any any -> any any (sid:206;)

diff --git a/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/test.yaml b/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/test.yaml
new file mode 100644 (file)
index 0000000..6c99076
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/test.yaml
@@ -0,0 +1,33 @@
+requires:
+  min-version: 9
+
+pcap: ../../flowbit-oring/input.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+# pcre + urilen match on URI "/" at request_line hook
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 1
+# dataset matches user-agent "curl/7.43.0" at request_headers hook
+- filter:
+    count: 1
+    match:
+      event_type: alert
+      alert.signature_id: 2
+# No drops - all hooks covered
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 10
+      stats.ips.blocked: 0

diff --git a/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/ua-seen.csv b/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/ua-seen.csv
new file mode 100644 (file)
index 0000000..3961eb8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-53-http-pcre-urilen-dataset/ua-seen.csv
@@ -0,0 +1 @@
+Y3VybC83LjQzLjA=

diff --git a/tests/firewall/ruletype-firewall-54-icmp-icode/firewall.rules b/tests/firewall/ruletype-firewall-54-icmp-icode/firewall.rules
new file mode 100644 (file)
index 0000000..a009ef8
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-54-icmp-icode/firewall.rules
@@ -0,0 +1,8 @@
+# Test icode keyword in firewall mode
+# ICMP PCAP has echo requests (type 8, code 0) and echo replies (type 0, code 0)
+
+# Accept all ICMP packets with icode:0 (all packets match)
+accept:hook icmp:all any any -> any any (icode:0; alert; sid:1;)
+
+# Drop everything else
+drop:packet ip:all any any -> any any (sid:999;)

diff --git a/tests/firewall/ruletype-firewall-54-icmp-icode/test.yaml b/tests/firewall/ruletype-firewall-54-icmp-icode/test.yaml
new file mode 100644 (file)
index 0000000..03be65f
--- /dev/null
+++ b/tests/firewall/ruletype-firewall-54-icmp-icode/test.yaml
@@ -0,0 +1,26 @@
+requires:
+  min-version: 9
+
+pcap: ../../detect-itype-prefilter/icmpv4-ping.pcap
+
+args:
+  - --simulate-ips
+  - -k none
+
+checks:
+# icode:0 matches all 150 ICMP packets (75 echo req + 75 echo reply, all code 0)
+- filter:
+    count: 150
+    match:
+      event_type: alert
+      alert.signature_id: 1
+- filter:
+    count: 0
+    match:
+      event_type: drop
+- filter:
+    count: 1
+    match:
+      event_type: stats
+      stats.ips.accepted: 150
+      stats.ips.blocked: 0