tests: check replace keyword ban with firewall
authorJuliana Fajardini <jufajardini@oisf.net>
Tue, 26 May 2026 20:41:03 +0000 (17:41 -0300)
committerVictor Julien <vjulien@oisf.net>
Fri, 29 May 2026 15:18:48 +0000 (15:18 +0000)
Related to
Ticket #8551

tests/firewall/ruletype-firewall-90-ban-replace-keyword/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-90-ban-replace-keyword/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-90-ban-replace-keyword/test.yaml [new file with mode: 0644]
tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/README.md [new file with mode: 0644]
tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/firewall.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/td.rules [new file with mode: 0644]
tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/test.yaml [new file with mode: 0644]

diff --git a/tests/firewall/ruletype-firewall-90-ban-replace-keyword/README.md b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/README.md
new file mode 100644 (file)
index 0000000..c92ea9f
--- /dev/null
@@ -0,0 +1,8 @@
+# Test
+
+Ensure that the engine throws an error message if the `replace` keyword is used
+in firewall rules, as it's banned from them.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/8551
diff --git a/tests/firewall/ruletype-firewall-90-ban-replace-keyword/firewall.rules b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/firewall.rules
new file mode 100644 (file)
index 0000000..374c132
--- /dev/null
@@ -0,0 +1,2 @@
+# should error out, as 'replace' is not allowed in firewall mode
+accept:hook http1:request_started any any -> any any (msg:"Test replace keyword with firewall rules or mode"; content:"foo"; replace:"bar"; sid:2000001;)
diff --git a/tests/firewall/ruletype-firewall-90-ban-replace-keyword/test.yaml b/tests/firewall/ruletype-firewall-90-ban-replace-keyword/test.yaml
new file mode 100644 (file)
index 0000000..0b8322d
--- /dev/null
@@ -0,0 +1,15 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+  - --simulate-ips
+  - -v
+exit-code: 1
+
+checks:
+  - shell:
+      args: grep "keyword 'replace' is not allowed in firewall mode" stderr | wc -l
+      expect: 1
+
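Review bot: The test pins the error text but not the fact that it is a rule-parse-time failure, so a reader may assume the TLS pcap on the `pcap:` line is relevant when it only satisfies the harness; a comment such as `# failure must happen while loading firewall.rules, the pcap is incidental` above `pcap:` would make that explicit. The `--simulate-ips` flag is also doing real work here, since `replace` is an IPS-only keyword and without IPS mode the engine may reject it for a different reason before the firewall-specific ban is reached — that is an inference from the keyword's semantics, not something this diff shows, but a one-line comment on the flag (`# replace requires IPS mode; simulate it so the firewall ban is the check exercised`) would keep the test from being "fixed" by someone dropping the flag. The exit-code and the single-line grep together are a reasonable assertion that exactly one rule failed for exactly this reason.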
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/README.md b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/README.md
new file mode 100644 (file)
index 0000000..094a47d
--- /dev/null
@@ -0,0 +1,8 @@
+# Test
+
+Ensure that the engine throws an error message if the `replace` keyword is used
+in threat detection rules, as it's banned in firewall mode.
+
+## Ticket
+
+https://redmine.openinfosecfoundation.org/issues/8551
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/firewall.rules b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/firewall.rules
new file mode 100644 (file)
index 0000000..56a29a9
--- /dev/null
@@ -0,0 +1 @@
+accept:hook tcp:all any any -> any any (msg:"Simple firewall rule."; sid: 1;)
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/td.rules b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/td.rules
new file mode 100644 (file)
index 0000000..7cb15ca
--- /dev/null
@@ -0,0 +1,2 @@
+# should error out, as 'replace' is not allowed in firewall mode
+alert http any any -> any any (msg:"Test replace keyword with firewall rules"; content:"foo"; replace:"bar"; sid:2000001;)
diff --git a/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/test.yaml b/tests/firewall/ruletype-firewall-91-ban-replace-from-fw-mode/test.yaml
new file mode 100644 (file)
index 0000000..0b8322d
--- /dev/null
@@ -0,0 +1,15 @@
+requires:
+  min-version: 9
+
+pcap: ../../tls/tls-random/input.pcap
+
+args:
+  - --simulate-ips
+  - -v
+exit-code: 1
+
+checks:
+  - shell:
+      args: grep "keyword 'replace' is not allowed in firewall mode" stderr | wc -l
+      expect: 1
+
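Review bot: Nothing in this test.yaml references `td.rules`; the file is byte-identical to test 90's (blob `0b8322d` in both `index` lines), so the threat-detection rule that carries the banned keyword is only loaded if the harness picks it up by filename convention alongside `firewall.rules`. If that is the case it should be stated, e.g. a comment `# td.rules holds the replace rule; firewall.rules is loaded to switch the engine into firewall mode` after `exit-code: 1`, because the distinction between "replace banned in firewall rules" (test 90) and "replace banned in any rule once firewall mode is on" (this test) lives entirely in which file the harness loads. The assertion itself is sound as far as the diff shows: the only rule in `firewall.rules` has no `replace`, so a single match of the error message can only come from `td.rules`.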