From: Jason Ish Date: Tue, 5 May 2026 21:49:00 +0000 (-0600) Subject: tests: add ntp lua tests X-Git-Tag: suricata-8.0.5~27 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=ccb889b8973cafda83cd17fa7285550436c1ef0c;p=thirdparty%2Fsuricata-verify.git tests: add ntp lua tests Ticket: #8533
---
diff --git a/tests/lua/lua-ntp-output/README.md b/tests/lua/lua-ntp-output/README.md
new file mode 100644
index 000000000..c5de47c3d
--- /dev/null
+++ b/tests/lua/lua-ntp-output/README.md
@@ -0,0 +1,8 @@
+# Test Description
+
+Test the `suricata.ntp` Lua library from a Lua output script.
+
+## PCAP
+
+Reuses `tests/ntp-keywords/input.pcap`, generated by
+`tests/ntp-keywords/generate-pcap.py`.
diff --git a/tests/lua/lua-ntp-output/expected/lua-ntp.log b/tests/lua/lua-ntp-output/expected/lua-ntp.log
new file mode 100644
index 000000000..ec8e960c4
--- /dev/null
+++ b/tests/lua/lua-ntp-output/expected/lua-ntp.log
@@ -0,0 +1,4 @@
+NTP version=4 mode=3 stratum=0 reference_id=00:00:00:00
+NTP version=4 mode=4 stratum=2 reference_id=4c:4f:43:4c
+NTP version=3 mode=3 stratum=0 reference_id=00:00:00:00
+NTP version=3 mode=4 stratum=2 reference_id=4c:4f:43:4c
diff --git a/tests/lua/lua-ntp-output/output.lua b/tests/lua/lua-ntp-output/output.lua
new file mode 100644
index 000000000..731e9ef93
--- /dev/null
+++ b/tests/lua/lua-ntp-output/output.lua
@@ -0,0 +1,44 @@
+local ntp = require("suricata.ntp")
+local config = require("suricata.config")
+local logger = require("suricata.log")
+
+local filename = "lua-ntp.log"
+
+local function to_hex(bytes)
+ local parts = {}
+ for i = 1, #bytes do
+ parts[#parts + 1] = string.format("%02x", string.byte(bytes, i))
+ end
+ return table.concat(parts, ":")
+end
+
+function init(args)
+ local needs = {}
+ needs["protocol"] = "ntp"
+ return needs
+end
+
+function setup(args)
+ logger.notice("lua: setup()")
+ file = assert(io.open(config.log_path() .. "/" .. filename, "w"))
+end
+
+function log(args)
+ local tx, err = ntp.get_tx()
+ if tx == nil then
+ print(err)
+ return
+ end
+
+ local msg = string.format("NTP version=%d mode=%d stratum=%d reference_id=%s",
+ tx:version(), tx:mode(), tx:stratum(), to_hex(tx:reference_id()))
+ write(msg)
+end
+
+function deinit(args)
+ file:close(file)
+end
+
+function write(msg)
+ file:write(msg .. "\n")
+end
diff --git a/tests/lua/lua-ntp-output/suricata.yaml b/tests/lua/lua-ntp-output/suricata.yaml
new file mode 100644
index 000000000..746a6ba65
--- /dev/null
+++ b/tests/lua/lua-ntp-output/suricata.yaml
@@ -0,0 +1,9 @@
+%YAML 1.1
+---
+
+outputs:
+ - lua:
+ enabled: yes
+ scripts-dir: .
+ scripts:
+ - output.lua
diff --git a/tests/lua/lua-ntp-output/test.yaml b/tests/lua/lua-ntp-output/test.yaml
new file mode 100644
index 000000000..d97ce9ccb
--- /dev/null
+++ b/tests/lua/lua-ntp-output/test.yaml
@@ -0,0 +1,12 @@
+requires:
+ min-version: 9
+
+pcap: ../../ntp-keywords/input.pcap
+
+args:
+ - --runmode=single
+
+checks:
+ - file-compare:
+ filename: lua-ntp.log
+ expected: expected/lua-ntp.log
diff --git a/tests/lua/lua-ntp-rules/README.md b/tests/lua/lua-ntp-rules/README.md
new file mode 100644
index 000000000..5866fe6f4
--- /dev/null
+++ b/tests/lua/lua-ntp-rules/README.md
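Review bot: `file:close(file)` in deinit passes the handle twice, because the `:` call already supplies it as `self`; `file:close()` is the intended form. `file` (assigned in setup) and `write` (the trailing `function write`) are also created as globals, which the callbacks rely on for shared state but which luacheck flags and which would collide with any other global of the same name loaded into the same state; a module-level `local file` plus `local function write(msg)` declared above `log` keeps the behaviour and the sharing. The `print(err)` branch in log goes to stdout rather than through the `logger` the script already imports, so a `get_tx()` failure would not show up in the Suricata log; `logger.notice(err)` keeps it visible.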
@@ -0,0 +1,8 @@
+# Test Description
+
+Test the `suricata.ntp` Lua library from detection rules.
+
+## PCAP
+
+Reuses `tests/ntp-keywords/input.pcap`, generated by
+`tests/ntp-keywords/generate-pcap.py`.
diff --git a/tests/lua/lua-ntp-rules/test-no-match.lua b/tests/lua/lua-ntp-rules/test-no-match.lua
new file mode 100644
index 000000000..7e9cd96a6
--- /dev/null
+++ b/tests/lua/lua-ntp-rules/test-no-match.lua
@@ -0,0 +1,19 @@
+local ntp = require("suricata.ntp")
+
+function init(args)
+ return {}
+end
+
+function match(args)
+ local tx, err = ntp.get_tx()
+ if tx == nil then
+ print(err)
+ return 0
+ end
+
+ if tx:version() == 4 and tx:mode() == 4 and tx:stratum() == 0 then
+ return 1
+ end
+
+ return 0
+end
diff --git a/tests/lua/lua-ntp-rules/test-v3.lua b/tests/lua/lua-ntp-rules/test-v3.lua
new file mode 100644
index 000000000..826826985
--- /dev/null
+++ b/tests/lua/lua-ntp-rules/test-v3.lua
@@ -0,0 +1,20 @@
+local ntp = require("suricata.ntp")
+
+function init(args)
+ return {}
+end
+
+function match(args)
+ local tx, err = ntp.get_tx()
+ if tx == nil then
+ print(err)
+ return 0
+ end
+
+ if tx:version() == 3 and tx:mode() == 4 and tx:stratum() == 2 and
+ tx:reference_id() == "\x4c\x4f\x43\x4c" then
+ return 1
+ end
+
+ return 0
+end
diff --git a/tests/lua/lua-ntp-rules/test-v4.lua b/tests/lua/lua-ntp-rules/test-v4.lua
new file mode 100644
index 000000000..0920ded96
--- /dev/null
+++ b/tests/lua/lua-ntp-rules/test-v4.lua
@@ -0,0 +1,20 @@
+local ntp = require("suricata.ntp")
+
+function init(args)
+ return {}
+end
+
+function match(args)
+ local tx, err = ntp.get_tx()
+ if tx == nil then
+ print(err)
+ return 0
+ end
+
+ if tx:version() == 4 and tx:mode() == 3 and tx:stratum() == 0 and
+ tx:reference_id() == "\0\0\0\0" then
+ return 1
+ end
+
+ return 0
+end
diff --git a/tests/lua/lua-ntp-rules/test.rules b/tests/lua/lua-ntp-rules/test.rules
new file mode 100644
index 000000000..4e00d4ac1
--- /dev/null
+++ b/tests/lua/lua-ntp-rules/test.rules
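Review bot: The `print(err)` fallback in match of test-no-match.lua (and identically in test-v3.lua and test-v4.lua) sends a `get_tx()` failure to stdout, where a verify run will not surface it, while the output script in this same commit reports through `suricata.log`; if that library is available to detection scripts, `local logger = require("suricata.log")` at the top and `logger.notice(err)` in the branch would make a silent mismatch visible. In test-no-match.lua the condition mode 4 with stratum 0 only makes sense together with the `count: 0` check for sid 3 in test.yaml, and nothing in the script says so; a comment above the `if`, `-- input.pcap only carries mode 4 replies with stratum 2, so this must never match`, would record the intent for whoever regenerates the pcap.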
@@ -0,0 +1,3 @@
+alert ntp any any -> any any (msg:"TEST NTP LUA v4"; ntp.version:>=3; lua:test-v4.lua; sid:1; rev:1;)
+alert ntp any any -> any any (msg:"TEST NTP LUA v3"; ntp.version:>=3; lua:test-v3.lua; sid:2; rev:1;)
+alert ntp any any -> any any (msg:"TEST NTP LUA no match"; ntp.version:>=3; lua:test-no-match.lua; sid:3; rev:1;)
diff --git a/tests/lua/lua-ntp-rules/test.yaml b/tests/lua/lua-ntp-rules/test.yaml
new file mode 100644
index 000000000..67c8dec40
--- /dev/null
+++ b/tests/lua/lua-ntp-rules/test.yaml
@@ -0,0 +1,24 @@
+pcap: ../../ntp-keywords/input.pcap
+
+requires:
+ min-version: 9
+
+args:
+ - --set default-rule-path=${TEST_DIR}
+
+checks:
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 0
+ match:
+ event_type: alert
+ alert.signature_id: 3