tests: add rule type check for flowbits #1438
Conversation
| alert ip any any -> any any (msg:"isnotset rule need an option"; flowbits:isnotset; sid:2) | ||
| alert ip any any -> any any (msg:"set rule need an option"; flowbits:set; sid:3;) | ||
| alert ip any any -> any any (msg:"unset rule need an option"; flowbits:unset; sid:4;) | ||
| alert ip any any -> any any (msg:"toggle rule need an option"; flowbits:toggle; sid:5;) |
There was a problem hiding this comment.
Let's also have a rule for the flowbits:noalert option, please :)
There was a problem hiding this comment.
And rules that take into account the ored flowbits https://github.com/OISF/suricata-verify/blob/master/tests/detect-flowbits/test.rules#L3
;)
| @@ -0,0 +1,5 @@ | |||
| alert ip any any -> any any (msg:"isset rule need an option"; flowbits:isset; sid:1;) | |||
| alert ip any any -> any any (msg:"isnotset rule need an option"; flowbits:isnotset; sid:2) | |||
There was a problem hiding this comment.
In addition to the lack of a name for the flowbits variable, this rule would also result in a parse error because it lacks the ; after the rule sid. Each field within the parenthesis must be followed by those. ;)
| @@ -0,0 +1,5 @@ | |||
| alert ip any any -> any any (msg:"isset rule need an option"; flowbits:isset; sid:1;) | |||
There was a problem hiding this comment.
As seen in the flowbits documentation, this keyword needs two values, so all the rules written here will result in a parse error due to the lack of the second field.
(cf https://docs.suricata.io/en/latest/rules/flow-keywords.html#flowbits)
Tip: when an SV test fails with FAILED: got exit code 1, expected 0 this indicates that Suricata finished with an error state, so to debug such cases you should check the output directory in the test folder and see what's in stderr.
There was a problem hiding this comment.
I'm not sure what to pass as the second value? I have changed the code for DETECT-FLOWBITS case so that the name is being stored in ored_variables array, should I pass this array as the second value?
There was a problem hiding this comment.
The second value is a variable name, and as such it's not predefined. Just like a code variable, it is user-defined. Does this clear up?
There was a problem hiding this comment.
ah, okay, that makes sense. Thanks!
| match: | ||
| id: 1 | ||
| lists.packet.matches[0].name: "flowbits" | ||
| lists.packet.matches[0].flowbits.option: "isset" |
There was a problem hiding this comment.
The checks use flowbits.option, but the Suri code change has flowbits.cmd, which results in a check failure with SV.
|
Work continued on: #1439 |
Task#6309
Related to
Issue: #6309
Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6309
Suricata PR: OISF/suricata#9685